CN112738643B - System and method for realizing safe transmission of monitoring video by using dynamic key - Google Patents


Info

Publication number: CN112738643B
Authority: CN (China)
Application number: CN202011555000.XA
Other languages: Chinese (zh)
Other versions: CN112738643A (en)
Inventors: 吴礼福, 罗鑫
Current assignee: Beijing Zhongke Flux Technology Co ltd
Original assignee: Beijing Ruixin High Throughput Technology Co ltd
Legal status: Active
Prior art keywords: key, client, server, consumption, certificate

Classifications

    • H04N21/6334 Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04N21/63775 Control signals issued by the client directed to the server or network components directed to server for uploading keys, e.g. for a client to communicate its public key to the server
    • H04N21/64715 Protecting content from unauthorized alteration within the network

Abstract

The invention discloses a system and a method for realizing the secure transmission of surveillance video by using a dynamic key. The system comprises: a key generator for generating a key; a key server, in data connection with the key generator, which executes the tasks of client secondary certificate verification, client tertiary certificate download, server tertiary certificate verification and key download according to the different messages it receives; key consumption clients, each preset with its own client secondary certificate and in data connection with the key server, which initiate the commands of client tertiary certificate download, client tertiary certificate verification and key download to the key server; and a key consumption server, preset with a server tertiary certificate and in data connection with the key server and each key consumption client, which receives the encrypted data sent by any key consumption client and decrypts it.

Description

System and method for realizing safe transmission of monitoring video by using dynamic key
Technical Field
The invention relates to the field of data security, in particular to a system and a method for realizing secure transmission of a monitoring video by using a dynamic key.
Background
Network security issues are becoming more and more important, especially in the field of video surveillance. Existing video surveillance systems suffer from several problems: the video source can be replaced; the video can be intercepted and tampered with in transit; because devices joining the network are not verified, a camera's traffic can easily be captured with a network packet-capture tool and reconstructed; and audio and video data are transmitted in plaintext or encrypted with a fixed key.
By using certificate verification and dynamic key encryption, access by illegitimate camera devices can be prevented, the security and reliability of transmitting important data such as audio and video can be guaranteed, and the data can be protected from being illegally stolen or tampered with.
Disclosure of Invention
In order to solve the above problems, the present invention provides a system and method for implementing secure transmission of surveillance video using a dynamic key. Certificate authentication prevents illegitimate devices from accessing the network and ensures that only devices that pass authentication are allowed onto it; at the same time, encrypting the data with a dynamic key prevents brute-force cracking and ensures the security and reliability of the transmission of surveillance audio and video data.
In order to achieve the above object, the present invention provides a system for implementing secure transmission of surveillance video using dynamic keys, which includes:
a key generator for generating a key;
a key server, in data connection with the key generator, for executing the tasks of client secondary certificate verification, client tertiary certificate download, server tertiary certificate verification and key download according to the different messages it receives;
key consumption clients, each preset with its own client secondary certificate and in data connection with the key server, for initiating the commands of client tertiary certificate download, client tertiary certificate verification and key download to the key server;
and a key consumption server, preset with a server tertiary certificate and in data connection with the key server and each key consumption client, for receiving the encrypted data sent by any key consumption client and decrypting it.
In an embodiment of the present invention, each key consumption client is a network camera.
In an embodiment of the present invention, the key consumption server is a data monitoring center.
In an embodiment of the present invention, the key consumption server and each key consumption client have different communication passwords, and each key consumption client and the key consumption server keep heartbeat connection.
In order to achieve the above object, the present invention further provides a method for implementing secure transmission of surveillance video using dynamic keys, which executes the dynamic key transmission process of the foregoing system and includes the following steps:
S1: start the key server, wait for any key consumption client and key consumption server to connect to it, and let the key server execute the corresponding processing task according to each received message;
S2: start the key consumption server and send a server tertiary certificate verification request to the key server; if the verification fails, the key consumption server fails to start; if the verification passes, the key consumption server starts receiving messages and executes the corresponding processing task according to each received message;
S3: start any key consumption client and check whether a client tertiary certificate exists; if it does not exist, enter the client tertiary certificate download process and, after the download is finished, the client tertiary certificate verification process; if it exists, enter the client tertiary certificate verification process directly;
S4: the corresponding key consumption client encrypts the video data using its cached dynamic key and transmits the encrypted video data to the key consumption server, which takes out the corresponding key according to that client's client ID and decrypts the received video data.
In an embodiment of the present invention, in step S1, the specific step of the key server executing the corresponding processing task according to the received message is:
when the key server receives a client-side secondary certificate verification message of any key consumption client, verifying a client-side secondary certificate sent by a corresponding key consumption client by using an open source OpenSSL library;
when the key server receives a client-side tertiary certificate downloading message of any key consumption client, an open source OpenSSL library is used for generating a corresponding client-side tertiary certificate according to a client-side secondary certificate sent by a corresponding key consumption client;
when the key server receives a client-side tertiary certificate verification message of any key consumption client, verifying a client-side tertiary certificate sent by a corresponding key consumption client by using an open source OpenSSL library;
when the key server receives the key download message of any key consumption client, it obtains a key from the key generator and pushes it to the corresponding key consumption client and to the key consumption server.
In an embodiment of the present invention, in step S2, the key consumption server executes the corresponding processing task according to the received message as follows:
if it receives a key message pushed by the key server, the key consumption server caches the received key locally under the client ID of the corresponding key consumption client, for decrypting the encrypted data that client sends;
if it receives a client verification message pushed by the key server, the key consumption server updates its locally cached list of key consumption clients permitted to connect, according to the message type;
if it receives encrypted data sent by any key consumption client, the key consumption server takes out the corresponding key according to that client's client ID and decrypts the received data.
In an embodiment of the present invention, the client tertiary certificate download process specifically includes:
S301: any key consumption client sends its preset client secondary certificate to the key server;
S302: the key server verifies the client secondary certificate; if the verification fails, the corresponding key consumption client fails to start; if it passes, the key server returns the verification result to the corresponding key consumption client, which then sends a client tertiary certificate download command to the key server;
S303: the key server downloads the client tertiary certificate; during the download, the key server stores the client ID of the corresponding key consumption client in association with the tertiary certificate number and generates a client tertiary certificate private key;
S304: the key server returns a client tertiary certificate containing the private key to the corresponding key consumption client.
In an embodiment of the present invention, the client tertiary certificate verification process specifically includes:
S311: any key consumption client sends the private key information of its client tertiary certificate to the key server;
S312: the key server looks up the locally stored client tertiary certificate public key according to the client ID and tertiary certificate number of the corresponding key consumption client, verifies the client tertiary certificate and returns the verification result to that client; if the verification fails, the corresponding key consumption client fails to start; if it passes, proceed to the next step;
S313: the corresponding key consumption client sends a key download command to the key server; on receiving it, the key server obtains a key from the key generator and encrypts the key using a random number in the certificate;
S314: the key server pushes the key obtained in step S313 to the key consumption server, which stores it in memory, and then returns the same key to the corresponding key consumption client, which caches it.
Compared with the prior art, the invention has the following advantages:
(1) network security is improved: illegitimate devices are prevented from accessing the network, reducing the risk that the network is intruded upon by hackers or illegitimate organizations;
(2) video data security is guaranteed: the video source cannot be replaced, and the risk that the video is captured by a packet-capture tool and brute-forced during transmission is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below.
FIG. 1 is a system architecture diagram of the present invention;
FIG. 2 is a timing diagram illustrating an initial boot process of a key consuming client according to the present invention;
FIG. 3 is a timing diagram illustrating a secondary boot process of a key consuming client according to the present invention;
FIG. 4 is a timing diagram illustrating the encryption and decryption of data according to the present invention;
FIG. 5 is a system architecture diagram of an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a process for booting a key server according to an embodiment of the invention;
FIG. 7 is a flowchart illustrating a process for starting the key consumption server according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating a process for booting a key-consuming client according to an embodiment of the invention.
Description of the reference numerals: 101-a key generator; 102-a key server; 103-key consumption server; 104-key consuming client.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Fig. 1 is a system architecture diagram of the present invention, and as shown in fig. 1, the present invention provides a system for implementing secure transmission of surveillance video using dynamic keys, which includes:
a key generator (101) for generating a key;
the key server (102) is in data connection with the key generator (101) and is used for executing tasks of client secondary certificate verification, client tertiary certificate downloading, server tertiary certificate verification and key downloading according to different received messages;
each key consumption client (104) is internally preset with a respective client secondary certificate, is in data connection with the key server (102) and is used for initiating commands of client tertiary certificate downloading, client tertiary certificate verification and key downloading to the key server;
and a key consumption server (103), preset with the server tertiary certificate and in data connection with the key server (102) and each key consumption client (104), for receiving the encrypted data sent by any key consumption client (104) and decrypting it.
In one embodiment of the invention, each key consumption client (104) has an initial start-up and a secondary start-up function:
Fig. 2 is a timing diagram of the initial start-up processing of a key consumption client according to the present invention. The initial start-up completes the tasks of client secondary certificate verification and client tertiary certificate download; as shown in Fig. 2, the specific initial start-up process of any key consumption client is as follows:
when the key consumption client starts, it sends its preset client secondary certificate to the key server, and the key server returns the verification result to the key consumption client;
after the client secondary certificate passes verification, the key consumption client sends a client tertiary certificate download command to the key server; the key server downloads the client tertiary certificate and returns it to the key consumption client, and at the same time associates the client ID (identity document, used as the identity identifier) of the corresponding key consumption client device with the tertiary certificate number.
Fig. 3 is a timing diagram of the secondary start-up processing of a key consumption client according to the present invention. The secondary start-up completes the tasks of client tertiary certificate verification and key download; as shown in Fig. 3, the specific secondary start-up process of any key consumption client is as follows:
the key consumption client sends its client tertiary certificate to the key server, and the key server returns the verification result to the key consumption client;
after the client tertiary certificate passes verification, the key consumption client sends a key download command to the key server, and on receiving the command the key server obtains a key from the key generator;
the key server first pushes the key to the key consumption server, and then returns the same key to the key consumption client.
The key consumption server does not actively request keys from the key server: the key download request is initiated by the key consumption client, and the key the key consumption server obtains is actively pushed by the key server, so the key consumption server must be started before any key consumption client is started.
The key consumption server is connected to a plurality of key consumption clients simultaneously, and the communication passwords between the key consumption server and each key consumption client are different, so as to guarantee the absolute security of the communication; after receiving encrypted data sent by any key consumption client, the key consumption server takes out the corresponding key and starts decryption.
Fig. 4 is a timing chart of data encryption and decryption of the present invention; as shown in Fig. 4, the specific process of data encryption and decryption is as follows:
the key consumption client and the key consumption server keep a heartbeat connection; the key consumption client initiates a key synchronization request to the key consumption server, and the key consumption server returns the synchronization result:
if the key synchronization fails, the key consumption client encrypts data with the key it held before the synchronization and sends the encrypted data to the key consumption server, which decrypts it with the same key after receiving it;
if the key synchronization succeeds, the key consumption client encrypts data with the successfully synchronized key and sends the encrypted data to the key consumption server, which decrypts it with the same key after receiving it.
Fig. 5 is a system architecture diagram of an embodiment of the present invention. As shown in Fig. 5, this embodiment performs security authentication and surveillance-data encryption for the surveillance devices of a residential community; the entire system includes a key server (102), a plurality of key consumption clients (104) (only one is shown), a key consumption server (103) and a key generator (101) (not shown in the figure). In this embodiment, each key consumption client (104) is a network camera and the key consumption server (103) is a data monitoring center.
In this embodiment, the communication passwords between the key consumption server (103) and each key consumption client (104) are different, so as to guarantee the absolute security of the communication, and each key consumption client (104) keeps a heartbeat connection with the key consumption server (103).
The invention also provides a method for realizing the safe transmission of the surveillance video by using the dynamic key, which is used for executing the transmission process of the dynamic key of the system and comprises the following steps:
S1: start the key server, wait for any key consumption client and key consumption server to connect to it, and let the key server execute the corresponding processing task according to each received message;
Fig. 6 is a flowchart of the start-up process of the key server in an embodiment of the present invention; as shown in Fig. 6, the key server executes the corresponding processing task according to the received message as follows:
when the key server receives a client secondary certificate verification message from any key consumption client, it verifies the client secondary certificate sent by that client using the open source OpenSSL library. OpenSSL is an open source software library package with which an application can communicate securely, avoid eavesdropping and confirm the identity of the peer at the other end of the connection; it is widely used on web servers across the Internet;
when the key server receives a client tertiary certificate download message from any key consumption client, it generates the corresponding client tertiary certificate from the client secondary certificate sent by that client using the open source OpenSSL library;
when the key server receives a client tertiary certificate verification message from any key consumption client, it verifies the client tertiary certificate sent by that client using the open source OpenSSL library;
when the key server receives a key download message from any key consumption client, it obtains a key from the key generator and pushes it to the corresponding key consumption client and to the key consumption server.
In this embodiment, the specific process by which the key server verifies the client secondary certificate and downloads the client tertiary certificate is as follows:
the key consumption client sends its preset client secondary certificate to the key server, and the key server returns the verification result to the key consumption client;
after the client secondary certificate passes verification, the key consumption client sends a client tertiary certificate download command to the key server; the key server downloads the client tertiary certificate and returns it to the key consumption client, and at the same time associates the client ID of the corresponding key consumption client device with the tertiary certificate number.
In this embodiment, the specific process by which the key server performs client tertiary certificate verification and key download is as follows:
the key consumption client sends its client tertiary certificate to the key server, and the key server returns the verification result to the key consumption client;
after the client tertiary certificate passes verification, the key consumption client sends a key download command to the key server, and on receiving the command the key server obtains a key from the key generator;
the key server first pushes the key to the key consumption server, and then returns the same key to the key consumption client.
The key consumption server does not actively request keys from the key server: the key download request is initiated by the key consumption client, and the key the key consumption server obtains is actively pushed by the key server, so the key consumption server must be started before any key consumption client is started.
S2: start the key consumption server and send a server tertiary certificate verification request to the key server; if the verification fails, the key consumption server fails to start; if it passes, the key consumption server starts receiving messages and executes the corresponding processing task according to each received message;
Fig. 7 is a flowchart of the start-up processing of the key consumption server according to an embodiment of the present invention; as shown in Fig. 7, in this embodiment the key consumption server executes the corresponding processing task according to the received message as follows:
if it receives a key message pushed by the key server, the key consumption server caches the received key locally under the client ID of the corresponding key consumption client, for decrypting the encrypted data that client sends;
if it receives a client verification message pushed by the key server, the key consumption server updates its locally cached list of key consumption clients permitted to connect according to the message type (such as adding a client or deleting a client);
if it receives encrypted data sent by any key consumption client, the key consumption server takes out the corresponding key according to that client's client ID and decrypts the received data.
S3: starting any key consumption client, checking whether a client three-level certificate exists or not, entering a client three-level certificate downloading process if the client three-level certificate does not exist, and entering a client three-level certificate verification process after downloading is finished; if the client-side tertiary certificate exists, directly entering a client-side tertiary certificate verification process;
s4: and the corresponding key consumption client encrypts the video data by using the cached dynamic key and transmits the encrypted video data to the key consumption server, and the key consumption server takes out the corresponding key according to the client ID of the corresponding key consumption client and decrypts the received video data.
In an embodiment of the present invention, the client three-level certificate downloading process specifically includes:
S301: any key consumption client sends its preset client secondary certificate to the key server;
S302: the key server verifies the client secondary certificate; if verification of the client secondary certificate fails, the corresponding key consumption client fails to start; if the client secondary certificate passes verification, the key server returns the verification result to the corresponding key consumption client, which then sends a command to download the client tertiary certificate to the key server;
S303: the key server generates the client tertiary certificate for download; when the client tertiary certificate is downloaded, the key server stores the client ID of the corresponding key consumption client in association with the tertiary certificate number and generates a client tertiary certificate private key;
S304: the key server returns the client tertiary certificate, containing the private key, to the corresponding key consumption client.
In an embodiment of the present invention, the client three-level certificate verification process specifically includes:
S311: any key consumption client sends the private key information of its client tertiary certificate to the key server;
S312: the key server looks up the locally stored client tertiary certificate public key according to the client ID and tertiary certificate number of the corresponding key consumption client, verifies the client tertiary certificate and returns the verification result to the corresponding key consumption client; if verification of the client tertiary certificate fails, the corresponding key consumption client fails to start; if the client tertiary certificate passes verification, the process enters the next step;
S313: the corresponding key consumption client sends a key download command to the key server; after receiving the key download command, the key server obtains a key from the key generator and encrypts the key using a random number in the certificate;
S314: the key server pushes the key obtained in step S313 to the key consumption server, which stores it in memory, and then returns the same key to the corresponding key consumption client, which caches the key.
Fig. 8 is a flowchart of the process for starting a key consumption client according to an embodiment of the present invention. As shown in fig. 8, the starting process of a network camera (key consumption client) includes:
A. Downloading the third-level certificate: if the third-level certificate already exists, skip this step; if it does not exist, send a second-level certificate message to the key server and start downloading the third-level certificate after the second-level certificate passes verification; if verification of the second-level certificate fails, the network camera fails to start.
B. Verifying the third-level certificate: send the private key information of the third-level certificate to the key server; if verification of the third-level certificate fails, the network camera fails to start; if the third-level certificate passes verification, continue to caching the key.
C. Normal operation: encrypt the video data using the dynamic key and transmit the encrypted video data to the data monitoring center; if the cached key is consumed down to the level at which it needs to be replenished, start downloading and caching a key again.
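As an added illustration that is not code from the patent, the following Python simulation walks the three parties through S1 to S4 offline: the key server pushes each dynamic key to the data monitoring center before returning it to the camera, the center keys both its key cache and its permitted-client list by client ID, and the start-up order constraint is enforced. Certificate verification is modelled as a lookup of constructed certificate strings, and the cipher is a constructed HMAC-SHA256 keystream standing in for the cipher the patent leaves unspecified.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream (constructed stand-in cipher); same call decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyConsumptionServer:
    """Data monitoring center (S2): started first, never requests keys itself."""
    def __init__(self):
        self.keys = {}        # client ID -> key pushed by the key server
        self.allowed = set()  # connection-permitted client list

    def on_key_push(self, client_id, key):
        self.keys[client_id] = key

    def on_client_verified(self, client_id, action):
        # message types "add" / "delete" client, as in the S2 second bullet
        (self.allowed.add if action == "add" else self.allowed.discard)(client_id)

    def on_encrypted_data(self, client_id, nonce, ciphertext):
        # Unlisted client or no cached key for it: drop, do not guess a key.
        if client_id not in self.allowed or client_id not in self.keys:
            return None
        return keystream_xor(self.keys[client_id], nonce, ciphertext)

class KeyServer:
    """Verifies certificates and hands out keys (S1, S312-S314)."""
    def __init__(self, certs):
        self.certs = certs    # constructed: accepted tertiary cert -> client ID
        self.consumer = None  # set once the consumption server has started

    def key_download(self, client_cert):
        if client_cert not in self.certs:   # S312: verification failed, no key
            return None
        if self.consumer is None:           # nobody to push the key to
            raise RuntimeError("key consumption server not started")
        client_id = self.certs[client_cert]
        key = os.urandom(32)                # key generator stand-in (constructed)
        self.consumer.on_key_push(client_id, key)          # S314: push first,
        self.consumer.on_client_verified(client_id, "add")
        return key                                         # then return to client

def run_scenario():
    ks = KeyServer({"cert-cam1": "cam1"})
    try:                                   # wrong order: camera before center
        ks.key_download("cert-cam1")
        order_enforced = False
    except RuntimeError:
        order_enforced = True
    dmc = KeyConsumptionServer()
    ks.consumer = dmc                      # S2 done: monitoring center is up
    cam_key = ks.key_download("cert-cam1")  # S3: camera starts and caches key
    frame, nonce = b"constructed video frame 0001", os.urandom(12)
    cipher = keystream_xor(cam_key, nonce, frame)            # S4: camera encrypts
    plain = dmc.on_encrypted_data("cam1", nonce, cipher)     # S4: center decrypts
    dmc.on_client_verified("cam1", "delete")                 # key server removes client
    dropped = dmc.on_encrypted_data("cam1", nonce, cipher) is None
    forged = ks.key_download("cert-forged") is None          # S312 fails: no key
    return order_enforced, plain == frame, dropped, forged
```

`run_scenario()` returns four booleans: the start-up order is enforced, a frame round-trips through the center, data from a removed client is dropped, and a forged certificate obtains no key.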
The invention uses certificate verification to ensure that only devices that pass verification are allowed to access the network, uses dynamic keys to encrypt data so as to prevent brute-force cracking, and thereby ensures the safe and reliable transmission of monitored audio and video data.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A system for secure transmission of surveillance video using dynamic keys, comprising:
a key generator for generating a key;
a key server, in data connection with the key generator, for executing the tasks of client secondary certificate verification, client tertiary certificate downloading, server tertiary certificate verification and key downloading according to the different messages received;
key consumption clients, each having a respective client secondary certificate preset inside it and in data connection with the key server, for initiating client tertiary certificate downloading, client tertiary certificate verification and key downloading commands to the key server;
and a key consumption server, having a server tertiary certificate preset inside it and in data connection with the key server and each key consumption client, for receiving the encrypted data sent by any key consumption client and decrypting it.
2. The system of claim 1, wherein each key consumption client is a network camera.
3. The system of claim 1, wherein the key consumption server is a data monitoring center.
4. The system according to claim 1, wherein the key consumption server and each key consumption client have different communication passwords, and each key consumption client maintains a heartbeat connection with the key consumption server.
5. A method for realizing secure transmission of surveillance video by using dynamic keys, used for executing the dynamic key transmission process of the system of any one of claims 1 to 4, characterized by comprising the following steps:
S1: starting the key server, which waits for any key consumption client and the key consumption server to connect to it and executes the corresponding processing tasks according to the received messages;
S2: starting the key consumption server, which sends a server three-level certificate verification request to the key server; if the verification fails, the key consumption server fails to start; if the verification passes, the key consumption server starts receiving messages and executes the corresponding processing task according to each received message;
S3: starting any key consumption client, which checks whether a client three-level certificate exists; if it does not exist, the client enters the client three-level certificate downloading process and, after downloading is finished, the client three-level certificate verification process; if the client three-level certificate exists, the client directly enters the client three-level certificate verification process;
S4: the corresponding key consumption client encrypts the video data using the cached dynamic key and transmits the encrypted video data to the key consumption server, and the key consumption server takes out the corresponding key according to the client ID of that key consumption client and decrypts the received video data.
6. The method according to claim 5, wherein in step S1, the key server executing the corresponding processing task according to the received message specifically includes:
when the key server receives a client secondary certificate verification message from any key consumption client, verifying the client secondary certificate sent by the corresponding key consumption client using the open-source OpenSSL library;
when the key server receives a client tertiary certificate downloading message from any key consumption client, generating the corresponding client tertiary certificate from the client secondary certificate sent by the corresponding key consumption client using the open-source OpenSSL library;
when the key server receives a client tertiary certificate verification message from any key consumption client, verifying the client tertiary certificate sent by the corresponding key consumption client using the open-source OpenSSL library;
and when the key server receives a key downloading message from any key consumption client, obtaining a key from the key generator and pushing the key to the corresponding key consumption client and to the key consumption server.
7. The method according to claim 6, wherein in step S2, the key consumption server executing the corresponding processing task according to the received message specifically includes:
if a key message pushed by the key server is received, the key consumption server caches the received key locally under the client ID of the corresponding key consumption client, and the received key is used for decrypting the encrypted data sent by that key consumption client;
if a client verification message pushed by the key server is received, the key consumption server updates its locally cached list of connection-permitted key consumption clients according to the message type;
and if encrypted data sent by any key consumption client is received, the key consumption server takes out the corresponding key according to the client ID of that key consumption client and decrypts the received data.
8. The method according to claim 7, wherein the client tertiary certificate downloading process specifically comprises:
S301: any key consumption client sends its preset client secondary certificate to the key server;
S302: the key server verifies the client secondary certificate; if verification of the client secondary certificate fails, the corresponding key consumption client fails to start; if the client secondary certificate passes verification, the key server returns the verification result to the corresponding key consumption client, which then sends a command to download the client tertiary certificate to the key server;
S303: the key server generates the client tertiary certificate for download; when the client tertiary certificate is downloaded, the key server stores the client ID of the corresponding key consumption client in association with the tertiary certificate number and generates a client tertiary certificate private key;
S304: the key server returns the client tertiary certificate, containing the private key, to the corresponding key consumption client.
9. The method according to claim 8, wherein the client tertiary certificate verification process specifically comprises:
S311: any key consumption client sends the private key information of its client tertiary certificate to the key server;
S312: the key server looks up the locally stored client tertiary certificate public key according to the client ID and tertiary certificate number of the corresponding key consumption client, verifies the client tertiary certificate and returns the verification result to the corresponding key consumption client; if verification of the client tertiary certificate fails, the corresponding key consumption client fails to start; if the client tertiary certificate passes verification, the process enters the next step;
S313: the corresponding key consumption client sends a key download command to the key server; after receiving the key download command, the key server obtains a key from the key generator and encrypts the key using a random number in the certificate;
S314: the key server pushes the key obtained in step S313 to the key consumption server, which stores it in memory, and then returns the same key to the corresponding key consumption client, which caches the key.
CN202011555000.XA 2020-12-24 2020-12-24 System and method for realizing safe transmission of monitoring video by using dynamic key Active CN112738643B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011555000.XA CN112738643B (en) 2020-12-24 2020-12-24 System and method for realizing safe transmission of monitoring video by using dynamic key

Publications (2)

Publication Number Publication Date
CN112738643A CN112738643A (en) 2021-04-30
CN112738643B true CN112738643B (en) 2022-09-23

Family

ID=75615569

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 711c, 7 / F, block a, building 1, yard 19, Ronghua Middle Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing 102600

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Address before: Room 711c, 7 / F, block a, building 1, yard 19, Ronghua Middle Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing 102600

Patentee before: Beijing Ruixin high throughput technology Co.,Ltd.
