CN110690966A

CN110690966A - Method, system, equipment and storage medium for connecting terminal and service server

Info

Publication number: CN110690966A
Application number: CN201911090515.4A
Authority: CN
Inventors: 杜珂
Original assignee: Jinmao Green Building Technology Co Ltd
Current assignee: Jinmao Green Building Technology Co Ltd
Priority date: 2019-11-08
Filing date: 2019-11-08
Publication date: 2020-01-14
Anticipated expiration: 2039-11-08
Also published as: CN110690966B

Abstract

The invention provides a method, a system, electronic equipment and a storage medium for connecting a terminal and a service server. The method comprises the following steps: the business server generates a first token to enable the security server to initialize a public key for generating a communication key; and sending a communication public key certificate to the function library; the service server acquires the session key and sends the session key and the communication public key certificate to the terminal; the terminal verifies that the communication public key certificate stored in the service server is consistent with the communication public key certificate in the function library and stores the communication public key certificate and the communication public key certificate in the local; and the security server receives the synchronous session command and the session key locally stored by the terminal and establishes the secure communication connection between the service server and the terminal. According to the scheme, the communication data are doubly encrypted, and the session key, the public key and the private key are stored in the function library of the security server and the terminal, so that the security of the communication data is ensured, the terminal and the intelligent equipment cannot be controlled by illegal personnel, and the private data of a user cannot be leaked.

Description

Method, system, equipment and storage medium for connecting terminal and service server

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a method, a system, an electronic device, and a storage medium for connecting a terminal and a service server.

Background

In the current big data era, smart home systems are increasingly applied, so that intelligent life is brought to users, the functions of the current intelligent equipment are more powerful, the users can use the smart home systems conveniently and quickly, and the smart home systems can be applied to ordinary families and also can be widely applied to scenes such as large business supermarkets, office buildings and the like in the foreseeable future.

At present, a user generally uses a terminal to perform related control on intelligent equipment of an intelligent home system, the terminal can directly control the intelligent equipment through gateway equipment under the condition that the terminal and the intelligent equipment are in the same local area network, and data interaction among all the equipment is safer due to the characteristics of the local area network; however, if the terminal and the intelligent device are not in the same local area network, the data interaction between the terminal and the intelligent device needs to be implemented through a wide area network (e.g., internet, mobile data, etc.) and a service server, and the risk of communication data being stolen during data transmission is relatively high.

At present, most of communication data between a terminal and a service server does not use a special encryption technology or only uses a few of communication data to use a simple encryption technology, so that the communication data is easily captured and decrypted in the data communication transmission process, thereby causing some serious losses caused by the fact that the terminal and intelligent equipment are operated by illegal personnel, and privacy data of a user can be leaked.

Disclosure of Invention

The invention provides a method, a system, electronic equipment and a storage medium for connecting a terminal and a service server, which solve the problems.

In order to solve the above technical problem, an embodiment of the present invention provides a method for connecting a terminal and a service server, which is applied to a secure communication system, where the secure communication system includes: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the safety server is the function library of the service server; the method comprises the following steps:

the business server generates a first token for identifying the business server and sends the first token to the security server so as to initialize the security server;

after the security server is initialized, a public key of a communication key is generated;

the security server sends a communication public key certificate and public parameters of the security server to the service server and sends the communication public key certificate to the function library;

the service server receives the public parameters and the communication public key certificate, stores the public parameters and the communication public key certificate locally, and sends the public parameters and the first token to the terminal;

the terminal sends the public parameter and the first token to the function library so as to initialize the function library;

the terminal applies for a certificate exchange instruction to the function library and sends the certificate exchange instruction to the service server;

after receiving the certificate exchange instruction, the service server acquires a session key generated by the security server from the security server and sends the session key and a communication public key certificate stored in the service server to the terminal;

the terminal receives the session key and the communication public key certificate stored by the service server, verifies whether the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library, and stores the session key and the communication public key certificate stored by the service server locally under the condition that the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library;

the terminal sends the communication public key certificate stored locally to the function library to acquire a synchronous session instruction, and sends the synchronous session instruction and a session key stored locally to the security server;

and the security server receives a synchronous session instruction and a session key sent by the terminal and establishes first secure communication connection between the service server and the terminal.

Optionally, the receiving, by the security server, the synchronous session instruction and the session key sent by the terminal, and establishing a first secure communication connection between the service server and the terminal includes:

the security server receives a synchronous session instruction and a session key sent by the terminal and decrypts the session key sent by the terminal;

and the security server establishes first secure communication connection between the service server and the terminal according to the synchronous session instruction under the condition that the security server successfully decrypts the session key sent by the terminal.

Optionally, after establishing the first secure communication connection between the service server and the terminal, the method further includes:

the terminal sends the unique identification of the terminal to the function library;

the function library encrypts the unique identifier by adopting the session key to obtain an encrypted string of the unique identifier, and returns the encrypted string to the terminal;

the terminal sends the encrypted string to the security server;

the security server generates a second token corresponding to the encryption string and a private key of a communication key corresponding to the encryption string according to the encryption string and stores the second token and the private key;

the security server encrypts the second token and the private key by using the session key, and sends the encrypted second token and the encrypted private key to the terminal through the service server;

the terminal receives the encrypted second token and the private key, and stores the second token and the private key locally after decryption by using the function library;

and the terminal sends challenge information to the security server, wherein the challenge information is used for authentication operation of the security server so as to establish security connection between the terminal and the service server again.

Optionally, the sending, by the terminal, challenge information to the security server, where the challenge information is used for performing an authentication operation by the security server to establish a secure connection between the terminal and the service server again includes:

the security server double-encrypts the challenge information by using the session key and the public key and sends the double-encrypted challenge information to the terminal;

the terminal receives the challenge information after the double encryption and sends the challenge information and the local stored private key to the function library;

the function library signs the challenge information after decrypting the challenge information subjected to double encryption by using the session key and the private key, and returns the signed challenge information to the terminal after double encryption by using the session key and the private key;

the terminal sends the signed challenge information subjected to double encryption and the second token stored locally to the security server;

the security server decrypts the signed challenge information after the double encryption by using the session key and the public key, performs authentication operation and returns an authentication result;

and under the condition that the authentication result is correct, establishing second secure communication connection between the terminal and the service server so that the terminal and the service server establish secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction.

Optionally, the session key is time-limited, and in case that the time limit of the session key expires, the secure connection between the terminal and the service server is automatically interrupted, and the terminal and the service server re-execute the method of any one of claims 1 to 4 to achieve the secure connection therebetween.

Optionally, in a case that the time limit of the session key has not expired, when the secure connection between the terminal and the service server is interrupted and needs to be connected again, the terminal does not perform the following steps:

the terminal sends the encrypted string to the security server;

the security server generates a second token corresponding to the encryption string and a private key of communication corresponding to the encryption string according to the encryption string and stores the second token and the private key;

and the terminal receives the encrypted second token and the private key, decrypts by using the function library, and stores the second token and the private key locally.

The embodiment of the invention also provides a system for connecting the terminal and the service server, which comprises: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the safety server is the function library of the service server;

the service server comprises: the system comprises a first token generation module, a receiving and storing module, a session key acquisition module and a transmission module;

a first token generation module, configured to generate a first token that identifies the service server, and send the first token to the security server, so that the security server initializes;

the receiving and storing module is used for receiving the public parameter and the communication public key certificate, storing the public parameter and the communication public key certificate in the local of the service server, and sending the public parameter and the first token to the terminal;

a session key acquiring and sending module, configured to acquire, after receiving the certificate exchange instruction, a session key generated by the security server from the security server, and send the session key and a communication public key certificate stored in the security server to the terminal;

the security server includes: the system comprises a public key generating module, a public key certificate and public parameter sending module and a verification establishing module;

the public key generating module is used for generating a public key of the communication key after initialization;

a public key certificate and public parameter sending module, configured to send a communication public key certificate and public parameters of the security server to the service server, and send the communication public key certificate to the function library;

the verification establishing module is used for receiving a synchronous session instruction and a session key sent by the terminal and establishing first safe communication connection between the service server and the terminal;

the terminal includes: the system comprises an initialization function library module, an application exchange certificate instruction module, a verification storage module and an acquisition synchronization session instruction module;

an initialization function library module for sending the common parameters and the first token to the function library to initialize the function library;

the application exchange certificate instruction module is used for the terminal to apply an exchange certificate instruction to the function library and send the exchange certificate instruction to the service server;

the verification storage module is used for receiving the session key and the communication public key certificate stored by the service server, verifying whether the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library or not, and storing the session key and the communication public key certificate stored by the service server locally under the condition that the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library;

and the acquisition synchronization session instruction module is used for sending the locally stored communication public key certificate to the function library to acquire a synchronization session instruction, and sending the synchronization session instruction and the locally stored session key to the security server.

Optionally, the verification establishing module includes:

the verification submodule is used for receiving the synchronous session command and the session key sent by the terminal and decrypting the session key sent by the terminal;

and the establishing submodule is used for establishing the first-time safe communication connection between the service server and the terminal according to the synchronous session instruction under the condition that the security server successfully decrypts the session key sent by the terminal.

Optionally, the terminal further includes: the system comprises a unique identifier sending module, an encryption string generating module, an encryption string sending module, a decryption storage module, a challenge information sending module, a double encryption and private key sending module, a decryption signature and double encryption module and a signature and second token sending module;

the unique identifier sending module is used for sending the unique identifier of the unique identifier sending module to the function library;

the encryption string generation module is used for encrypting the unique identifier by the function library by adopting the session key to obtain an encryption string of the unique identifier and returning the encryption string to the terminal;

a send encryption string module for sending the encryption string to the security server;

the decryption storage module is used for receiving the encrypted second token and the private key, and storing the second token and the private key in the local after decryption by using the function library;

and the challenge information sending module is used for sending challenge information to the security server, wherein the challenge information is used for authentication operation of the security server so as to establish security connection between the terminal and the service server again.

The double encryption and private key sending module is used for receiving the challenge information subjected to double encryption and sending the challenge information and the private key stored locally to the function library;

the decryption signing and double encryption module is used for signing the challenge information after the function library decrypts the challenge information subjected to double encryption by using the session key and the private key, and returning the signed challenge information to the terminal after double encryption by using the session key and the private key;

the signature and second token sending module is used for sending the signed challenge information subjected to double encryption and the second token stored locally to the security server;

the security server further comprises: the system comprises a first token and private key generation module, a first token and private key encryption module, a double encryption sending module, an authentication module and a connection establishment module;

the generation second token and private key module is used for generating and storing a second token corresponding to the encryption string and a private key of a communication key corresponding to the encryption string according to the encryption string;

the second token and private key encryption module is used for encrypting the second token and the private key by using the session key and sending the encrypted second token and private key to the terminal through the service server;

the double encryption sending module is used for carrying out double encryption on the challenge information by utilizing the session key and the public key and sending the challenge information subjected to double encryption to the terminal;

the authentication module is used for decrypting the signed challenge information subjected to the double encryption by using the session key and the public key, performing authentication operation and returning an authentication result;

and the connection establishing module is used for establishing a second secure communication connection between the terminal and the service server under the condition that the authentication result is correct, so that the terminal and the service server establish a secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction.

Embodiments of the present invention also provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps in the method according to the present invention.

An embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, and when the processor executes the computer program, the electronic device implements the steps in the above-described method of the present invention.

The method for connecting the terminal and the service server is adopted, a function library of encryption and decryption technology for communication is embedded in the terminal side, the service server is specially used for encrypting and decrypting the communication by using a security server, namely the security server is the function library of the service server, the service server generates a first token and sends the first token to the security server, so that the security server initializes and generates a public key of a communication key, and then the security server sends self public parameters and a public key certificate to the service server and sends the public key certificate to the function library; the service server receives the public parameter and the public key certificate and stores the public parameter and the public key certificate locally, and sends the public parameter and the first token to the terminal, the terminal sends the public parameter and the first token to the function library, so as to initialize the function library, the terminal sends a command of exchanging certificates to the service server, the service server obtains the session key generated by the security server from the security server after receiving the command of exchanging certificates, the session key and the public key certificate stored by the terminal are sent to the terminal, the terminal receives the session key and the public key certificate stored by the service server, verifies that the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library, and stores the session key and the communication public key certificate stored by the service server locally, so that the uniqueness and the correctness of the binding between the terminal and the service server are ensured, and the function library of the security server and the function library of the terminal have the session key; and finally, the terminal sends a synchronous session instruction and a session key stored locally to the security server, and the security server establishes the first secure communication connection between the service server and the terminal, so that the correctness and consistency of the session key owned by the security server and the function library of the terminal are ensured. By the method, the service server and the terminal are connected safely and reliably for the first time, then data interaction between the terminal and the service server is based on the encryption technology of the session key, the communication safety of the service server and the terminal is ensured, and even if data information is captured in the data communication transmission process, the session key cannot be decrypted because the session key is stored in the function library and the safety server during initialization, so that the safety of communication data is ensured, and the private data of a user cannot be leaked.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.

Fig. 1 is a flowchart of a method for connecting a terminal and a service server according to an embodiment of the present invention;

fig. 2 is a flowchart of a method for establishing a connection between a service server and a terminal again according to an embodiment of the present invention;

FIG. 3 is a flowchart illustrating step 207 of the present invention;

fig. 4 is a block diagram of a system for connecting a terminal and a service server according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The inventor finds that at present, when data interaction between a terminal and an intelligent device needs to be realized through a wide area network (such as the internet, mobile data and the like) and a service server, the risk that communication data is stolen in the data transmission process is high.

The above situation is that some data communication between the terminal and the service server may use a simple encryption technology, and some data communication may not use an encryption technology, so that when a user uses the terminal to perform data communication interaction with the service server, communication data is more easily captured, and in addition, the communication data is not high in safety and is easily cracked, so that not only the terminal and the intelligent device can be operated by illegal personnel, but also the user privacy data is easily stolen.

In order to solve the above problems, the inventor of the present invention has conducted extensive research, creatively embeds a function library of an encryption and decryption technology for communication in a terminal side, uses a security server to exclusively encrypt and decrypt communication of a service server, and when the terminal is bound with the service server, the uniqueness and the correctness of the terminal and the service server are ensured, and the correctness and the consistency of session keys owned by the function library of the terminal and the security server are also ensured. Thereby establishing a secure and reliable connection. The embodiments of the present invention are specifically explained and illustrated below.

Fig. 1 shows a flowchart of a method for connecting a terminal and a service server according to an embodiment of the present invention, where the method is applied to a secure communication system, and the secure communication system includes: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the security server is a function library of the service server; the method for secure communication connection comprises the following steps:

step 101: the traffic server generates a first token identifying itself and sends the first token to the security server to cause the security server to initialize.

In the embodiment of the invention, the business server refers to a server built by a manufacturer for producing intelligent equipment; the invention is distinguished from the characteristic that the business server only completes all business operations, and separates the business data operation, processing and business data safety encryption, the business server is only responsible for processing various business data operation tasks, and the functions of the function library required by the safety encryption and decryption of the business data and the functions of completing the encryption and decryption are all independently completed by the safety server, thus greatly improving the safety of the communication data; the terminal is the equipment that can control intelligent home systems that the user used, and the user generally realizes controlling intelligent home systems in intelligent equipment such as cell-phone, computer through installing the APP that is provided by the producer of production intelligent equipment at present, and of course, also can provide the terminal that is used for controlling intelligent home systems by the producer of production intelligent equipment specially.

And the terminal is embedded with a function library which is mainly used for encrypting and decrypting communication data and providing instruction codes for managing and controlling the intelligent home system.

When the service server starts to be used, the service server generates a first token for identifying the service server, wherein the first token is the unique identifier of the service server and is used for the security server to identify and determine the service server, and after the service server generates the first token for identifying the service server, the first token is sent to the security server so that the security server is initialized.

In addition, it should be noted that, since the function library is embedded, any data received or sent by the function library needs to be transparently transmitted by the terminal embedded with the function library, and all operations related to data reception or sending by the function library in the description of the present invention include operations transparently transmitted by the terminal embedded with the function library, and for the sake of brevity of the description, they are not separately described.

Step 102: after the security server is initialized, a public key of the communication key is generated.

In the embodiment of the invention, after the security server is initialized, a public key of a communication key is generated, and the public key is a public key in an asymmetric encryption mode to be adopted during data communication between the terminal and the service server. It should be noted that the two steps performed between the service server and the security server must be completed before any service data operation is generated between the terminal and the service server, and if the two steps are not performed between the service server and the security server, the terminal has no way to perform any subsequent service data operation between the terminal and the service server.

Step 103: and the security server sends the communication public key certificate and the public parameters of the security server to the service server and sends the communication public key certificate to the function library.

In the embodiment of the invention, after the security server generates the public key of the communication key, the public parameter and the communication public key certificate of the security server are sent to the service server, the service server receives and stores the public parameter and the communication public key certificate of the security server sent by the security server, and meanwhile, the security server also sends the communication public key certificate to the function library of the terminal. The public parameters of the security server are parameters representing the contents of self identification, setting data, custom data and the like of the security server; the communication public key certificate is a certificate which is generated by the security server according to the public key and identifies the public key as the only own certificate.

Step 104: and the service server receives the public parameters and the communication public key certificate, stores the public parameters and the communication public key certificate locally, and sends the public parameters and the first token to the terminal.

In the embodiment of the invention, the service server receives the public parameter and the communication public key certificate sent by the security server and stores the public parameter and the communication public key certificate in the local part of the service server, and then sends the public parameter and the first token to the terminal, so that the function library of the terminal is used for initialization.

Step 105: the terminal sends the common parameters and the first token to the function library to initialize the function library.

In the embodiment of the invention, the terminal obtains the public parameters of the security server stored in the service server and the first token of the service server and then sends the public parameters and the first token to the function library embedded in the terminal, so that the function library is initialized, and the initialized function library can carry out subsequent work.

Step 106: and the terminal applies for a certificate exchange instruction to the function library and sends the certificate exchange instruction to the service server.

In the embodiment of the invention, after the function library is initialized, the terminal needs to apply for the certificate exchange instruction to the function library, the instruction is built in the function library in advance, the terminal can return to the terminal only by active application, and the terminal sends the certificate exchange instruction to the security server after receiving the certificate exchange instruction.

Step 107: and after receiving the command of exchanging the certificate, the service server acquires the session key generated by the security server from the security server and sends the session key and the communication public key certificate stored in the service server to the terminal.

In the embodiment of the invention, after receiving the command of exchanging the certificate, the service server sends the command to the security server, the security server generates the session key according to the command, and then the service server obtains the session key generated by the security server from the security server and sends the session key and the communication public key certificate stored by the service server to the terminal.

Step 108: and the terminal receives the session key and the communication public key certificate stored by the service server, verifies whether the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library or not, and stores the session key and the communication public key certificate stored by the service server locally under the condition that the session key and the communication public key certificate are consistent.

In the embodiment of the present invention, after receiving the session key sent by the service server and the communication public key certificate stored in the service server, the terminal verifies whether the communication public key certificate stored in the service server is consistent with the communication public key certificate sent from the security server in step 103, and stores the session key and the communication public key certificate stored in the service server locally when the two are consistent. If the communication public key certificate stored in the service server is verified by the terminal to be inconsistent with the communication public key certificate sent from the security server in step 103 (for example, an illegal person tampers with the communication public key certificate stored in the service server), the terminal will not store the session key and the communication public key certificate stored in the service server, the operation fails, and the user needs to perform step 101 to step 108 again until the verification is passed.

Through the process, the uniqueness and the correctness of the binding between the terminal and the service server are ensured, and the function libraries of the security server and the terminal both have the session key.

Step 109: and the terminal sends the locally stored communication public key certificate to the function library to acquire a synchronous session instruction, and sends the synchronous session instruction and the locally stored session key to the security server.

In the embodiment of the invention, after the terminal locally stores the session key and the communication public key certificate stored by the service server, the terminal sends the locally stored communication public key certificate to the embedded function library to obtain the synchronous session instruction, the synchronous session instruction is also embedded in the function library in advance, the terminal can return the locally stored communication public key certificate to the terminal only by actively sending the locally stored communication public key certificate, and after the terminal obtains the synchronous session instruction, the synchronous session instruction and the locally stored session key are sent to the security server.

Step 110: and the security server receives the synchronous session command and the session key sent by the terminal and establishes first secure communication connection between the service server and the terminal.

In the embodiment of the invention, after the security server receives the synchronous session command and the session key sent by the terminal, the first secure communication connection between the service server and the terminal is established through decrypting the session key under the condition of successfully decrypting the session key, so that the correctness and consistency of the session key owned by the function libraries of the security server and the terminal are ensured.

It should be noted that the session key in the embodiment of the present invention substantially refers to a session key index, and whether it is a function library or a secure server, the session key generated by various built-in functions and algorithms is stored in the respective function libraries, which cannot be leaked out, and the session key index is used for guiding the function libraries for encryption and decryption to find out which session key is specifically used, which is also generated through a series of algorithms.

For example: the security server encrypts communication data to be sent by using the session key generated by the H function and the E algorithm, and then sends the encrypted communication data and the session index 6 to a function library of the terminal, and after the function library receives the encrypted communication data, the function library firstly finds out the corresponding H function and the E algorithm which can be decrypted through the session key index 6, and then can decrypt the communication data. The purpose of the method is to improve the security of the communication data, if the communication data is captured by an illegal person, the illegal person does not have the H function and the E algorithm in the function library, and does not know which algorithm is specifically represented by the number 6, and the captured communication data cannot be cracked.

Optionally, step 110 specifically includes:

step s 1: and the security server receives the synchronous session command and the session key sent by the terminal and decrypts the session key sent by the terminal.

In the embodiment of the invention, after the security server receives the synchronous session command and the session key sent by the terminal, the security server firstly decrypts the session key sent by the terminal, and the purpose of this is to ensure that the session key is not tampered.

Step s 2: and the security server establishes the first secure communication connection between the service server and the terminal according to the synchronous session instruction under the condition that the session key sent by the terminal is successfully decrypted.

In the embodiment of the invention, the security server returns the successfully decrypted information to the service server under the condition of successfully decrypting the session key sent by the terminal, namely ensuring that the session key is not tampered, the service server establishes the first secure communication connection between the service server and the terminal according to the synchronous session instruction after receiving the information, and then the communication data between the service server and the terminal can be encrypted and decrypted by using the session key, thereby achieving the purpose of the secure communication connection between the service server and the terminal, and because the session key is a symmetric key, the symmetric key has the advantages of higher calculation speed, higher efficiency, less occupied resource space and the like, and in addition, the session key is stored in a function library of the security server and the terminal, even if the communication data is captured, the session key cannot be stolen to crack the communication data, therefore, the communication data between the service server and the terminal is safe and reliable, and the safety of the user privacy data is ensured.

Optionally, after establishing the first secure communication connection between the service server and the terminal, in order to further enhance the security of the communication data, the embodiment of the present invention further needs to perform asymmetric encryption on the communication data by using the public key and the private key of the communication key, and referring to fig. 2, it is shown that the specific steps include:

step 201: and the terminal sends the unique identification of the terminal to the function library.

In the embodiment of the invention, after the terminal establishes the first-time secure communication connection with the service server, the terminal sends the unique identifier (such as an MAC address) of the terminal to the function library, so that the function library encrypts the unique identifier.

It should be noted that, after the terminal establishes the first secure communication connection with the service server, the connection between the terminal and the service server may not be interrupted, if the connection between the terminal and the service server is interrupted, step 101 to step 110 need to be executed again from step 101, the secure communication connection between the terminal and the service server needs to be established again, then step 201 is executed again, and in the execution process of all the steps after step 201, if the connection between the terminal and the service server is interrupted, step 101 to step 110 need to be executed again from step 101, the secure communication connection between the terminal and the service server needs to be established again, and then the steps are executed again according to step 201 and the subsequent steps.

Step 202: and the function library encrypts the unique identifier by adopting the session key to obtain an encrypted string of the unique identifier, and returns the encrypted string to the terminal.

Step 203: the terminal sends the encrypted string to the security server.

In the embodiment of the invention, after the function library receives the unique identifier sent by the terminal, the function library encrypts the unique identifier by adopting the session key to obtain the encrypted string of the unique identifier, and the encrypted string is returned to the terminal, and then the terminal sends the encrypted string to the security server.

Step 204: and the security server generates a second token corresponding to the encrypted string and a private key of a communication key corresponding to the encrypted string according to the encrypted string and stores the second token and the private key.

In the embodiment of the invention, after the security server receives the encrypted string sent by the terminal, the security server generates the second token corresponding to the encrypted string and the private key of the communication key corresponding to the encrypted string according to the encrypted string and stores the second token and the private key, namely, the security server generates the second token corresponding to the unique identifier and the private key of the communication key corresponding to the unique identifier according to the unique identifier of the terminal. The original for doing so is: because the number of the terminals is huge, a private key corresponding to each terminal needs to be generated according to the unique identifier of each terminal, so that the security of communication data between each terminal and the service server can be ensured, if the used private keys of the communication keys are the same, once the private keys of the communication keys are tampered and cracked, all the communication data between all the terminals and the service server are stolen, and therefore, the way of generating the private key corresponding to each terminal according to the unique identifier of each terminal is adopted, and when the private keys of the communication keys are tampered and cracked, the occurrence of large area stealing of the communication data can be greatly reduced.

Step 205: and the security server encrypts the second token and the private key by using the session key and sends the encrypted second token and the encrypted private key to the terminal through the service server.

In the embodiment of the invention, after the security server generates the second token and the private key, the security server encrypts the second token and the private key by using the session key and sends the encrypted second token and the encrypted private key to the terminal.

Step 206: and the terminal receives the encrypted second token and the private key, decrypts the second token and the private key by using the function library, and stores the second token and the private key locally.

In the embodiment of the invention, the terminal receives the second token and the private key which are encrypted by the security server by using the session key, sends the second token and the private key to the function library, obtains the second token and the private key after decryption by using the function library, and stores the second token and the private key in the local. The terminal and the security server both have the public key and the private key of the communication key, then the communication data between the terminal and the service server can be doubly encrypted by the public key and the private key of the communication key on the basis of session key encryption, and the public key and the private key of the communication key are also stored in the function libraries of the security server and the terminal, so that the security of the communication data is further enhanced, and the possibility of cracking of the communication data capture is basically avoided.

It should be noted that the public key and the private key of the communication key are asymmetric keys, which has the advantages that the pair of keys has the disadvantages that any one of the two sides respectively stores one key and is lost, which does not cause information leakage, but has the disadvantages of low efficiency, more occupied resource space and the like.

Step 207: the terminal sends challenge information to the security server, and the challenge information is used for authentication operation of the security server so as to establish secure communication connection between the terminal and the service server again.

In the embodiment of the invention, after the terminal and the security server both have the public key and the private key of the communication key, in order to ensure that the terminal and the security server both have the public key and the private key of the communication key and that the public key and the private key of the communication key both correspond to each other correctly and uniquely, the security server is required to perform one authentication operation to achieve the purpose.

Therefore, after the terminal and the security server both possess the public key and the private key of the communication key, the terminal sends challenge information to the security server, the challenge information is used for authentication operation of the security server, after the authentication operation of the security server is finished and the information with correct authentication is returned, the service server and the terminal are considered to really complete establishment of the secure communication connection, namely, the secure communication connection between the terminal and the service server is established again, it can be understood that, the establishment of the secure communication connection between the terminal and the service server again means that the secure communication connection between the terminal and the service server is established again by adopting the encryption mode of the public key and the private key of the communication key on the basis of the establishment of the secure communication connection between the terminal and the service server by adopting the encryption mode of the session key for the first time, it does not mean that the communication connection between the terminal and the service server is established once again by interrupting the communication connection between the terminal and the service server.

Optionally, referring to fig. 3, step 207 specifically includes:

step 207 a: the security server double-encrypts the challenge information by using the session key and the public key, and sends the double-encrypted challenge information to the terminal.

In the embodiment of the invention, after the terminal and the security server both have the public key and the private key of the communication key, the terminal sends challenge information to the security server, and after receiving the challenge information, the security server performs double encryption on the challenge information by using the session key and the public key, and then sends the challenge information after double encryption to the terminal.

Step 207 b: and the terminal receives the challenge information subjected to double encryption and sends the challenge information and the locally stored private key to the function library.

Step 207 c: and the function library signs the challenge information after decrypting the doubly encrypted challenge information by using the session key and the private key, and returns the signed challenge information to the terminal after doubly encrypting the challenge information by using the session key and the private key.

In the embodiment of the invention, the terminal receives the challenge information which is sent by the security server after double encryption, the challenge information and a private key which is locally stored by the terminal are sent to the function library, the function library decrypts the challenge information which is subjected to double encryption by using the existing session key and the private key to obtain the challenge information of a plaintext, signs the challenge information of the plaintext, and returns the signed challenge information to the terminal after double encryption by using the session key and the private key.

If the function library cannot decrypt the challenge information after the double encryption by using the existing session key and private key, it indicates that the public key and private key of the communication key owned by both the terminal and the secure server are stolen and tampered, or the session key is stolen and tampered, or some steps of establishing secure communication connection between the terminal and the service server have problems, then the step 101 is executed again to the step 207.

Step 207 d: and the terminal sends the signed challenge information subjected to double encryption and a second token stored locally to the security server.

In the embodiment of the invention, the terminal receives the challenge information which is sent by the function library and subjected to double encryption and signature by the function library, and sends the challenge information and the second token locally stored by the terminal to the security server, so that the second token locally stored by the terminal is added, and the security of the communication data is further ensured.

Step 207 e: the security server decrypts the signed challenge information after double encryption by using the session key and the public key, performs authentication operation, and returns an authentication result.

In the embodiment of the invention, the security server receives the challenge information which is subjected to double encryption and signed by the function library, decrypts the challenge information which is subjected to double encryption and signed by the function library by using the session key and the public key of the security server to obtain the challenge information which is subjected to function library signature of a plaintext, then carries out authentication operation, and returns an authentication result to the service server.

Step 207 f: and under the condition that the authentication result is correct, the terminal establishes second secure communication connection with the service server, so that the terminal establishes secure connection with the service server again by using the session key, the public key and the private key to perform subsequent secure communication data interaction.

In the embodiment of the invention, the service server receives the authentication result returned by the security server, and under the condition that the authentication result is correct, the service server establishes the second secure communication connection with the terminal, so that the terminal and the service server establish the secure connection again by using the session key, the public key and the private key to perform subsequent secure communication data interaction.

If the service server receives that the authentication result returned by the security server is an authentication error, the process starts from step 101 to step 207 again.

It can be understood that, the terminal sends the challenge information, the authentication performed by the security server is equivalent to verifying whether the service server and the terminal correctly establish the second secure communication connection, and then all the communication data between the service server and the terminal are securely interacted according to the method of step 207.

Optionally, in this embodiment of the present invention, in order to further improve the security of the communication data between the service server and the terminal, the session key is set to have a time limit, when the time limit of the session key expires, the secure connection between the terminal and the service server is automatically interrupted, and assuming that the time limit of the session key is 875 seconds, after the first secure communication connection is established between the terminal and the service server for 875 seconds, the secure connection between the terminal and the service server is automatically interrupted, and the terminal and the service server need to re-execute the methods in steps 101 to 207 to implement the secure connection between the terminal and the service server.

If the secure connection between the terminal and the service server is interrupted and the connection is required again when the time limit of the session key has not expired, the terminal and the service server may directly execute step 207 without executing steps 201 to 206 after the execution of step 101 to step 110. That is, when the terminal establishes the first secure communication connection with the service server within 875 seconds, the terminal establishes the first secure communication connection with the service server for interruption, and needs to establish the secure communication connection again, after the terminal and the service server execute step 101 to step 110, step 201 to step 206 are not executed, and step 207 may be directly executed, but if the terminal establishes the first secure communication connection with the service server for interruption and the time duration when the secure communication connection is established again exceeds 875 seconds, the terminal and the service server still need to execute the methods of step 101 to step 207 again to realize the secure connection between the terminal and the service server.

In summary, the overall scheme of the invention is as follows: function libraries for encrypting and decrypting communication data are embedded in the terminal, and a security server is used for providing encryption and decryption services for a service server. Firstly, a business server generates a first token for identifying the business server and sends the first token to a security server, so that the security server is automatically initialized, after the security server is initialized, a public key of a communication key is generated, a public parameter of the business server and a public key of the communication key are sent to the business server, meanwhile, the public key of the communication key is sent to a function library of a terminal, the business server receives the public parameter and a communication public key certificate sent by the security server and stores the public parameter and the communication public key certificate in the local of the business server, then the public parameter and the first token are sent to the terminal, and after the terminal obtains the public parameter of the security server and the first token of the business server stored in the business server, the public parameter and the first token of the business server are sent to.

After the function library is initialized, the terminal needs to apply for a command of exchanging a certificate to the function library, the terminal receives the command of exchanging the certificate and then sends the command of exchanging the certificate to the security server, the security server receives the command of exchanging the certificate and then generates a session key according to the command, after the generation of the session key is completed, the session key is returned to the service server, the service server sends the session key and a communication public key certificate stored in the service server to the terminal, after the terminal receives the session key sent by the service server and the communication public key certificate stored in the service server, whether the communication public key certificate stored in the service server is consistent with the communication public key certificate in the function library is verified, and under the condition that the session key and the communication public key certificate stored in the service server are consistent, the terminal stores the session key and the communication public key certificate stored in the service server in the local, and then sends the, the method comprises the steps that a synchronous session instruction is obtained, after the terminal obtains the synchronous session instruction, the synchronous session instruction and a session key stored locally are sent to a security server, the security server receives the synchronous session instruction and the session key sent by the terminal, the security server returns successfully decrypted information to a service server under the condition that the session key sent by the terminal is successfully decrypted, and after the service server receives the information, first-time secure communication connection between the service server and the terminal is established according to the synchronous session instruction.

After the terminal establishes first secure communication connection with the service server, the terminal sends a unique identifier (such as an MAC address and the like) of the terminal to the secure server, the function library encrypts the unique identifier by using a session key after receiving the unique identifier sent by the terminal to obtain an encrypted string of the unique identifier, the encrypted string is returned to the terminal and then sent to the secure server by the terminal, after the secure server receives the encrypted string sent by the terminal, the secure server generates a second token corresponding to the encrypted string and a private key of a communication key corresponding to the encrypted string according to the encrypted string and stores the second token and the private key of the communication key corresponding to the unique identifier, namely, the secure server generates the second token and the private key according to the unique identifier of the terminal, and after the secure server generates the second token and the private key, the secure server encrypts the second token and the private key by using the session key, and the terminal receives the second token and the private key which are encrypted by the security server by using the session key, sends the second token and the private key to the function library, obtains the second token and the private key after decryption by using the function library, and stores the second token and the private key locally.

After a terminal and a security server both have a public key and a private key of a communication key, the terminal sends challenge information to the security server, the security server receives the challenge information, double encrypts the challenge information by using a session key and the public key, returns the encrypted challenge information to a service server, sends the double encrypted challenge information to the terminal by the service server, the terminal receives the double encrypted challenge information sent by the service server, sends the double encrypted challenge information and a private key locally stored by the terminal to a function library, the function library decrypts the double encrypted challenge information by using the existing session key and the private key to obtain challenge information of a plaintext, signs the challenge information of the plaintext, doubly encrypts the signed challenge information by using the session key and the private key, and returns the challenge information to the terminal, and the terminal receives the challenge information signed by the function library after double encryption, sending the challenge information which is subjected to double encryption and signed by a function library to a security server, decrypting the challenge information which is subjected to double encryption and signed by the function library by using a session key and a public key by using the security server, obtaining the challenge information which is subjected to function library signature and is subjected to authentication operation, returning an authentication result to a service server, receiving the authentication result returned by the security server by the service server, and establishing second secure communication connection between the service server and the terminal under the condition that the authentication result is correct so that the terminal and the service server establish secure connection again by using the session key, the public key and the private key to perform subsequent communication data secure interaction.

Based on the scheme, when data interaction is carried out between the terminal and the service server, communication data are doubly encrypted, safety is greatly improved, and the session key, the public key and the private key of the communication key are all stored in the function library of the safety server and the function library of the terminal, so that even if data information is captured in the data communication transmission process, the session key, the public key and the private key of the communication key cannot be decrypted because the session key, the public key and the private key of the communication key are stored in the function library of the terminal and the safety server, safety of the communication data is guaranteed, the terminal and intelligent equipment cannot be controlled by illegal personnel, and privacy data of a user cannot be leaked.

Referring to fig. 4, a schematic diagram of a system for connecting a terminal and a service server according to an embodiment of the present invention is shown, where the system includes: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the security server is a function library of the service server;

wherein, the business server includes: the system comprises a first token generation module, a receiving and storing module, a session key acquisition module and a transmission module;

the security server includes: the system comprises a public key generating module, a public key certificate and public parameter sending module, a verification establishing module, a second token and private key generating module, a second token and private key encrypting module, a double encryption sending module, an authentication module and a connection establishing module;

the terminal includes: the system comprises an initialization function library module, an application exchange certificate instruction module, a verification storage module, an acquisition synchronization session instruction module, a unique identifier sending module, an encryption string generating module, an encryption string sending module, a decryption storage module, a challenge information sending module, a double encryption and private key sending module, a decryption signature and double encryption module and a signature and second token sending module;

specifically, the method comprises the following steps: the first token generation module is used for generating a first token for identifying the service server and sending the first token to the security server so as to initialize the security server;

the session key acquisition and transmission module is used for acquiring the session key generated by the security server from the security server after receiving the command of exchanging the certificate, and transmitting the session key and the communication public key certificate stored by the service server to the terminal;

the public key certificate and public parameter sending module is used for sending the communication public key certificate and the public parameters of the security server to the service server and sending the communication public key certificate to the function library;

the generation second token and private key module is used for generating and storing a second token corresponding to the encrypted string and a private key of a communication key corresponding to the encrypted string according to the encrypted string;

the authentication module is used for decrypting the signed challenge information subjected to double encryption by using the session key and the public key, performing authentication operation and returning an authentication result;

the connection establishing module is used for establishing secondary safe communication connection between the terminal and the service server under the condition that the authentication result is correct, so that the terminal and the service server establish safe connection again by using the session key, the public key and the private key to perform subsequent data safe interaction;

the initialization function library module is used for sending the common parameters and the first token to the function library so as to initialize the function library;

the application exchange certificate instruction module is used for the terminal to apply for an exchange certificate instruction to the function library and send the exchange certificate instruction to the service server;

the verification storage module is used for receiving the session key and the communication public key certificate stored by the service server, verifying whether the communication public key certificate stored by the service server is consistent with the communication public key certificate in the function library or not, and storing the session key and the communication public key certificate stored by the service server locally under the condition that the communication public key certificate stored by the service server is consistent with the communication public key certificate stored by the function library;

and the synchronous session acquisition instruction module is used for sending the locally stored communication public key certificate to the function library so as to acquire a synchronous session instruction and sending the synchronous session instruction and the locally stored session key to the security server.

The unique identifier sending module is used for sending the unique identifier of the terminal to the function library;

the encryption string sending module is used for sending the encryption string to the security server;

and the challenge information sending module is used for sending challenge information to the security server, and the challenge information is used for authentication operation of the security server so as to establish security connection between the terminal and the service server again.

The double encryption and private key sending module is used for receiving the challenge information subjected to double encryption and sending the challenge information and a private key stored by the terminal to the function library;

the decryption signature and double encryption module is used for signing the challenge information after the function library decrypts the challenge information subjected to double encryption by using the session key and the private key, and returning the signed challenge information to the terminal after double encryption by using the session key and the private key;

and the signature and second token sending module is used for sending the signed challenge information subjected to double encryption and the second token stored locally to the security server.

Optionally, the verification establishing module includes:

Based on the same inventive concept, another embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, performs the steps of the method as set forth in any one of the above.

Based on the same inventive concept, another embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, and when the processor executes the computer program, the electronic device implements the steps of the method according to any of the above embodiments of the present invention.

Through the embodiment, when the terminal and the service server are used, the scheme of the invention ensures the uniqueness and the correctness of the binding between the terminal and the service server, and ensures that the security server and the function library of the terminal both have the session key; the correctness and consistency of the session key owned by the function library of the security server and the terminal are ensured. By the method, the service server and the terminal establish safe and reliable connection for the first time, and then data interaction between the terminal and the service server is based on the encryption technology of the session key, so that the communication safety of the terminal and the service server is ensured; after establishing the first secure communication connection between the service server and the terminal, in order to further enhance the security of the communication data, the public key and the private key of the communication key are further used for asymmetrically encrypting the communication data, both the terminal and the secure server have the public key and the private key of the communication key, then the communication data between the terminal and the service server can be doubly encrypted by using the public key and the private key of the communication key on the basis of the encryption of the session key, and the session key, the public key and the private key of the communication key are all stored in the function libraries of the service server and the terminal, even if data information is captured in the data communication transmission process, the session key, the public key and the private key of the communication key cannot be decrypted because the session key, the public key and the private key of the communication key are stored in the function libraries of the service server and the terminal, thereby ensuring the security of the communication data, and preventing the terminal and the intelligent device from, the private data of the user is not revealed.

As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, herein, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims

1. A method for connecting a terminal and a service server is applied to a secure communication system, and the secure communication system comprises: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the safety server is the function library of the service server; the method comprises the following steps:

2. The method of claim 1, wherein the security server receives the synchronous session command and the session key sent by the terminal, and establishes a first secure communication connection between the service server and the terminal, and comprises:

3. The method according to claim 1, further comprising, after establishing the first secure communication connection between the service server and the terminal:

the terminal sends the encrypted string to the security server;

4. The method as claimed in claim 3, wherein the terminal sends challenge information to the security server, the challenge information being used for the security server to perform an authentication operation to establish a secure connection between the terminal and the service server again, including:

5. The method according to claim 4, wherein the session key has a time limit, and in case that the time limit of the session key expires, the secure connection between the terminal and the service server is automatically interrupted, and the terminal and the service server re-execute the method according to any one of claims 1 to 4 to realize the secure connection therebetween.

6. The method according to claim 4, wherein when the secure connection between the terminal and the service server is interrupted and the connection is needed again in case the time limit of the session key has not expired, the terminal does not perform the following steps:

the terminal sends the encrypted string to the security server;

7. A system for connecting a terminal to a service server, the system comprising: the system comprises a terminal, a service server and a security server; a function library is embedded in the terminal, and the safety server is the function library of the service server;

the receiving and storing module is used for receiving the public parameters and the communication public key certificate, storing the public parameters and the communication public key certificate locally, and sending the public parameters and the first token to the terminal;

8. The system of claim 7, wherein the authentication establishment module comprises:

and the establishing submodule is used for establishing the first-time secure communication connection between the service server and the terminal according to the synchronous session instruction under the condition that the secure server successfully decrypts the session key sent by the terminal.

9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.

10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executed implements the steps of the method according to any of claims 1-6.