Summary of the invention
In view of this, and to address the low security of data encryption or decryption in the prior art, it is necessary to provide a data transmission security control method and device, a computer device and an Internet of Things system.
In one aspect, an embodiment of the present application provides a data transmission security control method. The method is applied to a target network node terminal and comprises:
obtaining a dynamic code sent by a server;
generating a key seed according to the dynamic code, the configuration information of the target network node terminal and a key seed generating algorithm;
inputting the key seed into a symmetric key generator and obtaining a first key generated by the symmetric key generator;
performing data encryption or decryption using the first key.
One or more embodiments provided by the invention have at least the following advantage: a dynamically changing key seed is generated from the continuously changing dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm, and this seed is combined with the symmetric key generator to produce a dynamically changing key. This improves the resistance of the key to cracking and thereby the security of the terminal's data transmission.
In one embodiment, the configuration information of the target network node terminal comprises a device management key, an application software management key and a media access control address;
the step of generating the key seed according to the dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm comprises:
the target network node terminal arranging the device management key, the application software management key and the media access control address according to a preset rule to generate a static seed factor;
the target network node terminal generating the key seed according to the dynamic code, the static seed factor and the key seed generating algorithm.
In one embodiment, the dynamic code is a pseudo-random noise code;
the step of generating the key seed according to the dynamic code, the static seed factor and the key seed generating algorithm comprises:
scrambling the static seed factor bit by bit according to the pseudo-random noise code to generate a scrambled seed source;
generating the key seed according to the scrambled seed source and the key seed generating algorithm.
In one embodiment, the data transmission security control method further comprises:
generating a second key according to the dynamic code and a scrambling algorithm.
In one embodiment, the data transmission security control method further comprises:
in the case where a first-type encryption pattern generated by the server is received, alternately using the first key and the second key for data encryption or decryption according to the first-type encryption pattern;
or
in the case where a second-type encryption pattern generated by the server is received, using the first key for data encryption or decryption according to the second-type encryption pattern;
wherein the first-type encryption pattern is generated by the server when it determines that the target network node terminal is operating under overload, and the second-type encryption pattern is generated by the server when it determines that the target network node terminal is not operating under overload.
In one embodiment, the first-type encryption pattern and the second-type encryption pattern each comprise N block identifiers, and each block identifier corresponds to one information block to be encrypted or one information block to be decrypted;
in the first-type encryption pattern, N-i of the block identifiers take a first value and i of the block identifiers take a second value, where N and i are natural numbers greater than or equal to 1 and i≤N, and each block identifier corresponds to one original information block or one information block to be decrypted;
in the second-type encryption pattern, all N block identifiers take the first value;
wherein the first value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the first key, and the second value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the second key; the target information block is an information block to be encrypted or an information block to be decrypted.
A data transmission security control method is also provided. The method is applied to a server and comprises:
sending a dynamic code to a target network node terminal, so that the target network node terminal generates a first key according to the dynamic code and its configuration information, the first key being used by the target network node terminal for data encryption or decryption.
In one embodiment, the data transmission security control method further comprises:
obtaining the configuration information of the target network node terminal;
judging, according to the configuration information of the target network node terminal, whether the target network node terminal is operating under overload;
if it is determined that the target network node terminal is operating under overload, generating and sending a first-type encryption pattern to the target network node terminal, the first-type encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a first preset rule;
if it is determined that the target network node terminal is not operating under overload, generating and sending a second-type encryption pattern to the target network node terminal, the second-type encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a second preset rule;
wherein the terminal processing capacity required to perform data encryption or decryption according to the first preset rule is lower than the terminal processing capacity required to perform data encryption or decryption according to the second preset rule.
In one embodiment, the first-type encryption pattern and the second-type encryption pattern each comprise N block identifiers, and each block identifier corresponds to one information block to be encrypted or one information block to be decrypted;
in the first-type encryption pattern, N-i of the block identifiers take a first value and i of the block identifiers take a second value, where N and i are natural numbers greater than or equal to 1 and i≤N, and each block identifier corresponds to one original information block or one information block to be decrypted;
in the second-type encryption pattern, all N block identifiers take the first value;
wherein the first value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the first key, and the second value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the second key; the target information block is an information block to be encrypted or an information block to be decrypted.
In one embodiment, the data transmission security control method further comprises:
updating the dynamic code before each network connection is disconnected; or
updating the dynamic code periodically; or
updating the dynamic code upon receiving a first update request command sent by the target network node terminal.
In one embodiment, the data transmission security control method further comprises:
updating the first-type encryption pattern and the second-type encryption pattern before each network connection is disconnected; or
updating the first-type encryption pattern and the second-type encryption pattern periodically; or
updating the first-type encryption pattern and the second-type encryption pattern upon receiving a second update request command sent by the target network node terminal; or
updating the first-type encryption pattern and the second-type encryption pattern when a keep-alive timer expires.
A data transmission security control device is provided. The device is applied to a target network node terminal and comprises:
a key seed parameter acquisition module for obtaining the dynamic code sent by the server;
a key seed generation module for generating the key seed according to the dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm;
a first key determination module for inputting the key seed into the symmetric key generator and obtaining the first key generated by the symmetric key generator;
an encryption/decryption module for performing data encryption or decryption using the first key.
A data transmission security control device is provided. The device is applied to a server and comprises:
a dynamic code sending module for sending a dynamic code to a target network node terminal, so that the target network node terminal generates a first key according to the dynamic code and its configuration information, the first key being used by the target network node terminal for data encryption or decryption.
A computer device comprises a memory and a processor, the memory storing a computer program and the processor implementing the steps of the above data transmission security control method when executing the computer program.
An Internet of Things system comprises:
a server, the server comprising a memory and a processor, the memory storing a computer program and the processor implementing the steps of the above server-side data transmission security control method when executing the computer program;
a plurality of terminals, each terminal comprising a memory and a processor, the memory storing a computer program and the processor of the target network node terminal among the terminals implementing the steps of the above terminal-side data transmission security control method when executing the computer program.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the above data transmission security control method.
Specific embodiment
To facilitate understanding of the invention, a more comprehensive description is given below with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. The invention may, however, be embodied in many different forms and is not limited to the embodiments described herein. Rather, these embodiments are provided so that the disclosure will be thorough and complete.
It should be noted that when an element is described as being "connected" to another element, it may be directly connected to and integrated with the other element, or intervening elements may also be present. The terms "mounted", "one end", "the other end" and similar expressions used herein are for illustrative purposes only.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of the invention. The terms used in the specification of the invention are only for the purpose of describing specific embodiments and are not intended to limit the invention. The term "and/or" used herein includes any and all combinations of one or more of the associated listed items.
The data transmission security control method provided by the present application can be applied in the application environment shown in Figure 1. Each terminal 102 communicates with a server 104 over a network, forming an intelligent Internet of Things (Artificial Internet of Things, AIoT). During communication, each terminal 102 decrypts the data it receives and encrypts the data it sends according to an encryption algorithm, so as to ensure the security of data transmission. The terminal 102 can be, but is not limited to, a smart terminal (Smart Terminal, ST) such as a personal computer, a laptop, a smartphone, a tablet computer or a portable wearable device; the server 104 can be implemented as an independent server or as a server cluster composed of multiple servers, and the server 104 can also be one of the smart terminals 102.
To address the low security of data encryption or decryption methods in the prior art, as shown in Figure 2, an embodiment of the invention provides a data transmission security control method. The method is applied to a target network node terminal and comprises:
S10: obtaining a dynamic code sent by the server;
S20: generating a key seed according to the dynamic code, the configuration information of the target network node terminal and a key seed generating algorithm;
S30: inputting the key seed into a symmetric key generator and obtaining a first key generated by the symmetric key generator;
S40: performing data encryption or decryption using the first key.
The target network node terminal may be one or more terminals in the intelligent Internet of Things that can perform data encryption or decryption in order to send and receive data securely. When the target network node terminal needs to send data out, it encrypts the data to be encrypted to generate a ciphertext and sends the ciphertext; when it needs to decrypt a ciphertext transmitted by another device, it executes the step of decrypting the ciphertext to be decrypted and obtains the data the other device wanted to transmit. The configuration information may include hardware parameters reflecting the target network node terminal and parameters of the application software installed on it; it can be obtained from the server, or it can be hardware parameters set when the terminal left the factory. The dynamic code can be a pseudo-random noise (Pseudorandom Noise, PN) code or a code that changes dynamically according to another rule. The key seed generating algorithm is an algorithm that derives a key seed from certain input parameters. The symmetric key generator is applied to scenarios in which data encryption and decryption use the same key. For example, the server synchronously sends the generated dynamic code and the configuration information of each target network node terminal (which may include the terminal receiving data and the terminal sending data) to both the sending terminal and the receiving terminal, so that the two terminals encrypt and decrypt with the same data key and thereby communicate.
Specifically, to better illustrate the data transmission security control method provided in the embodiments of the present application, the interaction between the server and each network node terminal is taken as an example. The server sends a randomly generated dynamic code to the target network node terminal that needs to perform data encryption or decryption. The terminal obtains a dynamically changing key seed from the dynamic code, its configuration information and the key seed generating algorithm, inputs the key seed into the symmetric key generator to dynamically generate a first key, and then extracts the first key. This avoids the drawback of the prior art, in which only a fixed key seed is used and the key therefore remains unchanged for a long time. After the terminal has generated the first key, if it needs to encrypt outgoing data or to encrypt received data before storing it, it encrypts the data to be encrypted with the first key and then sends or stores the resulting ciphertext; if it needs to receive a ciphertext to be decrypted that is transmitted (or forwarded) by an external device (which can be another network node terminal or the server), it decrypts the received ciphertext with the first key (the target network node terminal and the external device that sent the ciphertext use the same key, i.e. a symmetric algorithm, and the key synchronization between the two devices can be completed by the server). Similarly, when the target network node terminal receives a ciphertext to be decrypted and at the same time needs to send out data to be encrypted, both the encryption and the decryption can be performed with the first key.
In one embodiment, the encryption algorithm used by the symmetric key generator provided in the embodiments of the present application can be the AES (Advanced Encryption Standard) symmetric encryption algorithm, for example AES128, AES192 or AES256. AES is an iterated, symmetric-key block cipher: it can use 128-, 192- and 256-bit keys and encrypts and decrypts data in 128-bit (16-byte) blocks. A symmetric-key cipher uses the same key to encrypt and decrypt data, and the number of bits of the encrypted data returned by the block cipher is the same as that of the input data (the data to be encrypted for sending, or the received ciphertext to be decrypted). Iterated encryption uses a loop structure in which the input data is repeatedly permuted (permutations) and substituted (substitutions).
In the data transmission security control method provided by the invention, the dynamic code and the configuration information of the target network node terminal are combined and processed by the key seed generating algorithm to generate a dynamically changing key seed; this key seed is then input into the symmetric key generator to obtain a dynamically changing first key, and data is encrypted or decrypted with the first key. This improves the resistance of the key to cracking and thereby the data transmission security of systems such as the intelligent Internet of Things.
In one embodiment, as shown in Figure 3, the configuration information of the target network node terminal comprises a device management key, an application software management key and a media access control address;
step S20 of generating the key seed according to the dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm comprises:
S21: arranging the device management key, the application software management key and the media access control address according to a preset rule to generate a static seed factor;
S22: generating the key seed according to the dynamic code, the static seed factor and the key seed generating algorithm.
The device management key (DeviceKey) can be distributed uniformly by the server of the intelligent Internet of Things and can be 32 bytes long. The application software management key (UserKey) is the application software management key on the application terminal of the intelligent Internet of Things; it is distributed uniformly by the application software, is unique within the application terminal, and can be 32 bytes long. The media access control address (Media Access Control, MAC) can be the network address under different communication technologies such as WiFi, BT, NB-IoT and LoRa, and can be 6 bytes long. The preset rule can be to splice the device management key, the application software management key and the media access control address head to tail byte by byte. The static seed factor is a fixed, unchanging signal that influences the generation of the key seed.
The data transmission security control method proposed by the invention applies the dynamic code to the symmetric encryption algorithm, for example by applying the dynamic code at the input of the seed generating algorithm of the AES (Advanced Encryption Standard) algorithm, where it scrambles the static seed. To better illustrate the key seed generation process, take a pseudo-random noise code (PN code) as the dynamic code: the bit length of the pseudo-random noise code can be designed as 32 bits, so that the cycle length is 2^31 = 2147483648; the dynamic code is thus in a continuously changing state and its repetition probability is small. First, the 32-byte device management key, the 32-byte application software management key and the 6-byte media access control address form a 70-byte static seed factor. The 70-byte static seed factor is then scrambled bit by bit with the 32-bit pseudo-random noise code (a trailing group shorter than 32 bits can be aligned by zero padding, or by another padding alignment such as padding with ones), generating a 70-byte scrambled seed factor, which is in turn supplied as input to the key seed generating algorithm to obtain the key seed. The key seed changes dynamically; adding a scrambling step to the key seed generation process improves the pseudo-randomness of the key generated from the key seed and its resistance to decryption, and thereby improves data transmission security.
In one embodiment, as shown in Figure 4, the dynamic code is a pseudo-random noise code, and step S22 of generating the key seed according to the dynamic code, the static seed factor and the key seed generating algorithm comprises:
S221: scrambling the static seed factor bit by bit according to the pseudo-random noise code to generate a scrambled seed source;
S222: generating the key seed according to the scrambled seed source and the key seed generating algorithm.
Taking a 70-byte static seed factor as an example, if the pseudo-random noise code is a 32-bit code, the static seed factor can be divided into groups of four bytes, and the 32 bits of the pseudo-random noise code scrambled against the 32 bits of each group, for example by an XOR operation, to obtain the scrambled seed source. Scrambling the static seed factor yields a dynamically changing scrambled seed source, so the key seed generated from it with the key seed generating algorithm is dynamically changing and highly secure. It should be noted that, depending on the requirements and configuration of the target network node terminal, the static seed factor is not limited to the concrete example in the above embodiment; the example is only intended to help those skilled in the art understand the scheme and does not limit the actual scope of protection of the application.
In one embodiment, as shown in Figure 5, step S222 of generating the key seed according to the scrambled seed source and the key seed generating algorithm comprises:
S2221: sorting the scrambled seed source;
S2222: inputting the sorted scrambled seed source into an RC4 algorithm model and obtaining the key seed generated by the RC4 algorithm model.
The S-box length at the core of the RC4 algorithm model can be arbitrary but is generally 256 bytes; the algorithm can reach about 10 times the speed of DES encryption, so it is fast. Specifically, the seed source is first sorted: according to the input requirements of the RC4 algorithm model, the sorting process can shift and sort the seed source to produce 128 or 256 signals. The sorted scrambled seed source is then used as the input of the RC4 algorithm model, and the seed generated by the RC4 algorithm model is extracted as the key seed. The server side performs the same processing when it generates the seed. The key seed generating algorithm provided by the embodiments of the present application thus adds one layer of scrambling on top of the standard symmetric encryption algorithm; with one more layer of encryption protection, the cracking difficulty is higher and the reliability stronger.
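The following is an added example, not code from the application itself: it implements steps S21, S221, S222 and S30 described above in Go, using the stated lengths (32-byte DeviceKey, 32-byte UserKey, 6-byte MAC, 32-bit PN code) and the Go standard library's RC4 and AES. The "sorting" of step S2221 is not fixed by the description, so it is assumed here to cyclically extend the 70 scrambled bytes to a 256-byte RC4 key, and the symmetric key generator is assumed to take the leading bytes of the key seed as the AES key; the configuration values in sampleConfig are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
)

// Lengths stated in the description; RC4KeyLen and SeedLen are assumptions.
const (
	DeviceKeyLen = 32
	UserKeyLen   = 32
	MACLen       = 6
	StaticLen    = DeviceKeyLen + UserKeyLen + MACLen // 70-byte static seed factor
	PNGroupLen   = 4                                  // a 32-bit PN code covers 4 bytes
	RC4KeyLen    = 256                                // seed "arranged" to 256 signals
	SeedLen      = 32                                 // key seed taken from RC4 output
)

// StaticSeedFactor splices DeviceKey || UserKey || MAC head to tail (step S21).
func StaticSeedFactor(deviceKey, userKey, mac []byte) ([]byte, error) {
	if len(deviceKey) != DeviceKeyLen || len(userKey) != UserKeyLen || len(mac) != MACLen {
		return nil, fmt.Errorf("bad configuration lengths %d/%d/%d", len(deviceKey), len(userKey), len(mac))
	}
	s := append(append(append(make([]byte, 0, StaticLen), deviceKey...), userKey...), mac...)
	return s, nil
}

// ScrambleSeed XORs each 4-byte group of the static seed factor with the 32-bit
// PN code (step S221). Zero-padding the trailing 2-byte group and dropping the
// padding again equals XORing each byte with the PN byte at its group offset;
// because XOR is used, applying the scramble twice restores the input.
func ScrambleSeed(static []byte, pn uint32) []byte {
	var pnBytes [PNGroupLen]byte
	binary.BigEndian.PutUint32(pnBytes[:], pn)
	out := make([]byte, len(static))
	for i := range static {
		out[i] = static[i] ^ pnBytes[i%PNGroupLen]
	}
	return out
}

// KeySeed is step S222: the scrambled seed source is arranged into an RC4 key
// (assumed: cyclic extension to 256 bytes, step S2221) and the first SeedLen
// bytes of the RC4 keystream are extracted as the key seed (step S2222).
// An empty seed source yields nil, which FirstKey rejects.
func KeySeed(scrambled []byte) []byte {
	if len(scrambled) == 0 {
		return nil
	}
	rc4Key := make([]byte, RC4KeyLen)
	for i := range rc4Key {
		rc4Key[i] = scrambled[i%len(scrambled)]
	}
	c, _ := rc4.NewCipher(rc4Key) // 256 bytes is within RC4's 1..256-byte key range
	seed := make([]byte, SeedLen) // all zero, so the XOR yields the raw keystream
	c.XORKeyStream(seed, seed)
	return seed
}

// FirstKey is the symmetric key generator of step S30. Assumption: it takes the
// leading keyLen bytes (16, 24 or 32 for AES-128/192/256) of the key seed and
// checks them against the AES key schedule.
func FirstKey(seed []byte, keyLen int) ([]byte, error) {
	if (keyLen != 16 && keyLen != 24 && keyLen != 32) || len(seed) < keyLen {
		return nil, fmt.Errorf("cannot derive a %d-byte AES key from a %d-byte seed", keyLen, len(seed))
	}
	key := append([]byte(nil), seed[:keyLen]...)
	if _, err := aes.NewCipher(key); err != nil {
		return nil, err
	}
	return key, nil
}

// DeriveFirstKey chains S21 -> S221 -> S222 -> S30 on the terminal side.
func DeriveFirstKey(deviceKey, userKey, mac []byte, pn uint32, keyLen int) ([]byte, error) {
	static, err := StaticSeedFactor(deviceKey, userKey, mac)
	if err != nil {
		return nil, err
	}
	return FirstKey(KeySeed(ScrambleSeed(static, pn)), keyLen)
}

// sampleConfig returns constructed configuration values, not values from the text.
func sampleConfig() (deviceKey, userKey, mac []byte) {
	deviceKey, userKey = make([]byte, DeviceKeyLen), make([]byte, UserKeyLen)
	for i := range deviceKey {
		deviceKey[i], userKey[i] = byte(i), byte(0xA0+i)
	}
	return deviceKey, userKey, []byte{0x02, 0x00, 0x5E, 0x10, 0x20, 0x30}
}

func main() {
	dk, uk, mac := sampleConfig()
	for _, pn := range []uint32{0x12345678, 0x12345679} { // two successive PN codes
		key, err := DeriveFirstKey(dk, uk, mac, pn, 16)
		if err != nil {
			panic(err)
		}
		fmt.Printf("PN %08x -> AES-128 first key %x\n", pn, key)
	}
}
```

RC4 appears here only because the description names it as the seed model; its keystream has well-known statistical biases, so the key seed must not be reused directly as a data-encryption keystream.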
In one embodiment, as shown in Figure 6, the data transmission security control method further comprises:
S50: generating a second key according to the dynamic code and a scrambling algorithm.
Intelligent terminals for the Internet of Things are diverse: the terminals used in different industries, by different users and in different application scenarios differ in computing capability, storage resources, communication rate and power consumption. For example, the Internet of Things terminals of a smart residential community, such as smart water, electricity and gas meters, PM2.5 environmental detectors and street lamp controllers, are generally equipped with a central processing module and a network communication module and have some security protection capability. Terminals such as the smart cameras of a smart city, smart payment terminals, smart gateways and the control terminals of intelligent connected vehicles have their own operating systems and powerful computing units, storage capacity, communication capability and external sensing capability. The prior art uses a single encryption and decryption algorithm, which cannot satisfy intelligent terminals with different processing capabilities, so resources are allocated unreasonably. To address this problem, the data transmission security control method provided by the embodiments of the present application allows the target network node terminal to selectively generate two kinds of keys. Considering that data encryption or decryption with a second key generated by a scrambling algorithm is much faster than data encryption or decryption with the above first key, the method generates a second key from the dynamic code (for example, the pseudo-random noise code) and a scrambling algorithm for use in data encryption or decryption. If the dynamic code is a 32-bit pseudo-random noise code, the second key can instruct the terminal to group the data to be sent into 32-bit (4-byte) groups and to perform a scrambling operation such as XOR between each group and the pseudo-random noise code to generate the ciphertext; the terminal's decryption of a ciphertext to be decrypted is similar to the encryption of the data to be sent and is not repeated here.
In one embodiment, as shown in Figure 6, the data transmission security control method further comprises:
S60: in the case where a first-type encryption pattern generated by the server is received, alternately using the first key and the second key for data encryption or decryption according to the first-type encryption pattern;
or
S70: in the case where a second-type encryption pattern generated by the server is received, using the first key for data encryption or decryption according to the second-type encryption pattern;
wherein the first-type encryption pattern is generated by the server when it determines that the target network node terminal is operating under overload, and the second-type encryption pattern is generated by the server when it determines that the target network node terminal is not operating under overload.
With the data transmission security control method provided in one embodiment of the present application, when the server determines that a terminal is operating under overload it sends a first-type encryption pattern to the terminal, instructing the terminal to encrypt or decrypt the data it sends and receives alternately with the first key and the second key, so as to reduce the terminal's load and ensure that it can operate normally. Data of different content often has different security requirements when it is transmitted: for example, data involving sensitive content such as an internal list generally has higher security requirements, while data such as the timestamps in a log file generally has lower security requirements. On this basis, the specific process of alternately using the first key and the second key to encrypt or decrypt the sent and received data can be: data with higher security requirements is encrypted or decrypted with the first key, which is slower but more secure, and data with lower security requirements is encrypted or decrypted with the faster second key. On the premise of ensuring data transmission security, the terminal's key selection can thus be adjusted adaptively according to the state of the target network node terminal, improving processing speed and allocating resources reasonably. When the processing capability of the target network node terminal is sufficient, all data can be encrypted or decrypted with the first key, improving data transmission security without affecting the terminal's normal operation and data processing speed.
In one embodiment, the first-type encryption pattern and the second-type encryption pattern each comprise N block identifiers, and each block identifier corresponds to one information block to be encrypted or one information block to be decrypted;
in the first-type encryption pattern, N-i of the block identifiers take a first value and i of the block identifiers take a second value, where N and i are natural numbers greater than or equal to 1 and i≤N, and each block identifier corresponds to one original information block or one information block to be decrypted;
in the second-type encryption pattern, all N block identifiers take the first value;
wherein the first value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the first key, and the second value instructs the target network node terminal to encrypt or decrypt the target information block corresponding to the block identifier using the second key; the target information block is an information block to be encrypted or an information block to be decrypted.
The data to be sent is divided by bytes into a plurality of the above information blocks to be encrypted, and the ciphertext to be decrypted is divided by bytes into a plurality of the above information blocks to be decrypted. When the first value and the second value are binary machine codes, the first value can be 1 or 0 and the second value 0 or 1, with the first value not equal to the second value.
Terminals equipped with stronger security protection capability also present more attack paths, while terminals with ordinary security protection capability are exposed to fewer external attack paths but have lower processing capability; the processing capability that data encryption or decryption demands of a network node terminal therefore conflicts with the diversity of the terminals' own capabilities. Moreover, for original information blocks of the same size, the processing speeds of different encryption algorithms differ greatly; for example, a scrambling algorithm based on a pseudo-random noise code is 80 to 100 times faster than a symmetric encryption algorithm. To better describe the working process of the key selection and generation method provided by the embodiments of the present application, the following takes the first key as a key generated by a symmetric encryption algorithm and the second key as a key generated by a scrambling algorithm based on a pseudo-random noise code.
Specifically, the data processing capability of the target network node terminal and its current send/receive data volume need to be considered together. For example, the configuration information of the target network node terminal may include a data processing capability parameter of the terminal; this parameter and the send/receive data volume of the target network node terminal are first obtained, and then whether the target network node terminal is overloaded is judged from the data processing capability parameter, the send/receive data volume and a preset excess-load threshold. The judgement may be: divide the current send/receive data volume by the data processing capability parameter of the terminal to obtain the current working-capacity occupancy; if the occupancy exceeds the preset excess-load threshold, the terminal is in an overloaded state, and a first-class encryption pattern may then be sent to the terminal. The first-class encryption pattern may be a 32-byte (128-bit) variable generated by the server through a random algorithm, the random algorithm being able to keep the numbers of 1 and 0 bits in a balanced proportion. When a bit is 1, the block identifier at that position is 1, instructing the terminal to encrypt or decrypt the original information block of the corresponding byte size using the first key; when a bit is 0, the block identifier at that position is 0, instructing the terminal to encrypt or decrypt the original information block of the corresponding bytes using the second key. As a result, the terminal encrypts or decrypts part of the original information blocks with the first key generated by the symmetric encryption algorithm, ensuring high confidentiality when important data is transmitted, while data with lightweight security requirements can be encrypted or decrypted with the second key generated by the scrambling algorithm. Because the scrambling algorithm is much faster than the symmetric encryption algorithm, this saves computing resources while still avoiding exposure of the plaintext, so that data security is ensured and the terminal's encryption adapts itself to its load. When the terminal receives the first key and the second key, it may store them in NAND flash. The first key and the second key are not limited to the algorithms in this example and may also be produced by other algorithms with different processing speeds, which is not repeated here.
In another aspect, an embodiment of the present application further provides a data transmission security control method as shown in Figure 7, the method comprising:
S100: sending a dynamic code to the target network node terminal, so that the target network terminal generates a first key according to the dynamic code and the configuration information of the target network node terminal, the first key being used by the target network node terminal for data encryption or decryption.
To improve the security of data transmission, the data transmission security control method provided by the embodiments of the present application may also generate and send the configuration information of the target network node terminal and the dynamic code to each target network node terminal, for each terminal to use when generating keys. Specifically, the configuration information of the target network node terminal and the dynamic code may be combined with a key seed generating algorithm to produce a dynamically changing key seed; this key seed serves as the input of a symmetric key generator, which produces a first key that can change dynamically and is more resistant to reverse cracking than the static keys used in the traditional technology.
In one embodiment, as shown in Figure 7, the data transmission security control method further comprises:
S200: obtaining the configuration information of the target network node terminal;
S300: judging, according to the configuration information of the target network node terminal, whether the target network node terminal is overloaded;
S400: if it is determined that the target network node terminal is overloaded, generating and sending a first-class encryption pattern to the target network node terminal, the first-class encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a first preset rule;
S500: if it is determined that the target network node terminal is not overloaded, generating and sending a second-class encryption pattern to the target network node terminal, the second-class encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a second preset rule;
wherein the terminal processing capability required to perform data encryption or decryption according to the first preset rule is lower than the terminal processing capability required to perform data encryption or decryption according to the second preset rule.
The target network node terminal may be one or more terminals in an intelligent Internet of Things; such a terminal can perform data encryption or decryption in order to send and receive data securely. When the target network node terminal needs to send data, it encrypts the data to be sent to produce a ciphertext and sends it in ciphertext form; when it needs to receive a ciphertext to be decrypted from another device, it performs the step of decrypting that ciphertext to obtain the data the other device wanted to transmit. The configuration information may include hardware parameters reflecting the target network node terminal and parameters of the application software installed on it; it may be obtained from the server, or it may be hardware parameters set when the terminal left the factory. The terminal processing capability required for encryption or decryption refers to the CPU resources of the terminal occupied when the same data is encrypted or decrypted.
In order to allocate the resources of the target network node terminal reasonably and keep it in a good working state while guaranteeing data transmission security, the data transmission security control method provided by the embodiments obtains the configuration information of the target network node terminal to judge whether the terminal is currently overloaded. If it is determined to be overloaded, the amount of data the terminal has to handle exceeds its data processing capability, which causes slow operation or slow data processing; the server may then send a first-class encryption pattern to the terminal, instructing it to encrypt or decrypt its send/receive data using the first preset rule, which reduces the terminal's burden and keeps it running normally. If it is determined that the target network node terminal is not overloaded, the server generates and sends a second-class encryption pattern so that the terminal encrypts or decrypts its send/receive data using the second preset rule, making full use of the terminal's resources. The data transmission security obtained by encrypting or decrypting with the first preset rule may be lower than that obtained with the second preset rule: the higher the data transmission security, the more complex the keys used and the more terminal resources consumed. When the processing capability of the target network node terminal is sufficient, keys with high resistance to cracking can be used for encryption or decryption, improving data transmission security; when its processing capability is insufficient, keys with somewhat lower resistance to cracking are used, guaranteeing normal operation of the terminal on the premise of data transmission security.
In some possible embodiments, whether the terminal is overloaded may be judged from the configuration information of the target network node terminal and a preset excess-load threshold. For example, since the data processing capability of a terminal is closely related to the clock frequency of its CPU, the configuration information may include the CPU clock frequency, and the excess-load threshold may be a clock frequency of 1 GHz (the specific value of the threshold may be adjusted for different application scenarios); in this case, if the CPU clock frequency of the target network node terminal is greater than 1 GHz, the terminal is judged not overloaded, and if it is less than 1 GHz, the terminal is judged overloaded.
In other feasible embodiments, whether the target network node terminal is overloaded may also be judged directly from its configuration information. For example, target network nodes may be divided by processing performance into two kinds of network node terminals: high-performance network node terminals (for example, terminals without an operating system) and low-performance network node terminals (for example, terminals with an operating system). The type of the target network node terminal can then be determined from its configuration information: when the configuration information indicates a high-performance network node terminal, the terminal is judged not overloaded; when it indicates a low-performance network node terminal, the terminal is judged overloaded. The two approaches mentioned are not limiting; other embodiments may judge from the configuration information of the target network node whether the target network node terminal is overloaded in other ways, and the embodiments of the present application do not restrict this.
In one embodiment, the first-class encryption pattern and the second-class encryption pattern each comprise N block identifiers, each block identifier corresponding to one information block to be encrypted or one information block to be decrypted;
in the first-class encryption pattern, N-i of the block identifiers are the first value and i of the block identifiers are the second value, where N and i are natural numbers greater than or equal to 1 and i ≤ N, and each block identifier corresponds to one original information block or one information block to be decrypted;
all N block identifiers of the second-class encryption pattern are the first value;
The first-class and second-class encryption patterns may be generated as follows: the server first obtains the data processing capability parameter and the send/receive data volume of the target network node terminal, then judges whether the target network node terminal is overloaded from the data processing capability parameter, the send/receive data volume and a preset excess-load threshold. The judgement may be: divide the current send/receive data volume by the data processing capability parameter of the terminal to obtain the current working-capacity occupancy; if the occupancy exceeds the preset excess-load threshold, the terminal is in an overloaded state and a first-class encryption pattern may be sent to it. The first-class encryption pattern may be a 32-byte (128-bit) variable generated by the server through a random algorithm that can keep the numbers of 1 and 0 bits in a balanced proportion. When a bit is 1, the block identifier at that position is 1, instructing the terminal to encrypt and decrypt the original information block of the corresponding byte size with the first key; when a bit is 0, the block identifier at that position is 0, instructing the terminal to encrypt and decrypt the original information block of the corresponding bytes with the second key. The terminal thus encrypts and decrypts part of the original information blocks with the first key generated by the symmetric encryption algorithm, ensuring high confidentiality when important data is transmitted, and encrypts and decrypts data with lightweight security requirements using the second key generated by the scrambling algorithm; since the scrambling algorithm is much faster than the symmetric encryption algorithm, computing resources are saved while exposure of the plaintext is still avoided, so data security is ensured and the terminal's encryption adapts itself to its load. When the terminal receives the first key and the second key, it may store them in NAND flash. The order of the 1s and 0s among the block identifiers may be a preset periodic arrangement such as 10101, or may follow data importance, with the block identifiers of important data set to 1 and those of data with lower security requirements set to 0.
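The server-side pattern generation and the terminal-side per-block key selection described above (in the terminal-side passage earlier and in the generating process just given), as an added Python example that is not the patent's own code. Assumptions not stated in the text: the first-key cipher is a stand-in SHA-256 keystream (the text names only "a symmetric encryption algorithm"), the scrambling algorithm is XOR with a 16-bit LFSR pseudo-random noise code, information blocks are 16 bytes, the excess-load threshold is 0.8, and the 32-byte pattern carries 256 block identifiers.

```python
import hashlib
import os

PATTERN_BYTES = 32          # pattern length stated in the text: 32 bytes = 256 block identifiers
BLOCK_SIZE = 16             # constructed: bytes per original information block
OVERLOAD_THRESHOLD = 0.8    # constructed excess-load threshold on working-capacity occupancy


def is_overloaded(traffic, capacity, threshold=OVERLOAD_THRESHOLD):
    """Server side: occupancy = send/receive volume / data processing capability parameter."""
    if capacity <= 0:
        raise ValueError("data processing capability parameter must be positive")
    return traffic / capacity > threshold


def bits_to_pattern(bits):
    """Pack N block identifiers (0/1, most significant bit first) into pattern bytes."""
    if len(bits) != PATTERN_BYTES * 8:
        raise ValueError("pattern must hold exactly %d block identifiers" % (PATTERN_BYTES * 8))
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def block_identifier(pattern, index):
    """Block identifier of block `index`: 1 selects the first key, 0 the second key."""
    return (pattern[index // 8] >> (7 - index % 8)) & 1


def first_class_pattern(rng=os.urandom):
    """Random pattern with the numbers of 1 and 0 bits kept equal (balanced proportion)."""
    n = PATTERN_BYTES * 8
    bits = [1] * (n // 2) + [0] * (n // 2)
    for i in range(n - 1, 0, -1):                  # Fisher-Yates shuffle
        j = int.from_bytes(rng(2), "big") % (i + 1)
        bits[i], bits[j] = bits[j], bits[i]
    return bits_to_pattern(bits)


def periodic_pattern(cycle="10101"):
    """Alternative first-class pattern: a preset periodic arrangement such as 10101."""
    return bits_to_pattern([int(cycle[i % len(cycle)]) for i in range(PATTERN_BYTES * 8)])


def second_class_pattern():
    """All N block identifiers are the first value: every block uses the first key."""
    return b"\xff" * PATTERN_BYTES


def choose_pattern(traffic, capacity):
    """Server decision: first-class pattern when overloaded, otherwise second-class."""
    return first_class_pattern() if is_overloaded(traffic, capacity) else second_class_pattern()


def prn_code(seed, length):
    """Pseudo-random noise code from a 16-bit maximal-length Fibonacci LFSR
    (taps 16,14,13,11); a stand-in for the patent's scrambling algorithm."""
    state = (seed & 0xFFFF) or 0xACE1         # an LFSR must never start from zero
    out = bytearray()
    for _ in range(length):
        byte = 0
        for _ in range(8):
            bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
            state = (state >> 1) | (bit << 15)
            byte = (byte << 1) | (state & 1)
        out.append(byte)
    return bytes(out)


def first_key_stream(first_key, block_index, length):
    """Stand-in keystream for the symmetric algorithm: SHA-256(first_key || block index)."""
    return hashlib.sha256(first_key + block_index.to_bytes(4, "big")).digest()[:length]


def process(data, pattern, first_key, second_key):
    """Terminal side: encrypt or decrypt (XOR, so one call does both) block by block,
    choosing the first key or the scrambling (second) key from each block identifier."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK_SIZE):
        block = data[offset:offset + BLOCK_SIZE]
        i = offset // BLOCK_SIZE
        if i >= PATTERN_BYTES * 8:
            raise ValueError("more information blocks than block identifiers")
        if block_identifier(pattern, i) == 1:
            stream = first_key_stream(first_key, i, len(block))
        else:
            stream = prn_code(second_key ^ i, len(block))   # re-seed the noise code per block
        out += bytes(a ^ b for a, b in zip(block, stream))
    return bytes(out)
```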
In one embodiment, the data transmission security control method further comprises:
updating the dynamic code before each network connection is disconnected; or
updating the dynamic code periodically; or
updating the dynamic code upon receiving a first update request command sent by the target network node terminal.
The embodiments of the present application also provide a method of updating the dynamic code. Each time the TCP/IP connection between the server and the target network node terminal is disconnected, the server may update the dynamic code, and the first key generated from the dynamic code is broadcast synchronously to every network node terminal in the intelligent Internet of Things, so that the terminals can better exchange data. The dynamic code may also be updated forcibly by the server, for example periodically, generating a new dynamic code. It may also be updated by the server at the request of the target network node terminal, for example when a first update request command sent by a network node terminal is received; the first update request command may be generated by the terminal when it is idle, or generated by the terminal periodically.
In one embodiment, the data transmission security control method further comprises:
updating the first-class encryption pattern and the second-class encryption pattern before each network connection is disconnected; or
updating the first-class encryption pattern and the second-class encryption pattern periodically; or
updating the first-class encryption pattern and the second-class encryption pattern upon receiving a second update request command sent by the target network node terminal; or
updating the first-class encryption pattern and the second-class encryption pattern when a keepalive timer expires.
The key management control method provided by the embodiments adds a layer of dynamic security protection by updating the encryption patterns. Specifically, each time the TCP/IP connection between the server and the target network node terminal is disconnected, the server may update the first-class and second-class encryption patterns, performing key selection and generation again according to the processing capability and send/receive data volume of the target network node terminal; the patterns may also be updated periodically by the server; or they may be updated upon receiving a second update request command sent by the terminal, for example when the idle terminal actively sends a second update request command to the server instructing it to update the first-class and second-class encryption patterns. The server may also update the first-class and second-class encryption patterns when a keepalive timer expires, that is, when the terminal has been disconnected from the server and has still failed to re-establish a TCP/IP connection after a certain time. By providing this update mechanism for the first-class and second-class encryption patterns, the invention keeps the information block identifier space consistent with that of the target network node terminal, and at the same time can handle packet loss and out-of-order delivery caused by external and internal factors such as network problems or equipment faults, guaranteeing reliable operation of the adaptive terminal encryption system that applies this key management control method. The first update request command and the second update request command may be the same command; when they are the same command, the dynamic code and the first-class/second-class encryption patterns are updated synchronously.
In one embodiment, the data transmission security control method further comprises:
broadcasting the first key and the second key synchronously to the other network node terminals.
To facilitate data exchange between the network node terminals, after the first key and/or the second key are generated, the generated result is broadcast synchronously to the other network node terminals.
It should be understood that although the steps in the flowcharts of Figures 2 to 7 are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless expressly stated herein, there is no strict order restriction on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in Figures 2 to 7 may include multiple sub-steps or stages, which are not necessarily completed at the same time but may be executed at different times; their execution order is not necessarily sequential either, and they may be executed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
An embodiment of the present application provides a data transmission security control device, as shown in Figure 8, comprising:
a dynamic code obtaining module 1, for obtaining the dynamic code sent by the server;
a key seed generation module 2, for generating a key seed according to the dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm;
a first key determining module 3, for inputting the key seed to the symmetric key generator and obtaining the first key generated by the symmetric key generator;
an encryption/decryption module 4, for performing data encryption or decryption using the first key.
The implementation of the steps performed by each module and unit in the data transmission security control device can refer to the description in the embodiments of the data transmission security control method above. The data transmission security control device provided by the embodiments obtains, through the dynamic code obtaining module 1, a dynamic code such as a pseudo-random noise code generated by the server; generates, through the key seed generation module 2, a key seed according to the dynamic code, the configuration information of the terminal and the key seed generating algorithm; further obtains, through the first key determining module 3, the first key by using the key seed as the input of the symmetric key generator, which avoids the problem that a single fixed static key is easily reverse-cracked; and then, through the encryption/decryption module 4, encrypts the data to be encrypted or decrypts the ciphertext to be decrypted with the first key, improving the security of terminal data transmission.
In one embodiment, as shown in Figure 9, the key seed generation module 2 comprises:
a static seed factor generation unit 21, for arranging the equipment management key, the application software management key and the media access control address according to a preset rule to generate a static seed factor;
a dynamic key seed determination unit 22, for generating the key seed according to the dynamic code, the static seed factor and the key seed generating algorithm.
In one embodiment, as shown in Figure 10, the dynamic key seed determination unit 22 comprises:
a scrambled seed source generation unit 221, for scrambling the static seed factor bit by bit according to the pseudo-random noise code to generate a scrambled seed source;
a descrambling key seed determination unit 222, for generating the key seed according to the scrambled seed source and the key seed generating algorithm.
In one embodiment, as shown in Figure 11, the descrambling key seed determination unit 222 comprises:
a scrambled seed source sequencing unit 2221, for sorting the scrambled seed source;
an RC4 key seed determination unit 2222, for inputting the sorted scrambled seed source to an RC4 algorithm model and obtaining the key seed generated by the RC4 algorithm model.
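The key seed pipeline of units 21, 221, 2221 and 2222 above, followed by the symmetric key generator of module 3, as an added Python example that is not the patent's own code. Assumptions, since the text names none: the preset arrangement rule is plain concatenation of the three values, bitwise scrambling is XOR with the pseudo-random noise code repeated to length, sorting is an ascending byte sort, the "RC4 algorithm model" is RC4's key schedule followed by its first output bytes, and the symmetric key generator is a stand-in HMAC-SHA256 keyed by the seed.

```python
import hashlib
import hmac


def static_seed_factor(device_key, app_key, mac):
    """Unit 21: arrange the equipment management key, application software management key
    and MAC address by a preset rule (assumed here: plain concatenation)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if not device_key or not app_key:
        raise ValueError("management keys must not be empty")
    return device_key + app_key + mac


def scramble(static_factor, prn_code):
    """Unit 221: scramble the static seed factor bit by bit with the pseudo-random noise
    code (XOR, the code repeated to the factor's length); applying it twice restores the input."""
    if not prn_code:
        raise ValueError("dynamic code must not be empty")
    return bytes(b ^ prn_code[i % len(prn_code)] for i, b in enumerate(static_factor))


def order_seed_source(scrambled):
    """Unit 2221: sort the scrambled seed source (assumed: ascending byte order).
    Caveat: sorting keeps only the multiset of bytes, so two scrambled sources that
    differ only in byte order yield the same key seed."""
    return bytes(sorted(scrambled))


def rc4_key_seed(ordered, seed_len=32):
    """Unit 2222: feed the ordered seed source to an RC4 model (key schedule plus the
    first seed_len keystream bytes) and take the output as the key seed."""
    if not 1 <= len(ordered) <= 256:
        raise ValueError("RC4 key length must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # RC4 key-scheduling algorithm
        j = (j + s[i] + ordered[i % len(ordered)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    seed = bytearray()
    for _ in range(seed_len):                  # RC4 pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        seed.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(seed)


def symmetric_key_generator(key_seed, label=b"first-key"):
    """Module 3 stand-in: HMAC-SHA256 keyed by the key seed yields the first key."""
    return hmac.new(key_seed, label, hashlib.sha256).digest()


def derive_first_key(dynamic_code, device_key, app_key, mac):
    """Whole pipeline: unit 21 -> 221 -> 2221 -> 2222 -> module 3."""
    factor = static_seed_factor(device_key, app_key, mac)
    key_seed = rc4_key_seed(order_seed_source(scramble(factor, dynamic_code)))
    return symmetric_key_generator(key_seed)
```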
In one embodiment, as shown in Figure 8, the data transmission security control device further comprises:
a second key determining module 5, for generating the second key according to the dynamic code and the scrambling algorithm.
In one embodiment, as shown in Figure 8, the data transmission security control device further comprises:
an alternating key selection module 6, for alternately using the first key and the second key for data encryption or decryption according to the first-class encryption pattern when the first-class encryption pattern generated by the server is received;
or
a single key selection module 7, for performing data encryption or decryption using the first key according to the second-class encryption pattern when the second-class encryption pattern generated by the server is received;
wherein the first-class encryption pattern is generated by the server when it determines that the target network node terminal is overloaded, and the second-class encryption pattern is generated by the server when it determines that the target network node terminal is not overloaded.
An embodiment of the present application also provides a data transmission security control device, as shown in Figure 12, comprising:
a dynamic code sending module 100, for sending a dynamic code to the target network node terminal so that the target network terminal generates a first key according to the dynamic code and the configuration information of the target network node terminal, the first key being used by the target network node terminal for data encryption or decryption.
In one embodiment, as shown in Figure 12, the data transmission security control device further comprises:
a selection parameter obtaining module 200, for obtaining the configuration information of the target network node terminal;
an excess-load judgement module 300, for judging, according to the configuration information of the target network node terminal, whether the target network node terminal is overloaded;
a first operating mode selection module 400, for generating and sending a first-class encryption pattern to the target network node terminal when it is determined that the target network node terminal is overloaded, the first-class encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a first preset rule;
a second operating mode selection module 500, for generating and sending a second-class encryption pattern to the target network node terminal when it is determined that the target network node terminal is not overloaded, the second-class encryption pattern instructing the target network node terminal to perform data encryption or decryption according to a second preset rule;
wherein the terminal processing capability required to perform data encryption or decryption according to the first preset rule is lower than the terminal processing capability required to perform data encryption or decryption according to the second preset rule.
In one embodiment, the key management control device further comprises:
a dynamic code update module, for updating the dynamic code before each network connection is disconnected; or updating the dynamic code periodically; or updating the dynamic code when a first update request command sent by the target network node terminal is received. Updating the dynamic code through the dynamic code update module further improves data transmission security.
In one embodiment, the key management control device further comprises:
an encryption pattern update module, for updating the first-class encryption pattern and the second-class encryption pattern before each network connection is disconnected; or updating the first-class and second-class encryption patterns periodically; or updating the first-class and second-class encryption patterns when a second update request command sent by the target network node terminal is received; or updating the first-class and second-class encryption patterns when a keepalive timer expires. Updating the first-class and second-class encryption patterns through the encryption pattern update module adjusts the key management control scheme intermittently according to the processing capability of the target network node terminal, keeping the target network node terminal in a good working state.
It should be noted that the modules in the above data transmission security control device may be implemented fully or partly by software, hardware or a combination thereof. Each module may be embedded in hardware form in, or independent of, the processor of a computer device, or stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal or a server and whose internal structure may be as shown in Figure 13. The computer device comprises a processor, a memory, a network interface, a display screen and an input unit connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device comprises a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The network interface of the computer device communicates with external terminals through a network connection. The computer program, when executed by the processor, implements a data transmission security control method. The display screen of the computer device may be a liquid crystal display or an electronic ink display; the input unit may be a touch layer covering the display screen, a key, trackball or touchpad provided on the housing of the computer device, or an external keyboard, touchpad, mouse or the like.
Those skilled in the art will understand that the structure shown in Figure 13 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
A computer device provided by the embodiments of the present application comprises a memory and a processor, the memory storing a computer program, and the processor, when executing the computer program, performing the following steps:
S10: obtaining the dynamic code sent by the server;
S20: generating a key seed according to the dynamic code, the configuration information of the target network node terminal and the key seed generating algorithm;
S30: inputting the key seed to the symmetric key generator and obtaining the first key generated by the symmetric key generator;
S40: performing data encryption or decryption using the first key.
The meanings of terms such as the data to be encrypted are the same as in the data transmission security control method above and are not repeated here. The computer device may be a server or a terminal and can communicate with every network node terminal in the intelligent Internet of Things. Specifically, the computer device provided by the embodiments uses a dynamic code such as a pseudo-random noise code together with the configuration information of the target network node terminal to obtain a key seed that can be updated and changed, uses that key seed as the input of the symmetric key generator, and obtains the first key. The first key can be updated according to settings chosen by the user, for example before each TCP/IP connection is disconnected, by a forced update from the computer device (server), or by the terminal actively applying to the computer device (server) for an update when it is idle. Compared with the key obtained by a traditional symmetric key generator, the security of the data on the Internet of Things terminals and similar devices to which it is applied is higher at run time. It should be noted that the processor of the computer device provided by the embodiments may also implement the other steps of the data transmission security control method above when executing the computer program, achieving the same beneficial effects, which are not repeated here.
An Internet of Things system, as shown in Figure 1, includes:
a server 104, which includes a memory and a processor, the memory storing a computer program, and the processor implementing the steps of the server-side data transmission security control method described above when executing the computer program;
a plurality of terminals 102, each including a memory and a processor, the memory storing a computer program, wherein the processor of a target network terminal among the terminals implements the steps of the terminal-side data transmission security control method described above when executing the computer program.
The server 104 and each terminal 102 in the Internet of Things system provided by the embodiments of the present application can execute the steps of the method embodiments described above and achieve the same beneficial effects, which are not repeated here.
The present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following steps are performed:
S10: obtaining the dynamic code sent by the server;
S20: generating a key seed according to the dynamic code, the configuration information of the target network node terminal and a key seed generating algorithm;
S30: inputting the key seed to a symmetric key generator and obtaining the first key generated by the symmetric key generator;
S40: carrying out data encryption or decryption using the first key.
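The following is an added illustration of steps S10 to S30, as stated for both the computer equipment and the storage medium above; it is not code from the patent. It assumes the configuration information consists of a device management key, an application management key and the terminal's MAC address arranged in one preset order, and substitutes HMAC-SHA256 for the unspecified key seed generating algorithm and an HKDF-style expansion for the symmetric key generator; the server side is shown issuing one dynamic code per connection so that the same first key is derived on both ends and a replayed code is refused.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalConfig:
    """Constructed configuration information of a target network node terminal (assumed fields)."""
    device_mgmt_key: bytes
    app_mgmt_key: bytes
    mac_address: bytes  # six raw bytes


def static_seed_factor(cfg: TerminalConfig) -> bytes:
    """Arrange the configuration items in one fixed, preset order (the order is an assumption)."""
    return cfg.device_mgmt_key + cfg.app_mgmt_key + cfg.mac_address


def generate_key_seed(dynamic_code: bytes, cfg: TerminalConfig) -> bytes:
    """S20: key seed generating algorithm; here a keyed hash binding the dynamic code to the terminal."""
    return hmac.new(static_seed_factor(cfg), dynamic_code, hashlib.sha256).digest()


def symmetric_key_generator(seed: bytes, key_len: int = 32) -> bytes:
    """S30: stand-in symmetric key generator, an HKDF-style extract-then-expand over the seed."""
    prk = hmac.new(b"iot-first-key-salt", seed, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < key_len:
        block = hmac.new(prk, block + b"first-key" + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:key_len]


def terminal_first_key(dynamic_code: bytes, cfg: TerminalConfig) -> bytes:
    """Terminal side: S10 (dynamic code received) through S30, yielding the first key used in S40."""
    return symmetric_key_generator(generate_key_seed(dynamic_code, cfg))


class Server:
    """Server side: issues one dynamic code per connection and derives the matching first key."""

    def __init__(self) -> None:
        self.outstanding = set()  # dynamic codes issued but not yet consumed

    def new_dynamic_code(self) -> bytes:
        code = os.urandom(16)  # stand-in for the pseudo-random noise code mentioned in the text
        self.outstanding.add(code)
        return code

    def key_for(self, dynamic_code: bytes, cfg: TerminalConfig) -> bytes:
        # Each code is honoured once, so a replayed or unknown code never yields a key.
        if dynamic_code not in self.outstanding:
            raise ValueError("unknown or already consumed dynamic code")
        self.outstanding.remove(dynamic_code)
        return terminal_first_key(dynamic_code, cfg)
```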
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the embodiments described above can be completed by a computer program instructing the relevant hardware. The computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of each method described above. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or an external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM). When the computer program stored on the computer storage medium provided by the embodiments of the present application is executed by a processor, the steps of the data transmission security control method described above are likewise implemented, which is not repeated here.
The technical features of the embodiments described above may be combined arbitrarily. For brevity of description, not all possible combinations of the technical features of the embodiments described above are described; however, as long as there is no contradiction in the combination of these technical features, the combination should be considered to be within the scope of this specification.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not therefore be interpreted as limiting the scope of the patent of the present invention. It should be pointed out that those of ordinary skill in the art may make various modifications and improvements without departing from the concept of the present invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be subject to the appended claims.