CN111416718A - Method and device for receiving communication key, method and device for sending communication key - Google Patents


Publication number
CN111416718A
Authority
CN
China
Legal status
Pending
Application number
CN202010177883.9A
Other languages
Chinese (zh)
Inventor
陈熙俊
郑仲林
Current Assignee
Zhejiang Huaxiao Technology Co ltd
Original Assignee
Zhejiang Huaxiao Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Abstract

Embodiments of the invention provide a method and device for receiving a communication key and a method and device for sending a communication key. The receiving method comprises: sending an access request to a server, wherein the access request carries verification information that instructs the server to verify the identity of the access device; when the identity of the access device passes verification, sending public key information to the server, wherein the public key information is generated by the access device using a first encryption algorithm; and receiving a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device. This solves the problems in the related art that the encryption algorithms used for communication data have low security and low encryption and decryption efficiency.

Description

Method and device for receiving communication key, method and device for sending communication key
Technical Field
The present invention relates to the field of data communication technologies, and in particular, to a method and an apparatus for receiving a communication key, and a method and an apparatus for sending the communication key.
Background
With the rapid development of the Internet of Things, more and more communication devices access the network in a wired or wireless manner, enabling information exchange and resource sharing. However, the data delivered by these access devices is vulnerable to malicious hijacking and tampering by attackers. Once a security leak occurs, the user's private and other sensitive information can no longer be protected, which can cause immeasurable loss to the user.
Currently, embedded devices, wearable sensors, RFID devices, and the like are widely used in fields such as medical care, smart home, and environmental monitoring. The limited storage capacity and computing power of these devices raise the information security requirements between devices, while the encryption algorithms in the current related art have low security and a high probability of being cracked.
No reasonable solution currently exists for the low security and the low encryption and decryption efficiency of the encryption algorithms used for communication data in the related art.
Disclosure of Invention
Embodiments of the invention provide a method and device for receiving a communication key and a method and device for sending a communication key, so as to at least solve the problems in the related art that the encryption algorithms used for communication data have low security and low encryption and decryption efficiency.
According to an embodiment of the present invention, there is provided a method for receiving a communication key, including: sending an access request to a server, wherein the access request carries verification information, and the verification information instructs the server to verify the identity of the access device; when the identity of the access device passes verification, sending public key information to the server, wherein the public key information is generated by the access device using a first encryption algorithm; and receiving a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, sending public key information to the server when the identity of the access device passes verification includes: generating a matched pair of public key information and private key information using the first encryption algorithm, wherein the first encryption algorithm is an asymmetric encryption algorithm; and sending the public key information to the server.
Optionally, generating the pair of public key information and private key information using the first encryption algorithm includes: using an elliptic curve cryptography (ECC) algorithm to generate the pair of public key information and private key information according to different elliptic curve parameters and base points, wherein the elliptic curve parameters and base points of the ECC algorithm differ for the device numbers of different access devices.
Optionally, receiving the communication key sent by the server includes: receiving ciphertext information sent by the server, wherein the ciphertext information carries the communication key; and decrypting the ciphertext information with the private key information to obtain the communication key.
Optionally, after receiving the communication key sent by the server, the method further includes: sending key confirmation information to the server, wherein the key confirmation information indicates that the access device has successfully accessed the server; starting an expiration countdown for the communication key; when the expiration time of the communication key is reached, disconnecting the access device from the server; and sending the access request to the server again.
Optionally, the method further comprises: disconnecting the access device from the server and resending the access request information to the server when at least one of the following conditions occurs: a timeout occurs without confirmation of whether the access device passed authentication; authentication of the access device is confirmed to have failed; a timeout occurs without confirmation of whether the server received the public key information; the server is confirmed not to have received the public key information; no communication key is received from the server before a timeout; or the received communication key data is wrong.
According to another embodiment of the present invention, there is also provided a method for sending a communication key, including: receiving an access request sent by an access device, wherein the access request carries verification information, and the verification information instructs the server to verify the identity of the access device; when the identity of the access device passes verification, receiving public key information sent by the access device, wherein the public key information is generated by the access device using a first encryption algorithm; and sending a communication key to the access device according to a key request sent by the access device, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, after the communication key sent by the server is received, or after the communication key is sent to the access device, the method further includes: encrypting and/or decrypting the communication data using a second encryption algorithm and the communication key.
Optionally, encrypting and/or decrypting the communication data using the second encryption algorithm and the communication key comprises: encrypting and/or decrypting the communication data using a symmetric encryption algorithm and the communication key, wherein the symmetric encryption algorithm comprises a chip-based AES-128 encryption algorithm.
Optionally, the method further comprises: disconnecting the server from the access device when at least one of the following conditions occurs: a timeout occurs without confirmation of whether the access device received the communication key; after the access device is confirmed to have received the communication key, no communication data is received from the access device before a timeout; the communication data received from the access device is wrong; authentication of the access device is confirmed to have failed; no public key information is received from the access device before a timeout; or no key request is received from the access device before a timeout.
According to another embodiment of the present invention, there is also provided a receiving apparatus for a communication key, including:
a first sending module, configured to send an access request to a server, wherein the access request carries verification information, and the verification information instructs the server to verify the identity of the access device;
a second sending module, configured to send public key information to the server when the identity of the access device passes verification, wherein the public key information is generated by the access device using a first encryption algorithm;
a first receiving module, configured to receive a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, the second sending module includes:
a generating unit, configured to generate a matched pair of public key information and private key information using the first encryption algorithm, wherein the first encryption algorithm is an asymmetric encryption algorithm;
a sending unit, configured to send the public key information to the server.
Optionally, the generating unit includes:
a generating subunit, configured to use an elliptic curve cryptography (ECC) algorithm to generate the pair of public key information and private key information according to different elliptic curve parameters and base points, wherein the elliptic curve parameters and base points of the ECC algorithm differ for the device numbers of different access devices.
Optionally, the first receiving module includes:
a receiving unit, configured to receive ciphertext information sent by the server, wherein the ciphertext information carries the communication key;
a decryption unit, configured to decrypt the ciphertext information with the private key information to obtain the communication key.
Optionally, the apparatus further comprises:
a confirmation module, configured to send key confirmation information to the server, wherein the key confirmation information indicates that the access device has successfully accessed the server;
a starting module, configured to start an expiration countdown for the communication key;
a first disconnection module, configured to disconnect the access device from the server when the expiration time of the communication key is reached;
the first sending module is further configured to resend the access request to the server.
Optionally, the apparatus further comprises:
a second disconnection module, configured to disconnect the access device from the server and resend the access request information to the server when at least one of the following conditions occurs: a timeout occurs without confirmation of whether the access device passed authentication; authentication of the access device is confirmed to have failed; a timeout occurs without confirmation of whether the server received the public key information; the server is confirmed not to have received the public key information; no communication key is received from the server before a timeout; or the received communication key data is wrong.
Optionally, the apparatus further comprises:
a first encryption and decryption module, configured to encrypt and/or decrypt the communication data using a second encryption algorithm and the communication key.
According to another embodiment of the present invention, there is also provided a communication key transmitting apparatus, including:
a second receiving module, configured to receive an access request sent by an access device, where the access request carries authentication information, and the authentication information is used to instruct the server to authenticate an identity of the access device;
a third receiving module, configured to receive public key information sent by the access device when the identity of the access device passes verification, where the public key information is information generated by the access device using a first encryption algorithm;
and a third sending module, configured to send a communication key to the access device according to a key request sent by the access device, where the communication key is carried in a ciphertext, the ciphertext is obtained by the server by encrypting the communication key using the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, the apparatus further comprises:
and the second encryption and decryption module is used for encrypting and/or decrypting the communication data by using a second encryption algorithm and the communication key.
Optionally, the apparatus further comprises:
a third disconnection module, configured to disconnect the server from the access device when at least one of the following conditions occurs: a timeout occurs without confirmation of whether the access device received the communication key; after the access device is confirmed to have received the communication key, no communication data is received from the access device before a timeout; the communication data received from the access device is wrong; authentication of the access device is confirmed to have failed; no public key information is received from the access device before a timeout; or no key request is received from the access device before a timeout.
According to another embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to another embodiment of the present invention, there is also provided an electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the steps of any of the above method embodiments.
According to the embodiment of the invention, the access device generates a matched pair of public and private keys. The public key is sent to the server, the server encrypts the communication key with the public key to generate a ciphertext, the ciphertext is sent to the access device, and the access device decrypts the ciphertext with the private key to obtain the communication key. At this point the server and the access device hold the same communication key, which completes the access stage. In the subsequent data communication process, the communication key is used to encrypt the communication data, and a symmetric encryption algorithm is used to encrypt and decrypt the communication data. This solves the problems in the related art that the encryption algorithms used for communication data have low security and low encryption and decryption efficiency, and effectively improves security during data communication.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of the hardware structure of a mobile terminal for a method for receiving a communication key according to an embodiment of the present invention;
FIG. 2 is a flowchart of an optional method for receiving a communication key according to an embodiment of the present invention;
FIG. 3 is a flowchart of an optional method for sending a communication key according to an embodiment of the present invention;
FIG. 4 is a data interaction flow diagram of an optional device access stage according to an embodiment of the present invention;
FIG. 5 is an interaction flow diagram of an optional data communication stage according to an embodiment of the present invention;
FIG. 6 is an AES-128 encryption schedule for an STM32L162 chip according to an embodiment of the invention;
FIG. 7 is a block diagram of an optional communication key receiving device according to an embodiment of the present invention;
FIG. 8 is a block diagram of an optional communication key sending device according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the operation on the mobile terminal as an example, fig. 1 is a hardware structure block diagram of the mobile terminal of a method for receiving a communication key according to an embodiment of the present invention. As shown in fig. 1, the mobile terminal 10 may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and does not limit the structure of the mobile terminal. For example, the mobile terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of application software, such as a computer program corresponding to the method for acquiring the scheduled throughput in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The embodiment of the invention provides a method for receiving a communication key. FIG. 2 is a flowchart of an optional method for receiving a communication key according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step S202: sending an access request to a server, wherein the access request carries verification information, and the verification information instructs the server to verify the identity of the access device;
Step S204: when the identity of the access device passes verification, sending public key information to the server, wherein the public key information is generated by the access device using a first encryption algorithm;
Step S206: receiving a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device.
With this method, the access device generates a matched pair of public and private keys. The public key is sent to the server, the server encrypts the communication key with the public key to generate a ciphertext, the ciphertext is sent to the access device, and the access device decrypts the ciphertext with the private key to obtain the communication key. At this point the server and the access device hold the same communication key, which completes the access stage. In the subsequent data communication process, the communication key is used to encrypt the communication data, and a symmetric encryption algorithm is used to encrypt and decrypt the communication data. This solves the problems in the related art that the encryption algorithms used for communication data have low security and low encryption and decryption efficiency, and effectively improves security during data communication.
Optionally, sending public key information to the server when the verification information passes verification includes: generating a matched pair of public key information and private key information using the first encryption algorithm, wherein the first encryption algorithm is an asymmetric encryption algorithm; and sending the public key information to the server.
Optionally, generating the pair of public key information and private key information using the first encryption algorithm comprises: using an elliptic curve cryptography (ECC) algorithm to generate the pair of public key information and private key information according to different elliptic curve parameters and base points, wherein the elliptic curve parameters and base points of the ECC algorithm differ for the device numbers of different access devices.
Optionally, receiving the communication key sent by the server includes: receiving ciphertext information sent by the server, wherein the ciphertext information carries the communication key; and decrypting the ciphertext information with the private key information to obtain the communication key.
Optionally, after receiving the communication key sent by the server, the method further includes: sending key confirmation information to the server, wherein the key confirmation information indicates that the access device has successfully accessed the server; starting an expiration countdown for the communication key; when the expiration time of the communication key is reached, disconnecting the access device from the server; and the access device sending the access request to the server again.
Optionally, the method further comprises: when at least one of the following conditions occurs, the access device disconnects from the server and sends the access request information to the server again: a timeout occurs without confirmation of whether the access device passed authentication; authentication of the access device is confirmed to have failed; a timeout occurs without confirmation of whether the server received the public key information; the server is confirmed not to have received the public key information; no communication key is received from the server before a timeout; or the received communication key data is wrong.
According to another embodiment of the invention, a method for sending a communication key is also provided. FIG. 3 is a flowchart of an optional method for sending a communication key according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
Step S302: receiving an access request sent by an access device, wherein the access request carries verification information, and the verification information instructs the server to verify the identity of the access device;
Step S304: when the identity of the access device passes verification, receiving public key information sent by the access device, wherein the public key information is generated by the access device using a first encryption algorithm;
Step S306: sending a communication key to the access device according to a key request sent by the access device, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key with the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, after the access device receives the communication key sent by the server, or after the server sends the communication key to the access device, the method further includes: encrypting and/or decrypting the communication data using a second encryption algorithm and the communication key.
Optionally, encrypting and/or decrypting the communication data using the second encryption algorithm and the communication key comprises: encrypting and/or decrypting the communication data using a symmetric encryption algorithm and the communication key, wherein the symmetric encryption algorithm comprises a chip-based AES-128 encryption algorithm.
Optionally, the method further comprises: the server disconnects from the access device when at least one of the following conditions occurs: a timeout occurs without confirmation of whether the access device received the communication key; after the access device is confirmed to have received the communication key, no communication data is received from the access device before a timeout; the communication data received from the access device is wrong; authentication of the access device is confirmed to have failed; no public key information is received from the access device before a timeout; or no key request is received from the access device before a timeout.
It should be noted that the ECC encryption algorithm can generate a matched pair of public and private keys. The key pair is generated by the access device: the public key is sent to the server, the server encrypts the communication key with the public key to produce a ciphertext and sends the ciphertext to the access device, and the access device decrypts the ciphertext with the private key to obtain the communication key. At this point the server and the access device hold the same communication key, and the access link is complete. In the subsequent data communication, the communication key is used to encrypt the communication data, and a symmetric encryption algorithm is used for encryption and decryption. The communication key in the embodiments of the invention may be a key distributed by the server for use in the communication stage after the device has successfully accessed the server, and the key may be based on a symmetric encryption algorithm or an asymmetric encryption algorithm.
In the embodiment of the invention, any device that meets the requirements can access the server, and devices from different manufacturers can access the same server platform. A fixed 2-byte vendor code may be set in the device number to distinguish the products of different vendors. Different vendor codes correspond to different elliptic curves and base points (equivalent to different initial encryption functions), so breaking the encryption algorithm of one manufacturer does not make it possible to decrypt all products in the system. After the server determines the device manufacturer from the device number, it decrypts the data using the elliptic curve and base point parameters of the ECC algorithm corresponding to that manufacturer.
In the embodiment of the invention, connecting a device to the server is divided into 2 stages: device access and device communication. The device access stage mainly confirms the device and distributes the communication key; in this stage the communication key is exchanged using an asymmetric encryption algorithm, which completes the sharing of the communication key. After device access is finished, the device uses the communication key and a symmetric encryption algorithm based on AES-128 to encrypt and decrypt the subsequent communication data. When communication is interrupted or the data returned during communication is erroneous, the access or communication flow is disconnected and the device must perform the access flow again, at which point a new communication key for symmetric encryption is generated.
Fig. 4 is a data interaction flowchart of an optional device access phase according to an embodiment of the present invention, and as shown in fig. 4, a process of accessing an access device to a server includes the following steps:
Step (1): the embedded device initiates the access process by sending its device number and authentication information to the server. The authentication information is calculated with a hash algorithm from the device number and the time.
Step (2): the server verifies the device number and the check value. If the verification fails, go to step (16) and disconnect the device. If the verification is correct, go to step (3).
Step (3): after the verification passes, the server sends information of successful verification to the device.
Step (4): the device waits for the confirmation information sent by the server. If the confirmation information is not received, or negative confirmation information is received, the authentication has failed: return to step (1) and restart the authentication. If the confirmation information is received, go to step (5).
Step (5): the device generates public key information and private key information based on the ECC algorithm and sends the public key information to the server. The ECC algorithm here corresponds to the first encryption algorithm described above.
Step (6): the server waits for the device to send the public key information. If the public key information is not received, go to step (16) and disconnect the device. If the verification is correct, go to step (7).
Step (7): the server returns confirmation information to the device, indicating that the public key information has been received.
Step (8): the device waits for the confirmation information sent by the server. If the confirmation information is not received, or negative confirmation information is received, the authentication has failed: return to step (1) and re-initiate the authentication. If the confirmation information is received, go to step (9).
Step (9): the device requests the server to distribute the communication key for the communication stage.
Step (10): the server waits for the communication key request sent by the device. If the wait times out or the received information is erroneous, go to step (16) and disconnect the device. If the verification is correct, go to step (11).
Step (11): the server first generates the communication key for the communication stage, which is a symmetric encryption key, encrypts the communication key with the public key received in step (6), and sends the resulting ciphertext to the device.
Step (12): the device waits for the server to send the ciphertext of the communication key, decrypts the ciphertext with the private key, and obtains the communication key for the communication stage. If the device times out while waiting or the received communication key data is erroneous, go to step (1) and restart the authentication. If the verification is correct, go to step (13).
Step (13): the device sends the server information that the communication key was received successfully.
Step (14): the server waits for the confirmation information sent by the device. If no data is received before timeout or the received data is erroneous, go to step (16) and disconnect the device. If the verification is correct, go to step (15).
Step (15): the server stores the communication key. Device access is finished, and subsequent data communication is encrypted and decrypted with the communication key.
Step (16): if the server does not receive the data or the received return data is incorrect, the server disconnects the device. The device can then re-initiate the device access procedure from step (1) and access the server again.
Fig. 5 is an interaction flowchart of an optional data communication stage according to an embodiment of the present invention. As shown in Fig. 5, in the communication stage the device or the server encrypts the plaintext to be transmitted with the communication key exchanged in the access stage, generating ciphertext information, and sends the ciphertext information to the receiving side; the receiving side likewise decrypts the data with the communication key to obtain the original plaintext. Data encryption at this stage can use a symmetric encryption method, so encryption and decryption are fast and communication delay is short.
Communication key expiry is maintained by the device side. After the device has successfully accessed the server, it starts a key expiry timer; when the key expiry time is reached, the device actively disconnects from the server and performs the access process again, at which point a new communication key is generated. In this case the server does not need to maintain the access time of each device, which reduces the server load.
For symmetric encryption in the communication stage, the scheme adopts a chip-based AES-128 encryption algorithm. The STMicroelectronics STM32L chip has a built-in AES-128 encryption and decryption module that encrypts and decrypts data quickly: at an operating frequency of 32 MHz, encrypting 128 bytes of data takes only 72 µs, so encryption and decryption are efficient. No external standalone encryption chip is used, which saves PCB layout space, avoids the risk of the encryption chip malfunctioning during tests such as electromagnetic compatibility, and improves the reliability of the system.
According to another embodiment of the present invention, there is also provided a receiving apparatus for a communication key, which is used to implement any one of the embodiments of the receiving method for a communication key described above, and the contents that have been described above are not repeated here. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 7 is a block diagram of an optional receiving apparatus for a communication key according to an embodiment of the present invention. As shown in Fig. 7, the apparatus includes:
a first sending module 702, configured to send an access request to a server, where the access request carries authentication information, and the authentication information is used to instruct the server to authenticate the identity of an access device;
a second sending module 704, configured to send public key information to a server when the identity of the access device passes verification, where the public key information is information generated by the access device using a first encryption algorithm;
a first receiving module 706, configured to receive a communication key sent by the server, where the communication key is carried in a ciphertext, the ciphertext is obtained by the server by encrypting the communication key using the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, the second sending module includes:
a generating unit, configured to generate a pair of public key information and private key information by using a first encryption algorithm, wherein the first encryption algorithm is an asymmetric encryption algorithm;
a sending unit, configured to send the public key information to the server.
Optionally, the generating unit includes:
a generating subunit, configured to generate a pair of public key information and private key information according to different elliptic curve parameters and base points by using an elliptic curve cryptography (ECC) algorithm, wherein the elliptic curve parameters and base points of the ECC algorithm differ for the device numbers of different access devices.
Optionally, the first receiving module includes:
a receiving unit, configured to receive ciphertext information sent by the server, wherein the ciphertext information carries the communication key;
a decryption unit, configured to decrypt the ciphertext information by using the private key information to obtain the communication key.
Optionally, the apparatus further comprises:
a confirmation module, configured to send key confirmation information to the server, wherein the key confirmation information indicates that the access device has successfully accessed the server;
a starting module, configured to start an expiry countdown for the communication key;
a first disconnection module, configured to disconnect the access device from the server when the expiry time of the communication key is reached;
the first sending module is further configured to resend the access request to the server.
Optionally, the apparatus further comprises:
a second disconnection module, configured to disconnect the access device from the server and resend the access request information to the server when at least one of the following conditions occurs: it is not confirmed before timeout whether authentication of the access device has passed; it is confirmed that authentication of the access device has failed; it is not confirmed before timeout whether the server has received the public key information; it is confirmed that the server has not received the public key information; the communication key sent by the server is not received before timeout; the received communication key data is erroneous.
Optionally, the apparatus further comprises:
a first encryption and decryption module, configured to encrypt and/or decrypt the communication data by using a second encryption algorithm and the communication key.
According to another embodiment of the present invention, there is also provided a communication key sending apparatus. Fig. 8 is a block diagram of an optional communication key sending apparatus according to an embodiment of the present invention. As shown in Fig. 8, the apparatus includes:
a second receiving module 802, configured to receive an access request sent by an access device, where the access request carries authentication information, and the authentication information is used to instruct the server to authenticate an identity of the access device;
a third receiving module 804, configured to receive public key information sent by the access device when the identity of the access device passes verification, where the public key information is information generated by the access device using a first encryption algorithm;
a third sending module 806, configured to send a communication key to the access device according to a key request sent by the access device, where the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key using the public key information, and the communication key is used to encrypt communication data between the server and the access device.
Optionally, the apparatus further comprises:
a second encryption and decryption module, configured to encrypt and/or decrypt the communication data by using a second encryption algorithm and the communication key.
Optionally, the apparatus further comprises:
a third disconnection module, configured to disconnect the server from the access device when at least one of the following conditions occurs: it is not confirmed whether the access device has received the communication key; after it is confirmed that the access device has received the communication key, no communication data sent by the access device is received before timeout; the received communication data sent by the access device is erroneous; it is confirmed that authentication of the access device has failed; the public key information sent by the access device is not received before timeout; the key request sent by the access device is not received before timeout.
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, sending an access request to the server, wherein the access request carries verification information, and the verification information is used for instructing the server to verify the identity of the access device;
S2, when the identity of the access device passes the verification, sending public key information to the server, wherein the public key information is generated by the access device by using a first encryption algorithm;
S3, receiving the communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key by using the public key information, and the communication key is used for encrypting communication data between the server and the access device.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S11, receiving an access request sent by the access device, wherein the access request carries verification information, and the verification information is used for instructing the server to verify the identity of the access device;
S12, when the identity of the access device passes the verification, receiving public key information sent by the access device, wherein the public key information is generated by the access device by using a first encryption algorithm;
S13, sending a communication key to the access device according to the key request sent by the access device, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key by using the public key information, and the communication key is used for encrypting communication data between the server and the access device.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, sending an access request to the server, wherein the access request carries verification information, and the verification information is used for instructing the server to verify the identity of the access device;
S2, when the identity of the access device passes the verification, sending public key information to the server, wherein the public key information is generated by the access device by using a first encryption algorithm;
S3, receiving the communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key by using the public key information, and the communication key is used for encrypting communication data between the server and the access device.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S11, receiving an access request sent by the access device, wherein the access request carries verification information, and the verification information is used for instructing the server to verify the identity of the access device;
S12, when the identity of the access device passes the verification, receiving public key information sent by the access device, wherein the public key information is generated by the access device by using a first encryption algorithm;
S13, sending a communication key to the access device according to the key request sent by the access device, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server encrypting the communication key by using the public key information, and the communication key is used for encrypting communication data between the server and the access device.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementation manners, and details of this embodiment are not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A method for receiving a communication key, comprising:
sending an access request to a server, wherein the access request carries verification information, and the verification information is used for indicating the server to verify the identity of access equipment;
when the identity of the access equipment passes verification, public key information is sent to a server, wherein the public key information is information generated by the access equipment by using a first encryption algorithm;
and receiving a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by encrypting the communication key by using the public key information by the server, and the communication key is used for encrypting communication data between the server and the access equipment.
2. The method of claim 1, wherein sending public key information to a server when the identity of the access device is verified comprises:
generating a pair of public key information and private key information by using a first encryption algorithm, wherein the first encryption algorithm is an asymmetric encryption algorithm;
and sending the public key information to the server.
3. The method of claim 2, wherein generating a pair of public key information and private key information using a first encryption algorithm comprises:
using an elliptic curve cryptography (ECC) algorithm to generate a pair of public key information and private key information according to different elliptic curve parameters and base points, wherein the elliptic curve parameters and base points of the ECC algorithm differ for the device numbers of different access devices.
4. The method of claim 2, wherein receiving the communication key sent by the server comprises:
receiving ciphertext information sent by the server, wherein the ciphertext information carries the communication key;
and decrypting the ciphertext information by using the private key information to obtain the communication key.
5. The method of claim 1, wherein after receiving the communication key sent by the server, the method further comprises:
sending key confirmation information to the server, wherein the key confirmation information indicates that the access device has successfully accessed the server;
starting an expiry countdown for the communication key;
disconnecting the access device from the server when the expiry time of the communication key is reached;
and sending the access request to the server again.
6. The method according to any one of claims 1 to 5, further comprising:
disconnecting the access device from the server and resending the access request information to the server when at least one of the following conditions occurs:
it is not confirmed before timeout whether authentication of the access device has passed;
it is confirmed that authentication of the access device has failed;
it is not confirmed before timeout whether the server has received the public key information;
it is confirmed that the server has not received the public key information;
the communication key sent by the server is not received before timeout;
and the received communication key data is erroneous.
7. A method for sending a communication key, comprising:
receiving an access request sent by access equipment, wherein the access request carries verification information, and the verification information is used for indicating a server to verify the identity of the access equipment;
when the identity of the access equipment passes verification, public key information sent by the access equipment is received, wherein the public key information is information generated by the access equipment by using a first encryption algorithm;
and sending a communication key to the access equipment according to the key request sent by the access equipment, wherein the communication key is carried in a cipher text, the cipher text is obtained by encrypting the communication key by the server by using the public key information, and the communication key is used for encrypting communication data between the server and the access equipment.
8. The method of claim 1 or 7, wherein after receiving the communication key sent by the server or after sending the communication key to the access device, the method further comprises:
and encrypting and/or decrypting the communication data by using a second encryption algorithm and the communication key.
9. The method of claim 8, wherein encrypting and/or decrypting the communication data using a second encryption algorithm and the communication key comprises:
encrypting and/or decrypting the communication data using a symmetric encryption algorithm and the communication key, wherein the symmetric encryption algorithm comprises a chip-based AES-128 encryption algorithm.
10. The method of claim 7, further comprising:
disconnecting the server from the access device when at least one of the following conditions occurs:
it is not confirmed whether the access device has received the communication key;
after it is confirmed that the access device has received the communication key, no communication data sent by the access device is received before timeout;
the received communication data sent by the access device is erroneous;
it is confirmed that authentication of the access device has failed;
the public key information sent by the access device is not received before timeout;
and the key request sent by the access device is not received before timeout.
11. A receiving apparatus for a communication key, comprising:
a first sending module, configured to send an access request to a server, wherein the access request carries verification information, and the verification information is used for instructing the server to verify the identity of an access device;
a second sending module, configured to send public key information to the server when the identity of the access device passes verification, wherein the public key information is information generated by the access device by using a first encryption algorithm;
and a first receiving module, configured to receive a communication key sent by the server, wherein the communication key is carried in a ciphertext, the ciphertext is obtained by the server by encrypting the communication key using the public key information, and the communication key is used to encrypt communication data between the server and the access device.
12. A communication key transmitting apparatus, comprising:
a second receiving module, configured to receive an access request sent by an access device, wherein the access request carries verification information, and the verification information is used for instructing a server to verify the identity of the access device;
a third receiving module, configured to receive public key information sent by the access device when the identity of the access device passes verification, where the public key information is information generated by the access device using a first encryption algorithm;
and a third sending module, configured to send a communication key to the access device according to a key request sent by the access device, where the communication key is carried in a ciphertext, the ciphertext is obtained by the server by encrypting the communication key using the public key information, and the communication key is used to encrypt communication data between the server and the access device.
13. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 10 when executed.
14. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 10.
CN202010177883.9A 2020-03-13 2020-03-13 Method and device for receiving communication key, method and device for sending communication key Pending CN111416718A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010177883.9A CN111416718A (en) 2020-03-13 2020-03-13 Method and device for receiving communication key, method and device for sending communication key

Publications (1)

Publication Number Publication Date
CN111416718A true CN111416718A (en) 2020-07-14

Family

ID=71494266

Country Status (1)

Country Link
CN (1) CN111416718A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112261103A (en) * 2020-10-16 2021-01-22 深圳市网心科技有限公司 Node access method and related equipment
CN113225352A (en) * 2021-05-28 2021-08-06 国网绿色能源有限公司 Data transmission method and device, electronic equipment and storage medium
CN116260653A (en) * 2023-03-20 2023-06-13 浪潮智慧科技有限公司 Data transmission method, device and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106101111A (en) * 2016-06-24 2016-11-09 郑州信大捷安信息技术股份有限公司 Vehicle electronics safe communication system and communication means
WO2016202130A1 (en) * 2015-06-17 2016-12-22 广州市巽腾信息科技有限公司 Device for image information collection and encryption method therefor
CN106357403A (en) * 2016-11-23 2017-01-25 神州融安科技(北京)有限公司 Device and method for encryption protection of link communication and safety message processing system
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN108173644A (en) * 2017-12-04 2018-06-15 珠海格力电器股份有限公司 Data transfer encryption method, device, storage medium, equipment and server
US20190253249A1 (en) * 2016-10-26 2019-08-15 Alibaba Group Holding Limited Data transmission method, apparatus and system
CN110659468A (en) * 2019-08-21 2020-01-07 江苏大学 File encryption and decryption system based on C/S architecture and speaker identification technology

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016202130A1 (en) * 2015-06-17 2016-12-22 广州市巽腾信息科技有限公司 Device for image information collection and encryption method therefor
CN106101111A (en) * 2016-06-24 2016-11-09 郑州信大捷安信息技术股份有限公司 Vehicle electronics safe communication system and communication means
US20190253249A1 (en) * 2016-10-26 2019-08-15 Alibaba Group Holding Limited Data transmission method, apparatus and system
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN106357403A (en) * 2016-11-23 2017-01-25 神州融安科技(北京)有限公司 Device and method for encryption protection of link communication and safety message processing system
CN108173644A (en) * 2017-12-04 2018-06-15 珠海格力电器股份有限公司 Data transfer encryption method, device, storage medium, equipment and server
CN110659468A (en) * 2019-08-21 2020-01-07 江苏大学 File encryption and decryption system based on C/S architecture and speaker identification technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Bo et al. (eds.): "E-Commerce Security", East China University of Science and Technology Press, pages: 50 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112261103A (en) * 2020-10-16 2021-01-22 深圳市网心科技有限公司 Node access method and related equipment
CN113225352A (en) * 2021-05-28 2021-08-06 国网绿色能源有限公司 Data transmission method and device, electronic equipment and storage medium
CN116260653A (en) * 2023-03-20 2023-06-13 浪潮智慧科技有限公司 Data transmission method, device and medium
CN116260653B (en) * 2023-03-20 2023-10-13 浪潮智慧科技有限公司 Data transmission method, device and medium

Similar Documents

Publication Publication Date Title
CN106537961B (en) Method and apparatus for installing configuration file of embedded universal integrated circuit card
CN106464499B (en) Communication network system, transmission node, reception node, message checking method, transmission method, and reception method
CN113497778B (en) Data transmission method and device
US11778458B2 (en) Network access authentication method and device
CN111416718A (en) Method and device for receiving communication key, method and device for sending communication key
CN106464690B (en) Security authentication method, configuration method and related equipment
EP2590356A1 (en) Method, device and system for authenticating gateway, node and server
CN105847247A (en) Authentication system and working method thereof
CN100512201C (en) Method for dealing inserted-requested message of business in groups
CN111935712A (en) Data transmission method, system and medium based on NB-IoT communication
CN111783068A (en) Device authentication method, system, electronic device and storage medium
CN111131300B (en) Communication method, terminal and server
CN107465994B (en) Service data transmission method, device and system
CN109729000B (en) Instant messaging method and device
CN101527714A (en) Method, device and system for accreditation
US20230171100A1 (en) Personalization of a secure element
CN111699706A (en) Master-slave system for communication over bluetooth low energy connections
CN105007163A (en) Pre-shared key (PSK) transmitting and acquiring methods and transmitting and acquiring devices
CN114520976A (en) Authentication method and device for user identity identification card and nonvolatile storage medium
CN114189863B (en) Binding method and device of intelligent door lock, storage medium and electronic device
CN112040484A (en) Password updating method and device, storage medium and electronic device
CN107819766A (en) Safety certifying method, system and computer-readable recording medium
CN111787514B (en) Method and device for acquiring equipment control data, storage medium and electronic device
CN110875902A (en) Communication method, device and system
CN114338132A (en) Secret-free login method, client application, operator server and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination