CN111447276B - Encryption continuous transmission method with key agreement function - Google Patents


Info

Publication number: CN111447276B
Application number: CN202010227436.XA
Authority: CN (China)
Prior art keywords: data, module, key, negotiation, decryption
Legal status: Active (the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111447276A
Inventors: 蒋睿, 郭学心, 蒋立霄
Current assignee: Southeast University
Original assignee: Southeast University

Events: application filed by Southeast University; priority to CN202010227436.XA; publication of CN111447276A; application granted; publication of CN111447276B; legal status active.

Classifications (CPC)

    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L63/0435 Network security: confidential data exchange among entities communicating through data packet networks, wherein the payload is protected by encryption and the sending and receiving entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L9/0825 Key transport or distribution, i.e. one party creates or obtains a secret value and securely transfers it to the other(s), using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0838 Key agreement, i.e. a shared key is derived by the parties as a function of information contributed by, or associated with, each of them
    • H04L9/0861 Generation of secret information, including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/3247 Entity authentication or message authentication involving digital signatures
    • H04L9/3263 Entity authentication or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268 Certificate-based authentication using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses an encryption continuous transmission method with a key agreement function, which comprises a user key agreement module, a data processing and encryption module, a data decryption and verification module and a server key agreement module. The user key agreement module carries out protocol interaction with the server key agreement module to generate a session key; the data processing and encryption module groups the data and encrypts each group; the data decryption and verification module decrypts the data, reassembles it and verifies its integrity. The invention can provide a secure, resumable transmission method for data of different sizes over an insecure Internet network.

Description

Encryption continuous transmission method with key agreement function
Technical Field
The invention relates to the field of computer network communication and the field of information security, in particular to an encryption continuous transmission method with a key agreement function.
Background
At present, the file upload technology used in the mobile positioning system shares the common disadvantage of most file upload technologies: when a network fault occurs the data must be retransmitted, and confidentiality and integrity cannot be guaranteed during transmission, so the system lacks both security and efficiency. The file transmission technology studied in this patent is oriented to the open Internet, where various attack behaviours exist and the security and efficiency of data transmitted over the network are threatened at all times. In recent years, security incidents caused by data hijacking have been frequent: for example, AcFun suffered an information hijacking attack by hackers in which tens of millions of user records were leaked, 800,000 records were stolen from a Swiss telecommunications operator, and the medical software company MedEvolve had up to 200,000 records hijacked because of a server vulnerability. To achieve data security in a network, transmitted files or data must be obtainable only by users who meet the requirements; authentication technology and encryption algorithms are therefore applied to the data transmission technology so that only such users receive the data and can correctly decrypt the ciphertext, which guarantees the security of the transmitted data. At the same time, high efficiency is always a commonly pursued goal in the current network environment, and breakpoint resume (resumable transfer) technology can guarantee the efficiency of data in network transmission.
Therefore, aiming at the problems that the confidentiality and integrity of transmitted data cannot be protected in an open Internet network and that the transmission of data files is inefficient, the invention develops an encryption continuous transmission method with a key negotiation function; it applies to file data transmission systems of different sizes and guarantees both the efficiency and the security of the file transmission system.
The patent application discloses a data breakpoint resume method (201610536678) based on a linked list structure, which solves the low efficiency of a traditional data transmission system under network failure and realizes breakpoint resume of data; it can be used in environments with high requirements on transmission reliability but an uncertain network, such as a wireless network, and the data is located at the application layer of the network protocol stack. However, this invention has the following drawbacks: firstly, the integrity of the transmitted data cannot be guaranteed; secondly, the data is transmitted in plaintext, so its confidentiality cannot be guaranteed; thirdly, the identities of the two communicating parties cannot be authenticated during transmission.
The patent application discloses a method and system for breakpoint resume of file downloading (201610697034.X), which realize breakpoint resume by controlling a preset life cycle of the file download address. The file download breakpoint resume method comprises the following steps: step 1, create a download address list storing a first download address of the file, whose effective time point is a first life cycle; step 2, acquire a second download address of the file at preset time intervals, judge whether the second life cycle of the second download address equals the first life cycle, and if not, enter step 3; step 3, associate the second download address with the first download address; step 4, when the download client downloads the file through the first download address, link the first download address to the second download address to download the file. When the user suddenly loses power or is interrupted during the download, the old address continues to be used and the proxy module links the old address to the new one, so the file with a life cycle continues to be downloaded from the download server. The invention has the following defects: firstly, the integrity of the transmitted data cannot be verified after transmission is finished; secondly, the identities of the two communicating parties cannot be confirmed; thirdly, the transmission is in plaintext, which cannot ensure the confidentiality of the transmitted data.
The patent application discloses a continuous transmission method based on a dynamic window (201611006503.5), proposing a dynamic-contention-window-based continuous transmission (DCW-ST) method for the case of traffic saturation in a small-scale visible light communication network. The method obtains the dynamic contention window that maximizes network throughput from an analysis of throughput, then proposes a dynamic contention window adjustment method that balances throughput and delay based on an analysis of cycle delay; furthermore, according to the number of network nodes, a continuous transmission scheme is provided to reduce node access delay, achieving a balance between network throughput and delay. However, the invention has the following defects: firstly, identity authentication of the two data exchange parties cannot be carried out before data transmission; secondly, the transmission is in plaintext, so security is low; thirdly, when the network is disconnected or other emergencies occur, retransmission is needed, and the system's flexibility is poor.
The patent application discloses a file breakpoint resume method (201810094808.9), in which the client acquires breakpoint information and resumes the file stream based on it: the client initiates a file upload request and a file check request; the server determines and stores the breakpoint position of the file; the client obtains the file breakpoint information; the server responds to the file stream resume request; and the client receives the file upload result identifier. The method can save upload time and network resources and ensure the accuracy and stability of file resumption. However, the invention has the following defects: firstly, the identities of the two communicating parties cannot be confirmed before data transmission, and the integrity of the received data cannot be confirmed; secondly, the transmission is in plaintext, so security is low.
The patent application discloses a data extraction method and system supporting breakpoint resume (201811076270.5), developed on top of the open-source ETL tool NiFi: a native processor supports data source configuration, physical table configuration and incremental extraction field configuration, and stores the current maximum value of those fields in the processor state. The method sets the maximum number of records extracted each time, the number of records per scheduled page, the start time and the interval, and records the total number of extracted records, the last extracted record number, the number of scheduling runs, the number of records extracted by completed scheduling, the total number of pages and other information about the current scheduled extraction, thereby realizing breakpoint resume. The method can avoid overloading the server, ensure its stability, avoid re-extracting finished data and improve extraction efficiency. However, the invention has the security defect that the extraction system transmits in the clear, so there is a risk of data leakage.
The patent application discloses a method and device for download breakpoint resume (201811539333.6), which solve the problem in the prior art that when a download is interrupted the whole video file must be downloaded again, wasting time and traffic. The method comprises the following steps: receiving multiple surveillance videos sent by a video recording system that match a first video download request; when the recording system stops sending the first target surveillance video, matching the received first target surveillance videos against multiple first surveillance video files and determining the unmatched files as second surveillance video files; and sending a second video download request to the recording system through the server, carrying the start and end times of the second target surveillance video. The invention has the following defects: firstly, the download process cannot authenticate the download centre, and multiple sources cannot be confirmed; secondly, the video files are not encrypted in transit, so security is low, and video integrity cannot be ensured after transmission.
The patent application discloses a cross-network breakpoint resume method and system (201811583080.2), which control concurrency through file fragmentation and asynchronous upload to realize breakpoint resume. The front end encrypts the file to be uploaded to obtain a unique file identifier and sends it to the back end; the back end queries the database by the identifier and, if the file has already been uploaded, returns the file information directly to the front end; the front end fragments the file according to a user-defined configuration to obtain fragment files; the front end uploads the fragments to the back end, displays the progress, and re-uploads any fragment that fails; the back end receives the fragments and verifies the unique identifier, returns an upload failure message to the front end if verification fails, and if it succeeds checks whether all fragments have been uploaded, after which the fragments are combined in order, the complete file is stored on a file server, and the complete file information is returned to the front end and stored in the database. The method can save time, traffic and storage space. The invention has the following defects: firstly, identity authentication cannot be carried out on the two transmitting sides across the network; secondly, the transmission is in plaintext, which cannot ensure the confidentiality of the data.
The patent application discloses a method for transmitting a breakpoint-resumed file (201811636717.X), which comprises the following steps: 1) when the channel is interrupted, the sending end caches the file to be sent during the interruption to form a continuation file; 2) when the channel recovers, the sending end sends the continuation file to the receiving end frame by frame; the receiving end checks each received frame and feeds back check information to the sending end; if the check is correct the sending end continues, and if it is wrong the last frame is resent; when no continuation file exists, the sending end sends test information to the receiving end, which feeds it back once received; when either end does not receive information from the other side within the set time, the channel is restarted; 3) when the whole continuation file has been transmitted, the sending end transmits a transmission-finished mark, and the receiving end verifies and corrects the length of the whole continuation file and sends a correct confirmation; if an error occurs, an error confirmation is sent and the whole process restarts. The invention allows the continuation file to pass through firewalls and security isolation gatekeepers. It has the following defects: firstly, the data is transmitted in plaintext, and the integrity of the transmitted part cannot be ensured; secondly, the established channel cannot be identified, so the two communicating parties cannot authenticate each other.
The patent application discloses a breakpoint resume unmanned vehicle route data transmission system and method (201910147368.3), which solve the data discontinuity and information asynchrony of existing data transmission systems through real-time sampling, verification and continuous upload. The system comprises a server and a vehicle-mounted terminal; the terminal receives route data sent by the server and, while the vehicle is driving, collects road condition and vehicle condition information and uploads it to the server; the server and the terminal act in turn as sending and receiving ends; the sending end comprises a data partitioning module, a data sending module and a signal detection module, and the receiving end comprises a data receiving module and a data verification module. The invention can effectively ensure the continuity and real-time performance of route data transmission while driving, reduce transmission time and improve efficiency. However, this patent has the following defects: firstly, the integrity of the data cannot be verified; secondly, plaintext transmission is used, so the security of the route data cannot be guaranteed.
The patent application discloses a cluster-type cloud-platform-based big-data breakpoint resume bidding document upload system (201910485216.4), which comprises a client, a server and a cloud platform, the server being communicatively connected to both the client and the cloud platform. During bidding document upload, the client responds to the selected bidding document by sending an upload request to the server, which identifies the number information and searches for a corresponding upload record. If one exists, the corresponding bidding document information is retrieved from the database and a resume request is sent to the client; if not, the server sends an upload command and temporarily stores the bidding document information once received. After receiving the bidding information, the server uploads it to the cloud platform and deletes the temporary copy; an upload information verification mode is adopted and, through the terminal interaction design, breakpoint resume is achieved when an upload is interrupted, improving the efficiency of bid upload. However, the existing system has the following defects: firstly, the integrity of the uploaded bidding documents cannot be ensured; secondly, plaintext transmission is used, so the confidentiality of the bidding document data cannot be guaranteed; thirdly, the identity of the recipient cannot be confirmed.
The journal paper on Linux-based file encryption transmission technology (Computer Measurement and Control, 2015.12) realizes encrypted file transmission between a client and a server on a Linux system using the RSA encryption algorithm and Linux thread pool technology: the OpenSSL library is configured and installed on Linux to implement the asymmetric RSA encryption process, thread pool technology handles file transmission between the server and multiple clients, and finally the network connection between the embedded ARM client and the Linux server is realized and the TCP/IP-based file encryption and transmission process is completed. The conclusion shows that the encryption system designed with the SSL protocol can complete the encryption and transmission processes, fully ensure data privacy and be conveniently ported to embedded systems with high security requirements. This paper has the following drawbacks: firstly, integrity verification cannot be performed on the transmitted file; secondly, an interrupted transmission must be retransmitted, so breakpoint resume cannot be realized; thirdly, public key encryption is cumbersome and complex, and a one-time pad mechanism cannot be realized.
The journal paper on an implementation scheme for breakpoint resume of HTML5 large files (Computer and Modernization, 2016.3) notes that file upload is a common function in Web applications, yet existing upload methods handle large files poorly: uploads often fail because the file is too large or the network is interrupted, and the file has to be uploaded again. Using a series of file APIs such as FileList, Blob, File and FileReader, the Web end can fragment the local file with JavaScript to realize file breakpoint resume. On this basis, the problem of the user waiting past a timeout while the server combines the files and the problem of ensuring the correctness of the combined file are solved. The thesis has the following defects: firstly, after a large file is transmitted, neither the integrity of its parts nor the integrity of the whole file can be verified; secondly, the two parties transferring the file cannot be authenticated; thirdly, the file is transmitted in plaintext, so its confidentiality cannot be guaranteed.
A method for realizing file breakpoint resume based on the SIP and MSRP protocols (Radio Engineering, 2018.5) is described, in which, after a file transfer is interrupted, repeated transmission of the content before the breakpoint on the next attempt is reduced, transmission efficiency and user experience are improved, and the file transfer service is required to have a breakpoint resume function. By studying the Session Initiation Protocol (SIP) and the Message Session Relay Protocol (MSRP), a file transfer process realizing breakpoint resume on SIP and MSRP is proposed and explained in detail in three aspects: protocol field extension, the signalling process and breakpoint resume; a file transfer software architecture is also designed. Application in a unified communication system shows that the method achieves seamless breakpoint transmission. The paper has the following defects: firstly, although the file transfer supports breakpoint resume, neither the partial nor the overall integrity of the file can be guaranteed; secondly, the file is transmitted in the clear, so the confidentiality of the transmitted data cannot be guaranteed.
The journal paper on secure transmission of terminal upgrade files with a dynamic symmetric key encryption algorithm (2019.12) argues that file encryption must be designed to improve the secure transmission capability of terminal upgrade files, and proposes a terminal upgrade file encryption method based on a dynamic symmetric key design. A non-proxy key issuing protocol performs access control on the terminal upgrade file and constructs its dynamic symmetric key; a bilinear mapping method is combined for key construction and arithmetic coding design in the secure encryption of the upgrade file; the upgrade file is scrambled and rearranged according to the strength of plaintext attack, and dynamic symmetric key encryption of the file is completed with a random linear coding method to realize secure transmission. This paper has the following drawbacks: firstly, the system cannot guarantee the integrity of the transmitted file; secondly, an interrupted transmission must be retransmitted, so breakpoint resume cannot be realized.
Disclosure of Invention
Aiming at the technical problems that the confidentiality of file transmission is poor, partial and overall integrity verification cannot be carried out, resumption of an interrupted transmission cannot be realized, one-time pad cannot be realized in the encryption process, and system compatibility is poor, the invention provides an encryption continuous transmission method with a key negotiation function: a secure encrypted breakpoint resume method that can achieve one-time pad, based on breakpoint resume technology and key negotiation technology. For different file transmission systems, the method can subdivide files of different sizes during transmission so that network congestion does not occur; when the network is interrupted during transmission, the next transmission continues from the interrupted position; at the same time, files are encrypted and integrity-protected during transmission; and the size of the transmission window is reserved and configurable so as to adapt to network conditions, giving strong extensibility. In addition, data security is ensured through data encryption, signature technology and integrity protection technology, and efficiency is ensured by adopting breakpoint resume technology. To this end:
the invention provides an encryption continuous transmission method with a key agreement function, wherein the system matched with the method comprises a user key agreement module, a data processing and encryption module, a data decryption and verification module and a server key agreement module, and the specific steps are as follows:
first, the user key negotiation module is responsible for generating challenge information, carries out protocol interaction with the server key negotiation module, and generates a group of session keys for encrypting the grouped communication data through a self-designed session interaction protocol; the server key negotiation module generates a response message, completes the protocol interaction with the user key negotiation module, and finally generates a group of session keys for decrypting the ciphertext;
then the data processing and encryption module groups and labels the data to be transmitted based on a genetic algorithm and carries out encryption and integrity protection on the labelled grouped data; next, the data decryption and verification module decrypts all received ciphertexts and verifies the integrity of each group of decrypted plaintext;
and finally, all the decrypted plaintexts are combined and integrity verification is carried out once more.
As a further improvement of the present invention, the user key negotiation module comprises a negotiation challenge generation module and a user group key calculation module; it is responsible for initiating the negotiation challenge and receiving the response on the basis of authentication, generating a group of session keys, and resisting man-in-the-middle attacks during key negotiation;
the negotiation challenge generation module first stores the public key certificate Cert_A that the current communication entity has applied for from the trusted third party and the private key SK_A, and at the same time generates a private random number
Figure GDA0002479037500000061
defines a large prime number p and its primitive root a, publishes p and a, then randomly selects a private random number X_A (X_A < p) and calculates the current entity parameter
Figure GDA0002479037500000062
generates a signature containing the current entity parameter Y_A
Figure GDA0002479037500000063
and encrypts it with the public key of the server to obtain
Figure GDA0002479037500000064
finally, the negotiation parameter Y_A, C_A and the public key certificate Cert_A are sent as key negotiation parameters to the server group key calculation module in the server key negotiation module;
the user group key calculation module receives the key negotiation parameters sent by the negotiation response generation module, including the ciphertext
Figure GDA0002479037500000065
the parameter Y_B, the public key certificate Cert_B, and the Y_A generated by the negotiation challenge generation module; it decrypts C_B with the private key SK_A to obtain
Figure GDA00024790375000000612
then, using the public key PK_B in the public key certificate Cert_B, recovers through the signature verification recovery algorithm
Figure GDA00024790375000000613
and compares the recovered Y_B
Figure GDA0002479037500000066
with the received Y_B
Figure GDA0002479037500000067
; if the comparison result is consistent, the system is judged normal; otherwise the current session is stopped; this verifies the authenticity of the data source, and then the session key is calculated
Figure GDA0002479037500000068
and the session key K_AB is transmitted to the data processing and encryption module; the hash value H(K_AB) of K_AB is calculated and combined with
Figure GDA0002479037500000069
and encrypted with the server-side public key PK_B to obtain
Figure GDA00024790375000000610
and the ciphertext is sent to the server key negotiation module.
As a further improvement of the invention, the data processing and encryption module comprises a continuous transmission data preprocessing module based on a genetic algorithm and a data encryption module; it is responsible for grouping and blocking the transmitted data based on the genetic algorithm, packaging and numbering it, encrypting and integrity-protecting it with the improved SM4 algorithm, and finally transmitting the encrypted grouped data to the data decryption and verification module; the processing capacity and the security of the system are improved by adopting the genetic algorithm and the improved SM4 algorithm;
the continuous transmission data preprocessing module based on the genetic algorithm receives, through a TCP/IP transmission protocol based on a socket interface, the plaintext data M that the user needs to transmit, classifies and groups the data based on the genetic algorithm to obtain M_1||…||M_X = M and the number of groups num, and encodes each grouped plaintext M_X to generate a corresponding data label L_X (L_1, i.e. 00000001, corresponds to the group plaintext M_1); the grouped plaintext data with its data label, M_X||L_X, is transmitted to the data encryption module as a service request;
the data encryption module receives the service request data of the continuous transmission data preprocessing module based on the genetic algorithm, performs a hash operation on each group of data M_X to obtain H_X = Hash(M_X), and encrypts M_X, H_X and L_X with the improved SM4 algorithm under the session key K_AB negotiated by the user key negotiation module to obtain the ciphertext
Figure GDA00024790375000000611
finally, the message
Figure GDA0002479037500000071
is sent to the data decryption and verification module in the order of the labels L_X; if the data label information L_X returned by the data decryption and verification module is received, sending continues from the current data label L_X; after the last group of data ciphertext has been sent, H(M) = H(M_1||…||M_X) is calculated and encrypted with the session key K_AB to obtain
Figure GDA0002479037500000072
which is sent to the data decryption and verification module; if the timeout information 111111000 returned by the data decryption and verification module is received twice in succession,
Figure GDA0002479037500000079
is retransmitted to the data decryption and verification module.
As a further improvement of the present invention, the data decryption and verification module includes a data decryption module and a data integrity verification and aggregation module; the data decryption and verification module designs an improved SM4 encryption and decryption algorithm and an improved integrity verification module algorithm to realize decryption and integrity verification of multiple groups of ciphertext, wherein individual and collective consistency is ensured by verifying the ciphertext of each group separately; through the individual grouped verification and the overall verification, the overall data carries no security risk and the security of the data is ensured;
the data decryption module receives from the data encryption module the
Figure GDA0002479037500000073
ciphertext message and
Figure GDA0002479037500000074
and obtains the session key K_AB successfully negotiated by the server key negotiation module; if
Figure GDA0002479037500000075
has not been received, the data has not been completely transmitted, and the label information L_X of the data currently transmitted is returned to the data processing and encryption module; L_X is compared with num: if they are the same, the last group of labelled data has been received, and if they differ, a non-last group has been received and the next group of data continues to be transmitted; if
Figure GDA0002479037500000076
is not received within the specified time, the timeout code 111111000 is returned to the data processing and encryption module twice in succession; if all the information is received normally, the data decryption module decrypts the received
Figure GDA0002479037500000077
to obtain M_X, L_X, H_X.
The data integrity verification and aggregation module, by designing an improved integrity verification module algorithm, carries out classified verification of individual integrity and collective integrity respectively. The module performs integrity verification on each group of data according to the label L_X corresponding to the sent information: the L_X obtained by decryption in the data decryption module is compared with the L_X in the message to judge whether they are the same; if so, the system is normal, and if not, the session is stopped; the hash value of the plaintext M_X is compared with H_X in the decrypted information; if they are the same, the system is normal, otherwise the session is stopped; according to the grouping characteristics of the genetic algorithm and the label information L_X, the decrypted plaintexts are aggregated into M = M_1||…||M_X; finally, a hash operation is performed on the aggregated plaintext M to obtain H(M), which is compared with
Figure GDA0002479037500000078
; if the two are the same, the system completes the transmission normally; otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is terminated.
The server key negotiation module comprises a negotiation response generation module and a server group key calculation module, and is responsible for receiving the challenge initiated by the user key negotiation module, making a response each time on the basis of completed authentication, then negotiating to generate a group of session keys, and resisting man-in-the-middle attacks during key negotiation;
the negotiation response generation module first stores the public key certificate Cert_B that the current entity has applied for from the trusted third party and the private key SK_B, and at the same time generates a private random number
Figure GDA0002479037500000081
receives the large prime number p and its primitive root a published by the negotiation challenge generation module, then randomly selects a private random number X_B (X_B < p) and calculates the current entity parameter
Figure GDA0002479037500000082
generates a signature containing the current entity parameter Y_B
Figure GDA0002479037500000083
and encrypts it with the user public key PK_A to obtain
Figure GDA0002479037500000084
and sends the negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B as key negotiation parameters to the user group key calculation module;
the server group key calculation module receives the key negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A sent by the negotiation challenge generation module, and at the same time obtains the key negotiation parameter Y_B transmitted by the negotiation response generation module; using the server private key SK_B, it decrypts the ciphertext
Figure GDA0002479037500000085
to obtain
Figure GDA0002479037500000086
then, using the public key PK_A in the public key certificate Cert_A, recovers through the signature verification recovery algorithm
Figure GDA0002479037500000087
and compares the recovered Y_A with the received Y_A; if the two are consistent, the system is normal and the session key is calculated as
Figure GDA0002479037500000088
otherwise the current session is stopped; it then receives from the negotiation challenge generation module
Figure GDA0002479037500000089
decrypts it by calculation
Figure GDA00024790375000000810
and compares the result with
Figure GDA00024790375000000811
; if the two are consistent, the system is normal; otherwise the current session is stopped; finally, the generated session key K_AB is transmitted to the data decryption and verification module.
Beneficial effects:
compared with the prior art, the invention provides an encryption continuous transmission method with a key negotiation function based on breakpoint resume technology, encryption technology and key negotiation; it can classify and group the transmitted data and files based on a genetic algorithm for file or data transmission systems of different scales, thereby ensuring that the system transmits data securely and efficiently, can resume from the breakpoint before the fault when a network fault occurs, and strikes a balance between security and efficiency. Room is reserved in the system for file transmission systems of different sizes so as to respond to changes in system size, and its security extensibility is strong. The SM4 algorithm is improved so as to better encrypt file-type data; the use of the encryption continuous transmission method is not limited by any system; and when the user interacts with the server, data encryption, authentication and other technologies are adopted, so that the security of the data is ensured. The system is complete, its overall security performance is good, its efficiency is high, and its extensibility and stability are good.
Drawings
FIG. 1 is an overall block diagram of the present invention;
FIG. 2 is an overall schematic block diagram of the present invention;
FIG. 3 is a service response flow diagram of the present invention;
FIG. 4 is a block diagram of a user key agreement module of the present invention;
FIG. 5 is a block diagram of a data processing and encryption module of the present invention;
FIG. 6 is a block diagram of a data decryption and verification module of the present invention;
FIG. 7 is a block diagram of a server key agreement module of the present invention;
FIG. 8 is a key agreement schematic of the present invention;
Reference numerals:
1. user key negotiation module; 1-1. negotiation challenge generation module; 1-2. user group key calculation module; 2. data processing and encryption module; 2-1. data continuous transmission preprocessing module; 2-2. data encryption module; 3. data decryption and verification module; 3-1. data decryption module; 3-2. data integrity verification and aggregation module; 4. server key negotiation module; 4-1. negotiation response generation module; 4-2. server group key calculation module.
Detailed Description
The invention is described in further detail below with reference to the following detailed description and accompanying drawings:
the invention is improved and designed on the basis of breakpoint resume technology, encryption and authentication technology and the like, and provides a secure, efficient and extensible encryption continuous transmission method which can classify and group the files to be transmitted for file transmission systems of different sizes, thereby realizing breakpoint resume, satisfying the balance between security and efficiency, and achieving the coexistence of efficiency and security in file transmission; the security of data is ensured through key agreement, data encryption and authentication technologies, and the breakpoint resume technology is improved to work together with the encryption technology to ensure the efficiency of the system.
As shown in fig. 1, which is an overall block diagram of the present invention, an encryption resume method with a key agreement function according to the present invention includes: the system comprises a user key negotiation module 1, a data processing and encrypting module 2, a data decrypting and verifying module 3 and a server key negotiation module 4. The invention is suitable for any file transmission system which can access the Internet through 3G/4G/WiFi. The user key negotiation module 1, the data processing and encryption module 2, the data decryption and verification module 3 and the server key negotiation module 4 all complete data interaction through socket interfaces.
As shown in fig. 2, the overall principle structure diagram of the present invention mainly includes four parts: the system comprises a user key negotiation module 1, a data processing and encrypting module 2, a data decrypting and verifying module 3 and a server key negotiation module 4. The user key negotiation module 1 comprises a negotiation challenge generation module 1-1 and a user group key calculation module 1-2. The data processing and encrypting module 2 comprises a continuous transmission data preprocessing module 2-1 based on a genetic algorithm and a data encrypting module 2-2. The data decryption and verification module 3 comprises a data decryption module 3-1 and a data integrity verification and aggregation module 3-2. The server key negotiation module 4 comprises a negotiation response generation module 4-1 and a server group key calculation module 4-2.
The service request flow of the present invention is shown in fig. 3:
first, the user initiates a file upload or download request; after the user key negotiation module 1 has obtained its public key certificate, the negotiation challenge generation module 1-1 sends the negotiation challenge information and receives the negotiation response information sent by the negotiation response generation module 4-1; the user group key calculation module 1-2 then integrates the information, calculates the current group key information and sends it to the data processing and encryption module 2, while the server group key calculation module 4-2 integrates the challenge information, calculates the group key information and sends it to the data decryption and verification module 3.
Second, data processing and encryption: the continuous transmission data preprocessing module 2-1 based on the genetic algorithm first judges whether a processing record of the file exists; if not, the data currently to be transmitted is classified and grouped and given labels, each group of data is encrypted and integrity-protected with the improved SM4 encryption algorithm and the group key, and the grouped ciphertext data is transmitted to the data decryption and verification module 3; if a processing record of the file exists, the previous unfinished transmission task is continued according to the label information, and the data not yet completely transmitted is sent on to the data decryption and verification module 3.
Third, data decryption and verification: the data decryption module 3-1 first decrypts the received ciphertext data and restores it to its state before encryption; the data integrity verification and aggregation module 3-2 then judges from the label information whether the data transmission is complete; if so, the restored data undergoes partial integrity verification and overall integrity verification, and the restored plaintext data is integrated according to the label information; if the transmission is not complete, only the received ciphertext data is decrypted and its partial integrity verification completed, and no integration is done until the last group of ciphertext data has been received.
Fourth, information feedback: the data integrity verification and aggregation module 4-2 integrates all received data, verifies the integrity information of the data, finally removes the labels and other information, and feeds the data back to the user to complete the data transmission.
As shown in fig. 4, the user key agreement module 1 includes a negotiation challenge generation module 1-1 and a user group key calculation module 1-2; it is responsible for initiating the negotiation challenge and receiving the response on the basis of authentication, generating a group of session keys, and resisting man-in-the-middle attacks during key negotiation; the negotiation challenge generation module 1-1 first stores the public key certificate Cert_A that the current communication entity has applied for from the trusted third party and the private key SK_A, and at the same time generates a private random number
Figure GDA0002479037500000101
defines a large prime number p and its primitive root a, publishes p and a, then randomly selects a private random number X_A (X_A < p) and calculates the current entity parameter
Figure GDA0002479037500000102
generates a signature containing the current entity parameter Y_A
Figure GDA0002479037500000103
and encrypts it with the public key of the server to obtain
Figure GDA0002479037500000104
finally, the negotiation parameter Y_A, C_A and the public key certificate Cert_A are sent as key negotiation parameters to the server group key calculation module 4-2 in the server key negotiation module 4; the user group key calculation module 1-2 receives the key negotiation parameters sent by the negotiation response generation module 4-1, including the ciphertext
Figure GDA0002479037500000105
the parameter Y_B, the public key certificate Cert_B, and the Y_A generated by the negotiation challenge generation module 1-1; it decrypts C_B with the private key SK_A to obtain
Figure GDA0002479037500000106
then, using the public key PK_B in the public key certificate Cert_B, recovers through the signature verification recovery algorithm
Figure GDA0002479037500000107
and compares the recovered Y_B
Figure GDA0002479037500000108
with the received Y_B
Figure GDA0002479037500000109
; if the comparison result is consistent, the system is judged normal; otherwise the current session is stopped; this verifies the authenticity of the data source, and then the session key is calculated
Figure GDA00024790375000001010
and the session key K_AB is transmitted to the data processing and encryption module 2; the hash value H(K_AB) of K_AB is calculated and combined with
Figure GDA00024790375000001011
and encrypted with the server-side public key PK_B to obtain
Figure GDA00024790375000001012
and the ciphertext is sent to the server key agreement module 4.
The data processing and encryption module 2 is shown in fig. 5; it comprises a continuous transmission data preprocessing module 2-1 based on a genetic algorithm and a data encryption module 2-2, and is responsible for grouping and blocking the transmitted data based on the genetic algorithm, packaging and numbering it, encrypting and integrity-protecting it with the improved SM4 algorithm, and finally transmitting the encrypted grouped data to the data decryption and verification module 3; the processing capacity and the security of the system are improved by adopting the genetic algorithm and the improved SM4 algorithm. The continuous transmission data preprocessing module 2-1 based on the genetic algorithm receives, through a TCP/IP transmission protocol based on a socket interface, the plaintext data M that the user needs to transmit, classifies and groups the data based on the genetic algorithm to obtain M_1||…||M_X = M and the number of groups num, and encodes each grouped plaintext M_X to generate a corresponding data label L_X (L_1, i.e. 00000001, corresponds to the group plaintext M_1); the grouped plaintext data with its data label, M_X||L_X, is transmitted to the data encryption module 2-2 as a service request. The data encryption module 2-2 receives the service request data of the continuous transmission data preprocessing module 2-1 based on the genetic algorithm, performs a hash operation on each group of data M_X to obtain H_X = Hash(M_X), and encrypts M_X, H_X and L_X with the improved SM4 algorithm under the session key K_AB negotiated by the user key negotiation module 1 to obtain the ciphertext
Figure GDA0002479037500000111
finally, the message
Figure GDA0002479037500000112
is sent to the data decryption and verification module 3 in the order of the labels L_X; if the data label information L_X returned by the data decryption and verification module 3 is received, sending continues from the current data label L_X; after the last group of data ciphertext has been sent, H(M) = H(M_1||…||M_X) is calculated and encrypted with the session key K_AB to obtain
Figure GDA0002479037500000113
which is sent to the data decryption and verification module; if the timeout information 111111111000 returned by the data decryption and verification module is received twice in succession,
Figure GDA0002479037500000114
is retransmitted to the data decryption and verification module.
As shown in fig. 6, the data decryption and verification module 3 includes a data decryption module 3-1 and a data integrity verification and aggregation module 3-2; the data decryption and verification module 3 designs an improved SM4 encryption and decryption algorithm and an improved integrity verification module algorithm to realize decryption and integrity verification of multiple groups of ciphertext, wherein individual and collective consistency is ensured by verifying the ciphertext of each group separately; through the individual grouped verification and the overall verification, the overall data carries no security risk and the security of the data is ensured. The data decryption module 3-1 receives from the data encryption module 2-2 the
Figure GDA0002479037500000115
ciphertext message and
Figure GDA0002479037500000116
and obtains the session key K_AB successfully negotiated by the server key negotiation module 4; if
Figure GDA0002479037500000117
has not been received, the data has not been completely transmitted, and the label information L_X of the data currently transmitted is returned to the data processing and encryption module 2; L_X is compared with num: if they are the same, the last group of labelled data has been received, and if they differ, a non-last group has been received and the next group of data continues to be transmitted; if
Figure GDA0002479037500000118
is not received within the specified time, the timeout code 111111000 is returned to the data processing and encryption module 2 twice in succession; if all the information is received normally, the data decryption module 3-1 decrypts the received
Figure GDA0002479037500000119
to obtain M_X, L_X, H_X. The data integrity verification and aggregation module 3-2, by designing an improved integrity verification module algorithm, carries out classified verification of individual integrity and collective integrity respectively. The module performs integrity verification on each group of data according to the label L_X corresponding to the sent information: the L_X obtained by decryption in the data decryption module 3-1 is compared with the L_X in the message to judge whether they are the same; if so, the system is normal, and if not, the session is stopped; the hash value of the plaintext M_X is compared with H_X in the decrypted information; if they are the same, the system is normal, otherwise the session is stopped; according to the grouping characteristics of the genetic algorithm and the label information L_X, the decrypted plaintexts are aggregated; finally, a hash operation is performed on the aggregated plaintext M to obtain H(M), which is compared with
Figure GDA0002479037500000121
; if the two are the same, the system completes the transmission normally; otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is stopped.
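The grouped transfer described above for modules 2 and 3, as an added example that is not part of the patent: a sender and a receiver exchange the labelled groups in memory, with labels L_x (L_1 = 00000001), the per-group H_x, acknowledgement by label, the final E_K(H(M)) message, the 111111000 timeout code returned twice before retransmission, and resumption from the last acknowledged label. The patent's improved SM4 algorithm and genetic-algorithm grouping are not public, so an HMAC-SHA256 keystream stand-in cipher and fixed-size chunks are assumed in their place.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Union

TIMEOUT_CODE = "111111000"  # timeout code the receiver returns (taken from the text)
GROUP_SIZE = 64             # constructed fixed chunk size, standing in for the GA grouping


def label(x: int) -> str:
    """Data label L_x as an 8-bit binary string: L_1 = '00000001'."""
    return format(x, "08b")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (NOT the patent's improved SM4): XOR with an HMAC-SHA256
    keystream in counter mode. Encryption and decryption are the same operation."""
    stream = b"".join(
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((len(data) + 31) // 32))
    return bytes(b ^ k for b, k in zip(data, stream))


def seal(key: bytes, payload: bytes) -> bytes:
    """E_K(payload) with a fresh random nonce prefixed to the ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, payload)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal()."""
    return keystream_xor(key, blob[:16], blob[16:])


class Sender:
    """Data processing and encryption module: groups M, labels, encrypts, resumes."""

    def __init__(self, key: bytes, m: bytes):
        self.key, self.m = key, m
        self.groups = [m[i:i + GROUP_SIZE] for i in range(0, len(m), GROUP_SIZE)]
        self.num = len(self.groups)
        self.acked = 0  # processing record: highest label acknowledged so far

    def message(self, x: int):
        """(L_x in clear, E_K(M_x || H_x || L_x)) for group number x (1-based)."""
        m_x = self.groups[x - 1]
        h_x = hashlib.sha256(m_x).digest()
        return label(x), seal(self.key, m_x + h_x + label(x).encode())

    def send(self, receiver: "Receiver", interrupt_before: Optional[int] = None) -> bool:
        """Send groups from the last acknowledged label onward. Returns True once the
        last group is acknowledged, False if the (simulated) link dropped first."""
        for x in range(self.acked + 1, self.num + 1):
            if interrupt_before == x:
                return False          # constructed network interruption
            if receiver.receive_group(*self.message(x)) != label(x):
                return False
            self.acked = x            # the next attempt resumes after this label
        return True

    def finish(self, receiver: "Receiver", drop_first: bool = False) -> bool:
        """Send E_K(H(M)); retransmit it after two consecutive timeout codes."""
        final = seal(self.key, hashlib.sha256(self.m).digest())
        if drop_first:  # constructed fault: the first copy never arrives
            codes = [receiver.poll_final(None), receiver.poll_final(None)]
            if codes != [TIMEOUT_CODE, TIMEOUT_CODE]:
                return False
        return receiver.poll_final(final) is True


class Receiver:
    """Data decryption and verification module: decrypts, checks, aggregates."""

    def __init__(self, key: bytes, num: int):
        self.key, self.num, self.plain = key, num, {}

    def receive_group(self, l_clear: str, blob: bytes) -> str:
        pt = unseal(self.key, blob)
        m_x, h_x, l_x = pt[:-40], pt[-40:-8], pt[-8:].decode("ascii", "replace")
        # Individual integrity: the decrypted label must equal the label carried in
        # the message and H_x must equal Hash(M_x); otherwise the session stops.
        if l_x != l_clear or not hmac.compare_digest(h_x, hashlib.sha256(m_x).digest()):
            raise ValueError("group %s failed integrity verification" % l_clear)
        self.plain[l_x] = m_x
        return l_x  # acknowledgement; l_x == label(num) means the last group arrived

    def poll_final(self, blob: Optional[bytes]) -> Union[bool, str]:
        """Check E_K(H(M)); a missing message within the wait yields the timeout code."""
        if blob is None:
            return TIMEOUT_CODE
        if len(self.plain) != self.num:
            return False
        m = b"".join(self.plain[label(x)] for x in range(1, self.num + 1))
        # Collective integrity: H(M) over the aggregated plaintext vs. the decrypted value.
        return hmac.compare_digest(unseal(self.key, blob), hashlib.sha256(m).digest())
```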
As shown in fig. 7, the server key agreement module 4 includes a negotiation response generation module 4-1 and a server group key calculation module 4-2, and is responsible for receiving the challenge initiated by the user key agreement module 1, making a response each time on the basis of completed authentication, then negotiating to generate a group of session keys, and resisting man-in-the-middle attacks during key agreement; the negotiation response generation module 4-1 first stores the public key certificate Cert_B that the current entity has applied for from the trusted third party and the private key SK_B, and at the same time generates a private random number
Figure GDA0002479037500000122
receives the large prime number p and its primitive root a published by the negotiation challenge generation module 1-1, then randomly selects a private random number X_B (X_B < p) and calculates the current entity parameter
Figure GDA0002479037500000123
generates a signature containing the current entity parameter Y_B
Figure GDA0002479037500000124
and encrypts it with the user public key PK_A to obtain
Figure GDA0002479037500000125
and sends the negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B as key negotiation parameters to the user group key calculation module 1-2; the server group key calculation module 4-2 receives the key negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A sent by the negotiation challenge generation module 1-1, and at the same time obtains the key negotiation parameter Y_B transmitted by the negotiation response generation module 4-1; using the server private key SK_B, it decrypts the ciphertext
Figure GDA0002479037500000126
to obtain
Figure GDA0002479037500000127
then, using the public key PK_A in the public key certificate Cert_A, recovers through the signature verification recovery algorithm
Figure GDA0002479037500000128
and compares the recovered Y_A with the received Y_A; if the two are consistent, the system is normal and the session key is calculated as
Figure GDA0002479037500000129
otherwise the current session is stopped; it then receives from the negotiation challenge generation module 1-1
Figure GDA00024790375000001210
decrypts it by calculation
Figure GDA00024790375000001211
and compares the result with
Figure GDA00024790375000001212
; if the two are consistent, the system is normal; otherwise the current session is stopped; finally, the generated session key K_AB is transmitted to the data decryption and verification module 3.
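The Diffie-Hellman arithmetic of modules 1 and 4 and the H(K_AB) confirmation check, as an added example in Python that is not part of the patent: both entities compute Y = a^X mod p and K_AB, and the server compares its own H(K_AB) with the user's. The signature, certificate and public-key encryption layer that binds Y_A and Y_B to Cert_A and Cert_B is assumed to exist and is not reproduced; a 64-bit safe prime generated at run time is a toy stand-in for the patent's large prime p.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test used to build the toy group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Public parameters p and a: a safe prime p = 2q + 1 and a primitive root a.
    The bit size is a toy value so the example runs instantly; the patent's
    'large prime' means a standard-sized group in practice."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    a = 2
    # For a safe prime, a is a primitive root iff a^2 != 1 and a^q != 1 (mod p).
    while pow(a, 2, p) == 1 or pow(a, q, p) == 1:
        a += 1
    return p, a


def confirm_value(k_ab: int) -> bytes:
    """H(K_AB): the confirmation value the user side sends once it holds K_AB."""
    return hashlib.sha256(k_ab.to_bytes((k_ab.bit_length() + 7) // 8, "big")).digest()


def negotiate(p: int, a: int, tamper_y_b: bool = False) -> dict:
    """Run both entities in-process; returns the keys each derived and the outcome
    of the server's H(K_AB) comparison."""
    # Entity A (user key negotiation module): private X_A, parameter Y_A = a^X_A mod p.
    x_a = secrets.randbelow(p - 2) + 1
    y_a = pow(a, x_a, p)
    # Entity B (server key negotiation module): private X_B, parameter Y_B = a^X_B mod p.
    x_b = secrets.randbelow(p - 2) + 1
    y_b = pow(a, x_b, p)
    # Constructed fault: A receives a Y_B that is not the one B computed, which is
    # what the signature check over Y_B exists to catch.
    y_b_received = pow(a, secrets.randbelow(p - 2) + 1, p) if tamper_y_b else y_b
    # Session key on each side: K_AB = Y_B^X_A = Y_A^X_B = a^(X_A*X_B) mod p.
    k_ab_user = pow(y_b_received, x_a, p)
    k_ab_server = pow(y_a, x_b, p)
    # Key confirmation: A sends H(K_AB) (encrypted to PK_B in the patent), B recomputes
    # H(K_AB) from its own key and compares; a mismatch stops the session.
    confirmed = secrets.compare_digest(confirm_value(k_ab_user), confirm_value(k_ab_server))
    return {"k_ab_user": k_ab_user, "k_ab_server": k_ab_server, "confirmed": confirmed}
```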
The key agreement principle of the system is shown in fig. 8:

First, entity A obtains a large prime p and a primitive root a of p, publishes p and a, and randomly selects a private random number X_A (X_A < p). From these three initialization parameters it computes [equation image]; then, using the parameter Y_A, the private key SK_A and the public key certificate Cert_A, it computes a signature [equation image] over the current entity parameter Y_A and the identity random number [equation image] (provided by the server authentication module), encrypts the signature with the server public key PK_B to obtain the ciphertext [equation image], and sends the ciphertext C_A, the public key certificate Cert_A and the negotiation parameter Y_A to entity B.

Second, entity B obtains the published large prime p and primitive root a of p, receives the ciphertext C_A, the public key certificate Cert_A and the negotiation parameter Y_A sent by entity A, decrypts with the server private key SK_B to obtain [equation image], and runs the signature recovery algorithm [equation image] to obtain Y_A and [equation image]. It then randomly selects a private random number X_B (X_B < p), computes [equation image] from the three initialization parameters p, a and X_B, and, using the parameter Y_B, the identity random number [equation image] (provided by the user authentication module), the private key SK_B and the public key certificate Cert_B, computes the signature [equation image] over the current entity parameter Y_B. The signature is encrypted with the user-side public key to give [equation image], and the ciphertext C_B, the public key certificate Cert_B and the negotiation parameter Y_B are sent to entity A.

Third, entity A receives the negotiation parameters sent by entity B, namely the ciphertext C_B, the public key certificate Cert_B and Y_B, decrypts C_B with the user-side private key SK_A to obtain [equation image], and computes [equation image] with the public key PK_B from the public key certificate Cert_B by the signature verification recovery algorithm. It checks whether Y_B in the negotiation parameters and [equation image] agree with the result of signature verification recovery; if so the system is normal, otherwise the current session is stopped. This verifies the reliability of the data source. Entity A then computes [equation image] to obtain the session key and finally sends [equation image] to entity B.

Fourth, entity B computes [equation image] to obtain the session key, receives the authentication message [equation image] sent by entity A, decrypts it with the private key SK_B to verify [equation image], and compares the result with the [equation image] received by the server identity authentication module. If they are the same the system is normal; otherwise the current session is stopped. This verifies the authenticity of the data source.
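The four-message exchange of fig. 8, and the same steps as restated for modules (1) and (4) in claim 1 below, run end to end in Python as an added example (not the patent's own code). Everything the page leaves to a figure is filled with a labelled assumption: textbook RSA without padding stands in for the certificate keys and for the signature-with-message-recovery scheme (toy only, insecure as is), the session key K_AB is SHA-256 of the Diffie-Hellman secret a^(X_A X_B) mod p, the certificates are plain dicts with no CA signature, the nonces N_IDA and N_IDB are taken as already shared by the earlier authentication phase, and the group is the toy p = 10^9+7 with primitive root a = 5. The run_protocol(mitm=True) path shows the check the page relies on against man-in-the-middle attack: a substituted Y_A no longer matches the Y_A recovered from the signature, and B stops the session.

```python
"""Four-message key agreement of fig. 8, run end to end (added example, not the
patent's code).  Assumptions not taken from the page: textbook RSA without
padding stands in for the certificate keys and for the signature-with-message-
recovery scheme (toy only); K_AB is SHA-256 of the Diffie-Hellman secret;
certificates are plain dicts without a CA signature; the nonces N_IDA and
N_IDB are already shared by the earlier authentication phase; the group is
the toy p = 10**9 + 7 with primitive root a = 5."""
import hashlib
import secrets

P, A_ROOT = 1_000_000_007, 5   # p - 1 = 2 * 500000003, so 5 is a primitive root
LIMB = 512                     # bits per RSA-encrypted limb (assumption)
NONCE_LEN = 16

def dh_params_ok(p=P, a=A_ROOT, factors=(2, 500000003)):
    """a generates Z_p* iff a^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in factors)

def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # (PK, SK)

def sign_recover(m, sk):                       # s = m^d mod n
    return pow(m, sk[0], sk[1])

def recover(s, pk):                            # m = s^e mod n (message recovery)
    return pow(s, pk[0], pk[1])

def pk_encrypt(m, pk):
    """Encrypt an integer of any size as a list of LIMB-bit RSA blocks."""
    limbs = []
    while True:
        limbs.append(pow(m & ((1 << LIMB) - 1), pk[0], pk[1]))
        m >>= LIMB
        if not m:
            return limbs

def pk_decrypt(limbs, sk):
    m = 0
    for c in reversed(limbs):
        m = (m << LIMB) | pow(c, sk[0], sk[1])
    return m

def pack(y, nonce):                            # Y (4 bytes, Y < p) || nonce
    return int.from_bytes(y.to_bytes(4, "big") + nonce, "big")

def unpack(m):
    raw = m.to_bytes(4 + NONCE_LEN, "big")     # OverflowError on garbage
    return int.from_bytes(raw[:4], "big"), raw[4:]

class Entity:
    def __init__(self, name, rsa_primes, n_id):
        self.name, self.n_id, self.key = name, n_id, None
        self.pk, self.sk = rsa_keypair(*rsa_primes)
        self.cert = {"id": name, "pk": self.pk}
        self.x = secrets.randbelow(P - 2) + 1  # private X, 1 <= X < p
        self.y = pow(A_ROOT, self.x, P)        # Y = a^X mod p

    def challenge(self, peer_cert):
        """Messages 1 and 2: (Y, C = E_peer(Sig_own(Y || N_ID)), Cert)."""
        sig = sign_recover(pack(self.y, self.n_id), self.sk)
        return self.y, pk_encrypt(sig, peer_cert["pk"]), self.cert

    def verify_peer(self, msg, peer_nonce):
        """Decrypt C, recover (Y, N) and compare with the received Y and the
        nonce from authentication; a mismatch (e.g. a MITM-substituted Y)
        stops the session, otherwise K_AB is derived from the verified Y."""
        y_recv, c, cert = msg
        try:
            y_rec, n_rec = unpack(recover(pk_decrypt(c, self.sk), cert["pk"]))
        except OverflowError:
            y_rec, n_rec = None, None
        if y_rec != y_recv or n_rec != peer_nonce:
            raise ValueError(f"{self.name}: parameter mismatch, session stopped")
        shared = pow(y_recv, self.x, P)        # a^(X_A X_B) mod p
        self.key = hashlib.sha256(shared.to_bytes(4, "big")).digest()
        return self.key

    def confirm(self, peer_cert, peer_nonce):
        """Message 3 (A -> B): E_PKB(H(K_AB) || N_IDB)."""
        blob = hashlib.sha256(self.key).digest() + peer_nonce
        return pk_encrypt(int.from_bytes(blob, "big"), peer_cert["pk"])

    def check_confirm(self, c):
        """Message 4 (B): decrypt and compare with own H(K_AB) || N_IDB."""
        expect = hashlib.sha256(self.key).digest() + self.n_id
        return pk_decrypt(c, self.sk) == int.from_bytes(expect, "big")

def run_protocol(mitm=False):
    """True when both sides end with the same K_AB and confirmation passes;
    False when a check stops the session (mitm=True substitutes Y_A in flight)."""
    a = Entity("A", (2**521 - 1, 2**127 - 1), secrets.token_bytes(NONCE_LEN))
    b = Entity("B", (2**607 - 1, 2**107 - 1), secrets.token_bytes(NONCE_LEN))
    try:
        msg1 = a.challenge(b.cert)                     # A -> B: Y_A, C_A, Cert_A
        if mitm:                                       # attacker replaces Y_A only
            msg1 = (msg1[0] * A_ROOT % P, msg1[1], msg1[2])
        b.verify_peer(msg1, a.n_id)                    # B: recover Y_A, compare, K_AB
        msg2 = b.challenge(a.cert)                     # B -> A: Y_B, C_B, Cert_B
        a.verify_peer(msg2, b.n_id)                    # A: recover Y_B, compare, K_AB
        if not b.check_confirm(a.confirm(b.cert, b.n_id)):
            raise ValueError("B: key confirmation failed")
    except ValueError:
        return False
    return a.key == b.key

if __name__ == "__main__":
    print("params ok:", dh_params_ok(), "honest run:", run_protocol(),
          "MITM run:", run_protocol(mitm=True))
```

In a real deployment the unpadded RSA operations would be replaced by a padded signature scheme and a padded or hybrid encryption, each certificate would be verified against the trusted third party's key before PK_A or PK_B is used, and a second confirmation would normally run in the other direction as well; the page's steps 3 and 4 confirm only A's key to B.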
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any modifications or equivalent variations made in accordance with the technical spirit of the present invention may fall within the scope of the present invention as claimed.

Claims (1)

1. An encryption continuous transmission method with a key agreement function, wherein the system used with the method comprises a user key agreement module (1), a data processing and encryption module (2), a data decryption and verification module (3) and a server key agreement module (4); the method is characterized by comprising the following specific steps:
the user key negotiation module (1) comprises a negotiation challenge generation module (1-1) and a user group key calculation module (1-2); it is responsible for initiating the negotiation challenge and receiving the response on the basis of authentication, generating a group of session keys, and resisting man-in-the-middle attack during key negotiation;

the negotiation challenge generation module (1-1) first stores the public key certificate Cert_A that the current communication entity applied for from the trusted third party and the private key SK_A, and generates a private random number [equation image]; it defines a large prime p and its primitive root a, publishes p and a, randomly selects a private random number X_A (X_A < p), computes the current entity negotiation parameter [equation image], generates with the private key SK_A a signature [equation image] containing the current entity negotiation parameter Y_A, encrypts it with the server public key PK_B to obtain [equation image], and finally sends the current entity negotiation parameter Y_A, C_A and the public key certificate Cert_A as key agreement parameters to the server group key calculation module (4-2) in the server key agreement module (4);

the user group key calculation module (1-2) receives the key negotiation parameters sent by the negotiation response generation module (4-1) of the server key negotiation module (4), namely the ciphertext [equation image], the parameter Y_B and the public key certificate Cert_B, together with the Y_A generated by the negotiation challenge generation module (1-1); it decrypts C_B with the private key SK_A to obtain [equation image], then recovers [equation image] with the public key PK_B from the public key certificate Cert_B by the signature verification recovery algorithm, and compares the recovered Y_B and [equation image] with the received Y_B and [equation image]; if they are consistent the system is judged normal, otherwise the current session is stopped, which verifies the authenticity of the data source; it then computes the session key [equation image], passes the session key K_AB to the data processing and encryption module (2), and at the same time computes the hash value H(K_AB) of K_AB, combines it with N_IDB, encrypts with the server-side public key PK_B to obtain [equation image], and sends this ciphertext to the server key negotiation module (4);
the data processing and encryption module (2) comprises a continuous transmission data preprocessing module (2-1) based on a genetic algorithm and a data encryption module (2-2); it is responsible for grouping and blocking the data to be transmitted based on the genetic algorithm, packaging and numbering the blocks, encrypting them and protecting their integrity with the improved SM4 algorithm, and finally transmitting the encrypted grouped data to the data decryption and verification module (3); the processing capacity and the security of the system are improved by the genetic algorithm and the improved SM4 algorithm;

the continuous transmission data preprocessing module (2-1) based on the genetic algorithm receives the plaintext data M that the user needs to transmit through the TCP/IP transmission protocol over a socket interface, classifies and groups the data based on the genetic algorithm to obtain M_1||…||M_X = M and the number of groups num, and encodes each grouped plaintext M_x to generate the corresponding data label information L_x (L_1 is 00000001, corresponding to the block plaintext M_1); the grouped plaintext data with its data label, M_x||L_x, is passed to the data encryption module (2-2) in the form of a service request;

the data encryption module (2-2) receives the service request data of the continuous transmission data preprocessing module (2-1) based on the genetic algorithm, performs a hash operation on each group of data M_x to obtain H_x = Hash(M_x), encrypts M_x, H_x and L_x with the improved SM4 algorithm under the session key K_AB negotiated by the user key negotiation module (1) to obtain the ciphertext [equation image], and finally sends the message [equation image] in the order of the data label information L_x to the data decryption and verification module (3); when the data decryption and verification module (3) returns the data label information L_x on receipt, sending continues from the current data label information L_x; after the last group of data ciphertext has been sent, it computes H(M) = H(M_1||…||M_X), encrypts it with the session key K_AB to obtain [equation image] and sends it to the data decryption and verification module (3); if the timeout code 111111000 returned by the data decryption and verification module (3) is received twice in succession, it retransmits [equation image] to the data decryption and verification module (3);
the data decryption and verification module (3) comprises a data decryption module (3-1) and a data integrity verification and aggregation module (3-2); it designs an improved SM4 encryption and decryption algorithm and an improved integrity verification module algorithm to decrypt and verify the integrity of multiple groups of ciphertext, where individual and collective consistency is ensured by verifying the ciphertext of each group separately; through the individual grouping verification and the overall verification, the data as a whole carries no security risk and the security of the data is ensured;

the data decryption module (3-1) uses the session key K_AB; it receives the ciphertext messages [equation image] and [equation image] sent by the data encryption module (2-2), and obtains the session key K_AB successfully negotiated by the server key negotiation module (4); if [equation image] has not been received, the data has not been completely transmitted, and the data label information L_x of the currently transmitted data is returned to the data processing and encryption module (2); L_x is compared with num: if they are the same the last group of labelled data has been received, if they differ a non-final group has been received and transmission of the next group continues; if [equation image] is not received within the specified time, the timeout code 111111000 is returned twice in succession to the data processing and encryption module (2); if all the information is received normally, the data decryption module (3-1) decrypts the received message [equation image] with the session key K_AB to obtain M_x, L_x and H_x;

the data integrity verification and aggregation module (3-2) verifies individual integrity and collective integrity separately by means of a designed improved integrity verification module algorithm; it verifies the integrity of each group of data according to the data label information L_x corresponding to the sent information, compares the L_x obtained by decryption in the data decryption module (3-1) with the L_x in the message to judge whether they are the same, and if so the system is normal, otherwise the session is stopped; it compares the hash value of the plaintext M_x with the H_x in the decrypted information, and if they are the same the system is normal, otherwise the session is stopped; it aggregates the decrypted plaintext according to the grouping characteristics of the genetic algorithm and the data label information L_x as M = M_1||…||M_X, and finally performs a hash operation on the aggregated plaintext M to obtain H(M), which is compared with [equation image], where [equation image] is obtained by decrypting [equation image] with the session key K_AB; if the two are the same the system completes the transmission normally, otherwise the plaintext obtained by decryption does not meet the integrity requirement and the current session is stopped;
the server key negotiation module (4) comprises a negotiation response generation module (4-1) and a server group key calculation module (4-2), and is responsible for receiving the challenge initiated by the user key negotiation module (1) on the basis of the authentication completed each time, making a response, negotiating a group of session keys, and resisting man-in-the-middle attack during key negotiation;

the negotiation response generation module (4-1) first stores the public key certificate Cert_B that the current entity applied for from the trusted third party and the private key SK_B, and generates a private random number [equation image]; it receives the large prime p and its primitive root a published by the negotiation challenge generation module (1-1), randomly selects a private random number X_B (X_B < p), computes the current entity negotiation parameter [equation image], generates with the private key SK_B a signature [equation image] containing the current entity negotiation parameter Y_B, encrypts it with the user public key PK_A to obtain [equation image], and sends the current entity negotiation parameter Y_B, the ciphertext C_B and the public key certificate Cert_B as key agreement parameters to the user group key calculation module (1-2);

the server group key calculation module (4-2) receives the current entity negotiation parameter Y_A, the ciphertext C_A and the public key certificate Cert_A from the negotiation challenge generation module (1-1), and also obtains the current entity negotiation parameter Y_B produced by the negotiation response generation module (4-1); it decrypts the ciphertext [equation image] with the application server private key SK_B to obtain [equation image], then recovers [equation image] with the public key PK_A from the public key certificate Cert_A by the signature verification recovery algorithm, and compares the recovered Y_A with the received Y_A; if they are consistent the system is normal and the session key [equation image] is computed, otherwise the current session is stopped; it receives [equation image] sent by the negotiation challenge generation module (1-1), decrypts it with the private key SK_B to obtain [equation image], and compares the result with [equation image]; if they are consistent the system is normal, otherwise the current session is stopped; finally, the generated session key K_AB is passed to the data decryption and verification module (3);
first, the user key negotiation module (1) is responsible for generating the challenge information, carries out the protocol interaction with the server key negotiation module (4), and generates, through the self-designed session interaction protocol, a group of session keys for encrypting the grouped communication data; the server key negotiation module (4) generates the response message, completes the protocol interaction with the user key negotiation module (1), and finally generates a group of session keys for decrypting the ciphertext;

then the data processing and encryption module (2) is responsible for grouping and marking the data to be transmitted based on a genetic algorithm and for encrypting and integrity-protecting the marked grouped data; the data decryption and verification module (3) decrypts all the received ciphertext and verifies the integrity of each group of decrypted plaintext;

and finally, all the decrypted plaintexts are combined and the integrity is verified again.
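The grouped transfer of modules (2) and (3) in claim 1, as an added example in Python (not the patent's own code). Stand-ins are used wherever the claim names something this page does not specify: fixed 16-byte chunking instead of the genetic-algorithm grouping, a counter-mode keystream derived with HMAC-SHA256 instead of the "improved SM4", SHA-256 as Hash(), a one-byte label with L_1 = 00000001 and label 0 reserved for the final E_KAB(H(M)) message, and an in-memory Receiver instead of a TCP socket. The sample key and plaintext are constructed. transfer() walks through the per-label acknowledgement, the final hash message, the retransmission after two timeout codes 111111000, and the per-group L_x and H_x checks followed by the H(M) check over the aggregated plaintext; tamper_rejected() shows a flipped ciphertext byte stopping the session.

```python
"""Grouped encrypted transfer with per-group and whole-message integrity checks
(added example for modules (2) and (3) of claim 1; not the patent's own code).

Assumptions, not taken from the patent: fixed-size chunking stands in for the
genetic-algorithm grouping; a counter-mode keystream from HMAC-SHA256 stands in
for the 'improved SM4'; Hash() is SHA-256; L_x is one byte (L_1 = 00000001)
and label 0 is reserved for the final E_KAB(H(M)) message; the link is an
in-memory object rather than a TCP socket."""
import hashlib
import hmac

TIMEOUT_CODE = 0b111111000     # timeout code 111111000 from the claim
BLOCK = 16                     # bytes per group (assumption)
SAMPLE_KEY = hashlib.sha256(b"constructed K_AB for the example").digest()
SAMPLE_M = b"constructed plaintext: block transfer with labels L_1..L_num and H(M) check"

def keystream_xor(key, label, data):
    """XOR data with PRF(key, label || counter) blocks; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, bytes([label]) + (i // 32).to_bytes(4, "big"),
                      hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def preprocess(m):
    """Module 2-1 stand-in: M = M_1 || ... || M_num, labelled 1..num."""
    groups = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)] or [b""]
    return [(x + 1, m_x) for x, m_x in enumerate(groups)]

def encrypt_group(key, label, m_x):
    """Module 2-2: (L_x, E_KAB(M_x || H_x || L_x)) with H_x = Hash(M_x)."""
    h_x = hashlib.sha256(m_x).digest()
    return label, keystream_xor(key, label, m_x + h_x + bytes([label]))

def final_packet(key, m):
    """After the last group: (0, E_KAB(H(M_1 || ... || M_num)))."""
    return 0, keystream_xor(key, 0, hashlib.sha256(m).digest())

class Receiver:
    """Modules 3-1 (decrypt) and 3-2 (verify and aggregate) on the server side."""
    def __init__(self, key, num):
        self.key, self.num, self.groups, self.final = key, num, {}, None

    def receive(self, packet):
        """Store a packet and ack with its label; the sender resumes from it."""
        label, _ = packet
        if label == 0:
            self.final = packet
        else:
            self.groups[label] = packet
        return label

    def poll_final(self):
        """Timeout code while E_KAB(H(M)) has not arrived after the last group."""
        return TIMEOUT_CODE if self.final is None else 0

    def verify_and_assemble(self):
        parts = []
        for x in range(1, self.num + 1):
            label, c = self.groups[x]
            pt = keystream_xor(self.key, label, c)
            m_x, h_x, l_x = pt[:-33], pt[-33:-1], pt[-1]
            if l_x != label:
                raise ValueError(f"group {x}: decrypted label {l_x} != {label}")
            if hashlib.sha256(m_x).digest() != h_x:
                raise ValueError(f"group {x}: H_x mismatch, session stopped")
            parts.append(m_x)
        m = b"".join(parts)
        if self.final is None:
            raise ValueError("E_KAB(H(M)) never arrived, session stopped")
        if keystream_xor(self.key, 0, self.final[1]) != hashlib.sha256(m).digest():
            raise ValueError("H(M) mismatch after aggregation, session stopped")
        return m

def transfer(key, m, tamper_label=None, lose_final_once=False):
    """Run the sender (module 2) against a Receiver (module 3); returns M."""
    groups = preprocess(m)
    rx = Receiver(key, num=len(groups))
    for label, m_x in groups:
        label, c = encrypt_group(key, label, m_x)
        if label == tamper_label:                 # simulated on-path bit flip
            c = bytes([c[0] ^ 0x01]) + c[1:]
        if rx.receive((label, c)) != label:       # ack carries the label L_x
            raise RuntimeError("unexpected acknowledgement")
    if not lose_final_once:
        rx.receive(final_packet(key, m))
    # Two consecutive timeout codes trigger retransmission of E_KAB(H(M)).
    if rx.poll_final() == TIMEOUT_CODE and rx.poll_final() == TIMEOUT_CODE:
        rx.receive(final_packet(key, m))
    return rx.verify_and_assemble()

def tamper_rejected(key, m, label):
    """True when a corrupted group stops the session, as the claim requires."""
    try:
        transfer(key, m, tamper_label=label)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(transfer(SAMPLE_KEY, SAMPLE_M) == SAMPLE_M,
          transfer(SAMPLE_KEY, SAMPLE_M, lose_final_once=True) == SAMPLE_M,
          tamper_rejected(SAMPLE_KEY, SAMPLE_M, 2))
```

One caveat a practitioner would add: with a stream-cipher mode, H_x inside the ciphertext detects accidental corruption and blind bit flips, but an attacker who knows M_x can change both M_x and the encrypted H_x consistently. A keyed tag over the ciphertext (an HMAC under a key derived from K_AB, or an AEAD mode) is the standard way to bind each group to the session key; the claim leaves this to the "improved SM4", whose details are not given on this page.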

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010227436.XA CN111447276B (en) 2020-03-27 2020-03-27 Encryption continuous transmission method with key agreement function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010227436.XA CN111447276B (en) 2020-03-27 2020-03-27 Encryption continuous transmission method with key agreement function

Publications (2)

Publication Number Publication Date
CN111447276A CN111447276A (en) 2020-07-24
CN111447276B true CN111447276B (en) 2022-11-15

Family

ID=71648110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010227436.XA Active CN111447276B (en) 2020-03-27 2020-03-27 Encryption continuous transmission method with key agreement function

Country Status (1)

Country Link
CN (1) CN111447276B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039663B (en) * 2020-08-27 2023-08-04 深圳供电局有限公司 Data transmission method and system
CN112702332B (en) * 2020-12-21 2022-09-16 张华� Chain key exchange method, client, server and system
CN112702355B (en) * 2020-12-29 2023-07-25 福建正孚软件有限公司 Cross-border file transmission method and system integrating operation and maintenance system
CN113328993B (en) * 2021-04-29 2022-01-18 北京连山科技股份有限公司 Data security transmission method and system combining multimode communication and Aont transformation
CN114679314B (en) * 2022-03-23 2023-01-31 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
CN114915622B (en) * 2022-05-31 2024-01-30 广东三维睿新科技有限公司 File transmission method based on http for web terminal
CN115860768B (en) * 2023-02-16 2023-06-02 浙江天演维真网络科技股份有限公司 Source tracing method and device based on blockchain and electronic equipment thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603485B (en) * 2016-10-31 2020-03-03 美的智慧家居科技有限公司 Key agreement method and device

Also Published As

Publication number Publication date
CN111447276A (en) 2020-07-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant