CN111885055A - Communication method and device - Google Patents
Communication method and device Download PDFInfo
- Publication number
- CN111885055A CN111885055A CN202010712538.0A CN202010712538A CN111885055A CN 111885055 A CN111885055 A CN 111885055A CN 202010712538 A CN202010712538 A CN 202010712538A CN 111885055 A CN111885055 A CN 111885055A
- Authority
- CN
- China
- Prior art keywords
- message
- terminal
- cloud system
- communication
- verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a communication method and a communication device, and belongs to the technical field of communication. The communication method comprises the following steps: sending a request message to a cloud system; receiving an authentication certificate returned by the cloud system, and checking the authentication certificate; when the authentication certificate passes the verification, a random key is generated and sent to the cloud system; receiving a verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message or not; when the verification message is consistent with the request message, the communication with the cloud system is carried out according to a predetermined communication mode, so that the problem that the communication content is leaked due to the leakage of the secret key is avoided, and the safe communication between the terminal and the cloud system can be guaranteed.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a communication method and apparatus.
Background
With the development of communication technology and cloud technology, the terminal can communicate with the cloud system. In the communication process, in order to prevent a man-in-the-middle attack from tampering or stealing the communication message, the communication message needs to be encrypted to ensure the communication security. In some embodiments, the two communication parties encrypt the communication message by using their own private keys and then send the communication message to the opposite party, and the communication message is cracked by using the reserved public key of the opposite party after receiving the communication message sent by the opposite party. However, the public key used for decrypting the communication message is easily intercepted illegally, so that the communication content is cracked, which poses a great threat to the communication security. For example, the man-in-the-middle intercepts the public key of one communication party and replaces the public key with the public key of the man-in-the-middle, and the other communication party is unaware of the replacement of the public key, so that the public key of the man-in-the-middle is used for encrypting and then sending the communication message, the man-in-the-middle can intercept the communication message and crack the communication message by using the private key of the man-in-the-middle, and the communication content is leaked.
Therefore, how to avoid the communication content leakage caused by the key leakage and establish the secure communication between the terminal and the cloud system becomes an urgent problem to be solved in the field.
Disclosure of Invention
Therefore, the invention provides a communication method and a communication device, which aim to solve the problem that communication safety cannot be guaranteed due to the fact that communication contents are leaked because secret keys are easy to leak.
In order to achieve the above object, a first aspect of the present invention provides a communication method applied to a terminal, including:
sending a request message to a cloud system;
receiving an authentication certificate returned by the cloud system, and checking the authentication certificate;
when the authentication certificate passes the verification, generating a random key, and sending the random key to the cloud system;
receiving a verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message;
and when the verification message is consistent with the request message, communicating with the cloud system according to a pre-agreed communication mode.
Further, said verifying said certificate of authenticity comprises:
and calling a certificate signature verification function, and verifying the certificate by using a public key of a root certificate of authentication prefabricated by the terminal.
Further, the communicating with the cloud system according to a pre-agreed communication method includes:
generating an uplink communication message according to a predetermined communication message format;
encrypting the uplink communication message by using the random key to obtain an uplink encrypted communication message;
and sending the uplink encrypted communication message to the cloud system.
Further, after the sending the uplink encrypted communication message to the cloud system, the method further includes:
and receiving the downlink encrypted communication message generated and sent by the cloud system.
In order to achieve the above object, a second aspect of the present invention provides a communication method applied to a cloud system, including:
receiving a request message sent by a terminal;
sending an authentication certificate to the terminal;
receiving a random key sent by the terminal;
and generating a verification message according to a preset encryption algorithm based on the random key and the request message, sending the verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message or not, and communicating with the current cloud system according to a predetermined communication mode when the verification message is consistent with the request message.
Further, before receiving the request message sent by the terminal, the method further includes:
creating a socket and binding the socket with an internet protocol address and a port;
monitoring the connection state of a transmission control protocol of the terminal through the socket;
and when the connection state of the transmission control protocol is monitored to be the initial connection state, establishing transmission control protocol connection with the terminal.
Further, after sending the verification message to the terminal, the method further includes:
receiving an uplink encrypted communication message sent by the terminal; wherein the uplink encrypted communication message is a message generated by the terminal when the verification message coincides with the request message.
Further, after receiving the uplink encrypted communication message sent by the terminal, the method further includes:
generating a downlink communication message according to a predetermined communication message format;
encrypting the downlink communication message by using the random key to obtain a downlink encrypted communication message;
and sending the downlink encrypted communication message to the terminal.
In order to achieve the above object, a third aspect of the present invention provides a communication apparatus, applied to a terminal, including:
the terminal sending module is used for sending a request message to the cloud system; sending the random key to the cloud system;
the terminal receiving module is used for receiving the authentication certificate returned by the cloud system; receiving a verification message returned by the cloud system;
the signature verification module is used for verifying the certificate;
the key generation module is used for generating the random key when the authentication certificate passes the signature verification;
a comparison module for comparing whether the verification message is consistent with the request message;
and the communication module is used for communicating with the cloud system according to a pre-agreed communication mode when the verification message is consistent with the request message.
In order to achieve the above object, a fourth aspect of the present invention provides a communication apparatus applied in a cloud system, including:
the cloud receiving module is used for receiving a request message sent by the terminal; receiving a random key sent by the terminal;
the cloud sending module is used for sending an authentication certificate to the terminal; sending a verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message or not, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode;
and the message generation module is used for generating the verification message according to a preset encryption algorithm based on the random key and the request message.
The invention has the following advantages:
the communication method provided by the invention sends a request message to a cloud system; receiving an authentication certificate returned by the cloud system, and checking the authentication certificate; when the authentication certificate passes the verification, a random key is generated and sent to the cloud system; receiving a verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message or not; when the verification message is consistent with the request message, the communication with the cloud system is carried out according to a predetermined communication mode, so that the problem that the communication content is leaked due to the leakage of the secret key is avoided, and the safe communication between the terminal and the cloud system can be guaranteed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 is a flowchart of a communication method according to a first embodiment of the present invention;
fig. 2 is a flowchart of a communication method according to a second embodiment of the present invention;
fig. 3 is a flowchart of a communication method according to a third embodiment of the present invention;
fig. 4 is a flowchart of a communication method according to a fourth embodiment of the present invention;
fig. 5 is a flowchart of a communication method according to a fifth embodiment of the present invention;
fig. 6 is a flowchart of a communication method according to a sixth embodiment of the present invention;
fig. 7 is a schematic block diagram of a communication device according to a seventh embodiment of the present invention;
fig. 8 is a schematic block diagram of a communication device according to an eighth embodiment of the present invention;
in the drawings:
701: terminal sending module 702: terminal receiving module
703: the signature verification module 704: key generation module
705: the comparison module 706: communication module
801: cloud receiving module 802: cloud sending module
803: message generation module
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
The communication method and the communication device provided by the invention consider that when the two communication parties use the pre-agreed secret key to encrypt the communication message to carry out the communication process, the secret key is easy to intercept, so that the communication content is divulged, and the communication safety of the two communication parties is threatened. In view of this, a new communication method is provided, which can avoid the problem that the communication content is leaked due to the leakage of the secret key, thereby ensuring the communication security of both communication parties.
Fig. 1 is a flowchart of a communication method according to a first embodiment of the present invention, which is applied to a terminal. As shown in fig. 1, the communication method may include the steps of:
step S101, sending a request message to a cloud system.
Wherein the request message includes a plurality of types. In practice, the terminal may select an appropriate type of request message according to actual requirements to obtain the expected response and feedback information.
In the process of communication between the terminal and the cloud system, in order to avoid leakage of communication content, a secret key for encrypting the communication message is generally agreed between the terminal and the cloud system in advance, and the communication message is encrypted by using the secret key and then transmitted. However, if an illegal broker intercepts the secret key, the broker may perform illegal communication with the terminal or the cloud system through the secret key to obtain communication content, and the terminal or the cloud system cannot judge whether the broker is a trusted correspondent node or an illegal correspondent node due to trust of the secret key. Therefore, the authentication certificate is introduced, the secret key is transmitted in the authentication certificate mode, the receiver can determine the legal identity of the opposite communication terminal through the authentication certificate, and then safe communication is carried out according to the secret key, and the purpose of effectively avoiding man-in-the-middle attack is achieved.
At present, in the internet, specifically to an application Layer, an SSL (Secure Sockets Layer) Protocol is often used to perform authentication and data encryption of both communication parties, and the SSL Protocol and an HTTP (hypertext transfer Protocol) Protocol are often combined to form an HTTPs (Secure hypertext transfer Protocol) Protocol, and the authentication and the encrypted data transmission of both communication parties are completed through the HTTPs Protocol. In some embodiments, the terminal and the cloud system implement HTTPS connection by creating a socket and a TCP (Transmission Control Protocol) connection of a transport layer.
In one embodiment, the terminal establishes a connection with the cloud system and sends a request message to the cloud system. Specifically, the cloud system creates a socket, binds the socket with an internet protocol address and a port, and then monitors the connection state of the transmission control protocol of the terminal through the socket. Correspondingly, the terminal also creates a socket and initiates a tcp connection request to the cloud system (at this time, the connection status of the tcp of the terminal becomes the connection initiating status). When the cloud system monitors that the connection state of the transmission control protocol of the terminal is the connection initiating state, the transmission control protocol connection is established with the terminal, and the terminal sends a request message to the cloud system.
And step S102, receiving the authentication certificate returned by the cloud system, and checking the authentication certificate.
The authentication certificate comprises a plurality of types, and the type of the authentication certificate is related to the type of a request message sent by the terminal to the cloud system. Certificate certificates are typically issued by a CA (certificate authority) authority, an authoritative third party that is trusted and approved by both the relevant industry and the corresponding public. After receiving the certificate, the user can verify the authenticity of the certificate, and when the certificate is verified to be a real certificate, the user confirms that the identity of the opposite end sending the certificate is real and credible. In some embodiments, the content of the certificate of authenticity includes, but is not limited to, CA authority information, user information, public keys, signatures, and certificate validity periods.
In one embodiment, after receiving an authentication certificate returned by a cloud system, a terminal calls a certificate verification function, and verifies the authentication certificate by using a public key of a root authentication certificate prefabricated by the terminal. When the authentication certificate passes the verification, the identity of the cloud system is true and credible, otherwise, the identity of the cloud system is false.
It should be noted that other signature verification methods may also be adopted for the signature verification authentication certificate, and the specific signature verification method is not used to limit the protection scope of the embodiment of the present application.
And step S103, when the certificate passes the signature verification, generating a random key, and sending the random key to the cloud system.
The random key is a random number or a random character string, and may be generated according to a random number generation function or obtained by using a random number generator. The random key has certain randomness, and is more difficult to crack than a fixed key, so that the communication security can be increased. In actual use, the length of the random key and the supported character types can be further specified, so that the random keys with different cracking difficulties can be obtained, and the method is suitable for application scenes with different security levels.
In one embodiment, when the authentication certificate passes the verification, it is indicated that the identity of the cloud system sending the authentication certificate is authentic and trusted, and the cloud system obtains the trust of the terminal. Therefore, the terminal calls a random number generation function to generate a 128-bit pseudo-random number K, uses the K as a random key, and sends the K to the cloud system.
It should be noted that the terminal may further encrypt the random key to generate an encrypted random key, and then send the encrypted random key to the cloud system, so as to increase the security of the random key and prevent the random key from being decrypted to some extent.
It can be understood that, when the random key sent by the terminal to the cloud system is the encrypted random key, after the cloud system receives the encrypted random key, the encrypted random key needs to be decrypted to obtain the random key. The method of encrypting the random key and decrypting the random key includes any encryption or decryption method that occurs now or in the future.
And step S104, receiving a verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message.
The verification message is generated by the cloud system based on the request message and the random key.
In one embodiment, after receiving the random key sent by the terminal, the cloud system encrypts the content of the request message by using the random key to generate a verification message, and sends the verification message to the terminal. And the terminal receives the verification message sent by the cloud system and further compares whether the verification message is consistent with the request message. When the verification message is consistent with the request message, the request message and the random key received by the cloud system are both true, and the message transmitted by the terminal and the cloud system in the current communication process is not subjected to illegal tampering, so that the communication safety is further proved; otherwise, the current communication process is unsafe, and the terminal and the cloud system stop communicating.
And step S105, when the verification message is consistent with the request message, communicating with the cloud system according to a predetermined communication mode.
When the verification message is consistent with the request message, the communication between the terminal and the cloud system is safe, so that the terminal and the cloud system can transmit the communication message according to a predetermined communication mode, and safe information interaction is realized.
In one embodiment, when the verification message is consistent with the request message, the terminal generates an uplink communication message according to a pre-agreed communication message format, encrypts the uplink communication message by using a random key to obtain an uplink encrypted communication message, and then sends the uplink encrypted communication message to the cloud system.
Fig. 2 is a flowchart of a communication method according to a second embodiment of the present invention, which is applied to a terminal, and is substantially the same as the first embodiment of the present invention, except that: after the terminal communicates with the cloud system according to a predetermined communication mode, the terminal receives a downlink encrypted communication message sent by the cloud system. As shown in fig. 2, the communication method may include the steps of:
step S201, a request message is sent to the cloud system.
Step S201 in this embodiment is the same as step S101 in the first embodiment of the present invention, and is not described herein again.
Step S202, receiving the authentication certificate returned by the cloud system, and checking the authentication certificate.
Step S202 in this embodiment is the same as step S102 in the first embodiment of the present invention, and is not described herein again.
Step S203, when the certificate passes the signature verification, a random key is generated and sent to the cloud system.
Step S203 in this embodiment is the same as step S103 in the first embodiment of the present invention, and is not described herein again.
Step S204, receiving the verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message.
Step S204 in this embodiment is the same as step S104 in the first embodiment of the present invention, and is not described herein again.
And step S205, when the verification message is consistent with the request message, communicating with the cloud system according to a predetermined communication mode.
Step S205 in this embodiment is the same as step S105 in the first embodiment of the present invention, and is not described herein again.
Step S206, receiving the downlink encrypted communication message generated and sent by the cloud system.
When the terminal determines that the verification message is consistent with the request message, the terminal can perform safe communication with the cloud system, the terminal can send an uplink message to the cloud system, and similarly, the cloud system can also send a downlink message to the terminal.
In one embodiment, when the terminal and the cloud system determine that communication is in a safe state, the cloud system generates a downlink communication message according to a pre-agreed communication message format, encrypts the downlink communication message by using a random key to obtain a downlink encrypted communication message, and then sends the downlink encrypted communication message to the terminal. And the terminal receives a downlink encrypted communication message sent by the cloud system.
Fig. 3 is a flowchart of a communication method according to a third embodiment of the present invention, applied to a cloud system. As shown in fig. 3, the communication method may include the steps of:
step S301, receiving a request message sent by a terminal.
The request message comprises multiple types, and the cloud system needs to make a corresponding type response according to the type of the request message.
In one embodiment, the cloud system establishes a connection with the terminal, and then receives a request message sent by the terminal. Specifically, the cloud system creates a socket, binds the socket with an internet protocol address and a port, and then monitors the connection state of the transmission control protocol of the terminal through the socket. Correspondingly, the terminal also creates a socket and initiates a transmission control protocol connection request to the cloud system (at this time, the connection state of the transmission control protocol of the terminal is changed into an initiation connection state). When the cloud system monitors that the connection state of the transmission control protocol of the terminal is the connection initiating state, the cloud system establishes transmission control protocol connection with the terminal, the terminal sends a request message to the cloud system, and the cloud system receives the request message.
It should be noted that, the cloud system in the present application refers to a software system, and may be a device or a system in hardware.
Step S302, an authentication certificate is sent to the terminal.
The cloud system needs to determine the type of the authentication certificate to be returned according to the type of the request message.
In one embodiment, after receiving a request message sent by a terminal, a cloud system determines a type of an authentication certificate to be returned in response to the request message, and sends DER (unique encoding rule) encoded data of the corresponding authentication certificate to the terminal, so that the terminal can obtain content of the authentication certificate according to the DER encoded data of the authentication certificate, and further verify the identity of the cloud system according to the content of the authentication certificate.
It should be noted that DER encoded data (including authentication certificate data in other formats) of the authentication certificate sent by the cloud system to the terminal may be encrypted data. Correspondingly, after receiving the DER encoded data of the encrypted authentication certificate, the terminal needs to decrypt the DER encoded data of the authentication certificate through a predetermined decryption algorithm, and then further verify the authentication certificate.
Step S303, receiving the random key sent by the terminal.
The random key is generated by the terminal based on a random number generation function or a random number generator, and compared with a fixed key, the random key is difficult to crack, so that the communication safety can be improved.
In one embodiment, after receiving the authentication certificate, the terminal checks the authentication certificate, and when the authentication certificate passes the check, the terminal determines that the identity of the cloud system sending the authentication certificate is authentic and authentic, so that the terminal invokes a random number generation function to generate a 128-bit pseudo-random number K, uses the K as a random key, and sends the K to the cloud system. And the cloud system receives the random key sent by the terminal.
And step S304, based on the random key and the request message, generating a verification message according to a preset encryption algorithm, sending the verification message to the terminal, so that the terminal can compare whether the verification message is consistent with the request message, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode.
In order to prevent the random key and the request message from being illegally tampered in the transmission process, the cloud system generates a verification message based on the random key and the request message, and sends the verification message to the terminal so that the terminal can conduct verification again.
In one embodiment, after receiving the random key sent by the terminal, the cloud system encrypts the content of the request message by using the random key to generate a verification message, and sends the verification message to the terminal. And the terminal receives the verification message sent by the cloud system and further compares whether the verification message is consistent with the request message. When the verification message is consistent with the request message, the request message and the random key received by the cloud system are both real, the message transmitted by the terminal and the cloud system in the current communication process is not subjected to illegal tampering, and the terminal and the cloud system can communicate in a predetermined communication mode; otherwise, the current communication process is unsafe, and the terminal and the cloud system stop communicating.
Fig. 4 is a flowchart of a communication method according to a fourth embodiment of the present invention, which is applied to a cloud system, and is substantially the same as the third embodiment of the present invention, except that: before receiving the request message of the terminal, the connection is established with the terminal. As shown in fig. 4, the communication method may include the steps of:
step S401, create a socket and bind the socket with an internet protocol address and a port.
Sockets are abstractions of endpoints that communicate bi-directionally between application processes on different hosts in a network. Specifically, when the application layer performs data communication through the transport layer, TCP and UDP (User Datagram Protocol) may encounter a problem of providing concurrent services for multiple application processes at the same time. Multiple TCP connections or multiple application processes may need to transmit data through the same TCP protocol port. In order to distinguish different application program processes and connections, the computer operating system provides a corresponding interface for the interaction of the application program and a TCP/IP (Internet Protocol), wherein the interface is a socket and is used for distinguishing network communication and connection among different application program processes. Similarly, the communication between the terminal and the cloud system is ultimately the communication between the application processes of the terminal and the cloud system. Considering that the port number is in one-to-one correspondence with the application program process, the internet protocol address and the port number are used to uniquely determine a certain application program process of the terminal or the cloud system, and then the corresponding communication connection is established.
In one embodiment, the cloud system firstly creates a socket, binds the socket with an internet protocol address and a port of the cloud system, creates a corresponding main thread, receives a connection request sent by a terminal through the main thread, and achieves the purpose of monitoring the connection state of the terminal through the port.
Step S402, monitoring the connection state of the transmission control protocol of the terminal through the socket.
The connection state of the transmission control protocol includes an originating connection state, a connected state, and an unconnected state. The cloud system can monitor the bound ports through the sockets, so that the connection state of the transmission control protocol of the terminal is obtained.
Step S403, when it is monitored that the connection status of the transmission control protocol is the connection initiation status, establishing a transmission control protocol connection with the terminal.
When the terminal sends a transmission control protocol connection request to the cloud system, the connection state of the transmission control protocol of the terminal becomes an initiated connection state. And when monitoring that the connection state of the transmission control protocol of the terminal is the connection initiating state, the cloud system establishes transmission control protocol connection with the terminal and creates a new working thread to process the request message sent by the terminal. In the working thread, the cloud system firstly needs to establish a secure communication process with the terminal. The process of establishing the secure communication between the cloud system and the terminal may refer to the description related to the first embodiment and the third embodiment of the present invention, and details are not described herein again.
Step S404, receiving the request message sent by the terminal.
Step S404 in this embodiment is the same as step S301 in the third embodiment of the present invention, and is not described herein again.
Step S405, sends the authentication certificate to the terminal.
Step S405 in this embodiment is the same as step S302 in the third embodiment of the present invention, and is not described herein again.
Step S406, receives the random key sent by the terminal.
Step S406 in this embodiment is the same as step S303 in the third embodiment of the present invention, and is not described herein again.
Step S407, based on the random key and the request message, generating a verification message according to a preset encryption algorithm, and sending the verification message to the terminal, so that the terminal can compare whether the verification message is consistent with the request message, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode.
Step S407 in this embodiment is the same as step S304 in the third embodiment of the present invention, and is not described herein again.
Fig. 5 is a flowchart of a communication method according to a fifth embodiment of the present invention, which is applied to a cloud system, and is substantially the same as the third embodiment of the present invention, except that: and after the secure communication is established with the terminal, receiving an uplink message sent by the terminal. As shown in fig. 5, the communication method may include the steps of:
step S501, receiving a request message sent by a terminal.
Step S501 in this embodiment is the same as step S301 in the third embodiment of the present invention, and is not described herein again.
Step S502, an authentication certificate is sent to the terminal.
Step S502 in this embodiment is the same as step S302 in the third embodiment of the present invention, and is not described herein again.
Step S503, receiving the random key sent by the terminal.
Step S503 in this embodiment is the same as step S303 in the third embodiment of the present invention, and is not described herein again.
Step S504, based on the random key and the request message, generating a verification message according to a preset encryption algorithm, and sending the verification message to the terminal, so that the terminal can compare whether the verification message is consistent with the request message, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode.
Step S504 in this embodiment is the same as step S304 in the third embodiment of the present invention, and is not described herein again.
And step S505, receiving the uplink encrypted communication message sent by the terminal.
Wherein the uplink encrypted communication message is a message generated by the terminal when the verification message is identical to the request message.
In one embodiment, when the verification message is consistent with the request message, the terminal generates an uplink communication message according to a pre-agreed communication message format, encrypts the uplink communication message by using a random key to obtain an uplink encrypted communication message, and then sends the uplink encrypted communication message to the cloud system. And the cloud system receives the uplink encrypted message sent by the terminal, and decrypts the uplink encrypted communication message according to a predetermined decryption method to obtain the communication content.
Fig. 6 is a flowchart of a communication method according to a sixth embodiment of the present invention, which is applied to a cloud system, and is substantially the same as the fifth embodiment of the present invention, except that: and after establishing the secure communication with the terminal, sending a downlink message to the terminal. As shown in fig. 6, the communication method may include the steps of:
step S601, receiving a request message sent by the terminal.
Step S601 in this embodiment is the same as step S501 in the fifth embodiment of the present invention, and is not described herein again.
Step S602, sending the authentication certificate to the terminal.
Step S602 in this embodiment is the same as step S502 in the fifth embodiment of the present invention, and is not described herein again.
Step S603, receiving the random key sent by the terminal.
Step S603 in this embodiment is the same as step S503 in the fifth embodiment of the present invention, and is not described herein again.
Step S604, based on the random key and the request message, generating a verification message according to a preset encryption algorithm, and sending the verification message to the terminal, so that the terminal can compare whether the verification message is consistent with the request message, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode.
Step S604 in this embodiment is the same as step S504 in the fifth embodiment of the present invention, and is not described herein again.
Step S605, receiving the uplink encrypted communication message sent by the terminal.
Step S605 in this embodiment is the same as step S505 in the fifth embodiment of the present invention, and is not repeated herein.
Step S606, a downlink communication message is generated according to a communication message format agreed in advance.
Wherein the different types of communication messages have different communication message formats.
In one embodiment, when the cloud system needs to send a message to the terminal, the cloud system determines a corresponding communication message format according to a type of the communication message to be sent, and then generates a corresponding downlink communication message according to the communication message format.
Step S607, the downlink communication message is encrypted by using the random key, and the downlink encrypted communication message is obtained.
In order to avoid communication message leakage and guarantee communication safety of the terminal and the cloud system, the cloud system encrypts the downlink communication message by using a random key after generating the downlink communication message to obtain the downlink encrypted communication message.
Step S608, sending the downlink encrypted communication message to the terminal.
And the cloud system sends the generated downlink encrypted communication message to the terminal. After receiving the downlink encrypted communication message, the terminal may decrypt the downlink encrypted communication message, thereby obtaining the message content.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
Fig. 7 is a schematic block diagram of a communication device according to a seventh embodiment of the present invention, which is applied to a terminal. As shown in fig. 7, the communication apparatus includes: a terminal sending module 701, a terminal receiving module 702, a signature verification module 703, a key generation module 704, a comparison module 705 and a communication module 706.
A terminal sending module 701, configured to send a request message to a cloud system; and sending the random key to the cloud system.
The request message is a message sent by the terminal to the cloud system according to the requirement, the random key terminal generates a key after verifying the identity of the cloud system, and the random key can be used for encrypting the communication message.
In one embodiment, the terminal establishes a connection with the cloud system, and sends a request message to the cloud system through the terminal sending module 701. Specifically, the cloud system creates a socket, binds the socket with an internet protocol address and a port, and then monitors the connection state of the transmission control protocol of the terminal through the socket. Correspondingly, the terminal also creates a socket and initiates a tcp connection request to the cloud system (at this time, the connection status of the tcp of the terminal becomes the connection initiating status). When the cloud system monitors that the connection state of the transmission control protocol of the terminal is the connection initiation state, the cloud system establishes a transmission control protocol connection with the terminal, and the terminal sends a request message to the cloud system through the terminal sending module 701.
In another embodiment, after the terminal determines the authenticity of the cloud system identity through the authentication certificate, the terminal generates a random key, and sends the random key to the cloud system through the terminal sending module 701.
A terminal receiving module 702, configured to receive an authentication certificate returned by the cloud system; and receiving a verification message returned by the cloud system.
The authentication certificate is a certificate which is returned to the terminal by the cloud system and is used for indicating the identity of the cloud system; the verification message is generated by the cloud system based on the random key and the request message and according to a predetermined algorithm.
In one embodiment, after the terminal sends the request message to the cloud system, the terminal receiving module 702 receives an authentication certificate returned by the cloud system, so as to determine the authenticity of the identity of the cloud system according to the authentication certificate.
In another embodiment, after receiving the random key sent by the terminal, the cloud system encrypts the content of the request message by using the random key, generates a verification message, and sends the verification message to the terminal. The terminal receives the verification message sent by the cloud system through the terminal receiving module 702.
And the signature verification module 703 is configured to verify a signature of the authentication certificate.
In one embodiment, after receiving the authentication certificate returned by the cloud system, the terminal invokes a certificate verification function through the verification module 703, and verifies the authentication certificate by using a public key of a root authentication certificate pre-made by the terminal factory. When the authentication certificate passes the verification, the identity of the cloud system is true and credible, otherwise, the identity of the cloud system is false.
And a key generation module 704, configured to generate a random key when the certificate passes the signature verification.
The random key is a random number or a random character string, and may be generated according to a random number generation function or obtained by using a random number generator.
In one embodiment, when the authentication certificate passes the verification, it is indicated that the identity of the cloud system sending the authentication certificate is authentic and trusted, and the cloud system obtains the trust of the terminal. Therefore, the terminal generates a 128-bit pseudo random number K by calling a random number generation function through the key generation module 704, and takes K as a random key.
A comparing module 705 for comparing whether the verification message is consistent with the request message.
The verification message is generated by the cloud system based on the request message and the random key.
In one embodiment, after receiving the random key sent by the terminal, the cloud system encrypts the content of the request message by using the random key to generate a verification message, and sends the verification message to the terminal. The terminal receives the verification message sent by the cloud system, and further compares whether the verification message is consistent with the request message through the comparison module 705. Specifically, when the verification message is consistent with the request message, it is indicated that the request message and the random key received by the cloud system are both real, and the message transmitted by the terminal and the cloud system in the current communication process is not subjected to illegal tampering, so that the communication security is further proved; otherwise, the current communication process is unsafe, and the terminal and the cloud system stop communicating.
The communication module 706 is configured to communicate with the cloud system according to a predetermined communication method when the verification message is consistent with the request message.
In one embodiment, when the verification message is consistent with the request message, the terminal generates an uplink communication message according to a pre-agreed communication message format through the communication module 706, encrypts the uplink communication message by using a random key to obtain an uplink encrypted communication message, and then sends the uplink encrypted communication message to the cloud system. Correspondingly, the terminal also receives a downlink encrypted communication message which is generated by the cloud system according to a predetermined communication mode and is sent to the terminal.
Fig. 8 is a schematic block diagram of a communication device according to an eighth embodiment of the present invention, which is applied to a cloud system. As shown in fig. 8, the communication apparatus includes: a cloud receiving module 801, a cloud sending module 802 and a message generating module 803.
The cloud receiving module 801 is configured to receive a request message sent by a terminal; and receiving the random key sent by the terminal.
In one embodiment, the cloud system receives a request message sent by a terminal through the cloud receiving module 801, and returns a corresponding feedback message to the terminal according to the type and specific content of the request message.
In another embodiment, after verifying the authenticity of the cloud system identity, the terminal generates a random key and sends the random key to the cloud system. The cloud system receives the random key sent by the terminal through the cloud receiving module 801, so as to encrypt the communication message by using the random key in the subsequent communication process with the terminal.
The cloud sending module 802 is configured to send an authentication certificate to the terminal; and sending the verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message or not, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode.
In one embodiment, after receiving the request message of the terminal, the cloud system determines the type of the authentication certificate to be returned in response to the request message, and sends the DER encoded data of the corresponding authentication certificate to the terminal through the cloud sending module 802, so that the terminal can obtain the content of the authentication certificate according to the DER encoded data of the authentication certificate, and further verify the identity of the cloud system according to the content of the authentication certificate.
In another embodiment, after the cloud system encrypts the content of the request message by using the random key, a verification message is generated, and the verification message is sent to the terminal through the cloud sending module 802. And after receiving the verification message, the terminal compares whether the verification message is consistent with the request message, and when the verification message is consistent with the request message, the terminal communicates with the cloud system according to a predetermined communication mode.
A message generating module 803, configured to generate a verification message according to a preset encryption algorithm based on the random key and the request message.
In order to prevent the random key and the request message from being illegally tampered in the transmission process, the cloud system generates a verification message based on the random key and the request message, and sends the verification message to the terminal so that the terminal can conduct verification again.
In one embodiment, after receiving the random key sent by the terminal, the cloud system encrypts the content of the request message by using the random key, generates a verification message through the message generation module 803, and then sends the verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message, and determines whether to establish a secure communication connection according to the comparison result.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.
Claims (10)
1. A communication method applied to a terminal is characterized by comprising the following steps:
sending a request message to a cloud system;
receiving an authentication certificate returned by the cloud system, and checking the authentication certificate;
when the authentication certificate passes the verification, generating a random key, and sending the random key to the cloud system;
receiving a verification message returned by the cloud system, and comparing whether the verification message is consistent with the request message;
and when the verification message is consistent with the request message, communicating with the cloud system according to a pre-agreed communication mode.
2. The communication method according to claim 1, wherein said signing the authentication certificate comprises:
and calling a certificate signature verification function, and verifying the certificate by using a public key of a root certificate of authentication prefabricated by the terminal.
3. The communication method according to claim 1, wherein the communicating with the cloud system according to the pre-agreed communication method includes:
generating an uplink communication message according to a predetermined communication message format;
encrypting the uplink communication message by using the random key to obtain an uplink encrypted communication message;
and sending the uplink encrypted communication message to the cloud system.
4. The communication method of claim 3, wherein after sending the upstream encrypted communication message to the cloud system, further comprising:
and receiving the downlink encrypted communication message generated and sent by the cloud system.
5. A communication method is applied to a cloud system and is characterized by comprising the following steps:
receiving a request message sent by a terminal;
sending an authentication certificate to the terminal;
receiving a random key sent by the terminal;
and generating a verification message according to a preset encryption algorithm based on the random key and the request message, sending the verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message or not, and communicating with the current cloud system according to a predetermined communication mode when the verification message is consistent with the request message.
6. The communication method according to claim 5, wherein before receiving the request message sent by the terminal, the method further comprises:
creating a socket and binding the socket with an internet protocol address and a port;
monitoring the connection state of a transmission control protocol of the terminal through the socket;
and when the connection state of the transmission control protocol is monitored to be the initial connection state, establishing transmission control protocol connection with the terminal.
7. The communication method according to claim 5, wherein after sending the verification message to the terminal, further comprising:
receiving an uplink encrypted communication message sent by the terminal; wherein the uplink encrypted communication message is a message generated by the terminal when the verification message coincides with the request message.
8. The communication method according to claim 7, wherein after receiving the uplink encrypted communication message sent by the terminal, the method further comprises:
generating a downlink communication message according to a predetermined communication message format;
encrypting the downlink communication message by using the random key to obtain a downlink encrypted communication message;
and sending the downlink encrypted communication message to the terminal.
9. A communication apparatus applied to a terminal, comprising:
the terminal sending module is used for sending a request message to the cloud system; sending the random key to the cloud system;
the terminal receiving module is used for receiving the authentication certificate returned by the cloud system; receiving a verification message returned by the cloud system;
the signature verification module is used for verifying the certificate;
the key generation module is used for generating the random key when the authentication certificate passes the signature verification;
a comparison module for comparing whether the verification message is consistent with the request message;
and the communication module is used for communicating with the cloud system according to a pre-agreed communication mode when the verification message is consistent with the request message.
10. A communication device applied to a cloud system is characterized by comprising:
the cloud receiving module is used for receiving a request message sent by the terminal; receiving a random key sent by the terminal;
the cloud sending module is used for sending an authentication certificate to the terminal; sending a verification message to the terminal so that the terminal can compare whether the verification message is consistent with the request message or not, and when the verification message is consistent with the request message, communicating with the current cloud system according to a predetermined communication mode;
and the message generation module is used for generating the verification message according to a preset encryption algorithm based on the random key and the request message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010712538.0A CN111885055B (en) | 2020-07-22 | 2020-07-22 | Communication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010712538.0A CN111885055B (en) | 2020-07-22 | 2020-07-22 | Communication method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111885055A true CN111885055A (en) | 2020-11-03 |
| CN111885055B CN111885055B (en) | 2023-01-31 |
Family
ID=73156199
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010712538.0A Active CN111885055B (en) | 2020-07-22 | 2020-07-22 | Communication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111885055B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005094264A2 (en) * | 2004-03-23 | 2005-10-13 | Passmark Security, Inc. | Method and apparatus for authenticating entities by non-registered users |
| CN101090316A (en) * | 2006-06-16 | 2007-12-19 | 普天信息技术研究院 | Identify authorization method between storage card and terminal equipment at off-line state |
| WO2008146667A1 (en) * | 2007-05-24 | 2008-12-04 | Nec Corporation | Anonymous authenticating system and anonymous authenticating method |
| CN101958913A (en) * | 2010-10-29 | 2011-01-26 | 四川长虹电器股份有限公司 | Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate |
| WO2015161699A1 (en) * | 2014-04-25 | 2015-10-29 | 天地融科技股份有限公司 | Secure data interaction method and system |
| US20170063843A1 (en) * | 2015-08-28 | 2017-03-02 | Texas Instruments Incorporated | Authentication of Networked Devices Having Low Computational Capacity |
| CN107547573A (en) * | 2017-10-23 | 2018-01-05 | 中国联合网络通信集团有限公司 | Authentication method, RSP terminals and management platform applied to eSIM |
| CN110380868A (en) * | 2019-08-22 | 2019-10-25 | 广东浪潮大数据研究有限公司 | A kind of communication means, device and communication system and storage medium |
| CN110380852A (en) * | 2019-07-22 | 2019-10-25 | 中国联合网络通信集团有限公司 | Mutual authentication method and communication system |
-
2020
- 2020-07-22 CN CN202010712538.0A patent/CN111885055B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005094264A2 (en) * | 2004-03-23 | 2005-10-13 | Passmark Security, Inc. | Method and apparatus for authenticating entities by non-registered users |
| CN101090316A (en) * | 2006-06-16 | 2007-12-19 | 普天信息技术研究院 | Identify authorization method between storage card and terminal equipment at off-line state |
| WO2008146667A1 (en) * | 2007-05-24 | 2008-12-04 | Nec Corporation | Anonymous authenticating system and anonymous authenticating method |
| CN101958913A (en) * | 2010-10-29 | 2011-01-26 | 四川长虹电器股份有限公司 | Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate |
| WO2015161699A1 (en) * | 2014-04-25 | 2015-10-29 | 天地融科技股份有限公司 | Secure data interaction method and system |
| US20170063843A1 (en) * | 2015-08-28 | 2017-03-02 | Texas Instruments Incorporated | Authentication of Networked Devices Having Low Computational Capacity |
| CN107547573A (en) * | 2017-10-23 | 2018-01-05 | 中国联合网络通信集团有限公司 | Authentication method, RSP terminals and management platform applied to eSIM |
| CN110380852A (en) * | 2019-07-22 | 2019-10-25 | 中国联合网络通信集团有限公司 | Mutual authentication method and communication system |
| CN110380868A (en) * | 2019-08-22 | 2019-10-25 | 广东浪潮大数据研究有限公司 | A kind of communication means, device and communication system and storage medium |
Non-Patent Citations (3)
| Title |
|---|
| N.DEEPA ASSISTANT PROFESSOR ET AL: "A BATCH AUTHENTICATION SCHEMA TO IDENTIFY THE INVALID SIGNATURE IN WIRELESS NETWORK", 《INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY》 * |
| 朱智强等: "基于数字证书的 openstack 身份认证协议", 《通信学报》 * |
| 王伟等: "基于新Ⅳ分配机制的改进WEP协议的研究", 《中国新技术新产品》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111885055B (en) | 2023-01-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7584505B2 (en) | Inspected secure communication protocol | |
| KR20100050846A (en) | System and method for interchanging key | |
| CN111934884B (en) | Certificate management method and device | |
| CN112637136A (en) | Encrypted communication method and system | |
| CN103118363A (en) | Method, system, terminal device and platform device of secret information transmission | |
| CN113904809B (en) | Communication method, device, electronic equipment and storage medium | |
| JP4783340B2 (en) | Protecting data traffic in a mobile network environment | |
| CN116318997A (en) | Bidirectional identity authentication method between terminal and gateway | |
| US8046820B2 (en) | Transporting keys between security protocols | |
| CN110611679A (en) | Data transmission method, device, equipment and system | |
| CN114928503B (en) | Method for realizing secure channel and data transmission method | |
| CN111885055B (en) | Communication method and device | |
| KR20110043371A (en) | Attack detection method and system with secure sip protocol | |
| CN114760034A (en) | Identity authentication method and device | |
| CN107835196B (en) | HDLC-based secure communication method | |
| CN112069487A (en) | Intelligent equipment network communication safety implementation method based on Internet of things | |
| CN117650951B (en) | IKE authentication and negotiation method based on identification cipher algorithm | |
| Bozkurt et al. | Exploring the Vulnerabilities and Countermeasures of SSL/TLS Protocols in Secure Data Transmission Over Computer Networks | |
| CN114039793B (en) | Encryption communication method, system and storage medium | |
| CN115835194B (en) | NB-IOT terminal safety access system and access method | |
| CN115412252B (en) | Data transmission method, transmission initiating terminal and transmission receiving terminal | |
| CN115150099B (en) | Data anti-repudiation transmission method, data sending end and data receiving end | |
| JP2005165671A (en) | Multiplex system for authentication server and multiplex method therefor | |
| CN118075021A (en) | Encryption communication establishment method and system and encryption communication method and system | |
| WO2023151427A1 (en) | Quantum key transmission method, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |