CN112702318A - Communication encryption method, decryption method, client and server - Google Patents

Publication number
CN112702318A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011447223.4A
Other languages
Chinese (zh)
Inventor
汪德嘉
孟啸龙
钱潇龄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Pay Egis Technology Co ltd
Jiangsu Tongfudun Information Security Technology Co ltd
Original Assignee
Jiangsu Pay Egis Technology Co ltd
Jiangsu Tongfudun Information Security Technology Co ltd

Classifications

    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/12 Applying verification of the received information
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The application discloses a communication encryption method, a decryption method, a client and a server. During encryption, the client encrypts a plaintext twice, using an RSA private key and a randomly generated DES key, to generate a secondary encrypted ciphertext, and sends the secondary encrypted ciphertext and the encryption key to the server. During decryption, the server decrypts the secondary encrypted ciphertext by using the receiving end private key and the DES key to obtain the primary encrypted ciphertext and the RSA public key and, after the key information passes verification, decrypts the ciphertext information by using the RSA public key to obtain the plaintext. The method, the client and the server provided by the invention thus combine symmetric encryption and asymmetric encryption: the client encrypts the plaintext with a dynamic key, and the server decrypts and verifies it, so that protocol attacks, man-in-the-middle attacks and the like aimed at mobile applications can be effectively prevented, the security of communication information and communication data is ensured, and the risk that a user's communication data is stolen is effectively reduced.

Description

Communication encryption method, decryption method, client and server
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication encryption method, a decryption method, a client, and a server.
Background
The rapid development of information technology enables a large amount of data to be transmitted and shared over networks. Important or private information may be intercepted and stolen, which threatens the confidentiality of transmitted data. More seriously, many security protection systems today are based on passwords, and the leakage of a password during transmission will lead to the overall breakdown of the security system.
At present, the traditional approach to communication encryption in the mobile internet field usually adopts a single symmetric encryption (such as AES or DES) or asymmetric encryption (such as RSA); that is, data is encrypted by the sending end and decrypted by the receiving end.
However, a single encryption mode does not provide sufficient data security: once the key is leaked, the data content can be obtained in full by packet capture. The captured data can then be tampered with, the modified data can be submitted by impersonating the sender, and a replay attack can be carried out.
Disclosure of Invention
The application provides a communication encryption method, a decryption method, a client and a server, which aim to solve the problem of low security of the existing communication encryption method.
In a first aspect, the present application provides a communication encryption method, applied to a client, including the following steps:
acquiring a plaintext to be sent and a receiving end public key, and randomly generating a DES key and an RSA public/private key pair, wherein the receiving end public key is the public key of the server;
encrypting the plaintext once by using the RSA private key to generate a primary encrypted ciphertext;
performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext;
encrypting the DES key by using the receiving end public key to obtain an encryption key;
and sending ciphertext combination information, generated from the secondary encrypted ciphertext and the encryption key, to the server.
In some embodiments of the present application, encrypting the plaintext once with the RSA private key to generate a primary encrypted ciphertext includes:
acquiring key information corresponding to the plaintext;
encrypting the plaintext once by using the RSA private key to obtain ciphertext information;
and combining the key information and the ciphertext information to obtain the primary encrypted ciphertext.
In some embodiments of the present application, the method further comprises: adding a digest signature to the primary encrypted ciphertext by using the RSA private key.
In some embodiments of the present application, performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext includes:
acquiring the digest signature of the primary encrypted ciphertext;
combining the primary encrypted ciphertext, the digest signature and the RSA public key to obtain combined information;
and performing secondary encryption on the combined information by using the DES key to obtain the secondary encrypted ciphertext.
In a second aspect, the present application further provides a communication decryption method, applied to a server, including the following steps:
receiving ciphertext combined information sent by a client, wherein the ciphertext combined information comprises a secondary encryption ciphertext and an encryption key;
decrypting the encrypted key by using a receiving end private key to obtain a DES (data encryption standard) key, wherein the receiving end private key is a private key of a server end;
decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key, wherein the primary encrypted ciphertext comprises ciphertext information and key information;
verifying the key information;
and after the key information passes the verification, decrypting the ciphertext information by using the RSA public key to obtain a plaintext.
In some embodiments of the present application, decrypting the secondary encrypted ciphertext with the DES key to obtain a primary encrypted ciphertext and an RSA public key includes:
and decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext, a digest signature and an RSA public key.
In some embodiments of the present application, the method further comprises:
verifying the digest signature by using the RSA public key;
and after the digest signature passes the verification, verifying the key information.
In some embodiments of the present application, the key information includes a transmission timestamp; and, the verifying the key information includes:
acquiring the receiving time of the ciphertext combined information;
calculating the time difference between the receiving time and the time corresponding to the sending time stamp;
if the time difference exceeds a preset time value, determining that the verification of the key information fails;
and if the time difference does not exceed a preset time value, determining that the key information passes verification.
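An added Go example of this key-information check (not code from the patent): it applies the time-difference test from the steps above and also remembers each UUID, which the detailed description lists as key information, until its timestamp expires, because a time window on its own still accepts a captured message resent inside the window. `ReplayGuard`, `KeyInfo`, the sample values and the 30-second window are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// KeyInfo mirrors the "key information": sending timestamp plus UUID.
type KeyInfo struct {
	Sent time.Time
	UUID string
}

var (
	ErrStale  = errors.New("time difference exceeds the preset time value")
	ErrReplay = errors.New("serial number already accepted")
)

// ReplayGuard is a hypothetical server-side helper, not part of the patent text.
type ReplayGuard struct {
	mu     sync.Mutex
	maxAge time.Duration        // the "preset time value"
	seen   map[string]time.Time // UUID -> moment its timestamp stops being acceptable
}

func NewReplayGuard(maxAge time.Duration) *ReplayGuard {
	return &ReplayGuard{maxAge: maxAge, seen: make(map[string]time.Time)}
}

// Verify returns nil when the key information passes verification.
// received must come from the server's own clock.
func (g *ReplayGuard) Verify(k KeyInfo, received time.Time) error {
	diff := received.Sub(k.Sent)
	if diff < 0 {
		diff = -diff // a future-dated timestamp is as suspect as an old one
	}
	if diff > g.maxAge {
		return ErrStale
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for id, expiry := range g.seen { // forget serials whose timestamp can no longer pass
		if received.After(expiry) {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[k.UUID]; dup {
		return ErrReplay // same message captured and resent inside the window
	}
	g.seen[k.UUID] = k.Sent.Add(g.maxAge)
	return nil
}

// Pending reports how many serial numbers are currently remembered.
func (g *ReplayGuard) Pending() int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return len(g.seen)
}

func main() {
	g := NewReplayGuard(30 * time.Second)
	t0 := time.Unix(1700000000, 0) // constructed sample values
	k := KeyInfo{Sent: t0, UUID: "constructed-uuid-0001"}
	fmt.Println(g.Verify(k, t0.Add(2*time.Second)))  // first delivery
	fmt.Println(g.Verify(k, t0.Add(9*time.Second)))  // resent inside the window
	fmt.Println(g.Verify(k, t0.Add(45*time.Second))) // resent after the window
}
```

The cache only needs to hold a UUID until its timestamp would fail the time check anyway, so memory stays bounded by the message rate times the window.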
In a third aspect, the present application further provides a client, including:
the information acquisition and key generation module is used for acquiring a plaintext to be sent and a receiving end public key, and randomly generating a DES (Data Encryption Standard) key and an RSA (Rivest-Shamir-Adleman) public/private key pair, wherein the receiving end public key is the public key of the server;
the primary encryption module is used for encrypting the plaintext once by using the RSA private key to generate a primary encryption ciphertext;
the secondary encryption module is used for carrying out secondary encryption on the primary encryption ciphertext and the RSA public key by using the DES key to generate a secondary encryption ciphertext;
the key encryption module is used for encrypting the DES key by using the public key of the receiving end to obtain an encryption key;
and the ciphertext combined information sending module is used for sending the ciphertext combined information generated by the secondary encrypted ciphertext and the encryption key to a server side.
In a fourth aspect, the present application further provides a server, which includes:
the ciphertext combination information receiving module is used for receiving ciphertext combination information sent by the client, and the ciphertext combination information comprises a secondary encryption ciphertext and an encryption key;
the key decryption module is used for decrypting the encrypted key by using a receiving end private key to obtain a DES key, wherein the receiving end private key is a server end private key;
the primary decryption module is used for decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key, wherein the primary encrypted ciphertext comprises ciphertext information and key information;
the information checking module is used for checking the key information;
and the secondary decryption module is used for decrypting the ciphertext information by using the RSA public key after the key information passes the verification to obtain a plaintext.
In a fifth aspect, the present application further provides a storage medium, where the storage medium may store a program, and the program may implement, when executed, some or all of the steps in the embodiments of the communication encryption method and the communication decryption method provided in the present application.
According to the above technical scheme, in the communication encryption method, the decryption method, the client and the server provided by the embodiment of the invention, during encryption the client encrypts a plaintext once by using an RSA private key to generate a primary encrypted ciphertext; performs secondary encryption on the primary encrypted ciphertext and the RSA public key by using a randomly generated DES key to generate a secondary encrypted ciphertext; and sends to the server the secondary encrypted ciphertext together with the encryption key obtained by encrypting the DES key with the receiving end public key. During decryption, the server decrypts the encryption key by using the receiving end private key to obtain the DES key; decrypts the secondary encrypted ciphertext by using the DES key to obtain the primary encrypted ciphertext and the RSA public key; and, after the key information passes verification, decrypts the ciphertext information by using the RSA public key to obtain the plaintext. The method, the client and the server provided by the embodiment of the invention thus combine symmetric encryption and asymmetric encryption: the client encrypts the plaintext with a dynamic key, and the server decrypts and verifies it to obtain the plaintext, so that protocol attacks, man-in-the-middle attacks and the like aimed at mobile applications can be effectively prevented, the security of communication information is ensured, the mobile application's protection against leakage of communication information is improved, the security of communication data between the client and the server is ensured, and the risk that a user's communication data is stolen is effectively reduced.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a flowchart of a communication encryption method according to an embodiment of the present invention;
Fig. 2 is a data flow diagram of a communication encryption method according to an embodiment of the present invention;
Fig. 3 is a flowchart of a method for generating a primary encrypted ciphertext according to an embodiment of the present invention;
Fig. 4 is a flowchart of a method for generating a secondary encrypted ciphertext according to an embodiment of the present invention;
Fig. 5 is a flowchart of a communication decryption method according to an embodiment of the present invention;
Fig. 6 is a data flow diagram of a communication decryption method according to an embodiment of the present invention;
Fig. 7 is a flowchart of a method for verifying key information according to an embodiment of the present invention;
Fig. 8 is an interaction block diagram of a client and a server according to an embodiment of the present invention.
Detailed Description
When communication is encrypted, a single symmetric encryption mode (such as AES or DES) or asymmetric encryption mode (such as RSA) is usually adopted, which tends to give low security. The aim is therefore to prevent others, once a key has leaked, from obtaining the full data content by packet capture, and from tampering with the data, submitting the modified data while impersonating the sender, and carrying out a replay attack. To this end, the embodiment of the invention provides a communication encryption method and a communication decryption method, which are applied to a client and a server, wherein the client acts as the sending end and the server acts as the receiving end. Combining symmetric encryption and asymmetric encryption, the client encrypts the plaintext with a dynamic key, and the server then decrypts and verifies it to obtain the plaintext.
Therefore, by transmitting data in the above manner, the embodiment of the invention can effectively protect against protocol attacks, man-in-the-middle attacks and the like aimed at mobile applications, ensures the security of communication information, improves the mobile application's protection against leakage of communication information, ensures the security of communication data between the client and the server, and effectively reduces the risk that a user's communication data is stolen.
Fig. 1 is a flowchart of a communication encryption method according to an embodiment of the present invention; Fig. 2 is a data flow diagram of a communication encryption method according to an embodiment of the present invention. Referring to Fig. 1 and Fig. 2, a communication encryption method provided in an embodiment of the present invention is applied to a client, and includes the following steps:
S11, acquiring a plaintext to be sent and a receiving end public key, and randomly generating a DES key and an RSA public/private key pair, wherein the receiving end public key is the public key of the server.
The plaintext to be sent is information that the client needs to send, for example, when the client needs to perform login operation, the login information is the plaintext. In this embodiment, the client encrypts the login information and then sends the encrypted login information to the server for verification, and the login operation is executed after the verification is passed.
In order to ensure the security of data transmission, the encryption method provided in this embodiment adopts a combination of symmetric encryption and asymmetric encryption, that is, a DES key and a set of RSA public and private keys are randomly generated.
DES (Data Encryption Standard) is a block cipher that encrypts with a key, and belongs to the symmetric encryption mode. Alternatively, the symmetric encryption scheme may be AES (Advanced Encryption Standard), a block encryption standard adopted by the United States federal government.
RSA is an asymmetric encryption algorithm, which uses different keys for encryption and decryption. The receiving end public key is the public key of the server. The client and the server each generate an RSA key pair comprising a public key and a private key, so each holds its own RSA public and private keys; the server's RSA public key is public information and can be held by anyone.
In this embodiment, the communication process combines symmetric encryption and asymmetric encryption, which keeps the encryption and decryption process efficient while protecting data security. In addition, the key used in the encryption process is randomly generated rather than a data encryption key stored permanently on the device; that is, it is a dynamic key. With a dynamic key, each communication uses its own key and each key is used only once, which effectively prevents the key from being cracked and ensures communication security.
S12, encrypting the plaintext once by using the RSA private key to generate a primary encrypted ciphertext.
When the sending end (client) encrypts a plaintext, two encryption processes are executed. In the first, the plaintext is encrypted once by using the RSA private key to generate a primary encrypted ciphertext.
In order to prevent the receiving end (server) from suffering a replay attack that makes the data information abnormal, in this embodiment key information is added when the plaintext is encrypted, to identify the plaintext sent this time. The key information includes a sending timestamp, a UUID and the like, wherein the sending timestamp identifies the time at which the client sends the plaintext, and the UUID identifies the unique serial number of the plaintext currently being sent.
Fig. 3 is a flowchart of a method for generating a primary encrypted ciphertext according to an embodiment of the present invention. Referring to Fig. 3, the client encrypting the plaintext once with the RSA private key to generate a primary encrypted ciphertext includes:
S121, acquiring key information corresponding to the plaintext.
S122, encrypting the plaintext once by using the RSA private key to obtain ciphertext information.
S123, combining the key information and the ciphertext information to obtain a primary encrypted ciphertext.
When the client sends the plaintext, key information such as a sending timestamp and a UUID is generated correspondingly. After the plaintext is encrypted once by using the RSA private key, ciphertext information is obtained. Finally, the key information and the ciphertext information are combined to obtain the primary encrypted ciphertext.
Adding key information such as the sending timestamp to the primary encrypted ciphertext protects the server against replay attacks.
S13, performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext.
After the primary encrypted ciphertext is obtained, it can be encrypted a second time by using the DES key. To ensure security during this encryption, the primary encrypted ciphertext and the RSA public key can be combined to obtain combined information, and the combined information is then encrypted with the DES key; that is, the primary encrypted ciphertext and the RSA public key are secondarily encrypted with the DES key to generate a secondary encrypted ciphertext.
In another embodiment, after the primary encryption the client can add a digest signature to the primary encrypted ciphertext. The server uses the digest signature to verify whether the received information is the information sent by the client, that is, whether the received information is correct, which improves security.
Therefore, in the communication encryption method provided in the embodiment of the present invention, after the client generates the primary encrypted ciphertext, the method further includes: adding a digest signature to the primary encrypted ciphertext by using the RSA private key.
Adding the digest signature means creating key-value pairs; for example, key value 1 corresponds to the plaintext, key value 2 corresponds to the sending timestamp, and key value 3 corresponds to the digest information. The digest information identifies the necessary information of the currently encrypted plaintext.
Adding the digest signature makes the ciphertext contain a digital signature, which prevents the data from being tampered with through a man-in-the-middle attack.
Fig. 4 is a flowchart of a method for generating a secondary encrypted ciphertext according to an embodiment of the present invention. Accordingly, when the client generates the combined information, it may also do so based on the digest signature. Referring to Fig. 4, the client performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext includes:
S131, acquiring the digest signature of the primary encrypted ciphertext.
S132, combining the primary encrypted ciphertext, the digest signature and the RSA public key to obtain combined information.
S133, performing secondary encryption on the combined information by using the DES key to obtain a secondary encrypted ciphertext.
After the client adds the digest signature to the primary encrypted ciphertext, the primary encrypted ciphertext, the digest signature and the RSA public key are combined to obtain combined information. The combined information is data in a specific format that is convenient to assemble.
The combined information is then secondarily encrypted by using the DES key; that is, the primary encrypted ciphertext, the digest signature and the RSA public key are secondarily encrypted with the DES key to obtain the secondary encrypted ciphertext.
Because the DES key is randomly generated and is therefore a dynamic key, using it for the secondary encryption means the ciphertext corresponds to only one key in the current sending process, that is, a one-time key. This effectively prevents the key from being cracked and ensures communication security.
S14, encrypting the DES key by using the receiving end public key to obtain an encryption key.
Although the DES key is a dynamic key, in order to further improve security the DES key may be encrypted by using the receiving end public key to obtain an encryption key.
The receiving end public key is the public key of the server and can be obtained by the client. Using it to encrypt the client's DES key separately for transmission prevents the key from being cracked after interception and improves the security of data transmission.
S15, sending the ciphertext combination information generated from the secondary encrypted ciphertext and the encryption key to the server.
The secondary encrypted ciphertext and the encryption key are combined to generate ciphertext combination information, which is sent to the server. Although the ciphertext combination information combines the secondary encrypted ciphertext and the encryption key, the combination merely packs them mechanically into one information file; the secondary encrypted ciphertext and the encryption key remain mutually independent data. Sending the ciphertext and the key to the server as independent data can improve the security of data transmission.
Therefore, in the communication encryption method provided by the embodiment of the invention, the client encrypts the plaintext with a dynamic key by combining symmetric encryption and asymmetric encryption. This can effectively protect against protocol attacks, man-in-the-middle attacks and the like aimed at mobile applications, prevents the key from being cracked and the data from being tampered with, ensures the security of communication information, improves the mobile application's protection against leakage of communication information, ensures the security of communication data between the client and the server, and effectively reduces the risk that a user's communication data is stolen.
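The client steps S11 to S15 and the matching server steps from the second aspect, as an added Go example that is not code from the patent. The page fixes none of the encodings, so the JSON framing, DES-CBC with a random IV and PKCS#7 padding, PKCS#1 v1.5 for the private-key operation and the digest signature, RSA-OAEP for wrapping the DES key, SHA-256, 2048-bit keys and all type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical wire formats: the page does not define a serialization.
type primary struct { // primary encrypted ciphertext (S123)
	Sent   int64  // key information: sending timestamp, Unix seconds
	UUID   string // key information: random serial standing in for the UUID
	Cipher []byte // ciphertext information (S122)
}
type combined struct{ Primary, Sig, PubKey []byte } // combined information (S132)
type Envelope struct{ WrappedKey, Secondary []byte } // ciphertext combination information (S15)

func genKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal runs client steps S11-S15 for one message.
func Seal(plain []byte, serverPub *rsa.PublicKey, now time.Time) (*Envelope, error) {
	rnd := make([]byte, 32) // DES key | CBC IV | serial number
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	priv, err := genKey() // S11: per-message RSA pair
	if err != nil {
		return nil, err
	}
	c, err := rsa.SignPKCS1v15(nil, priv, crypto.Hash(0), plain) // S12: private-key op, no hash
	if err != nil {
		return nil, err // e.g. plaintext longer than the modulus allows
	}
	p, _ := json.Marshal(primary{now.Unix(), fmt.Sprintf("%x", rnd[16:]), c})
	h := sha256.Sum256(p)
	sig, errS := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]) // digest signature
	wrapped, errW := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, rnd[:8], nil) // S14
	if errS != nil || errW != nil {
		return nil, fmt.Errorf("sign or wrap failed: %v, %v", errS, errW)
	}
	msg, _ := json.Marshal(combined{p, sig, x509.MarshalPKCS1PublicKey(&priv.PublicKey)})
	pad := 8 - len(msg)%8 // PKCS#7 padding to the DES block size
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)
	blk, _ := des.NewCipher(rnd[:8])
	cipher.NewCBCEncrypter(blk, rnd[8:16]).CryptBlocks(msg, msg) // S13 / S133
	return &Envelope{wrapped, append(rnd[8:16:16], msg...)}, nil // IV || ciphertext
}

// Open runs server steps S21-S23, then the signature, timestamp and recovery steps.
func Open(e *Envelope, serverPriv *rsa.PrivateKey, now time.Time, maxAge time.Duration) ([]byte, error) {
	desKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, e.WrappedKey, nil) // S22
	if err != nil || len(desKey) != 8 || len(e.Secondary) < 16 || len(e.Secondary)%8 != 0 {
		return nil, errors.New("bad envelope")
	}
	blk, _ := des.NewCipher(desKey)
	buf := make([]byte, len(e.Secondary)-8)
	cipher.NewCBCDecrypter(blk, e.Secondary[:8]).CryptBlocks(buf, e.Secondary[8:]) // S23
	cm, p := combined{}, primary{}
	n := int(buf[len(buf)-1]) // PKCS#7 pad length
	if n < 1 || n > 8 || json.Unmarshal(buf[:len(buf)-n], &cm) != nil || json.Unmarshal(cm.Primary, &p) != nil {
		return nil, errors.New("bad secondary ciphertext")
	}
	pub, err := x509.ParsePKCS1PublicKey(cm.PubKey)
	h := sha256.Sum256(cm.Primary)
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], cm.Sig) != nil {
		return nil, errors.New("digest signature mismatch")
	}
	if age := now.Sub(time.Unix(p.Sent, 0)); age > maxAge || age < -maxAge {
		return nil, errors.New("key information failed verification")
	}
	return PublicRecover(pub, p.Cipher)
}

// PublicRecover inverts the S12 operation with the public key alone (pub already validated).
func PublicRecover(pub *rsa.PublicKey, c []byte) ([]byte, error) {
	m := new(big.Int).Exp(new(big.Int).SetBytes(c), big.NewInt(int64(pub.E)), pub.N)
	em := m.FillBytes(make([]byte, pub.Size()))
	i := bytes.IndexByte(em[2:], 0) // length of the 0xFF padding run
	if em[0] != 0 || em[1] != 1 || i < 8 || bytes.Count(em[2:2+i], []byte{0xff}) != i {
		return nil, errors.New("bad RSA block")
	}
	return em[3+i:], nil
}

func main() {
	server, _ := genKey() // constructed receiving-end key pair
	env, _ := Seal([]byte("user=alice&pw=constructed-sample"), &server.PublicKey, time.Now())
	plain, err := Open(env, server, time.Now(), time.Minute)
	fmt.Printf("%s %v\n", plain, err)
}
```

`PublicRecover` needs no secret, so the S12 layer hides nothing from anyone who obtains the embedded RSA public key; confidentiality rests on the DES layer and on the DES key wrapped to the server. Because the RSA pair is generated per message and travels inside the envelope, a valid digest signature shows that the envelope is internally consistent, not which client produced it.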
Fig. 5 is a flowchart of a communication decryption method according to an embodiment of the present invention; Fig. 6 is a data flow diagram of a communication decryption method according to an embodiment of the present invention. Referring to Fig. 5 and Fig. 6, a communication decryption method provided in an embodiment of the present invention is applied to a server, and includes the following steps:
S21, receiving ciphertext combination information sent by the client, wherein the ciphertext combination information comprises a secondary encrypted ciphertext and an encryption key.
The client sends the twice-encrypted ciphertext combination information to the server, and the server receives it to obtain the secondary encrypted ciphertext and the encryption key produced by the client's encryption.
S22, decrypting the encryption key by using the receiving end private key to obtain the DES key.
The receiving end holds a private key; the receiving end private key is the private key of the server. This private key can decrypt the encryption key that was encrypted with the public key; that is, the receiving end private key is used to decrypt the encryption key and obtain the DES key. The DES key is the symmetric key used in the communication process, namely the key for decrypting the ciphertext encrypted by the client.
If an abnormality occurs when the client sends the ciphertext combination information, the symmetric key (DES key) corresponding to the current sending process becomes invalid. If the server then receives a piece of ciphertext combination information, the private key held by the server cannot decrypt the encryption key, so the security of data transmission can be ensured.
S23, decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key, wherein the primary encrypted ciphertext comprises ciphertext information and key information.
Because the client side performs two encryption processes when encrypting the plaintext, the server side also needs to perform two decryption processes correspondingly when decrypting the plaintext so as to obtain the plaintext.
When the first decryption is carried out, the DES key is a key for decrypting the ciphertext encrypted by the client, so that the server can decrypt the secondary encrypted ciphertext by using the DES key obtained by decryption to obtain the primary encrypted ciphertext and the RSA public key. The primary encrypted ciphertext is a ciphertext obtained by the client through primary encryption by using an RSA private key, and the primary encrypted ciphertext comprises ciphertext information and key information. The RSA public key is an asymmetric key that is randomly generated by the client.
S24, verifying the key information.
After the primary encrypted ciphertext and the RSA public key are obtained, the server needs to check the data sent this time to determine whether it has been attacked or tampered with, so as to ensure the integrity of the transmitted data.
When checking, the server checks the key information of the plaintext. In some embodiments, the key information includes a sending timestamp.
Fig. 7 is a flowchart of a method for verifying key information according to an embodiment of the present invention. Referring to Fig. 7, the server's verification of the key information includes:
S241, acquiring the receiving time at which the ciphertext combination information was received.
S242, calculating the time difference between the receiving time and the time corresponding to the sending timestamp.
S243, if the time difference exceeds a preset time value, determining that the verification of the key information fails.
S244, if the time difference does not exceed the preset time value, determining that the key information passes the verification.
The client's sending of the information and the server's receipt of it should not be far apart in time. If the interval is long, the information may have been tampered with, debugged or intercepted by others after the client sent it and before the server received it; that is, the data is abnormal.
Therefore, when the key information of the plaintext is verified, whether the data is abnormal can be determined by judging whether the interval between the time the server receives the information and the time the client sent it exceeds a preset time value.
The server calculates the time difference between the receiving time of the ciphertext combination information and the time corresponding to the client's sending timestamp. If the time difference exceeds the preset time value, the data is abnormal and the key information is determined to have failed verification. If the time difference does not exceed the preset time value, the data is normal and the key information is determined to have passed verification.
In some embodiments, the preset time value may be set to 2 minutes. If the interval between the server's receiving time and the client's sending time exceeds 2 minutes, the data is abnormal and the verification of the key information is determined to have failed. If the interval is within 2 minutes, the data is normal and the key information is determined to have passed the verification.
S25, after the key information passes the verification, decrypting the ciphertext information by using the RSA public key to obtain a plaintext.
After the key information passes the verification, the data transmitted by the client has a higher level of security, and the ciphertext information can be decrypted a second time with the RSA public key to obtain the plaintext. After the server obtains the plaintext sent by the client, it can execute the operation corresponding to the plaintext.
For example, if the plaintext is login information, the server may perform verification according to the login information and allow the client to log in once the information is verified as consistent.
In other embodiments, when the client performs the secondary encryption, the data being encrypted also includes the digest signature, so the information the server obtains after the first decryption also includes the digest signature. In some embodiments, the server's decrypting the secondary encrypted ciphertext with the DES key to obtain the primary encrypted ciphertext and the RSA public key includes: decrypting the secondary encrypted ciphertext by using the DES key to obtain the primary encrypted ciphertext, the digest signature and the RSA public key.
After obtaining the digest signature, the server can verify it. After receiving the ciphertext combination information sent by the client, the server can thus perform a second verification process, which further improves the accuracy of data verification.
In some embodiments, after the server performs step S23, the communication decryption method performed by the server further includes:
S231, verifying the digest signature by using the RSA public key.
S232, after the digest signature passes verification, verifying the key information.
The digest signature of the primary encrypted ciphertext can indicate a plurality of key-value pairs created when the client encrypts, that is, the information corresponding to the plaintext. Therefore, when decrypting, the server can verify the digest signature based on the RSA public key. The RSA public key is a key the server obtains through decryption and is the asymmetric key generated by the client.
When the digest signature is checked, the server judges whether the signature (the key-value pairs) is correct, that is, whether key value 1 corresponds to the plaintext, whether key value 2 corresponds to the sending timestamp, whether key value 3 corresponds to the digest information, and so on.
When the server verifies the digest signature, if the key values can be resolved, the data has not been tampered with, the digest signature is determined to be correct, and the verification passes; if the key values cannot be resolved, the data has been tampered with, the digest signature is determined to be wrong, and the verification fails.
After the digest signature passes the verification, the key information may be verified, that is, step S24 is executed; for the related process, refer to the description of step S24 in the foregoing embodiment, which is not repeated here.
The digest signature verification and the key information verification may be carried out simultaneously or sequentially, and the order of verification is not particularly limited. However, only after both the digest signature check and the key information check have passed, indicating that the communication content has not been tampered with, can the RSA public key be used to perform the secondary decryption of the ciphertext information to obtain the plaintext. If either verification fails, the communication content has been tampered with, the secondary decryption is not performed, and the ciphertext combination information received this time is discarded.
Therefore, in the communication decryption method provided by the embodiment of the invention, after the server receives the ciphertext combination information sent by the client, it performs two decryption processes and two verification processes, which ensures the security of the data transmitted by the client and prevents the communication content from being tampered with. The method can effectively protect against protocol attacks, man-in-the-middle attacks and the like aimed at the mobile application, prevents the key from being cracked and data from being tampered with, ensures the security of communication information, improves the mobile application's protection against leakage of communication information, ensures the security of communication data between the client and the server, and effectively reduces the risk of the user's communication data being stolen.
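The following is an added example, not code from the patent, of the server-side gate in steps S231, S24 and S25, starting from the bundle that step S23 yields once the DES layer has been removed. The JSON field names, the SHA-256 digest, the equal treatment of timestamps that lie in the future and the toy RSA key built from two Mersenne primes are assumptions chosen so that it runs on the Python standard library alone.

```python
import hashlib
import json

# Constructed toy RSA key built from two public Mersenne primes so the example
# needs no third-party library. Insecure by construction; illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

MAX_AGE_SECONDS = 120  # the 2-minute preset time value from the description


def _digest(primary: dict) -> int:
    """SHA-256 over a canonical JSON form of the primary encrypted ciphertext
    (assumed format; the patent does not name a digest algorithm)."""
    data = json.dumps(primary, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def client_build(plaintext: bytes, send_time: int) -> dict:
    """Client side: RSA-private-key 'primary encryption', key information
    (sending timestamp), digest signature and RSA public key in one bundle."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("plaintext too long for one toy RSA block")
    primary = {"ciphertext": format(pow(m, D, N), "x"), "timestamp": send_time}
    return {
        "primary": primary,
        "signature": format(pow(_digest(primary), D, N), "x"),
        "public_key": {"n": format(N, "x"), "e": E},
    }


def server_open(bundle: dict, receive_time: int, max_age: int = MAX_AGE_SECONDS):
    """Return (plaintext, reason); plaintext is None when the message is discarded."""
    try:
        primary = bundle["primary"]
        n = int(bundle["public_key"]["n"], 16)
        e = int(bundle["public_key"]["e"])
        sig = int(bundle["signature"], 16)
        c = int(primary["ciphertext"], 16)
        sent = int(primary["timestamp"])
        expected = _digest(primary)
    except (KeyError, TypeError, ValueError):
        return None, "malformed"
    if n <= 1 or e <= 0 or not (0 <= sig < n) or not (0 <= c < n):
        return None, "malformed"

    # S231: verify the digest signature with the RSA public key from the bundle.
    if pow(sig, e, n) != expected % n:
        return None, "bad digest signature"

    # S24 (S241-S244): compare receiving time with the sending timestamp.
    # Using the absolute difference also rejects far-future timestamps (assumption).
    if abs(receive_time - sent) > max_age:
        return None, "stale timestamp"

    # S25: only now perform the secondary decryption with the RSA public key.
    m = pow(c, e, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big"), "ok"


if __name__ == "__main__":
    msg = client_build(b"user=alice&action=login", 1_700_000_000)  # constructed sample
    print(server_open(msg, 1_700_000_030))
    print(server_open(msg, 1_700_000_500))
```

Because the verification key arrives inside the same bundle, the signature check shows that the bundle was not altered after signing; it does not identify the sender. The time window also does not distinguish a first delivery from a repeat of the same bundle inside the window.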
Fig. 8 is an interaction block diagram of a client and a server according to an embodiment of the present invention. Referring to Fig. 8, an embodiment of the present invention provides a client configured to execute the communication encryption method shown in Fig. 1 and Fig. 2, where the client includes:
an information obtaining and key generating module 110, configured to obtain a plaintext to be sent and a receiving-end public key, and randomly generate a DES key and a group of RSA public and private keys, where the receiving-end public key is a public key of a server;
a primary encryption module 120, configured to encrypt the plaintext once with the RSA private key to generate a primary encrypted ciphertext;
a secondary encryption module 130, configured to perform secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext;
a key encryption module 140, configured to encrypt the DES key with the receiving-end public key to obtain an encryption key;
and a ciphertext combination information sending module 150, configured to send the ciphertext combination information generated from the secondary encrypted ciphertext and the encryption key to the server.
Referring to Fig. 8, an embodiment of the present invention provides a server configured to execute the communication decryption method shown in Fig. 5 and Fig. 6, where the server includes:
a ciphertext combination information receiving module 210, configured to receive ciphertext combination information sent by a client, where the ciphertext combination information includes a secondary encrypted ciphertext and an encryption key;
a key decryption module 220, configured to decrypt the encryption key by using a receiving-end private key to obtain a DES key, where the receiving-end private key is a private key of the server;
a primary decryption module 230, configured to decrypt the secondary encrypted ciphertext with the DES key to obtain a primary encrypted ciphertext and an RSA public key, where the primary encrypted ciphertext includes ciphertext information and key information;
an information checking module 240, configured to check the key information;
and a secondary decryption module 250, configured to decrypt the ciphertext information by using the RSA public key after the key information passes the verification, so as to obtain a plaintext.
According to the above technical scheme, in the communication encryption method, the decryption method, the client and the server provided by the embodiment of the invention, during encryption the client encrypts the plaintext once with the RSA private key to generate a primary encrypted ciphertext; performs secondary encryption on the primary encrypted ciphertext and the RSA public key with the randomly generated DES key to generate a secondary encrypted ciphertext; and sends to the server the secondary encrypted ciphertext together with the encryption key obtained by encrypting the DES key with the receiving-end public key. During decryption, the server decrypts the encryption key with the receiving-end private key to obtain the DES key; decrypts the secondary encrypted ciphertext with the DES key to obtain the primary encrypted ciphertext and the RSA public key; and, after the key information passes verification, decrypts the ciphertext information with the RSA public key to obtain the plaintext. Therefore, the method, the client and the server provided by the embodiment of the invention combine symmetric encryption and asymmetric encryption: the client encrypts the plaintext with a dynamic key, and the server decrypts and verifies to obtain the plaintext. This can effectively protect against protocol attacks, man-in-the-middle attacks and the like aimed at the mobile application, ensures the security of communication information, improves the mobile application's protection against leakage of communication information, ensures the security of communication data between the client and the server, and effectively reduces the risk of the user's communication data being stolen.
In a specific implementation, the present invention further provides a computer storage medium that may store a program; when executed, the program may perform some or all of the steps in each embodiment of the communication encryption method and the decryption method provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented by means of software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method in the embodiments or some parts of the embodiments of the present invention.
For the same or similar parts, the various embodiments in this specification may be referred to one another. In particular, because the client and server embodiments are substantially similar to the method embodiments, they are described briefly; for the relevant points, refer to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (10)

1. A communication encryption method, applied to a client, characterized by comprising the following steps:
acquiring a plaintext to be sent and a receiving end public key, and randomly generating a DES key and a group of RSA public and private keys, wherein the receiving end public key is a public key of a server;
encrypting the plaintext once by using the RSA private key to generate a primary encrypted ciphertext;
performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext;
encrypting the DES key by using the public key of the receiving end to obtain an encryption key;
and sending the ciphertext combination information generated by the secondary encryption ciphertext and the encryption key to a server.
2. The method according to claim 1, wherein the encrypting the plaintext once by using the RSA private key to generate a primary encrypted ciphertext comprises:
acquiring key information corresponding to the plaintext;
encrypting the plaintext once by using the RSA private key to obtain ciphertext information;
and combining the key information and the ciphertext information to obtain a primary encrypted ciphertext.
3. The method of claim 1, further comprising:
and adding a digest signature to the primary encrypted ciphertext by using the RSA private key.
4. The method according to claim 3, wherein the performing secondary encryption on the primary encrypted ciphertext and the RSA public key by using the DES key to generate a secondary encrypted ciphertext comprises:
acquiring a digest signature of the primary encrypted ciphertext;
combining the primary encrypted ciphertext, the digest signature and the RSA public key to obtain combined information;
and performing secondary encryption on the combined information by using the DES key to obtain the secondary encrypted ciphertext.
5. A communication decryption method, applied to a server, characterized by comprising the following steps:
receiving ciphertext combination information sent by a client, wherein the ciphertext combination information comprises a secondary encrypted ciphertext and an encryption key;
decrypting the encryption key by using a receiving end private key to obtain a DES (Data Encryption Standard) key, wherein the receiving end private key is a private key of the server;
decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key, wherein the primary encrypted ciphertext comprises ciphertext information and key information;
verifying the key information;
and after the key information passes the verification, decrypting the ciphertext information by using the RSA public key to obtain a plaintext.
6. The method according to claim 5, wherein the decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key comprises:
and decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext, a digest signature and an RSA public key.
7. The method of claim 6, further comprising:
verifying the digest signature by using the RSA public key;
and after the digest signature passes the verification, verifying the key information.
8. The method of claim 7, wherein the key information comprises a sending timestamp; and the verifying the key information comprises:
acquiring the receiving time of the ciphertext combined information;
calculating the time difference between the receiving time and the time corresponding to the sending time stamp;
if the time difference exceeds a preset time value, determining that the verification of the key information fails;
and if the time difference does not exceed a preset time value, determining that the key information passes verification.
9. A client, comprising:
the information acquisition and key generation module is used for acquiring a plaintext to be sent and a receiving end public key, and randomly generating a DES (Data Encryption Standard) key and a group of RSA (Rivest-Shamir-Adleman) public and private keys, wherein the receiving end public key is a public key of a server;
the primary encryption module is used for encrypting the plaintext once by using the RSA private key to generate a primary encryption ciphertext;
the secondary encryption module is used for carrying out secondary encryption on the primary encryption ciphertext and the RSA public key by using the DES key to generate a secondary encryption ciphertext;
the key encryption module is used for encrypting the DES key by using the public key of the receiving end to obtain an encryption key;
and the ciphertext combined information sending module is used for sending the ciphertext combined information generated by the secondary encrypted ciphertext and the encryption key to a server side.
10. A server, comprising:
the ciphertext combination information receiving module is used for receiving ciphertext combination information sent by the client, and the ciphertext combination information comprises a secondary encryption ciphertext and an encryption key;
the key decryption module is used for decrypting the encrypted key by using a receiving end private key to obtain a DES key, wherein the receiving end private key is a server end private key;
the primary decryption module is used for decrypting the secondary encrypted ciphertext by using the DES key to obtain a primary encrypted ciphertext and an RSA public key, wherein the primary encrypted ciphertext comprises ciphertext information and key information;
the information checking module is used for checking the key information;
and the secondary decryption module is used for decrypting the ciphertext information by using the RSA public key after the key information passes the verification to obtain a plaintext.
CN202011447223.4A 2020-12-09 2020-12-09 Communication encryption method, decryption method, client and server Pending CN112702318A (en)

Publications (1)

Publication Number Publication Date
CN112702318A true CN112702318A (en) 2021-04-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210423