CN112543189A - Data secure transmission method and system - Google Patents

Info

Publication number: CN112543189A
Authority: CN (China)
Prior art keywords: data, key, session key, identification, terminal
Legal status: granted; active
Application number: CN202011360713.0A
Other languages: Chinese (zh)
Other versions: CN112543189B (en)
Inventors: 王奔, 邓伟, 欧清海, 赵晴, 李庭瑞, 涂珂, 罗睿, 李锐
Current assignee: Beijing Zhongdian Feihua Communication Co Ltd
Original assignees: State Grid Information and Telecommunication Co Ltd; Beijing Zhongdian Feihua Communication Co Ltd

Classifications

CPC codes (all under H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication):

    • H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L67/12 (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols): Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

One or more embodiments of the present specification provide a method and system for secure data transmission. The method comprises the following steps: the sending end calls a software development kit to generate a session key; the acquired plaintext data are symmetrically encrypted with this session key to form ciphertext data, which are sent to the receiving end over a ground communication network; at the same time, the session key is asymmetrically encrypted with the identification public key, and the encrypted session key, in the form of a digital envelope, is sent to the receiving end over a satellite communication network; finally, after receiving the digital envelope, the receiving end decrypts it with the identification private key to obtain the session key and decrypts the ciphertext data with that session key to obtain the final plaintext data. The scheme transmits the session key and the ciphertext data separately, greatly reducing the risk of the data being hijacked while keeping the transmission cost under control.

Description

Data secure transmission method and system
Technical Field
One or more embodiments of the present disclosure relate to the field of information security technologies, and in particular, to a method and a system for secure data transmission.
Background
In the process of realizing secure data transmission, plaintext data is encrypted into ciphertext data with a key, and then the ciphertext data and the key are transmitted. In the prior art, either the key and the ciphertext data are packed together and transmitted over a single channel, so that whenever the data is illegally hijacked in transit the ciphertext data and the key are hijacked together, increasing the risk of the data being cracked and leaked; or a public key system based on digital certificates is used for encryption and a satellite network is used for transmission, in which case the satellite transmission is expensive and the digital certificate carries a large amount of content, further increasing the transmission cost.
Based on this, a scheme capable of reducing the risk that the ciphertext data and the key are hijacked at the same time and effectively reducing the data transmission cost is needed.
Disclosure of Invention
In view of the above, one or more embodiments of the present disclosure are directed to a method and system for secure data transmission.
In view of the above, one or more embodiments of the present specification provide a method for secure data transmission, including:
firstly, calling a software development kit by an Internet of things terminal serving as a data sending end to produce a session key; applying the produced session key to an encryption process of the collected plaintext data, wherein the encryption process is symmetric encryption, so that the plaintext data are changed into ciphertext data, and the ciphertext data are sent to an Internet of things cloud service system serving as a receiving end through a ground communication network; meanwhile, the sending end carries out asymmetric encryption on the generated session key by using the identification public key to obtain a digital envelope containing the session key, and sends the digital envelope to the Internet of things cloud service system through the satellite communication network; and finally, after the Internet of things cloud service system receives the digital envelope and the ciphertext data, firstly, the digital envelope is decrypted by using the identification private key corresponding to the identification public key to obtain a session key in the digital envelope, and then the ciphertext data is decrypted by using the obtained session key to obtain final plaintext data.
Based on the same inventive concept, one or more embodiments of the present specification further provide a data secure transmission system, including:
a terminal portion configured to: generate a random session key in response to receiving an identification public key distributed by a key center through a satellite communication network; symmetrically encrypt plaintext data to be transmitted with the session key to obtain ciphertext data, and send the ciphertext data to a cloud system through a ground communication network; asymmetrically encrypt the session key with the identification public key to obtain a digital envelope, and send the digital envelope to the cloud system through the satellite communication network;
a cloud-end system portion configured to: in response to receiving the ciphertext data and the digital envelope from the terminal, decrypt the digital envelope with a pre-stored identification private key corresponding to the identification public key to obtain the session key, and decrypt the ciphertext data with the obtained session key to obtain the plaintext data.
Based on the same inventive concept, one or more embodiments of the present specification further provide an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the data secure transmission method as described in any one of the above.
Based on the same inventive concept, one or more embodiments of the present specification further provide a non-transitory computer-readable storage medium, wherein the non-transitory computer-readable storage medium stores computer instructions for causing the computer to execute the data security transmission method as described above.
As can be seen from the above description, the method and system for secure data transmission provided in one or more embodiments of the present disclosure take both the cost of data transmission and the risk of data hijacking into account, drawing on the technical fields of data encryption and satellite communication. Because the ciphertext data and the session key are transmitted over different paths, the risk that the data is hijacked and the ciphertext leaked is markedly reduced; in addition, for the transmission of the session key, a public key system based on digital certificates is replaced by an identification key system, with the ground communication network and the satellite communication network used as separate paths, which greatly reduces the high cost of relying on the satellite network alone for data transmission.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, and it is obvious that the drawings in the following description are only one or more embodiments of the present specification, and that other drawings may be obtained by those skilled in the art without inventive effort from these drawings.
FIG. 1 is a flow diagram illustrating a method for secure data transmission according to one or more embodiments of the present disclosure;
FIG. 2 is a system diagram of secure transfer of data according to one or more embodiments of the present disclosure;
fig. 3 is a schematic transmission diagram of a data sender and a data receiver according to one or more embodiments of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
As described in the background section, the existing secure data transmission methods still fail to meet the requirements of ciphertext data and key transmission. In the course of implementing the present disclosure, the applicant found that the main problem of the existing methods is that the encrypted ciphertext data and the session key needed to decrypt it are packed together and transmitted, so that the ciphertext data is far more likely to be cracked once the data is illegally hijacked. The invention therefore transmits the ciphertext data and the session key over different transmission paths to reduce this risk, and for the transmission of the session key replaces the public key system based on digital certificates with an identification key system, which greatly reduces the high cost of satellite communication network transmission.
In view of this, one or more embodiments of the present disclosure provide a method for secure data transmission, specifically, first, a software development kit is called by an internet of things terminal serving as a data sending end to generate a session key; applying the produced session key to an encryption process of the collected plaintext data, wherein the encryption process is symmetric encryption, so that the plaintext data are changed into ciphertext data, and the ciphertext data are sent to an Internet of things cloud service system serving as a receiving end through a ground communication network; the sending end carries out asymmetric encryption on the generated session key by using the identification public key to obtain a digital envelope containing the session key, and sends the digital envelope to the Internet of things cloud service system through the satellite communication network; and finally, after the Internet of things cloud service system receives the digital envelope and the ciphertext data, firstly, the digital envelope is decrypted by using the identification private key corresponding to the identification public key to obtain a session key in the digital envelope, and then the ciphertext data is decrypted by using the obtained session key to obtain final plaintext data.
The technical method in one or more embodiments of the present disclosure is described in detail below by using a specific embodiment and with reference to fig. 3, which is a schematic diagram of a specific data security transmission device, where an internet of things terminal in fig. 3 is a sender and is responsible for sending encrypted ciphertext data and a session key; the internet of things cloud service system in the figure is a specific receiver and receives ciphertext data and a session key sent by an internet of things terminal; the terrestrial communication network and the satellite communication network in fig. 3 are two different data transmission paths between the sender and the receiver.
Referring to fig. 1, a method for secure data transmission according to an embodiment of the present specification includes the following steps:
step S101, in response to receiving the identification public key distributed by the key center through the satellite communication network, the terminal generates a random session key.
In this step, the device of the Internet of Things terminal calls an SDK (software development kit), serving as program interface and configuration tool, to generate a random number r with 0 < r < n, where a point on the elliptic curve Ep(a, b) is chosen as the base point G and n is the order of the base point G.
The session key skey is then computed from the generated random number r and the elliptic curve base point G by the following formula:
skey = x mod n;
where the random number r and the base point G are related by (x, y) = r·G, i.e. (x, y) is the point obtained by multiplying the base point G by r, and mod denotes the modulo operation.
Since both r and G participate as random numbers in the calculation of the encryption key, the generated encryption key skey also has a random attribute that is difficult to crack.
And S102, the terminal symmetrically encrypts plaintext data to be transmitted by using the session key to obtain ciphertext data, and sends the ciphertext data to a cloud system through a ground communication network.
In this step, the plaintext data collected by the Internet of Things terminal is denoted data, and the skey obtained in the previous step is used to encrypt it. The encryption is symmetric, that is, the Internet of Things terminal (sender) encrypting data and the Internet of Things cloud service system (receiver) decrypting it both use the same skey as the session key. In this embodiment the encryption is implemented with the SM4 block cipher of the national (SM) cryptographic algorithms, expressed by the following formula:
C = E_sk(data)
where C denotes the encrypted ciphertext data and E_sk denotes the encryption operation of the SM4 algorithm under the session key.
Further, with reference to the schematic diagram of the data security transmission device in fig. 3, the ciphertext data C after being encrypted is sent to the internet of things cloud service system from the internet of things terminal through the ground communication network, that is, the ciphertext data path marked in the diagram.
In this embodiment, the type of symmetric encryption algorithm is not specifically limited; for example, depending on the specific situation and needs, it can be the SM4 block cipher of the national cryptographic algorithms, the international DES algorithm, an RC algorithm, and so on.
And S103, the terminal uses the identification public key to carry out asymmetric encryption on the session key to obtain a digital envelope, and the digital envelope is sent to the cloud system through the satellite communication network.
In this step, skey is encrypted with an identification key, which is an asymmetric mode of encryption: the Internet of Things terminal (sender) encrypting and the Internet of Things cloud service system (receiver) decrypting use different identification keys. Specifically, the encryption in this step is performed with the identification public key, and the decryption by the Internet of Things cloud service system in the following steps is performed with the identification private key. With reference to fig. 3, the identification public key is computed by the SDK accessed by the Internet of Things terminal from the receiving party's identification by means of the public key seed matrix. In this embodiment the asymmetric encryption of skey uses the SM2 algorithm of the national (SM) cryptographic algorithms, yielding the digital envelope expressed as:
DE = E'_IPK(skey)
where E'_IPK denotes the above-mentioned SM2 asymmetric encryption operation under the identification public key IPK, and DE denotes the digital envelope, i.e. the encrypted skey data.
The identification public key used in this embodiment is obtained by selecting a corresponding element from a public key seed matrix through a mapping algorithm to perform ECC (elliptic curve cryptography) algorithm point addition.
Further, with reference to the schematic diagram of the data security transmission device in fig. 3, the encrypted skey is sent from the Internet of Things terminal to the Internet of Things cloud service system through the satellite communication network, that is, the key ciphertext path marked in the diagram.
In this embodiment, the type of asymmetric encryption algorithm is not specifically limited, for example: according to specific situations and requirements, the algorithm can be an asymmetric algorithm SM2 in a cryptographic algorithm, an RSA algorithm, a DSA algorithm and the like.
Step S104, in response to receiving the ciphertext data and the digital envelope, the cloud system decrypts the digital envelope by using a pre-stored identification private key corresponding to the identification public key to obtain the session key, and decrypts the ciphertext data by using the obtained session key to obtain the plaintext data.
In this step, the cloud system, that is, the Internet of Things cloud service system, first decrypts the digital envelope received over the satellite communication network; since the digital envelope is asymmetrically encrypted, it must be decrypted with the identification private key corresponding to the identification public key. In this embodiment the identification private key is obtained by selecting the corresponding elements from a private key seed matrix through a mapping algorithm and performing large-number modular addition. With reference to fig. 3, a KMC (key management center) generates the identification private key using the SM2 algorithm and is responsible for distributing it to the terminal part shown in the figure, after which the identification private key is written into the Internet of Things cloud service system through the SDK. To ensure autonomous security and controllability, as shown in fig. 3, the KMC in this embodiment is a separately deployed key production and management system established by the user rather than by a third party; as an important component of the public key infrastructure, it provides key services including generating and distributing identification private keys, as well as storing, updating, recovering and querying them.
The identification private key used by the Internet of Things cloud service system to decrypt the digital envelope DE = E'_IPK(skey) may be stored, for example, in a security chip, a U shield (USB key) or a software shield; the specific storage medium is not limited in this embodiment.
In this embodiment, the digital envelope DE = E'_IPK(skey) is decrypted with the same SM2 algorithm that was used to encrypt skey. Decrypting the digital envelope yields skey, which is then used to decrypt the ciphertext data.
Further, the obtained skey is used to decrypt the ciphertext data C = E_sk(data), using the same session key skey and the same SM4 block cipher as were used to encrypt the plaintext data, so that the Internet of Things cloud service system finally obtains the plaintext data sent by the Internet of Things terminal.
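Steps S101 to S104 above, as an added Go example that is not part of the patent or of any product of the applicants: it derives skey = x mod n from (x, y) = r·G on P-256 (the page names no curve), uses AES-256-GCM in place of SM4 and RSA-OAEP in place of SM2 identity-key encryption (both substitutions are assumptions; the page lists RSA as a permitted alternative), and simulates the KMC by generating the receiver's key pair locally. The envelope and the ciphertext are returned as two separate values to model the two transmission paths, and DecryptData shows that the ciphertext path alone cannot be opened without the key carried in the envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

type Envelope struct{ DE []byte }      // satellite path carries only the encrypted session key
type Message struct{ Nonce, C []byte } // ground path carries only the ciphertext and its nonce
var oaepLabel = []byte("skey-envelope") // fixed OAEP label shared by both ends (constructed)
// NewReceiverKey stands in for the KMC; RSA replaces SM2 identity keys (assumption, see lead-in).
func NewReceiverKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// GenSessionKey is step S101: 0 < r < n, (x, y) = r*G, skey = x mod n (P-256 assumed; page names no curve).
func GenSessionKey() ([]byte, error) {
	n := elliptic.P256().Params().N
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1))) // 0 <= r < n-1
	if err != nil {
		return nil, err
	}
	r.Add(r, big.NewInt(1))                            // now 1 <= r <= n-1, i.e. 0 < r < n
	x, _ := elliptic.P256().ScalarBaseMult(r.Bytes()) // (x, y) = r*G
	skey := new(big.Int).Mod(x, n)
	return skey.FillBytes(make([]byte, 32)), nil // fixed 32-byte encoding, usable directly as a 256-bit key
}

// EncryptData is step S102: C = E_sk(data); AES-256-GCM stands in for SM4 (assumption) and also authenticates C.
func EncryptData(skey, data []byte) (Message, error) {
	gcm, err := newGCM(skey)
	if err != nil {
		return Message{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	return Message{Nonce: nonce, C: gcm.Seal(nil, nonce, data, nil)}, nil
}

// SealEnvelope is step S103: DE = E'_IPK(skey), with RSA-OAEP in place of SM2 (the page permits RSA).
func SealEnvelope(ipk *rsa.PublicKey, skey []byte) (Envelope, error) {
	de, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ipk, skey, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{DE: de}, nil
}

// TerminalSend is the sender side: one session key, two outputs bound for two different paths.
func TerminalSend(ipk *rsa.PublicKey, data []byte) (Envelope, Message, error) {
	skey, err := GenSessionKey()
	if err != nil {
		return Envelope{}, Message{}, err
	}
	msg, err := EncryptData(skey, data) // ciphertext data path (ground communication network)
	if err != nil {
		return Envelope{}, Message{}, err
	}
	env, err := SealEnvelope(ipk, skey) // key ciphertext path (satellite communication network)
	return env, msg, err
}

// DecryptData is the second half of S104; under any key but the enveloped one the GCM tag check fails.
func DecryptData(skey []byte, msg Message) ([]byte, error) {
	gcm, err := newGCM(skey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.C, nil)
}

// CloudReceive is step S104: open DE with the identification private key, then decrypt C with skey.
func CloudReceive(ipriv *rsa.PrivateKey, env Envelope, msg Message) ([]byte, error) {
	skey, err := rsa.DecryptOAEP(sha256.New(), nil, ipriv, env.DE, oaepLabel)
	if err != nil {
		return nil, err
	}
	return DecryptData(skey, msg)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() { // stand-alone demo on a constructed telemetry sample
	ipriv, _ := NewReceiverKey() // error ignored only in this demo
	env, msg, _ := TerminalSend(&ipriv.PublicKey, []byte("meter 0042 reading 17.3 kWh"))
	pt, err := CloudReceive(ipriv, env, msg)
	fmt.Printf("%q %v\n", pt, err)
}
```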
It can be seen that the data security transmission method in one or more embodiments of the present specification takes both the cost of data transmission and the risk of data hijacking into account, drawing on the technical fields of data encryption and satellite communication. Because the ciphertext data and the session key are transmitted over different paths, the risk that the data is hijacked and the ciphertext leaked is markedly reduced; in addition, for the transmission of the session key, a public key system based on digital certificates is replaced by an identification key system, with the ground communication network and the satellite communication network used as separate paths, which greatly reduces the high cost of relying on the satellite network alone for data transmission.
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to any embodiment method, one or more embodiments of the present specification further provide a data secure transmission system. With reference to fig. 3, a specific data security transmission system is disclosed, in which the terminal of the internet of things in fig. 3 is a sender and is responsible for sending encrypted ciphertext data and a session key; the internet of things cloud service system in the figure is a specific receiver and receives ciphertext data and a session key sent by an internet of things terminal; the terrestrial communication network and the satellite communication network in fig. 3 are two different data transmission paths between the sender and the receiver.
Referring to fig. 2, the data secure transmission system includes:
a terminal S201 configured to: generate a random session key in response to receiving an identification public key distributed by a key center through a satellite communication network; symmetrically encrypt plaintext data to be transmitted with the session key to obtain ciphertext data, and send the ciphertext data to a cloud system through a ground communication network; asymmetrically encrypt the session key with the identification public key to obtain a digital envelope, and send the digital envelope to the cloud system through the satellite communication network;
a cloud system S202 configured to: in response to receiving the ciphertext data and the digital envelope from the terminal, decrypt the digital envelope with a pre-stored identification private key corresponding to the identification public key to obtain the session key, and decrypt the ciphertext data with the obtained session key to obtain the plaintext data.
As an alternative embodiment, the terminal S201 is specifically configured so that the device of the Internet of Things terminal calls an SDK (software development kit), serving as program interface and configuration tool, to generate a random number r with 0 < r < n, where a point on the elliptic curve Ep(a, b) is chosen as the base point G and n is the order of the base point G.
The session key skey is then computed from the generated random number r and the elliptic curve base point G by the following formula:
skey = x mod n;
where the random number r and the base point G are related by (x, y) = r·G, i.e. (x, y) is the point obtained by multiplying the base point G by r, and mod denotes the modulo operation.
Since both r and G participate as random numbers in the calculation of the encryption key, the generated encryption key skey also has a random attribute that is difficult to crack.
Further, the plaintext data collected by the Internet of Things terminal is denoted data, and the skey obtained in the previous step is used to encrypt it. The encryption is symmetric, that is, the Internet of Things terminal (sender) encrypting data and the Internet of Things cloud service system (receiver) decrypting it both use the same skey as the session key. In this embodiment the encryption is implemented with the SM4 block cipher of the national (SM) cryptographic algorithms, expressed by the following formula:
C = E_sk(data)
where C denotes the encrypted ciphertext data and E_sk denotes the encryption operation of the SM4 algorithm under the session key.
Further, with reference to the schematic diagram of the data security transmission device in fig. 3, the ciphertext data C after being encrypted is sent to the internet of things cloud service system from the internet of things terminal through the ground communication network, that is, the ciphertext data path marked in the diagram.
In this embodiment, the type of symmetric encryption algorithm is not specifically limited; for example, depending on the specific situation and needs, it can be the SM4 block cipher of the national cryptographic algorithms, the international DES algorithm, an RC algorithm, and so on.
In the embodiment of the invention, skey is encrypted with an identification key, which is an asymmetric mode of encryption: the Internet of Things terminal (sender) encrypting and the Internet of Things cloud service system (receiver) decrypting use different identification keys. Specifically, the encryption in this step is performed with the identification public key, and the decryption by the Internet of Things cloud service system in the following steps is performed with the identification private key. With reference to fig. 3, the identification public key is computed by the SDK accessed by the Internet of Things terminal from the receiving party's identification by means of the public key seed matrix. In this embodiment the asymmetric encryption of skey uses the SM2 algorithm of the national (SM) cryptographic algorithms, yielding the digital envelope expressed as:
DE = E'_IPK(skey)
where E'_IPK denotes the above-mentioned SM2 asymmetric encryption operation under the identification public key IPK, and DE denotes the digital envelope, i.e. the encrypted skey data.
The identification public key used in this embodiment is obtained by selecting a corresponding element from a public key seed matrix through a mapping algorithm to perform ECC (elliptic curve cryptography) algorithm point addition.
Further, with reference to the schematic diagram of the data security transmission device in fig. 3, the encrypted skey is sent from the Internet of Things terminal to the Internet of Things cloud service system through the satellite communication network, that is, the key ciphertext path marked in the diagram.
In this embodiment, the type of asymmetric encryption algorithm is not specifically limited. For example, depending on the specific situation and requirements, it may be the asymmetric algorithm SM2 from the national cryptographic suite, the RSA algorithm, the DSA algorithm, or the like.
As an optional embodiment, in the cloud system S202 the internet of things cloud service system first decrypts the digital envelope received from the satellite communication network; because the digital envelope was asymmetrically encrypted, it must be decrypted with the identification private key corresponding to the identification public key. In this embodiment, the identification private key is obtained by selecting the corresponding elements from a private key seed matrix through a mapping algorithm and combining them by large-number modular addition. With reference to fig. 3, the KMC (key management center) produces the identification private key using the SM2 algorithm and is responsible for distributing it to the terminal side shown in the figure, after which the identification private key is written into the internet of things cloud service system through the SDK. To ensure autonomous security and controllability, as shown in fig. 3, the KMC in this embodiment is a separately deployed production and management system established by the user rather than by a third party; as an important component of the public key infrastructure, it provides key services including the production and distribution of identification private keys, as well as their storage, update, recovery, and querying.
The identification private key used by the internet of things cloud service system to decrypt the digital envelope DE = E'_IPK(skey) may be stored, for example, in a security chip, a U shield (USB key token), or a software shield of the IPK; the specific storage medium is not limited in this embodiment.
In this embodiment, the decryption of the digital envelope DE = E'_IPK(skey) uses the same national cryptographic algorithm SM2 that was used to encrypt skey. Decrypting the digital envelope DE = E'_IPK(skey) yields skey, which is then used to decrypt the ciphertext data.
Further, the obtained skey is used to decrypt the ciphertext data C = E_skey(data): the same session key skey and the same national block cipher SM4 that were used to encrypt the plaintext data are used for decryption, so that the internet of things cloud service system finally obtains the plaintext data sent by the internet of things terminal.
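The following Python is a worked model, added for this page and not code from the patent or its applicants, of the scheme described above: the seed-matrix derivation of the identification keys (the public key by ECC point addition, the private key by modular addition, as in claims 5 and 6), the digital envelope DE = E'_IPK(skey), and the cloud-side recovery of the session key and the plaintext from C = E_skey(data). It uses only the standard library, so several stand-ins are assumptions: the secp256k1 curve constants replace the SM2 curve (the point-addition and modular-addition logic is the same for any curve), an HMAC-SHA256 counter-mode keystream with an HMAC tag replaces the SM4 block cipher, and the 8x4 matrix shape, the SHA-256-based mapping, the matrix seed and the terminal identification are constructed for the demonstration. The envelope mirrors SM2's ECIES-like structure (C1 = kG, a KDF of k*IPK, and a tag), which is why the holder of the identification private key can unmask skey.

```python
import hashlib
import hmac
import os

# ASSUMPTION: secp256k1 constants stand in for the SM2 curve; nothing below depends on which curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0  # curve coefficient a (the SM2 curve uses a different value)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity
ROWS, COLS = 8, 4  # seed matrix shape: a constructed assumption

def point_add(p1, p2):
    """Affine elliptic-curve point addition, including doubling and inverse points."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):  # double-and-add k*pt
    acc = INF
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def make_seed_matrices(seed):
    # KMC: private seed matrix of scalars (demo: deterministic; a real KMC uses a CSPRNG)
    priv = [[int.from_bytes(hashlib.sha256(f"{seed}/{r}/{c}".encode()).digest(), "big") % (N - 1) + 1
             for c in range(COLS)] for r in range(ROWS)]
    return priv, [[scalar_mult(s, G) for s in row] for row in priv]  # public seed matrix

def mapping(identification):  # constructed mapping: one row index per column
    digest = hashlib.sha256(identification.encode()).digest()
    return [digest[c] % ROWS for c in range(COLS)]

def identification_private_key(priv_matrix, identification):  # claim 6: modular addition
    return sum(priv_matrix[r][c] for c, r in enumerate(mapping(identification))) % N

def identification_public_key(pub_matrix, identification):  # claim 5: point addition
    pk = INF
    for c, r in enumerate(mapping(identification)):
        pk = point_add(pk, pub_matrix[r][c])
    return pk

def _keystream_xor(key, data, label):
    """ASSUMPTION: an HMAC-SHA256 counter-mode keystream stands in for the SM4 cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal_envelope(ipk, skey):
    """DE = E'_IPK(skey): ephemeral k, C1 = kG, KDF(k*IPK) masks skey, C3 is a tag."""
    k = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    c1 = scalar_mult(k, G)
    kdf = hashlib.sha256(scalar_mult(k, ipk)[0].to_bytes(32, "big")).digest()
    c2 = _keystream_xor(kdf, skey, b"envelope")
    return (c1, c2, hmac.new(kdf, c2, hashlib.sha256).digest())

def open_envelope(isk, envelope):
    # Cloud side: isk*C1 == k*IPK, so the same KDF key unmasks skey; the tag is checked first.
    c1, c2, c3 = envelope
    kdf = hashlib.sha256(scalar_mult(isk, c1)[0].to_bytes(32, "big")).digest()
    if not hmac.compare_digest(c3, hmac.new(kdf, c2, hashlib.sha256).digest()):
        raise ValueError("digital envelope tag mismatch")
    return _keystream_xor(kdf, c2, b"envelope")

def encrypt_data(skey, plaintext):
    """C = E_skey(data) with a fresh nonce and an integrity tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(skey, plaintext, b"data" + nonce)
    return nonce + ct + hmac.new(skey, nonce + ct, hashlib.sha256).digest()

def decrypt_data(skey, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(skey, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext data tag mismatch")
    return _keystream_xor(skey, ct, b"data" + nonce)

def run_session(identification, plaintext, matrix_seed=2020):
    """Claim 1 end to end: KMC derives keys, terminal sends C and DE, cloud recovers data."""
    priv_m, pub_m = make_seed_matrices(matrix_seed)
    isk = identification_private_key(priv_m, identification)  # pre-stored in the cloud
    ipk = identification_public_key(pub_m, identification)    # distributed to the terminal
    skey = os.urandom(16)                                     # terminal: random session key
    ciphertext = encrypt_data(skey, plaintext)                # ground communication network
    envelope = seal_envelope(ipk, skey)                       # satellite communication network
    return decrypt_data(open_envelope(isk, envelope), ciphertext)
```

Two points worth checking when reading this against the description: scalar_mult(isk, G) equals the identification public key, because the sum of the selected scalars modulo the group order N is exactly the scalar behind the sum of the selected points, which is what lets the terminal derive IPK from the public matrix alone while only the KMC, holding the private matrix, can produce the matching private key; and a wrong private key or a modified ciphertext is rejected by the tag check before any plaintext is released, which is the failure mode a cloud-side implementation must handle explicitly.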
The system of the foregoing embodiment is used to implement the corresponding data secure transmission method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above-mentioned embodiments, one or more embodiments of the present specification further provide an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the data security transmission method according to any of the above-mentioned embodiments.
Fig. 4 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The apparatus of the foregoing embodiment is used to implement the corresponding data secure transmission method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above-described embodiment methods, one or more embodiments of the present specification further provide a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the data security transmission method according to any of the above-described embodiments.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the data security transmission method according to any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures, for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method for secure data transmission, comprising:
in response to receiving the identification public key distributed by the key center through the satellite communication network, the terminal generates a random session key;
the terminal symmetrically encrypts plaintext data to be transmitted by using the session key to obtain ciphertext data, and sends the ciphertext data to a cloud system through a ground communication network;
the terminal carries out asymmetric encryption on the session key by using the identification public key to obtain a digital envelope, and sends the digital envelope to the cloud system through the satellite communication network;
in response to receiving the ciphertext data and the digital envelope, the cloud system decrypts the digital envelope by using a pre-stored identification private key corresponding to the identification public key to obtain the session key, and decrypts the ciphertext data by using the obtained session key to obtain the plaintext data.
2. The method according to claim 1, wherein the terminal is an internet of things terminal, and the cloud system is an internet of things cloud service system.
3. The method of claim 1, wherein the random session key is generated by the terminal by invoking an identification public key software development kit.
4. The method of claim 1, wherein the identification private key is distributed by the key center and pre-stored in a secure chip in the cloud system.
5. The method according to any one of claims 1 to 4, wherein the identification public key is obtained by performing an elliptic curve cryptography algorithm on the identification based on a public key seed matrix.
6. The method according to any one of claims 1 to 4, wherein the identification private key is obtained by performing a large number addition algorithm on the identification based on a private key seed matrix.
7. The method according to any of claims 1 to 4, characterized in that said symmetric encryption utilizes the SM4 block cipher algorithm.
8. The method according to any of claims 1 to 4, wherein the asymmetric encryption utilizes the SM2 elliptic curve public key cryptography algorithm.
9. A data security transmission system is characterized in that the system comprises a terminal and a cloud system,
wherein the terminal is configured to: generating a random session key in response to receiving an identification public key distributed by a key center through a satellite communication network; carrying out symmetric encryption on plaintext data to be transmitted by using the session key to obtain ciphertext data, and sending the ciphertext data to a cloud system through a ground communication network; carrying out asymmetric encryption on the session key by using the identification public key to obtain a digital envelope, and sending the digital envelope to the cloud system through the satellite communication network;
the cloud system is configured to: and in response to the ciphertext data and the digital envelope received from the terminal, decrypting the digital envelope by using a pre-stored identification private key corresponding to the identification public key to obtain the session key, and decrypting the ciphertext data by using the obtained session key to obtain the plaintext data.
10. The system of claim 9, wherein the terminal is an internet of things terminal, and the cloud system is an internet of things cloud service system.
CN202011360713.0A 2020-11-27 2020-11-27 Data security transmission method and system Active CN112543189B (en)
Publications (2)

Publication Number Publication Date
CN112543189A true CN112543189A (en) 2021-03-23
CN112543189B CN112543189B (en) 2023-05-09
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20211110
Address after: 100089 south building, block a, Dongxu International Center, Fanyang Road, Fengtai District, Beijing
Applicant after: Beijing Zhongdian Feihua Communication Co.,Ltd.
Address before: 100070 south building, block a, Dongxu International Center, Fanyang Road, Fengtai District, Beijing
Applicant before: Beijing Zhongdian Feihua Communication Co.,Ltd.
Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.
GR01 Patent grant