CN111447276A - Encryption continuous transmission method with key agreement function - Google Patents

Info

Publication number: CN111447276A
Authority: CN (China)
Prior art keywords: data, module, key, negotiation, encryption
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010227436.XA
Other languages: Chinese (zh)
Other versions: CN111447276B (en)
Inventors: 蒋睿, 郭学心, 蒋立霄
Current Assignee: Southeast University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Southeast University
Events: application filed by Southeast University; priority to CN202010227436.XA; publication of CN111447276A; application granted; publication of CN111447276B; current legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/0825 using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0869 involving random numbers or seeds
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3247 involving digital signatures
              • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an encryption continuous transmission (resumable encrypted transmission) method with a key agreement function. The system comprises a user key agreement module, a data processing and encryption module, a data decryption and verification module and a server key agreement module. The user key agreement module runs a protocol interaction with the server key agreement module to generate a session key; the data processing and encryption module groups the data and encrypts each group; the data decryption and verification module decrypts the data, reassembles it and verifies its integrity. The invention provides a secure, resumable communication method for transmitting data of different sizes across an insecure Internet network.

Description

Encryption continuous transmission method with key agreement function
Technical Field
The invention relates to the field of computer network communication and the field of information security, in particular to an encryption continuous transmission method with a key agreement function.
Background
At present, the file upload technology used in the mobile positioning system shares the common shortcoming of most file upload technologies: when a network failure occurs the data must be retransmitted, and confidentiality and integrity cannot be guaranteed during transmission, so the system lacks both security and efficiency. The file transmission technology studied in this patent is oriented to the open Internet, where many kinds of attacks exist and the security and efficiency of data transmitted over the network are threatened at all times. In recent years security incidents caused by data hijacking have been frequent: for example, AcFun suffered an information hijacking attack by hackers and tens of millions of user records were leaked, 800,000 records were stolen from a Swiss telecommunications company, and the medical software company MedEvolve had up to 200,000 records hijacked because of a server vulnerability. To achieve data security in a network, transmitted files or data must be obtainable only by users who meet the requirements, so authentication technology and encryption algorithms are applied to the data transmission technology: only qualified users can receive the data and correctly decrypt the ciphertext, which ensures the security of the transmitted data. At the same time, in the current network environment high efficiency is a commonly pursued goal, and breakpoint resume (continuous transmission) technology can ensure the efficiency of data in network transmission.
Therefore, aiming at the problems that the confidentiality and integrity of data transmitted over an open Internet network cannot be protected and that file transfer is inefficient, the invention develops an encryption continuous transmission method with a key negotiation function. It is applicable to file transfer systems handling data of different sizes and ensures both the efficiency and the security of those file transfer systems.
The patent 201610536678 discloses a data breakpoint continuous transmission method based on a linked-list structure. It solves the low efficiency of traditional data transmission systems under network failure, realises breakpoint resume of data, and can be used in environments that demand very high reliability of data transmission but have an uncertain network, such as wireless networks; the data sits at the application layer of the network protocol stack. However, this invention has the following drawbacks: first, the integrity of the transmitted data cannot be guaranteed; second, the transmission is carried out in plaintext, so the confidentiality of the data cannot be guaranteed; third, the identities of the two communicating parties cannot be authenticated during transmission.
Patent application 201610697034.X discloses a method and system for breakpoint resume of file downloads, which achieves breakpoint resume by controlling a preset life cycle of the file download address. The method comprises the following steps: step 1, create a download address list holding a first download address of the file, whose effective time point is a first life cycle; step 2, at preset intervals obtain a second download address for the file and judge whether the second life cycle of the second download address equals the first life cycle, and if not, enter step 3; step 3, associate the second download address with the first download address; step 4, when the download client downloads the file through the first download address, link the first download address to the second download address to download the file. After the user suddenly loses power or the file download is otherwise interrupted, the old address continues to be used for downloading, and the proxy module links the old address to the new address, so that the file with a life cycle continues to be downloaded from the download server. The invention has the following defects: first, the integrity of the transmitted data cannot be verified after transmission finishes; second, the identities of the two communicating parties cannot be confirmed; third, the transmission uses plaintext, which cannot ensure the confidentiality of the transmitted data.
Patent application 201611006503.5 discloses a dynamic window-based continuous transmission (DCW-ST) method for the case of traffic saturation in a small-scale visible light communication network. Based on an analysis of network throughput it obtains the dynamic contention window that maximises throughput, and based on an analysis of cycle delay it proposes a dynamic contention window adjustment method that balances throughput and delay; furthermore, according to the number of network nodes, it provides a continuous transmission scheme that reduces the access delay of the nodes, thereby balancing network throughput and delay. However, the invention has the following defects: first, the two data interaction parties cannot be authenticated before data transmission; second, the transmission is in plaintext, so security is low; third, when the network is disconnected or other emergencies occur, retransmission is needed, and the flexibility of the system is poor.
Patent application 201810094808.9 discloses a file breakpoint resume method in which the client obtains breakpoint information and resumes the file stream based on it: the client initiates a file upload request and a file check request; the server determines and stores the breakpoint position of the file; the client obtains the file breakpoint information; the server responds to the file stream resume request; and the client receives the file upload result identifier. The method saves upload time and network resources and ensures the accuracy and stability of file resume. However, the invention has the following defects: first, the identities of the two communicating parties cannot be confirmed before data transmission, and the integrity of the received data cannot be confirmed; second, the transmission is carried out in plaintext, so security is low.
Patent application 201811076270.5 discloses a data extraction method and system supporting breakpoint resume, built as a secondary development on the open-source ETL tool NiFi: a native processor supports data source configuration information, physical table configuration information and incremental extraction field configuration, and stores the current maximum value of the incremental field in the processor state.
Patent application 201811539333.6 discloses a method and device for download breakpoint resume, which addresses the prior-art problem that when a download is interrupted the whole video file must be downloaded again, wasting time and traffic. The method comprises the following steps: receive from a video recording system a plurality of surveillance videos matching a first video download request; when the recording system stops sending the first target surveillance video, match the received first target surveillance videos against a plurality of first surveillance video files, and determine the first surveillance video files that were not matched successfully as second surveillance video files; and send a second video download request to the video recording system through the server, the request carrying the start time and end time of the second target surveillance video. The invention has the following defects: first, the video download process cannot authenticate the download centre, and multiple sources cannot be confirmed; second, the video files are not encrypted during transmission, so security is low, and the completeness of the video cannot be guaranteed after transmission finishes.
Patent application 201811583080.2 discloses a cross-network breakpoint resume method and system, which controls the amount of concurrency through file fragmentation and asynchronous upload and thereby realises breakpoint resume. The front end encrypts the file to be uploaded to obtain a unique file identifier and sends it to the back end; the back end queries a database by the identifier and, if the file has already been uploaded, returns the file information to the front end directly; the front end fragments the file according to user-defined configuration to obtain fragment files; the front end uploads the fragments to the back end and displays the upload progress, re-uploading any fragment that fails; the back end receives the fragments and verifies their unique identifiers, returning an upload failure message to the front end if verification fails; if it succeeds, it checks whether all fragments have been uploaded, and once they have, merges them in fragment order, stores the complete file on a file server, returns the complete file information to the front end and stores it in the database. The method saves time, traffic and storage space. The invention has the following defects: first, identity authentication cannot be performed on the two transmission sides across the network; second, the transmission uses plaintext, which cannot ensure the confidentiality of the data.
Patent application 201811636717.X discloses a method for transmitting a file resumed at a breakpoint, comprising the following steps: 1) when the channel is interrupted, the sending end caches the file to be sent during the interruption to form a resume file; 2) when the channel recovers, the sending end sends the resume file to the receiving end frame by frame, and the receiving end checks each resume file it receives and feeds the check information back to the sending end; if the check is correct the sending end continues sending, and if it is wrong the last frame is sent again; when no resume file exists, the sending end sends test information to the receiving end, which feeds it back on receipt; when either end does not receive the other's information within the set time, the channel is restarted; 3) when the whole resume file has been transmitted, the sending end sends an end-of-file mark, and the receiving end verifies the length of the whole resume file and sends a correct confirmation; if an error occurs it sends an error confirmation and the whole process restarts. The invention allows the resume file to pass through firewalls and security isolation gatekeepers. It has the following defects: first, the data is transmitted in plaintext, and the integrity of the transmitted part cannot be ensured; second, the established channel cannot be identified, so the two parties cannot authenticate each other's identity.
Patent application 201910147368.3 discloses a breakpoint resume route data transmission system and method for unmanned vehicles, which solves the data discontinuity and information asynchrony of existing data transmission systems through real-time sampling, verification and continuous upload. The system comprises a server and a vehicle-mounted terminal: the terminal receives route data sent by the server, collects road condition and vehicle condition information while the vehicle runs and uploads it to the server; the server and the terminal act in turn as sending end and receiving end; the sending end comprises a data partitioning module, a data sending module and a signal detection module, and the receiving end comprises a data receiving module and a data verification module. The invention effectively ensures the continuity and real-time performance of route data transmission while the vehicle is driving, reduces transmission time and improves efficiency. However, it has the following defects: first, the integrity of the data cannot be verified; second, plaintext transmission is used, so the security of the route data cannot be guaranteed.
Patent application 201910485216.4 discloses a cloud-platform-based cluster big data breakpoint resume bid upload system comprising a client, a server and a cloud platform, the server being communicatively connected to both the client and the cloud platform. During bid document upload, the client responds to the selected bid file by sending an upload request to the server; the server identifies the number information and searches for a corresponding upload record. If one exists, the server retrieves the corresponding bid document information from the database and sends a resume request to the client; if not, the server sends an upload command and temporarily stores the bid document information once received. After receiving the bid information, the server uploads it to the cloud platform and deletes the temporary copy. With an upload information verification mode and terminal interaction design, breakpoint resume is achieved when an upload is interrupted, and the efficiency of bid upload is improved. However, the system has the following defects: first, the integrity of the uploaded bid documents cannot be ensured; second, plaintext transmission is used, so the confidentiality of the bid data cannot be guaranteed; third, the identity of the recipient cannot be confirmed.
A journal paper on Linux-based file encryption transmission technology (Computer Measurement and Control, 2015.12) implements file encryption and transmission between a Linux client and server using the RSA encryption algorithm and the Linux thread pool technique: asymmetric RSA encryption is realised by configuring and installing the OpenSSL library on Linux, the thread pool handles file transfers between one server and multiple clients, a network connection between an embedded ARM client and a Linux server is established, and the file encryption and transmission process runs over TCP/IP. The paper concludes that an encryption system designed with the SSL protocol can complete the encryption and transmission process, fully guarantees the privacy of data, and can be conveniently ported to embedded systems with high security requirements.
A journal paper on an implementation scheme of HTM 865 large file breakpoint retransmission (Computer and Modernization, 2016.3) notes that file upload is a common function in Web applications, that existing upload modes handle large files poorly, that upload failures are often caused by oversize files or network interruption, and that the upload then has to be carried out again from the start.
A method for realising file breakpoint resume based on the SIP and MSRP protocols (Radio Engineering, 2018.5) observes that after a file transfer is interrupted, the file transfer service needs a breakpoint resume function so that the content before the breakpoint is not transmitted again next time, improving transfer efficiency and user experience. Through research on the Session Initiation Protocol (SIP) and the Message Session Relay Protocol (MSRP), a file transfer process with breakpoint resume based on SIP and MSRP is proposed and explained in detail in three respects: protocol field extension, the signalling flow and breakpoint resume; the file transfer software architecture is also designed. Application in a unified communication system shows that the method achieves seamless breakpoint resume. The paper has the following defects: first, although the transferred file supports breakpoint resume, neither the partial nor the whole integrity of the file can be guaranteed; second, the file is transmitted in plaintext, so the confidentiality of the transmitted data cannot be guaranteed.
A journal paper on secure transmission of terminal upgrade files with a dynamic symmetric key encryption algorithm (Information Technology, 2019.12) notes that file encryption design is needed to improve the secure transmission of terminal upgrade files, and proposes an encrypted secure transmission method for terminal upgrade files based on a dynamic symmetric key design. It adopts a non-proxy key issuing protocol for access control of the upgrade file and constructs a dynamic symmetric key for it; combines a bilinear mapping method for key construction and arithmetic coding design during secure encryption of the upgrade file; rearranges the scrambling degree of the upgrade file according to the strength of plaintext attack; and completes dynamic symmetric key encryption of the file by a random linear coding method, achieving secure transmission. The paper has the following drawbacks: first, the system cannot guarantee the integrity of the transmitted file; second, when transmission is interrupted, retransmission is needed and breakpoint resume cannot be realised.
Disclosure of Invention
Aiming at the technical problems that file transmission has poor confidentiality, that partial and whole integrity verification cannot be performed, that interrupted transmissions cannot be resumed, that one-time pad cannot be achieved in the encryption process and that system compatibility is poor, the invention provides an encryption continuous transmission method with a key negotiation function: a secure encrypted breakpoint resume method that achieves one-time pad, based on breakpoint resume technology and key negotiation technology. For different file transfer systems the method can subdivide files of different sizes during transmission, ensures that network congestion does not occur, allows the next transmission to continue from the interrupted position when the network is interrupted, encrypts and integrity-protects the files during transmission, and keeps the size of the transmission window configurable to cope with network conditions, giving strong extensibility; in addition, data security is ensured through data encryption, signature technology and integrity protection, and efficiency is ensured by the breakpoint resume technology. To achieve this object:
the invention provides an encryption continuous transmission method with a key agreement function, where the system implementing the method comprises a user key agreement module, a data processing and encryption module, a data decryption and verification module and a server key agreement module, and the specific steps are as follows:
first, the user key negotiation module is responsible for generating challenge information and carrying out protocol interaction with the server key negotiation module; a group of session keys is generated through a self-designed session interaction protocol and used to encrypt the grouped communication data; the server key negotiation module generates the response message, completes the protocol interaction with the user key negotiation module, and finally generates a group of session keys for decrypting the ciphertext;
then the data processing and encryption module groups and marks the data to be transmitted based on a genetic algorithm, and encrypts and integrity-protects the marked group data; next, the data decryption and verification module decrypts all received ciphertexts and verifies the integrity of each group of decrypted plaintext;
finally, all decrypted plaintexts are combined and integrity verification is performed again on the whole.
As a further improvement of the invention, the user key negotiation module includes a negotiation challenge generation module and a user group key calculation module; it initiates the negotiation challenge and receives the response on the basis of authentication, generates a group session key, and resists man-in-the-middle attacks during key negotiation;
the negotiation challenge generation module first stores the public key certificate Cert_A that the current communication entity obtained from a trusted third party and the private key SK_A, and at the same time generates a private random number
Figure RE-GDA0002479037500000061
it then defines a large prime p and a primitive root a of p, publishes p and a, randomly selects a private random number X_A (X_A < p), and computes the current entity parameter
Figure RE-GDA0002479037500000062
generates a signature containing the current entity parameter Y_A
Figure RE-GDA0002479037500000063
and encrypts it with the server's public key to obtain
Figure RE-GDA0002479037500000064
finally, the negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A are sent as key negotiation parameters to the server group key calculation module in the server key negotiation module;
the user group key calculation module receives the key negotiation parameters sent by the negotiation response generation module, namely the ciphertext
Figure BDA0002428179380000065
the parameter Y_B and the public key certificate Cert_B, together with the Y_A generated by the negotiation challenge generation module; it decrypts C_B with the private key SK_A to obtain
Figure BDA0002428179380000066
and then uses the public key PK_B in the certificate Cert_B to recover, with the signature verification and message recovery algorithm,
Figure BDA0002428179380000067
the recovered Y_B
Figure BDA0002428179380000068
is compared with the received Y_B
Figure BDA0002428179380000069
if they agree the system is normal, otherwise the current session is stopped; the authenticity of the data source is thereby verified, and the session key is then computed as
Figure BDA00024281793800000610
the session key K_AB is passed to the data processing and encryption module; at the same time the hash value H(K_AB) of K_AB is computed, concatenated with
Figure BDA00024281793800000611
and encrypted with the server-side public key PK_B to obtain
Figure BDA00024281793800000612
which is sent as ciphertext to the server key negotiation module.
As a further improvement of the invention, the data processing and encryption module comprises a genetic-algorithm-based resumable-transmission data preprocessing module and a data encryption module; it groups and blocks the data to be transmitted on the basis of a genetic algorithm, packages and numbers the blocks, encrypts them and protects their integrity with the improved SM4 algorithm, and finally transmits the encrypted block data to the data decryption and verification module; the genetic algorithm and the improved SM4 algorithm improve the processing capacity and security of the system;
the genetic-algorithm-based resumable-transmission data preprocessing module receives the plaintext data M that the user needs to transmit over TCP/IP through a socket interface, and classifies and groups the data on the basis of the genetic algorithm to obtain M = M_1 || … || M_X and the block count num; each grouped plaintext block M_X is encoded to generate a corresponding data label L_X (L_1, i.e. 00000001, corresponds to the plaintext block M_1), and the grouped plaintext with its data label, M_X || L_X, is transmitted to the data encryption module as a service request;
the data encryption module receives the service request data from the preprocessing module and, for each data block M_X, computes the hash H_X = Hash(M_X); M_X, H_X and L_X are then encrypted with the improved SM4 algorithm under the session key K_AB negotiated by the user key negotiation module to obtain the ciphertext
Figure BDA00024281793800000613
finally, the message
Figure BDA0002428179380000071
is sent to the data decryption and verification module in label order L_X; if the data label information L_X returned by the data decryption and verification module is received, sending continues from the current data label L_X; after the last block ciphertext has been sent, H(M_1 || … || M_X) is computed and encrypted with the session key K_AB to obtain
Figure BDA0002428179380000072
which is sent to the data decryption and verification module; if the timeout information 111111000 returned by the data decryption and verification module is received twice in succession,
Figure BDA0002428179380000073
is retransmitted to the data decryption and verification module.
As a further improvement of the invention, the data decryption and verification module includes a data decryption module and a data integrity verification and aggregation module; the data decryption and verification module uses an improved SM4 encryption and decryption algorithm and an improved integrity verification algorithm to decrypt and verify multiple groups of ciphertext, and guarantees individual and collective consistency by verifying each group of ciphertext separately; through the verification of the individual blocks and of the whole, the complete data carries no security risk and data security is ensured;
the data decryption module receives the ciphertext message
Figure BDA0002428179380000074
sent by the data encryption module, and
Figure 1
and obtains the session key K_AB successfully negotiated by the server key negotiation module; if
Figure BDA0002428179380000076
has not been received, the data has not been completely transferred, and the data label information L_X of the current transfer is returned to the data processing and encryption module; L_X is compared with num: if they are equal the last group of labelled data has been received, and if they differ a non-final group has been received and the next group continues to be transmitted; if
Figure BDA0002428179380000077
is not received within the specified time, the timeout code 111111000 is returned to the data processing and encryption module twice in succession; if all messages are received normally, the data decryption module decrypts the received
Figure BDA0002428179380000078
to obtain M_X, L_X and H_X.
The data integrity verification and aggregation module verifies individual integrity and collective integrity separately through the improved integrity verification algorithm: it performs integrity verification on each block according to the label L_X of the sent information, compares the L_X obtained by the data decryption module with the L_X in the message and judges whether they are the same (if so the system is normal, if not the session is stopped); it compares the hash value of the plaintext M_X with the H_X in the decrypted information (if they are the same the system is normal, otherwise the session is stopped); according to the grouping characteristics of the genetic algorithm and the label information L_X it aggregates the decrypted plaintext into M = M_1 || … || M_X, and finally hashes the aggregated plaintext M to obtain H(M), which is compared with
Figure BDA0002428179380000079
if the two are the same the system finishes the transmission normally; otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is terminated.
As a further improvement of the invention, the server key negotiation module comprises a negotiation response generation module and a server group key calculation module; it receives the challenge initiated by the user key negotiation module and responds on the basis of completed authentication each time, then negotiates a group session key, and resists man-in-the-middle attacks during key negotiation;
the negotiation response generation module first stores the public key certificate Cert_B that the current entity obtained from a trusted third party and the private key SK_B, and at the same time generates a private random number
Figure RE-GDA0002479037500000081
it receives the large prime p and its primitive root a published by the negotiation challenge generation module, then randomly selects a private random number X_B (X_B < p) and computes the current entity parameter
Figure RE-GDA0002479037500000082
generates a signature containing the current entity parameter Y_B
Figure RE-GDA0002479037500000083
and encrypts it with the user's public key PK_A to obtain
Figure RE-GDA0002479037500000084
the negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B are sent as key negotiation parameters to the user group key calculation module;
the server group key calculation module receives the key negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A sent by the negotiation challenge generation module, and at the same time obtains the key negotiation parameter Y_B transmitted by the negotiation response generation module; it uses the server private key SK_B to decrypt the ciphertext
Figure BDA0002428179380000085
and obtains
Figure BDA0002428179380000086
then uses the public key PK_A in the certificate Cert_A to recover, with the signature verification and message recovery algorithm,
Figure BDA0002428179380000087
the recovered Y_A is compared with the received Y_A; if they agree the system is normal and the session key is computed as
Figure BDA0002428179380000088
otherwise the current session is stopped; it then receives, from the negotiation challenge generation module,
Figure BDA0002428179380000089
decrypts it to obtain
Figure BDA00024281793800000810
and compares the result with
Figure BDA00024281793800000811
if they agree the system is normal, otherwise the current session is stopped; finally the generated session key K_AB is transmitted to the data decryption and verification module.
Advantageous effects:
Compared with the prior art, the invention provides an encrypted resumable transmission method with a key negotiation function built on breakpoint resumption, encryption and key negotiation. For file or data transmission systems of different scales it classifies and groups the transmitted data and files on the basis of a genetic algorithm, so that the system transmits data securely and efficiently, resumes from the breakpoint that preceded a network fault, and balances security against efficiency. Room is reserved for file transmission systems of different sizes so that changes in system scale can be accommodated, and the security design extends well. The SM4 algorithm is improved to encrypt file-type data better; use of the encrypted resumable transmission method is not limited to any particular system; and data encryption, authentication and related techniques are applied when the user interacts with the server, so data security is ensured. The system is complete, its overall security performance is good, its efficiency is high, and its extensibility and stability are good.
Drawings
FIG. 1 is an overall block diagram of the present invention;
FIG. 2 is an overall schematic block diagram of the present invention;
FIG. 3 is a service response flow diagram of the present invention;
FIG. 4 is a block diagram of a user key agreement module of the present invention;
FIG. 5 is a block diagram of a data processing and encryption module of the present invention;
FIG. 6 is a block diagram of a data decryption and verification module of the present invention;
FIG. 7 is a block diagram of a server key agreement module of the present invention;
FIG. 8 is a key agreement schematic of the present invention;
Reference numerals:
1. user key negotiation module; 1-1. negotiation challenge generation module; 1-2. user group key calculation module; 2. data processing and encryption module; 2-1. resumable-transmission data preprocessing module; 2-2. data encryption module; 3. data decryption and verification module; 3-1. data decryption module; 3-2. data integrity verification and aggregation module; 4. server key negotiation module; 4-1. negotiation response generation module; 4-2. server group key calculation module.
Detailed Description
The invention is described in further detail below with reference to the following detailed description and accompanying drawings:
the invention is improved and designed based on the technologies of breakpoint continuous transmission technology, encryption authentication and the like, and provides a safe, efficient and extensible encryption continuous transmission method, which can classify and group files to be transmitted aiming at file transmission systems with different sizes, thereby ensuring that the breakpoint continuous transmission is realized, the balance of safety and efficiency is satisfied, and the characteristic of coexistence of the high efficiency and safety of file transmission is realized; the safety of data is ensured through key agreement, data encryption and authentication technologies, and the high efficiency of the system is ensured by improving the breakpoint continuous transmission technology and matching with the encryption technology.
As shown in fig. 1, which is an overall block diagram of the present invention, an encryption resume method with a key agreement function according to the present invention includes: the system comprises a user key negotiation module 1, a data processing and encrypting module 2, a data decrypting and verifying module 3 and a server key negotiation module 4. The invention is suitable for any file transmission system which can access the Internet through 3G/4G/WiFi. The user key negotiation module 1, the data processing and encryption module 2, the data decryption and verification module 3 and the server key negotiation module 4 all complete data interaction through socket interfaces.
As shown in fig. 2, the overall principle structure of the present invention mainly includes four major parts: the system comprises a user key negotiation module 1, a data processing and encrypting module 2, a data decrypting and verifying module 3 and a server key negotiation module 4. The user key negotiation module 1 comprises a negotiation challenge generation module 1-1 and a user group key calculation module 1-2. The data processing and encrypting module 2 comprises a continuous transmission data preprocessing module 2-1 based on a genetic algorithm and a data encrypting module 2-2. The data decryption and verification module 3 comprises a data decryption module 3-1 and a data integrity verification and aggregation module 3-2. The server key negotiation module 4 comprises a negotiation response generation module 4-1 and a server group key calculation module 4-2.
The service request flow of the present invention is shown in fig. 3:
First, the user initiates a file upload or download request; once the user key negotiation module 1 holds its public key certificate, the negotiation challenge generation module 1-1 sends the negotiation challenge information and receives the negotiation response information sent by the negotiation response generation module 4-1; the user group key calculation module 1-2 then combines this information, calculates the current group key and sends it to the data processing and encryption module 2, while the server group key calculation module 4-2 combines the challenge information, calculates the group key and sends it to the data decryption and verification module 3.
Second, data processing and encryption: the genetic-algorithm-based resumable-transmission data preprocessing module 2-1 first checks whether a processing record for the file exists; if not, it classifies and groups the data to be transmitted, assigns labels, encrypts and integrity-protects each block with the group key through the improved SM4 encryption algorithm, and transmits the block ciphertexts to the data decryption and verification module 3; if a processing record exists, it continues the unfinished transmission task from the recorded label information and sends the untransmitted data to the data decryption and verification module 3.
Third, data decryption and verification: the data decryption module 3-1 first decrypts the received ciphertext and restores it to its state before encryption; the data integrity verification and aggregation module 3-2 then judges from the label information whether the transmission is complete; if so, it performs partial and overall integrity verification on the restored data and assembles the restored plaintext according to the label information; if not, it only decrypts the received ciphertext and completes the partial integrity verification, and does not assemble the data until the last group of ciphertext has been received;
Fourth, feedback: the data integrity verification and aggregation module 3-2 assembles all received data, verifies its integrity, finally strips the labels and other control information, and returns the data to the user, completing the transmission.
As shown in fig. 4, the user key negotiation module 1 includes a negotiation challenge generation module 1-1 and a user group key calculation module 1-2; it initiates the negotiation challenge and receives the response on the basis of authentication, generates a group session key, and resists man-in-the-middle attacks during key negotiation; the negotiation challenge generation module 1-1 first stores the public key certificate Cert_A that the current communication entity obtained from a trusted third party and the private key SK_A, and at the same time generates a private random number
Figure BDA0002428179380000101
it defines a large prime p and a primitive root a of p, publishes p and a, randomly selects a private random number X_A (X_A < p), and computes the current entity parameter
Figure BDA0002428179380000102
generates a signature containing the current entity parameter Y_A
Figure BDA0002428179380000103
and encrypts it with the server's public key to obtain
Figure BDA0002428179380000104
finally, the negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A are sent as key negotiation parameters to the server group key calculation module 4-2 in the server key negotiation module 4; the user group key calculation module 1-2 receives the key negotiation parameters sent by the negotiation response generation module 4-1, namely the ciphertext
Figure BDA0002428179380000105
the parameter Y_B and the public key certificate Cert_B, together with the Y_A generated by the negotiation challenge generation module 1-1; it decrypts C_B with the private key SK_A to obtain
Figure BDA0002428179380000106
and then uses the public key PK_B in the certificate Cert_B to recover, with the signature verification and message recovery algorithm,
Figure BDA0002428179380000107
the recovered Y_B
Figure BDA0002428179380000108
is compared with the received Y_B
Figure BDA0002428179380000109
if they agree the system is normal, otherwise the current session is stopped; the authenticity of the data source is thereby verified, and the session key is then computed as
Figure BDA00024281793800001010
the session key K_AB is passed to the data processing and encryption module 2; at the same time the hash value H(K_AB) of K_AB is computed, concatenated with
Figure BDA00024281793800001011
and encrypted with the server-side public key PK_B to obtain
Figure BDA00024281793800001012
which is sent as ciphertext to the server key negotiation module 4.
The data processing and encryption module 2 is shown in fig. 5; it comprises a genetic-algorithm-based resumable-transmission data preprocessing module 2-1 and a data encryption module 2-2. It groups and blocks the data to be transmitted on the basis of a genetic algorithm, packages and numbers the blocks, encrypts them and protects their integrity with the improved SM4 algorithm, and finally transmits the encrypted block data to the data decryption and verification module 3; the genetic algorithm and the improved SM4 algorithm improve the processing capacity and security of the system. The preprocessing module 2-1 receives the plaintext data M that the user needs to transmit over TCP/IP through a socket interface and classifies and groups the data on the basis of the genetic algorithm to obtain M = M_1 || … || M_X and the block count num; each grouped plaintext block M_X is encoded to generate a corresponding data label L_X (L_1, i.e. 00000001, corresponds to the plaintext block M_1), and the grouped plaintext with its data label, M_X || L_X, is transmitted to the data encryption module 2-2 as a service request. The data encryption module 2-2 receives the service request data from the preprocessing module 2-1 and, for each data block M_X, computes the hash H_X = Hash(M_X); M_X, H_X and L_X are then encrypted with the improved SM4 algorithm under the session key K_AB negotiated by the user key negotiation module 1 to obtain the ciphertext
Figure BDA0002428179380000111
finally, the message
Figure BDA0002428179380000112
is sent to the data decryption and verification module 3 in label order L_X; if the data label information L_X returned by the data decryption and verification module 3 is received, sending continues from the current data label L_X; after the last block ciphertext has been sent, H(M_1 || … || M_X) is computed and encrypted with the session key K_AB to obtain
Figure BDA0002428179380000113
which is sent to the data decryption and verification module; if the timeout information 111111000 returned by the data decryption and verification module is received twice in succession,
Figure BDA0002428179380000114
is retransmitted to the data decryption and verification module.
The data decryption and verification module 3 is shown in fig. 6; it includes a data decryption module 3-1 and a data integrity verification and aggregation module 3-2. The data decryption and verification module 3 uses an improved SM4 encryption and decryption algorithm and an improved integrity verification algorithm to decrypt and verify multiple groups of ciphertext, and guarantees individual and collective consistency by verifying each group of ciphertext separately; through the verification of the individual blocks and of the whole, the complete data carries no security risk and data security is ensured. The data decryption module 3-1 receives the ciphertext message
Figure BDA0002428179380000115
sent by the data encryption module 2-2, and
Figure BDA0002428179380000116
and obtains the session key K_AB successfully negotiated by the server key negotiation module 4; if
Figure BDA0002428179380000117
has not been received, the data transmission is not complete, and the data label information L_X of the current transfer is returned to the data processing and encryption module 2; L_X is compared with num: if they are equal the last group of labelled data has been received, and if they differ a non-final group has been received and the next group continues to be transmitted; if
Figure BDA0002428179380000118
is not received within the specified time, the timeout code 111111000 is returned to the data processing and encryption module 2 twice in succession; if all messages are received normally, the data decryption module 3-1 decrypts the received
Figure BDA0002428179380000119
to obtain M_X, L_X and H_X. The data integrity verification and aggregation module 3-2 verifies individual integrity and collective integrity separately through the improved integrity verification algorithm: it performs integrity verification on each block according to the label L_X of the sent information, compares the L_X obtained by the data decryption module 3-1 with the L_X in the message and judges whether they are the same (if so the system is normal, if not the session is stopped); it compares the hash value of the plaintext M_X with the H_X in the decrypted information (if they are the same the system is normal, otherwise the session is stopped); according to the grouping characteristics of the genetic algorithm and the label information L_X it aggregates the decrypted plaintext, and finally hashes the aggregated plaintext M to obtain H(M), which is compared with
Figure BDA0002428179380000121
if the two are the same the system finishes the transmission normally; otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is terminated.
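The block transfer of fig. 5 and fig. 6, as an added worked example that is not the patent's own code: the page does not specify the "improved SM4" or the genetic-algorithm grouping, so a SHA-256 keystream stands in for the cipher, blocks are fixed-size, the labels L_x are assumed to be 4-byte block numbers starting at 1, the session key K_AB is a constructed value, and a simulated channel provides the network interruption and the lost final message. The example carries a transfer through an interruption after three blocks, resumes from the recorded label, loses the final hash message once and retransmits it after two successive timeout codes, and shows a corrupted block being refused by the per-block hash check.

```python
"""Added example (not the patent's code): the labelled, encrypted block
transfer of FIG. 5 / FIG. 6 with breakpoint resumption. Assumptions: a
SHA-256 keystream stands in for the unspecified "improved SM4", blocks are
fixed-size instead of genetic-algorithm groups, labels L_x are 4-byte block
numbers from 1, K_AB is a constructed key, and Channel simulates the link."""
import hashlib
from dataclasses import dataclass, field

TIMEOUT_CODE = 0b111111000        # the page's timeout marker 111111000
LABEL_LEN, HASH_LEN = 4, 32

def keystream_xor(key, label, data):
    """Stand-in cipher: XOR with SHA-256(K || label || counter). Symmetric, so it also decrypts.
    Like any unauthenticated stream mode it is malleable; a deployment needs an AEAD or a MAC."""
    out = bytearray()
    for off in range(0, len(data), HASH_LEN):
        ks = hashlib.sha256(key + label + off.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + HASH_LEN], ks))
    return bytes(out)

def label_of(x):
    return x.to_bytes(LABEL_LEN, "big")

@dataclass
class Channel:
    """Simulated link: message number n is lost if n is in `drop`, and every message after `fail_after`."""
    drop: set = field(default_factory=set)
    fail_after: int = 10 ** 9
    n: int = 0
    def deliver(self):
        self.n += 1
        return self.n not in self.drop and self.n <= self.fail_after

class Sender:
    def __init__(self, key, message, block_size):
        self.key = key
        self.blocks = [message[i:i + block_size] for i in range(0, len(message), block_size)]
        self.num = len(self.blocks)
        self.record = 0                       # "processing record": last label the receiver acknowledged

    def encrypt_block(self, x):
        """C_x = E_K(M_x || H_x || L_x) with H_x = Hash(M_x)."""
        m = self.blocks[x - 1]
        return label_of(x), keystream_xor(self.key, label_of(x), m + hashlib.sha256(m).digest() + label_of(x))

    def final_message(self):
        """E_K(H(M_1 || ... || M_num)), sent once the last block is out."""
        return keystream_xor(self.key, label_of(0), hashlib.sha256(b"".join(self.blocks)).digest())

    def run(self, receiver, channel):
        """Send from the breakpoint and return the labels sent in this run. A dead channel
        ends the run with self.record at the breakpoint; the final hash is retransmitted
        after two successive timeout codes from the receiver."""
        sent = []
        for x in range(self.record + 1, self.num + 1):
            label, ct = self.encrypt_block(x)
            if not channel.deliver():
                return sent
            if receiver.on_block(self.num, label, ct) != label:
                raise ValueError("receiver stopped the session at block %d" % x)
            self.record, sent = x, sent + [x]
        timeouts = 0
        for _ in range(8):                                  # bounded for the demo
            if timeouts == 0 and channel.deliver():         # first send, or retransmit after two timeouts
                receiver.on_final(self.final_message())
            if receiver.poll() is True:
                return sent
            timeouts = (timeouts + 1) % 2
        raise TimeoutError("final hash never confirmed")

class Receiver:
    def __init__(self, key):
        self.key, self.blocks, self.num, self.done = key, {}, None, False

    def on_block(self, num, label, ct):
        """Decrypt, compare the inner label with the message label, check H_x; ack with L_x."""
        pt = keystream_xor(self.key, label, ct)
        m, h, inner = pt[:-HASH_LEN - LABEL_LEN], pt[-HASH_LEN - LABEL_LEN:-LABEL_LEN], pt[-LABEL_LEN:]
        if inner != label or hashlib.sha256(m).digest() != h:
            return None                                     # individual integrity failed: stop session
        self.num = num
        self.blocks[int.from_bytes(label, "big")] = m
        return label                                        # sender resumes from this label after a break

    def on_final(self, ct):
        """Aggregate M_1 || ... || M_num in label order and check the overall hash."""
        if len(self.blocks) != self.num:
            raise ValueError("final hash arrived before all %s blocks" % self.num)
        m = b"".join(self.blocks[i] for i in range(1, self.num + 1))
        if keystream_xor(self.key, label_of(0), ct) != hashlib.sha256(m).digest():
            raise ValueError("overall integrity check failed: stop session")
        self.done, self.message = True, m

    def poll(self):
        """What the sender hears back while waiting for the final hash to be confirmed."""
        return True if self.done else TIMEOUT_CODE

def demo(message=bytes(range(40)), block_size=8):
    """Interrupt after three blocks, resume from the breakpoint, lose and retransmit the final hash."""
    key = hashlib.sha256(b"K_AB from the key agreement (constructed)").digest()
    sender, receiver = Sender(key, message, block_size), Receiver(key)
    first = sender.run(receiver, Channel(fail_after=3))     # link dies after 3 messages
    second = sender.run(receiver, Channel(drop={3}))        # 3rd message (the final hash) is lost once
    return first, second, receiver.message == message

def corrupted_block_rejected():
    """A flipped ciphertext byte changes M_x, so H_x no longer matches and the block is refused."""
    key = hashlib.sha256(b"k").digest()
    sender = Sender(key, b"hello world block", 8)
    label, ct = sender.encrypt_block(1)
    ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    return Receiver(key).on_block(sender.num, label, ct) is None
```

`demo()` returns `([1, 2, 3], [4, 5], True)`: the second run starts at label 4 because the sender's record holds the last acknowledged label. One caveat a practitioner should carry over to the real design: a hash placed inside the ciphertext is not a message authentication code. With any malleable mode an attacker who knows M_x can rewrite both the block and its hash consistently, so the per-block and overall checks should be backed by an authenticated mode (for SM4, a GCM-style mode or an HMAC over the ciphertext).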
As shown in fig. 7, the server key negotiation module 4 includes a negotiation response generation module 4-1 and a server group key calculation module 4-2; it receives the challenge initiated by the user key negotiation module 1 and responds on the basis of completed authentication each time, then negotiates a group session key, and resists man-in-the-middle attacks during key negotiation; the negotiation response generation module 4-1 first stores the public key certificate Cert_B that the current entity obtained from a trusted third party and the private key SK_B, and at the same time generates a private random number
Figure RE-GDA0002479037500000122
it receives the large prime p and its primitive root a published by the negotiation challenge generation module 1-1, then randomly selects a private random number X_B (X_B < p) and computes the current entity parameter
Figure RE-GDA0002479037500000123
generates a signature containing the current entity parameter Y_B
Figure RE-GDA0002479037500000124
and encrypts it with the user's public key PK_A to obtain
Figure RE-GDA0002479037500000125
the negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B are sent as key negotiation parameters to the user group key calculation module 1-2; the server group key calculation module 4-2 receives the key negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A sent by the negotiation challenge generation module 1-1, and at the same time obtains the key negotiation parameter Y_B transmitted by the negotiation response generation module 4-1; it uses the server private key SK_B to decrypt the ciphertext
Figure RE-GDA0002479037500000126
and obtains
Figure RE-GDA0002479037500000127
then uses the public key PK_A in the certificate Cert_A to recover, with the signature verification and message recovery algorithm,
Figure RE-GDA0002479037500000128
the recovered Y_A is compared with the received Y_A; if they agree the system is normal and the session key is computed as
Figure RE-GDA0002479037500000129
otherwise the current session is stopped; it then receives, from the negotiation challenge generation module 1-1,
Figure RE-GDA00024790375000001210
decrypts it to obtain
Figure RE-GDA00024790375000001211
and compares the result with
Figure RE-GDA00024790375000001212
if they agree the system is normal, otherwise the current session is stopped; finally the generated session key K_AB is transmitted to the data decryption and verification module 3.
The key agreement principle of the system is shown in fig. 8:
firstly, an entity A acquires a large prime number p and a primitive root a of p, discloses p and a, and then randomly selects a private random number XA(XA< p), by means of these three initialization parameters, the private key SKAAnd a public key certificate CertAComputing
Figure BDA00024281793800001213
By the parameter YAPrivate key SKAAnd a public key certificate CertACalculating the current entity parameter YAAnd identity random number(provided by the server authentication module) signature
Figure BDA00024281793800001215
Using the server public key PKBEncrypted to obtain ciphertext
Figure BDA00024281793800001216
And encrypt the ciphertext CAAnd a public key certificate CertAAnd negotiating parameter YASending to an entity B;
secondly, the entity B obtains the public big prime number p and the primitive root a of p, and receives the ciphertext C sent by the entity AAAnd a public key certificate CertAAnd negotiating parameter YAUsing the server private key SKBIs decrypted to obtain
Figure RE-GDA00024790375000001316
Then through signature recovery algorithm
Figure RE-GDA0002479037500000131
To obtain YAAnd
Figure RE-GDA0002479037500000132
then randomly selecting a private random number XB(XB< p), by means of these three initialization parameters p, a, XB(XB< p) calculation
Figure RE-GDA0002479037500000133
And by means of the parameter YBIdentity random number
Figure RE-GDA0002479037500000134
(provided by the user authentication module), the private key SKBAnd a public key certificate CertBCalculating the current entity parameter YBIs signed
Figure RE-GDA0002479037500000135
The signature is encrypted by using a public key of the user end
Figure RE-GDA0002479037500000136
And encrypt the ciphertext CBAnd a public key certificate CertBAnd negotiating parameter YBSending the data to an entity A;
thirdly, entity A receives the negotiation parameters sent by entity B, namely the ciphertext C_B, the public key certificate Cert_B and Y_B, and decrypts C_B with the user-side private key SK_A to obtain
Figure RE-GDA0002479037500000137
then, using the public key PK_B in the public key certificate Cert_B, it computes by the signature verification recovery algorithm
Figure RE-GDA0002479037500000138
and compares Y_B in the negotiation parameters
Figure RE-GDA0002479037500000139
with the result of signature verification recovery; if they are consistent, the system is normal, otherwise the current session is stopped, thereby verifying the reliability of the data source; it then calculates
Figure RE-GDA00024790375000001310
to obtain the session key, and finally entity A sends
Figure RE-GDA00024790375000001311
to entity B;
fourthly, entity B calculates
Figure BDA00024281793800001313
to obtain the session key, receives the authentication message sent by entity A
Figure BDA00024281793800001314
and, using the private key SK_B, performs the verification calculation
Figure BDA00024281793800001315
If the result is the same as the value
Figure BDA00024281793800001316
received by the server identity authentication module, the system is normal; otherwise the current session is stopped, thereby verifying the authenticity of the data source.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, but any modifications or equivalent variations made according to the technical spirit of the present invention are within the scope of the present invention as claimed.

Claims (5)

1. An encryption continuous transmission method with a key agreement function, wherein the system that implements the method comprises a user key agreement module (1), a data processing and encryption module (2), a data decryption and verification module (3) and a server key agreement module (4); the method is characterized by comprising the following specific steps:
firstly, the user key negotiation module (1) generates challenge information, carries out protocol interaction with the server key negotiation module (4), and generates a group of session keys for encrypting the grouped communication data through a self-designed session interaction protocol; the server key negotiation module (4) generates a response message, completes the protocol interaction with the user key negotiation module (1), and finally generates a group of session keys for decrypting the ciphertext;
then the data processing and encryption module (2) groups and labels the data to be transmitted based on a genetic algorithm and applies encryption and integrity protection to the labelled grouped data; the data decryption and verification module (3) then decrypts all received ciphertexts and verifies the integrity of each group of decrypted plaintext;
and finally all the decrypted plaintexts are combined and integrity verification is carried out again.
2. The encryption continuous transmission method with key agreement function as claimed in claim 1, wherein: the user key negotiation module (1) comprises a negotiation challenge generation module (1-1) and a user group key calculation module (1-2); it is responsible for initiating the negotiation challenge and receiving the response on the basis of authentication, generating a group of session keys and resisting man-in-the-middle attacks during key negotiation;
the negotiation challenge generation module (1-1) first stores the public key certificate Cert_A applied for by the current communication entity from the trusted third party and the private key SK_A, while generating a private random number
Figure FDA0002428179370000011
It defines a large prime number p and its primitive root a, discloses p and a, then randomly selects a private random number X_A (X_A < p) and calculates the current entity parameter
Figure FDA0002428179370000012
generates the signature containing the current entity parameter Y_A
Figure FDA0002428179370000013
and encrypts it with the public key of the server to obtain
Figure FDA0002428179370000014
Finally, the negotiation parameter Y_A, C_A and the public key certificate Cert_A are sent as key agreement parameters to the server group key calculation module (4-2) in the server key agreement module (4);
the user group key calculation module (1-2) receives the key negotiation parameters sent by the negotiation response generation module (4-1), including the ciphertext
Figure FDA0002428179370000015
the parameter Y_B, the public key certificate Cert_B, and the Y_A generated by the negotiation challenge generation module (1-1); it decrypts C_B using the private key SK_A to obtain
Figure FDA0002428179370000016
then, using the public key PK_B in the public key certificate Cert_B, recovers by the signature verification recovery algorithm
Figure FDA0002428179370000017
The recovered Y_B
Figure FDA0002428179370000018
and the received Y_B
Figure FDA0002428179370000019
are compared; if they are consistent, the system is judged normal, otherwise the current session is stopped, thereby verifying the authenticity of the data source; the session key is then calculated as
Figure FDA00024281793700000110
and the session key K_AB is transmitted to the data processing and encryption module (2); at the same time the hash value H(K_AB) of K_AB is computed and combined with
Figure FDA00024281793700000111
and encrypted using the server-side public key PK_B to obtain
Figure FDA00024281793700000112
which is sent as ciphertext to the server key negotiation module (4).
3. The encryption continuous transmission method with key agreement function as claimed in claim 1, wherein: the data processing and encryption module (2) comprises a continuous transmission data preprocessing module (2-1) based on a genetic algorithm and a data encryption module (2-2); it is responsible for grouping and blocking the transmitted data based on the genetic algorithm, packaging and numbering it, applying encryption and integrity protection with the improved SM4 algorithm, and finally transmitting the encrypted grouped data to the data decryption and verification module (3); the processing capacity and security of the system are improved by the genetic algorithm and the improved SM4 algorithm;
the continuous transmission data preprocessing module (2-1) based on the genetic algorithm receives the plaintext data M to be transmitted by the user over a socket-based TCP/IP connection, classifies and groups the data based on the genetic algorithm to obtain M = M_1||…||M_X and num, encodes each grouped plaintext M_X to generate a corresponding data label L_x (L_1, i.e. 00000001, corresponds to the grouped plaintext M_1), and transmits the grouped plaintext data together with its data label, M_X||L_x, to the data encryption module (2-2) as a service request;
the data encryption module (2-2) receives the service request data from the genetic-algorithm-based continuous transmission data preprocessing module (2-1), performs a hash operation on each group of data M_X to obtain H_X = Hash(M_X), and encrypts M_X, H_X, L_X with the improved SM4 algorithm using the session key K_AB negotiated by the user key negotiation module (1) to obtain the ciphertext
Figure FDA0002428179370000021
and finally sends the message
Figure FDA0002428179370000022
to the data decryption and verification module (3) sequentially according to the labels L_X; when the data decryption and verification module (3) receives a message, it returns the data label information L_X of the current data tag L_X; after the last group of ciphertext has been sent, H(M_1||…||M_X) is computed and encrypted with the session key K_AB to obtain
Figure FDA0002428179370000023
which is sent to the data decryption and verification module (3); if the timeout code 111111000 returned by the data decryption and verification module (3) is received twice in succession, the data
Figure FDA0002428179370000024
is retransmitted to the data decryption and verification module (3).
4. The encryption continuous transmission method with key agreement function as claimed in claim 1, wherein: the data decryption and verification module (3) comprises a data decryption module (3-1) and a data integrity verification and aggregation module (3-2); the data decryption and verification module (3) uses an improved SM4 encryption and decryption algorithm and an improved integrity verification module algorithm to decrypt and integrity-verify multiple groups of ciphertext, where individual and collective consistency is ensured by verifying the ciphertext of each group separately; through the individual grouping and overall verification, the overall data carries no security risk and the security of the data is ensured;
the data decryption module (3-1) receives the
Figure RE-FDA0002479037490000025
ciphertext messages and the
Figure RE-FDA0002479037490000026
transmitted by the data encryption module (2-2), and obtains the successfully negotiated session key K_AB from the server key negotiation module (4); if
Figure RE-FDA0002479037490000027
has not been received, the data transmission is not complete, and the data tag information L_X of the current transmission is returned to the data processing and encryption module (2); L_X is compared with num: if they are the same, the last group of labelled data has been received; if they differ, a non-final group has been received and the next group continues to be transmitted; if
Figure RE-FDA0002479037490000031
is not received within the specified time, the timeout code 111111000 is returned to the data processing and encryption module (2) twice in succession; if all the information is received normally, the data decryption module (3-1) decrypts the received
Figure RE-FDA0002479037490000032
to obtain M_X, L_X, H_X;
the data integrity verification and aggregation module (3-2) performs classified verification of individual integrity and collective integrity by means of an improved integrity verification module algorithm: it performs integrity verification on each packet of data according to the label L_X of the sent information, compares the L_X obtained by decryption in the data decryption module (3-1) with the L_X in the message to judge whether they are the same, the system being normal if so and the session being stopped if not; it compares the hash value of the plaintext M_X with the H_X in the decrypted information, the system being normal if they are the same and the session being stopped otherwise; it aggregates the decrypted plaintext according to the grouping characteristics of the genetic algorithm and the label information L_X into M = M_1||…||M_X; finally a hash operation is performed on the aggregated plaintext M to obtain H(M), which is compared with
Figure RE-FDA0002479037490000033
if the two are the same, the system finishes the transmission normally; otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is terminated.
5. The encryption continuous transmission method with key agreement function as claimed in claim 1, wherein: the server key negotiation module (4) comprises a negotiation response generation module (4-1) and a server group key calculation module (4-2), and is responsible for receiving the challenge initiated by the user key negotiation module (1) after authentication has been completed each time, making a response, then negotiating to generate a group of session keys, and resisting man-in-the-middle attacks during key negotiation;
the negotiation response generation module (4-1) first stores the public key certificate Cert_B applied for by the current entity from the trusted third party and the private key SK_B, while generating a private random number
Figure RE-FDA0002479037490000034
It receives the large prime number p and its primitive root a disclosed by the negotiation challenge generation module (1-1), then randomly selects a private random number X_B (X_B < p) and calculates the current entity parameter
Figure RE-FDA0002479037490000035
generates the signature containing the current entity parameter Y_B
Figure RE-FDA0002479037490000036
and encrypts it with the user public key PK_A to obtain
Figure RE-FDA0002479037490000037
and sends the negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B as key agreement parameters to the user group key calculation module (1-2);
the server group key calculation module (4-2) receives the key negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A sent by the negotiation challenge generation module (1-1), and at the same time obtains the key negotiation parameter Y_B transmitted by the negotiation response generation module (4-1); it applies the server private key SK_B to the ciphertext
Figure RE-FDA0002479037490000038
to decrypt it and obtain
Figure RE-FDA0002479037490000039
then, using the public key PK_A in the public key certificate Cert_A, recovers by the signature verification recovery algorithm
Figure RE-FDA00024790374900000310
and compares the recovered Y_A with the received Y_A; if the two are consistent, the system is normal and the session key is calculated as
Figure RE-FDA00024790374900000311
otherwise the current session is stopped; it then receives the negotiation challenge sent by module (1-1)
Figure RE-FDA0002479037490000041
decrypts it by calculation to obtain
Figure RE-FDA0002479037490000042
and compares the result with
Figure RE-FDA0002479037490000043
if the two are consistent, the system is normal; otherwise the current session is stopped; finally the generated session key K_AB is transmitted to the data decryption and verification module (3).
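The grouped transfer of claims 3 and 4 (one-byte labels L_X, per-group H_X = Hash(M_X), the trailing E_K(H(M_1||…||M_X)) message and the 111111000 time-out code), as an added Python example that is not the patent's own implementation. Assumptions: SHA-256 stands in for the unspecified Hash(), a SHA-256 counter keystream stands in for the improved SM4, fixed-size groups stand in for the genetic-algorithm grouping, and num is known to the receiver.

```python
"""Added example (not the patent's code): grouped encrypt-and-verify transfer of claims
3 and 4, with the receiver-side checks that make the page say 'stop the current session'."""
import hashlib

TIMEOUT_CODE = "111111000"  # time-out code the page names
FINAL_LABEL = b"\xff"       # constructed label for the E_K(H(M)) message, never a group label
SIZE = 16                   # fixed group size; the page picks groups with a genetic algorithm

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # stands in for the unspecified Hash()

def enc(k_ab: bytes, l_x: bytes, data: bytes) -> bytes:
    """SM4 stand-in: XOR with a keystream bound to K_AB and the label (self-inverse)."""
    ks = b"".join(hashlib.sha256(k_ab + l_x + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def sender_prepare(m: bytes) -> list:
    """Module 2-1: M = M_1||...||M_X with one-byte labels, L_1 = 00000001."""
    groups = [m[i:i + SIZE] for i in range(0, len(m), SIZE)]
    assert 0 < len(groups) < 0xFF, "one-byte labels; 0xFF reserved"
    return [(x.to_bytes(1, "big"), groups[x - 1]) for x in range(1, len(groups) + 1)]

def sender_encrypt(k_ab: bytes, l_x: bytes, m_x: bytes) -> tuple:
    """Module 2-2: message {L_X, E_K(M_X || H_X || L_X)} with H_X = Hash(M_X)."""
    return l_x, enc(k_ab, l_x, m_x + H(m_x) + l_x)

def sender_final(k_ab: bytes, blocks: list) -> bytes:
    """After the last group: E_K(H(M_1||...||M_X))."""
    return enc(k_ab, FINAL_LABEL, H(b"".join(m_x for _, m_x in blocks)))

class IntegrityError(Exception): pass   # raised wherever the page stops the session

class Receiver:
    """Modules 3-1/3-2: per-group label and H_X checks, L_X acks, time-outs, H(M) check."""
    def __init__(self, k_ab: bytes, num: int):
        self.k, self.num, self.blocks = k_ab, num, {}

    def on_block(self, l_x: bytes, c_x: bytes) -> tuple:
        pt = enc(self.k, l_x, c_x)
        m_x, h_x, l_dec = pt[:-33], pt[-33:-1], pt[-1:]
        if l_dec != l_x:                  # label in message vs label under encryption
            raise IntegrityError("label mismatch")
        if H(m_x) != h_x:                 # individual integrity
            raise IntegrityError("H_X mismatch")
        self.blocks[l_x[0]] = m_x
        return l_x, l_x[0] == self.num    # ack with L_X; True once L_X == num

    def on_timeout(self) -> str:
        return TIMEOUT_CODE               # final message not seen within the deadline

    def on_final(self, c_final: bytes) -> bytes:
        if sorted(self.blocks) != list(range(1, self.num + 1)):
            raise IntegrityError("transmission incomplete")
        m = b"".join(self.blocks[x] for x in range(1, self.num + 1))   # aggregate by L_X
        if enc(self.k, FINAL_LABEL, c_final) != H(m):                  # collective integrity
            raise IntegrityError("H(M) mismatch")
        return m

def run_transfer(m: bytes, k_ab: bytes, drop_final: int = 0) -> bytes:
    """In-memory channel; drop_final = how often the final hash message is lost."""
    blocks = sender_prepare(m)
    rx = Receiver(k_ab, len(blocks))
    for l_x, m_x in blocks:
        ack, last = rx.on_block(*sender_encrypt(k_ab, l_x, m_x))
        assert ack == l_x and last == (l_x == blocks[-1][0])
    final = sender_final(k_ab, blocks)
    for _ in range(drop_final):
        assert (rx.on_timeout(), rx.on_timeout()) == (TIMEOUT_CODE, TIMEOUT_CODE)
        final = sender_final(k_ab, blocks)     # retransmit after two time-outs
    return rx.on_final(final)
```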
CN202010227436.XA 2020-03-27 2020-03-27 Encryption continuous transmission method with key agreement function Active CN111447276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010227436.XA CN111447276B (en) 2020-03-27 2020-03-27 Encryption continuous transmission method with key agreement function

Publications (2)

Publication Number Publication Date
CN111447276A true CN111447276A (en) 2020-07-24
CN111447276B CN111447276B (en) 2022-11-15

Family

ID=71648110

Country Status (1)

Country Link
CN (1) CN111447276B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603485A (en) * 2016-10-31 2017-04-26 美的智慧家居科技有限公司 Secret key negotiation method and device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039663A (en) * 2020-08-27 2020-12-04 深圳供电局有限公司 Data transmission method and system
CN112039663B (en) * 2020-08-27 2023-08-04 深圳供电局有限公司 Data transmission method and system
CN114362919A (en) * 2020-09-30 2022-04-15 深圳君正时代集成电路有限公司 Symmetric encryption and decryption algorithm sub-packet processing method
CN112702332A (en) * 2020-12-21 2021-04-23 张华� Chain key exchange method, client, server and system
CN112702332B (en) * 2020-12-21 2022-09-16 张华� Chain key exchange method, client, server and system
CN112702355A (en) * 2020-12-29 2021-04-23 福建正孚软件有限公司 Cross-border file transmission method and system fusing operation and maintenance system
CN113328993A (en) * 2021-04-29 2021-08-31 北京连山科技股份有限公司 Data security transmission method and system combining multimode communication and Aont transformation
CN114679314A (en) * 2022-03-23 2022-06-28 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
CN114679314B (en) * 2022-03-23 2023-01-31 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
CN114915622A (en) * 2022-05-31 2022-08-16 广东三维睿新科技有限公司 HTTP-based file transmission method for web side
CN114915622B (en) * 2022-05-31 2024-01-30 广东三维睿新科技有限公司 File transmission method based on http for web terminal
CN115860768A (en) * 2023-02-16 2023-03-28 浙江天演维真网络科技股份有限公司 Tracing method and device based on block chain and electronic equipment thereof

Also Published As

Publication number Publication date
CN111447276B (en) 2022-11-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant