CN113014572A - Message communication system, method and device - Google Patents

Message communication system, method and device Download PDF

Info

Publication number
CN113014572A
CN113014572A CN202110199203.8A CN202110199203A CN113014572A CN 113014572 A CN113014572 A CN 113014572A CN 202110199203 A CN202110199203 A CN 202110199203A CN 113014572 A CN113014572 A CN 113014572A
Authority
CN
China
Prior art keywords
key
information
communication
working
communication device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110199203.8A
Other languages
Chinese (zh)
Inventor
刘福光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Seashell Housing Beijing Technology Co Ltd
Original Assignee
Beijing Fangjianghu Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Fangjianghu Technology Co Ltd filed Critical Beijing Fangjianghu Technology Co Ltd
Priority to CN202110199203.8A priority Critical patent/CN113014572A/en
Publication of CN113014572A publication Critical patent/CN113014572A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the disclosure discloses a message communication system, a method and a device. The system comprises a first communication device, a second communication device and a key management device; the first communication equipment is used for sending a key initialization request which points to the second communication equipment and carries the first identity information of the first communication equipment to the key management equipment; the key management device is used for generating a working key according to the first identity information, generating key mark information according to the working key, and returning the working key and the key mark information to the first communication device; and the second communication equipment is used for judging whether the key mark information is stored locally or not after acquiring the communication message carrying the communication data ciphertext and the key mark information from the first communication equipment, acquiring the working key in a corresponding mode according to the judgment result, and decrypting the communication data ciphertext by using the working key. The embodiment of the disclosure can avoid the system resource consumption increase caused by the message translation link, and can ensure the communication efficiency.

Description

Message communication system, method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a message communication system, method, and apparatus.
Background
At present, a message communication system is very commonly used, the message communication system may include a plurality of communication participants, and in order to implement message communication (which is generally encrypted communication) between different communication participants, a central server is further required to be arranged in the message communication system, so that the central server translates messages, on one hand, system resources are increased due to the increase of a message translation link, and on the other hand, the processing capability of the central server on data greatly affects communication efficiency.
Disclosure of Invention
The present disclosure is proposed to solve the above technical problems. The embodiment of the disclosure provides a message communication system, a message communication method and a message communication device.
According to an aspect of the embodiments of the present disclosure, there is provided a message communication system, including: a first communication device, a second communication device and a key management device; wherein the content of the first and second substances,
the first communication device is configured to send a key initialization request, which is directed to the second communication device and carries first identity information of the first communication device, to the key management device;
the key management device is configured to generate a working key according to the first identity information after receiving the key initialization request, generate key flag information according to the working key, and return the working key and the key flag information to the first communication device;
and the second communication device is used for judging whether the key mark information is stored locally or not after acquiring the communication message carrying the communication data ciphertext and the key mark information from the first communication device, acquiring the working key in a corresponding mode according to a judgment result, and decrypting the communication data ciphertext by using the working key.
In one alternative example of this, the user may,
the second communication device is specifically configured to, when the determination result indicates that the key identifier information is not locally stored, send a key acquisition request carrying second identity information of the second communication device to the key management device, so as to acquire the working key returned by the key management device according to the second identity information after receiving the key acquisition request, and locally store the key identifier information and the working key correspondingly:
the second communication device is specifically configured to, when the determination result indicates that the key flag information is locally stored, locally acquire the working key stored in correspondence to the key flag information.
In one alternative example of this, the user may,
the key management device is specifically configured to, after receiving the key initialization request, obtain a root key identifier and time factor information, perform key derivation processing according to a root key having the root key identifier, the first identity information, and the time factor information to generate the working key, and generate the key flag information according to the root key identifier, the time factor information, and the working key;
the second communication device is specifically configured to send a key acquisition request carrying the key identifier information and second identity information of the second communication device to the key management device when the determination result indicates that the key identifier information is not locally stored;
the key management device is further configured to, after receiving the key acquisition request, acquire the time factor information according to the key flag information, perform key derivation processing according to the root key, the second identity information, and the time factor information to recover the working key, and return the working key to the second communication device.
In an optional example, the key initialization request further carries a key usage identification parameter or a key usage scenario identification parameter;
the key management device is specifically configured to generate a first intermediate key from the root key through key derivation processing using the first identity information as a derivation parameter, generate a second intermediate key from the first intermediate key through key derivation processing using the key usage identification parameter or the key usage scenario identification parameter as a derivation parameter, and generate the working key from the second intermediate key through key derivation processing using the time factor information as a derivation parameter.
In an optional example, the key management device is specifically configured to, after receiving the key initialization request, obtain a root key identifier, a key rotation period, time factor information, and an algorithm identifier of a specific encryption algorithm, generate first check information according to the root key identifier, the key rotation period, the time factor information, the specific encryption algorithm, and the work key, generate second check information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, and generate the key flag information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information.
In an optional example, the key management device is specifically configured to sequentially connect the root key identifier, the key rotation cycle, and the time factor information by using a first preset symbol to generate a first connection result, generate padding data according to the first connection result and a specified data length constraint, connect the first connection result and the padding data by using a second preset symbol to generate a second connection result meeting the specified data length constraint, use the working key as an encryption key, and encrypt the second connection result by using the specified encryption algorithm to generate the first verification information.
In an optional example, the key management device is specifically configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information respectively conform to corresponding data length constraints, and perform cyclic redundancy check operation according to the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, so as to generate the second check information.
In an optional example, the key management device is specifically configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information, respectively, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information respectively conform to corresponding data length constraints, and sequentially connect the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information by using a third preset symbol, so as to generate the key flag information.
According to another aspect of the embodiments of the present disclosure, there is provided a message communication method applied to a key management device in a message communication system, the method including:
receiving a key initialization request which is sent by first communication equipment in the system, points to second communication equipment in the system and carries first identity information of the first communication equipment;
generating a working key according to the first identity information;
generating key mark information according to the working key;
returning the working key and the key mark information to the first communication equipment so that the first communication equipment can send a communication message which is directed to the second communication equipment and carries a communication data ciphertext and the key mark information; and the communication data ciphertext is obtained by encrypting the working key.
In one alternative example of this, the user may,
generating a working key according to the first identity information, comprising:
acquiring a root key identifier and time factor information;
performing key derivation processing according to the root key with the root key identifier, the first identity information, and the time factor information to generate the working key;
generating key mark information according to the working key, including:
generating the key mark information according to the root key identification, the time factor information and the working key;
the method further comprises the following steps:
after receiving a key acquisition request which is from the second communication device and carries the key mark information and second identity information of the second communication device, acquiring the time factor information according to the key mark information;
and performing key derivation processing according to the root key, the second identity information and the time factor information to recover the working key, and returning the working key to the second communication device.
In an optional example, the generating key flag information according to the working key includes:
acquiring a root key identifier, a key alternation cycle, time factor information and an algorithm identifier of a specified encryption algorithm;
generating first check information according to the root key identification, the key alternation cycle, the time factor information, the specified encryption algorithm and the working key;
generating second check information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information;
and generating the key mark information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information.
In an optional example, the generating first check information according to the root key identifier, the key rotation period, the time factor information, the specified encryption algorithm, and the working key includes:
connecting the root key identification, the key alternation cycle and the time factor information in sequence by using a first preset symbol to generate a first connection result;
generating filling data according to the first connection result and the specified data length constraint, and connecting the first connection result with the filling data by using a second preset symbol to generate a second connection result conforming to the specified data length constraint;
and using the working key as an encryption key, and encrypting the second connection result by using the specified encryption algorithm to generate the first verification information.
In an optional example, the generating second check-up information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check-up information includes:
respectively carrying out data length adjustment processing on the root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information so as to enable the processed root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information to respectively accord with corresponding data length constraints;
and performing cyclic redundancy check operation according to the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information to generate the second check information.
In an optional example, the generating the key flag information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information includes:
respectively performing data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information and the second check information so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information and the second check information respectively accord with corresponding data length constraints;
and connecting the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information in sequence by using a third preset symbol to generate the key mark information.
According to still another aspect of the embodiments of the present disclosure, there is provided a message communication method applied to a second communication device in a message communication system, the method including:
acquiring a communication message which is from the first communication equipment and carries a communication data ciphertext and key mark information;
judging whether the key mark information is stored locally or not, and acquiring the working key in a corresponding mode according to a judgment result;
and decrypting the communication data ciphertext by using the working key.
According to another aspect of the embodiments of the present disclosure, there is provided a message communication apparatus applied to a key management device in a message communication system, the apparatus including:
a receiving module, configured to receive a key initialization request, which is sent by a first communication device in the system, points to a second communication device in the system, and carries first identity information of the first communication device;
a first generation module, configured to generate a work key according to the first identity information:
the second generation module is used for generating key mark information according to the working key;
a sending module, configured to return the working key and the key identifier information to the first communication device, so that the first communication device sends a communication packet that is directed to the second communication device and carries a communication data ciphertext and the key identifier information; and the communication data ciphertext is obtained by encrypting the working key.
In one alternative example of this, the user may,
the first generation module includes:
the first obtaining submodule is used for obtaining the root key identification and the time factor information;
the first generation submodule is used for carrying out key derivation processing according to the root key with the root key identifier, the first identity information and the time factor information so as to generate the working key;
the second generation module is specifically configured to:
generating the key mark information according to the root key identification, the time factor information and the working key;
the device further comprises:
an obtaining module, configured to obtain the time factor information according to the key identifier information after receiving a key obtaining request, which is from the second communication device and carries the key identifier information and second identity information of the second communication device;
and the processing module is used for performing key derivation processing according to the root key, the second identity information and the time factor information so as to recover the working key and return the working key to the second communication device.
In one optional example, the second generating module includes:
the second obtaining submodule is used for obtaining a root key identifier, a key alternation period, time factor information and an algorithm identifier of a specified encryption algorithm;
the second generation submodule is used for generating first check information according to the root key identification, the key alternation cycle, the time factor information, the specified encryption algorithm and the working key;
a third generating sub-module, configured to generate second check information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information:
and the fourth generation submodule is configured to generate the key identifier information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information.
In one optional example, the second generation submodule includes:
a first generating unit, configured to connect the root key identifier, the key alternation cycle, and the time factor information in sequence by using a first preset symbol to generate a first connection result:
a second generating unit, configured to generate padding data according to the first connection result and a specified data length constraint, and connect the first connection result and the padding data by using a second preset symbol to generate a second connection result that meets the specified data length constraint;
and a third generating unit, configured to encrypt the second connection result by using the specified encryption algorithm with the work key as an encryption key to generate the first verification information.
In one optional example, the third generating sub-module comprises:
a first processing unit, configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, respectively, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information respectively conform to corresponding data length constraints;
and the fourth generating unit is configured to perform cyclic redundancy check operation according to the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, so as to generate the second check information.
In an optional example, the third generating unit includes:
a second processing unit, configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information, respectively, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information respectively conform to corresponding data length constraints;
a fifth generating unit, configured to sequentially connect the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information by using a third preset symbol, so as to generate the key identifier information.
According to another aspect of the embodiments of the present disclosure, there is provided a message communication apparatus applied to a second communication device in a message communication system, the apparatus including:
the first acquisition module is used for acquiring a communication message which is from the first communication equipment and carries a communication data ciphertext and key mark information;
the second acquisition module is used for judging whether the key mark information is stored locally or not and acquiring the working key in a corresponding mode according to a judgment result;
and the decryption module is used for decrypting the communication data ciphertext by using the working key.
According to still another aspect of an embodiment of the present disclosure, there is provided a computer-readable storage medium storing a computer program for executing any of the message communication methods described above.
According to still another aspect of an embodiment of the present disclosure, there is provided an electronic device including:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instruction from the memory and execute the instruction to implement any of the above message communication methods.
In the embodiment of the disclosure, the message communication system includes a first communication device, a second communication device, and a key management device, the first communication device may send a key initialization request carrying first identity information of the first communication device to the key management device, the key management device may respond to the key initialization request, generating a working key according to the first identity information, generating key flag information according to the working key, and the working key and the key mark information are returned to the first communication device, then the second communication device can judge whether the key mark information is stored locally after acquiring the communication message which is from the first communication device and carries the communication data cipher text and the key mark information, and according to the judgment result, and acquiring the working key in a corresponding mode, and decrypting the communication data ciphertext by using the working key. It can be seen that, in the embodiment of the present disclosure, the key management device plays a role in generating and distributing a working key and key flag information, so that a data packet sent by a first communication device and directed to a second communication device may carry the key flag information, after the second communication device acquires a communication packet, the second communication device may automatically acquire the working key in an appropriate manner according to whether the key flag information carried in the communication packet is stored locally, and thus, both the first communication device and the second communication device serving as communication participants have working keys, so that message communication between the first communication device and the second communication device can be implemented, that is, in the embodiment of the present disclosure, a special device is not required to be provided to perform message translation, and therefore, compared with the related art, the embodiment of the present disclosure can avoid an increase in system resources caused by a message translation link, and the communication efficiency among different communication participants can be effectively ensured.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in more detail embodiments of the present disclosure with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the principles of the disclosure and not to limit the disclosure. In the drawings, like reference numbers generally represent like parts or steps.
Fig. 1 is a schematic structural diagram of a message communication system according to an exemplary embodiment of the present disclosure.
Fig. 2 is another schematic structural diagram of a message communication system according to an exemplary embodiment of the present disclosure.
Fig. 3 is a flowchart illustrating a message communication method according to an exemplary embodiment of the present disclosure.
Fig. 4 is a flowchart illustrating a message communication method according to another exemplary embodiment of the present disclosure.
Fig. 5 is a schematic structural diagram of a message communication apparatus according to an exemplary embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of a message communication apparatus according to another exemplary embodiment of the present disclosure.
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
Hereinafter, example embodiments according to the present disclosure will be described in detail with reference to the accompanying drawings. It is to be understood that the described embodiments are merely a subset of the embodiments of the present disclosure and not all embodiments of the present disclosure, with the understanding that the present disclosure is not limited to the example embodiments described herein.
It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
It will be understood by those of skill in the art that the terms "first," "second," and the like in the embodiments of the present disclosure are used merely to distinguish one element from another, and are not intended to imply any particular technical meaning, nor is the necessary logical order between them.
It is also understood that in embodiments of the present disclosure, "a plurality" may refer to two or more and "at least one" may refer to one, two or more.
It is also to be understood that any reference to any component, data, or structure in the embodiments of the disclosure, may be generally understood as one or more, unless explicitly defined otherwise or stated otherwise.
In addition, the term "and/or" in the present disclosure is only one kind of association relationship describing an associated object, and means that three kinds of relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in the present disclosure generally indicates that the former and latter associated objects are in an "or" relationship.
It should also be understood that the description of the various embodiments of the present disclosure emphasizes the differences between the various embodiments, and the same or similar parts may be referred to each other, so that the descriptions thereof are omitted for brevity.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
The disclosed embodiments may be applied to electronic devices such as terminal devices, computer systems, servers, etc., which are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with electronic devices, such as terminal devices, computer systems, servers, and the like, include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set top boxes, programmable consumer electronics, network pcs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
Exemplary System
Fig. 1 is a schematic structural diagram of a message communication system according to an exemplary embodiment of the present disclosure. The system shown in fig. 1 comprises: a first communication device 11, a second communication device 13, and a key management device 15; wherein the content of the first and second substances,
a first communication device 11, configured to send a key initialization request, which is directed to a second communication device 13 and carries first identity information of the first communication device 11, to a key management device 15;
a key management device 15 configured to generate a work key based on the first identity information after receiving the key initialization request, generate key flag information based on the work key, and return the work key and the key flag information to the first communication device 11;
and the second communication device 13 is configured to, after acquiring the communication packet carrying the communication data ciphertext and the key flag information from the first communication device 11, determine whether the key flag information is stored locally, acquire the working key in a corresponding manner according to a determination result, and decrypt the communication data ciphertext by using the working key.
Here, the first communication device 11 may be a terminal device deployed with the APP1 in fig. 2, and the second communication device 13 may be a terminal device deployed with the APP2 in fig. 2; the terminal devices include, but are not limited to, a mobile phone, a tablet computer, and the like, which are not listed here.
Here, the key management device 15 may include a first service module that may be used to implement a key generation function and a key distribution function, and a second service module that may be used to implement functions other than the functions implemented by the first service module; the first service module may be a key management service module KMS in fig. 2, the second service module may be an SVR in fig. 2, and the KMS and the SVR may be deployed integrally or may be deployed independently.
In the embodiment of the present disclosure, when message communication is required between the first communication device 11 and the second communication device 13, the first communication device 11 may send a key initialization request, which is directed to the second communication device 13 and carries the first identity information of the first communication device 11, to the key management device 15. Optionally, the first identity information may include an identity ID of the first communication device 11, for example, the identity ID of the first communication device 11, a group ID (which may also be referred to as GroupID) of a communication group to which the first communication device 11 belongs, and the like, and it should be noted that a change in members of any communication group does not result in a change in the group ID of the communication group.
Next, the key management device 15 may receive the key initialization request, extract the first identity information in the key initialization request, and determine whether the first identity information matches the true identity of the first communication device 11 using an identity authentication technique. In the case where the first identity information matches the true identity of the first communication device 11, the key management device 15 may generate an operation key based on the first identity information, the algorithm used in generating the operation key includes, but is not limited to, a key derivation algorithm, and the generated operation key may be used as a communication encryption/decryption key used in message communication between the first communication device 11 and the second communication device 13. In addition, the key management device 15 may also generate key flag information from the work key, where there may be a one-to-one correspondence between the key flag information and the work key.
Then, the key management device 15 may return the generated working key and the key flag information to the first communication device 11, so that the first communication device 11 can receive the working key and the key flag information, and the first communication device 11 may subsequently send a communication packet which is directed to the second communication device 13 and carries the communication data ciphertext and the key flag information; wherein, the communication data ciphertext can be obtained by encrypting the working key. Alternatively, the communication message may be sent directly from the first communication device 11 to the second communication device 13; alternatively, the communication packet may be sent to the key management device 15 by the first communication device 11 and then forwarded to the second communication device 13 by the key management device 15.
Then, the second communication device 13 may obtain a communication packet carrying the communication data cipher text and the key flag information from the first communication device 11, and the second communication device 13 may extract the key flag information in the communication packet, determine whether the key flag information is stored locally, to obtain a determination result, and obtain the working key in a corresponding manner according to the determination result.
Finally, the second communication device 13 may decrypt the communication data ciphertext by using the working key to obtain a corresponding communication data plaintext, and optionally, the second communication device 13 may further send, by using the working key, a communication packet that is directed to the first communication device and carries the encrypted feedback information for the communication data plaintext, so that the packet communication between the first communication device 11 and the second communication device 13 is realized.
In the embodiment of the present disclosure, the message communication system includes a first communication device 11, a second communication device 13, and a key management device 15, the first communication device 11 may send a key initialization request directed to the second communication device 13 and carrying first identity information of the first communication device 11 to the key management device 15, the key management device 15 may generate a work key according to the first identity information in response to the key initialization request, generate key flag information according to the work key, and return the work key and the key flag information to the first communication device 11, and then, the second communication device 13 may determine whether the key flag information is stored locally after acquiring a communication message carrying a communication data cipher text and the key flag information from the first communication device 11, and acquire the work key in a corresponding manner according to a determination result, and the working key is utilized to decrypt the communication data ciphertext. It can be seen that, in the embodiment of the present disclosure, the key management device 15 plays a role of generating and distributing a work key and key flag information, so that a data packet sent by the first communication device 11 and directed to the second communication device 13 may carry the key flag information, after the second communication device 13 acquires a communication packet, the second communication device 13 may acquire the work key in an appropriate manner according to whether the key flag information carried in the communication packet is stored locally, so that both the first communication device 11 and the second communication device 13 as communication participants have work keys, thereby enabling message communication between the first communication device 11 and the second communication device 13, that is, the embodiment of the present disclosure does not need to provide a special device to perform message translation, and therefore, compared with the related art, the embodiment of the present disclosure can avoid increase of system resources caused by link of message translation, and the communication efficiency among different communication participants can be effectively ensured.
In one alternative example of this, the user may,
the second communication device 13 is specifically configured to send a key acquisition request carrying second identity information of the second communication device 13 to the key management device 15 under the condition that the determination result represents that the key identifier information is not locally stored, so as to acquire a working key returned by the key management device 15 according to the second identity information after receiving the key acquisition request, and locally and correspondingly store the key identifier information and the working key;
the second communication device 13 is specifically configured to, in a case that the determination result indicates that the key flag information is locally stored, locally acquire the working key stored in correspondence to the key flag information.
In the embodiment of the present disclosure, after acquiring the communication packet from the first communication device 11, the second communication device 13 may extract the key flag information in the communication packet, and determine whether the key flag information is stored locally, so as to obtain a determination result.
In a case that the determination result indicates that the key flag information is not locally stored, the second communication device 13 may send a key acquisition request carrying the second identity information of the second communication device 13 to the key management device 15. Alternatively, the second identity information may include an identity ID of the second communication device 13, for example, a device ID of the second communication device 13, a group ID of a communication group to which the second communication device 13 belongs, and the like.
Next, the key management device 15 may receive the key obtaining request, extract the second identity information in the key obtaining request, and determine whether the second identity information matches the true identity of the second communication device 13 by using an identity authentication technique. In the case that the second identity information matches the real identity of the second communication device 13, the key management device 15 may return the working key to the second communication device 13 according to the second identity information, and locally store the key flag information and the working key correspondingly. It should be noted that, after the key management device 15 generates the working key and the key identifier information in response to the key initialization request from the first communication device 11, the key management device 15 may store the corresponding relationship among the group ID of the first communication device 11, the generated working key, and the generated key identifier information, so that once the second identity information matches the real identity of the second communication device 13, the working key corresponding to the group ID of the second communication device 13 may be determined conveniently and reliably based on the corresponding relationship, so as to return the working key to the second communication device 13; alternatively, once the second identity information matches the true identity of the second communication device 13, the key management device 15 may recover the working key itself according to the second identity information, so as to return the working key to the second communication device 13.
In the case that the determination result indicates that the key flag information is locally stored, it may be considered that the key flag information and the working key are locally and correspondingly stored, and then, the second communication device 13 may directly obtain the working key stored corresponding to the key flag information from the local without sending a key obtaining request.
It can be seen that, in the embodiment of the present disclosure, no matter whether the second communication device 13 locally stores the key flag information, the second communication device 13 can conveniently and reliably obtain the working key in a suitable manner, so as to implement the message communication with the first communication device 11.
In an optional example, the key management device 15 is specifically configured to, after receiving the key initialization request, obtain a root key identifier, a key rotation period, time factor information, and an algorithm identifier specifying an encryption algorithm, generate first check information according to the root key identifier, the key rotation period, the time factor information, the specified encryption algorithm, and the work key, generate second check information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, and generate key flag information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information.
In the embodiment of the disclosure, after receiving the key initialization request, a root key identifier, a key alternation cycle, time factor information, and an algorithm identifier of a specified encryption algorithm may be obtained; the root key identifier may be represented as a rootID, the key rotation period may be represented as a cycle, the time factor information may be represented as a timeactor, and the algorithm identifier specifying the encryption algorithm may be represented as alg.
It should be noted that a root key (which may be denoted as Rootkey) may be preset in the key management device 15, and the storage and usage environment of the root key may be suitably protected to prevent leakage. Alternatively, the root key preset in the key management device 15 may be updated periodically, and the root key identifier may refer to an identifier of the root key currently placed in the key management device 15.
In order to acquire the time factor information, a target timestamp and a preset key alternation cycle can be acquired; wherein, the target timestamp may be a timestamp of receiving the key initialization request, or the target timestamp may be a key generation timestamp; the key rotation period may also be referred to as a life cycle of the key, and may take a value of minutes, and is set to 0x5a0 if the key is updated on a daily basis, and is set to 0x2760 if the key is updated on a weekly basis. Next, the target timestamp may be divided by the key rotation period to obtain the time factor information, so that if the target timestamp is denoted by timestamp, the key rotation period is denoted by cycle, and the time factor information is denoted by timeactor, there are: the timeactor is a timetag/cycle.
Additionally, the specified encryption algorithm may be a symmetric cryptographic encryption algorithm or other encryption algorithm.
After acquiring the root key identifier, the key rotation period, the time factor information, and the algorithm identifier of the specific encryption algorithm, the key management device 15 may generate the first check information according to the root key identifier, the key rotation period, the time factor information, the specific encryption algorithm, and the work key.
In one embodiment, the key management device 15 is specifically configured to sequentially connect the root key identifier, the key rotation cycle, and the time factor information by using a first preset symbol to generate a first connection result, generate padding data according to the first connection result and a specified data length constraint, connect the first connection result and the padding data by using a second preset symbol to generate a second connection result conforming to the specified data length constraint, and encrypt the second connection result by using a specified encryption algorithm by using the working key as the encryption key to generate the first verification information.
Here, the first preset symbol may be expressed as |; the specified data length constraint can specify the requirement of an encryption algorithm on the data length, and the specified data length constraint can indicate that the number of bytes contained in the data is a specified number; the second preset symbol may be expressed as | |.
Assuming that the root key identifier is expressed as rootID, the key rotation period is expressed as cycle, the time factor information is expressed as timeactor, and both the first preset symbol and the second preset symbol are expressed as | |, the first connection result may be expressed as rootID | | cycle | | timeactor. Next, the number of bytes included in the first connection result may be determined, and then, in combination with a specified data length constraint, the generation of padding data is performed in a fixed manner, the generated padding data may be represented as PS, and the second connection result may be represented as a rootID | | cycle | | timeactor | | | PS, and here, it is required to ensure that the number of bytes included in the rootID | | cycle | | timeactor | | PS is a specified number. Then, the working key may be used as an encryption key, and the rootID | | | cycle | | | time effector | | | PS as the second concatenation result may be encrypted by using a specified encryption algorithm to generate the first verification information. Assuming that the first check information is represented as CV, the algorithm identifier of the specified encryption algorithm is represented as alg, and the work key is represented as WorkKey, then:
CV=Encrypt(alg,WorkKey,[rootID||cycle||timefactor||PS])
wherein Encrypt represents an encryption operation function.
By adopting the implementation mode, the generation of the first check information can be conveniently and reliably realized by combining the root key identification, the key alternation period, the time factor information, the specified encryption algorithm and the working key.
After generating the first check information, the key management device 15 may generate second check information from the root key identification, the key rotation cycle, the time factor information, the algorithm identification, and the first check information.
In a specific embodiment, the key management device 15 is specifically configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information respectively conform to corresponding data length constraints, and perform a cyclic redundancy check operation according to the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, so as to generate the second check information.
Here, the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information may have corresponding data length constraints, respectively, and the data length constraints corresponding to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information may be the same or different.
Optionally, the data length constraints corresponding to the root key identifier, the key rotation period, and the algorithm identifier may all indicate that the number of bytes included in the data is 2, the data length constraints corresponding to the time factor information and the first verification information may all indicate that the number of bytes included in the data is 4, when the root key identifier is expressed as a rootID, the key rotation period is expressed as a cycle, the time factor information is expressed as a timeactor, the algorithm identifier is expressed as alg, and the first verification information is expressed as a CV, after the data length adjustment processing is performed on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first verification information, the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first verification information may be sequentially expressed as a rootID: 2B, cycle: 2B, timefactor: 4B, alg: 2B, CV: 4B. After that, the data can be read from the rootID: 2B, cycle: 2B, timefactor: 4B, alg: 2B, CV: and 4B, performing Cyclic Redundancy Check (CRC) operation to generate second Check information.
By adopting the implementation mode, the data length adjustment processing is carried out on the root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information, and the generation of the second check information can be conveniently and reliably realized by combining the CRC operation.
After generating the second check information, the key management device 15 may generate the key flag information from the root key identification, the key rotation cycle, the time factor information, the algorithm identification, the first check information, and the second check information.
In an embodiment, the key management device 15 is specifically configured to perform data length adjustment processing on the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information, respectively, so that the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information respectively conform to corresponding data length constraints, and sequentially connect the processed root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information by using a third preset symbol to generate the key flag information.
Here, the third preset symbol may be expressed as |; the second check information may be represented as CRC; the key flag information may be expressed as KeyID.
Here, the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information may have corresponding data length constraints, respectively; the data length constraint corresponding to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information may refer to the above description, and is not repeated here: the data length constraint corresponding to the second check information may indicate that the number of bytes included in the data is 2, and after the data length adjustment processing is performed on the second check information, the processed second check information may be represented as CRC: 2B. The processed root key identification, key alternation cycle, time factor information, algorithm identification, first check information and second check information can be sequentially expressed as rootID: 2B, cycle: 2B, timefactor: 4B, alg: 2B, CV: 4B, CRC: 2B, then:
KeyID=[rootID:2B||cycle:2B||timefactor:4B||alg:2B||CV:4B||CRC:2B]
by adopting the implementation mode, the generation of the key mark information can be conveniently and reliably realized by carrying out data length adjustment processing on the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information and combining data connection processing.
In the embodiment of the disclosure, the generation of the key identification information can be conveniently and reliably realized by combining the root key identification, the key alternation cycle, the time factor information, the algorithm identification of the specified encryption algorithm, the specified encryption algorithm and the working key, and, in the case that the key flag information carries time factor information, the time factor information can play the role of flag action time and prevent key duplication, and, by controlling the precision of the time factor information according to the key life cycle, the key periodic alternation can be realized, in the case where the key flag information carries verification information such as the first verification information and the second verification information, the check information may perform a key check function, for example, the first check information may check the correctness of the key, and the second check information may check whether an error occurs in the key transmission process.
In one alternative example of this, the user may,
the key management device 15 is specifically configured to, after receiving the key initialization request, obtain a root key identifier and time factor information, perform key derivation processing according to the root key having the root key identifier, the first identity information, and the time factor information to generate a working key, and generate key flag information according to the root key identifier, the time factor information, and the working key;
the second communication device 13 is specifically configured to send a key acquisition request carrying the key identifier information and second identity information of the second communication device 13 to the key management device 15 when the determination result indicates that the key identifier information is not locally stored;
the key management device 15 is further configured to, after receiving the key obtaining request, obtain the time factor information according to the key flag information, perform key derivation processing according to the root key, the second identity information, and the time factor information to recover the working key, and return the working key to the second communication device 13.
In the embodiment of the present disclosure, after receiving the key initialization request, the key management device 15 may obtain the root key identifier and the time factor information, and the obtaining manner of the root key identifier and the time factor information may refer to the above description, which is not described herein again.
After acquiring the root key identifier and the time factor information, a key derivation process may be performed based on the root key having the root key identifier, the first identity information, and the time factor information to generate a working key.
In a specific implementation manner, the key initialization request also carries a key use identification parameter or a key use scenario identification parameter;
the key management device 15 is specifically configured to generate a first intermediate key from the root key through key derivation processing using the first identity information as a derivation parameter, generate a second intermediate key from the first intermediate key through key derivation processing using the key-use identification parameter or the key-use scenario identification parameter as a derivation parameter, and generate a work key from the second intermediate key through key derivation processing using the time factor information as a derivation parameter.
Here, the key use identification parameter may be used to identify the use of the work key, and the key use scenario identification parameter may be used to identify the use scenario of the work key.
Assuming that the key initialization request also carries a key usage identification parameter, in a specific implementation, first identity information and the key usage identification parameter may be extracted from the key initialization request, and then the first identity information is used as a derivative parameter, and a root key (i.e., Rootkey) is subjected to a first key derivation process to generate a first intermediate key, where the first intermediate key may be regarded as a session master key and may be represented as a MasterKey; next, a second intermediate key may be generated from the first intermediate key through a second key derivation process, with the key usage identification parameter as a derivation parameter, and the second intermediate key may be regarded as a region key, and may be denoted as ZoneKey; then, the time factor information (i.e., timeactor) may be used as a derivation parameter to generate a work key through a third key derivation process from the second intermediate key, where the work key may be considered as a key for a specific session and a function scenario, and the work key may be denoted as WorkKey.
It should be noted that, in the upper stage, the Key derivation process is performed three times, and each Key derivation process may be expressed in the form of Key '═ KDF (Key, arg), that is, a lower-level Key' is derived from an upper-level Key using a derivation parameter arg.
In this embodiment, the generation of the working key can be realized easily and reliably based on the several derivation parameters and the several key derivation processes.
The embodiment of generating the working key by performing the key derivation process based on the root key having the root key identifier, the first identity information, and the time factor information is not limited to this, and for example, more derived parameters may be added to the derived parameters according to the above-described embodiment, or the number of times the key derivation process is performed may be increased.
After generating the working key, the key management device 15 may generate the key identifier information according to the root key identifier, the time factor information, and the working key, for example, similar to the above, may first generate the first check information according to the root key identifier, the key rotation period, the time factor information, the specified encryption algorithm, and the working key, then generate the second check information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, and then generate the key identifier information according to the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information, and generate the first check information, the second check information, and the key identifier information may refer to the above description, which is not repeated herein. After that, the key management device 15 may return the generated work key to the first communication device 11 together with the key flag information.
After acquiring the communication packet carrying the communication data ciphertext and the key flag information from the first communication device 11, the second communication device 13 may extract the key flag information from the communication packet, and determine whether the key flag information is locally stored, and in a case that the determination result indicates that the key flag information is not locally stored, the second communication device 13 may send a key acquisition request carrying the key flag information and second identity information of the second communication device 13 to the key management device 15.
After that, the key management device 15 may receive the key acquisition request, extract the key flag information and the second identity information in the key acquisition request, and may acquire the time factor information based on the key flag information, for example, when the key flag information KeyID ═ rootID: 2B | | cycle: 2B | | timeactor: 4B | | | alg: 2B | | CV: 4B | | CRC: 2B ], a timeactor serving as time factor information may be extracted from the KeyID, and in addition, a key derivation process may be performed according to the root key, the second identity information, and the time factor information to recover the working key, and a key derivation process may be performed according to the root key, the second identity information, and the time factor information, and a key derivation process may be performed in a manner similar to that described above according to the root key, the first identity information, and the time factor information to generate the working key.
After recovering the working key, the key management device 15 may return the working key to the second communication device 13, whereby the second communication device 13 may perform message communication with the first communication device 11.
In the embodiment of the present disclosure, in response to the key initialization request from the first communication device 11, the key management device 15 may perform the key derivation process based on the root key, the first identity information, and the time factor information, to realize the generation of the working key and to generate the key mark information according to the root key identification, the time factor information and the working key, so that, in the case where the second communication device 13 does not locally store the key identifier information, the second communication device 13 may send a key acquisition request carrying the key identifier information and the second identity information to the key management device 15, and in response to the key acquisition request, the key management device 15 may acquire the time factor information according to the key identifier information, and based on the root key, the second identity information and the time factor information, the recovery of the working key is achieved so as to provide the working key to the second communication device 13. It can be seen that, in the embodiment of the present disclosure, even if the second communication device 13 does not locally store the key flag information, the recovery of the working key can be conveniently and reliably implemented in a suitable manner, so as to implement the message communication between the first communication device 11 and the second communication device 13.
It should be noted that, since the working Key is to be recovered, in the embodiment of the present disclosure, it is required to ensure that the Key derivation algorithm used when performing the Key derivation process is a certain algorithm (e.g., a hash algorithm, a symmetric cryptographic encryption algorithm, etc.), that is, the output result obtained by calculating the same derived parameter through the Key derivation algorithm for multiple times is the same, and then, in the case that the Key derivation process is expressed in the form of Key ' ═ KDF (Key, arg), the value of Key ' can be accurately calculated through Key and arg, but the value of Key cannot be calculated through Key ' and arg, so that the embodiment of the present disclosure can recover the original Key for data decryption in the scenarios of auditing or judicial evidence obtaining of historical data, and the Key recovery process does not need to depend on a storage system such as a database, thereby reducing the requirement of high reliability of Key availability on the storage system, and the search efficiency impact with the increasing number of records.
In summary, the embodiments of the present disclosure can achieve the following effects: (1) a set of key management scheme for protecting user information is designed; (2) the key management scheme can protect the streamed sensitive data in a data stream scene and provides the capacity of legally using the data encryption key for an application system with the legal data access authority; (3) two-stage check logic is designed, the first-stage check uses CRC to check potential data transmission errors, and the second-stage check uses CV to prevent key forgery and parameter falsification; (4) the identity information of the communication participants, parameters for identifying scenes (such as the above-mentioned key using scene identification parameters) and the like are made to participate in the generation process of the working key, so that the generated key is logically and naturally isolated, the key access authority control is completed only by realizing identity authentication, and complex authentication rule data does not need to be maintained: (5) through the structured KeyID format and the corresponding hierarchical key system, the dependence of key management work on data storage capacity and a central service system is effectively eliminated, and the method is more suitable for information systems with distributed architectures.
Exemplary method
Fig. 3 is a flowchart illustrating a message communication method according to an exemplary embodiment of the present disclosure. The method shown in fig. 3 is applied to a key management device (e.g., the key management device 15 in fig. 1) in a messaging system, and the method shown in fig. 3 may include steps 301, 302, 303 and 304.
Step 301, receiving a key initialization request which is sent by a first communication device in the system, points to a second communication device in the system, and carries first identity information of the first communication device;
step 302, generating a working key according to the first identity information;
step 303, generating key mark information according to the working key;
step 304, returning the working key and the key mark information to the first communication equipment so that the first communication equipment can send a communication message which points to the second communication equipment and carries the communication data ciphertext and the key mark information; and the communication data ciphertext is obtained by encrypting the working key.
In one alternative example of this, the user may,
generating a working key according to the first identity information, comprising:
acquiring a root key identifier and time factor information;
performing key derivation processing according to the root key with the root key identifier, the first identity information and the time factor information to generate a working key;
generating key flag information according to the working key, comprising:
generating key mark information according to the root key identification, the time factor information and the working key;
the method further comprises the following steps:
after receiving a key acquisition request which is from the second communication equipment and carries key mark information and second identity information of the second communication equipment, acquiring time factor information according to the key mark information;
and performing key derivation processing according to the root key, the second identity information and the time factor information to recover the working key, and returning the working key to the second communication device.
In one optional example, generating key flag information from the working key includes:
acquiring a root key identifier, a key alternation cycle, time factor information and an algorithm identifier of a specified encryption algorithm;
generating first check information according to the root key identification, the key alternation cycle, the time factor information, the appointed encryption algorithm and the working key;
generating second check information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information;
and generating key mark information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information.
In an alternative example, generating the first check information according to the root key identification, the key rotation period, the time factor information, the specified encryption algorithm and the working key includes:
connecting the root key identification, the key alternation cycle and the time factor information in sequence by using a first preset symbol to generate a first connection result;
generating filling data according to the first connection result and the specified data length constraint, and connecting the first connection result with the filling data by using a second preset symbol to generate a second connection result conforming to the specified data length constraint;
and using the working key as an encryption key, and encrypting the second connection result by using a specified encryption algorithm to generate first verification information.
In an optional example, generating the second check-up information according to the root key identification, the key rotation period, the time factor information, the algorithm identification and the first check-up information includes:
respectively carrying out data length adjustment processing on the root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information so as to enable the processed root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information to respectively accord with corresponding data length constraints;
and performing cyclic redundancy check operation according to the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information to generate second check information.
In an alternative example, generating the key flag information according to the root key identification, the key rotation period, the time factor information, the algorithm identification, the first check information and the second check information includes:
respectively carrying out data length adjustment processing on the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information so as to enable the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information to respectively accord with corresponding data length constraints;
and connecting the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information in sequence by using a third preset symbol to generate key mark information.
Fig. 4 is a flowchart illustrating a message communication method according to an exemplary embodiment of the present disclosure. The method shown in fig. 4 is applied to a second communication device (for example, the second communication device 13 in fig. 1) in a message communication system, and the method shown in fig. 4 may include step 401, step 402, and step 403, which are described below.
Step 401, obtaining a communication packet carrying a communication data ciphertext and key flag information from a first communication device:
step 402, judging whether the key mark information is stored locally, and acquiring a working key in a corresponding mode according to a judgment result;
and step 403, decrypting the communication data ciphertext by using the working key.
It should be noted that, for the specific implementation process of the method embodiment, reference may be made to the description of the corresponding part of the specific implementation process of the system embodiment, and details are not described here.
Exemplary devices
Fig. 5 is a schematic structural diagram of a message communication apparatus according to an exemplary embodiment of the present disclosure, where the apparatus shown in fig. 5 is applied to a key management device (e.g., the key management device 15 in fig. 1) in a message communication system, and the apparatus shown in fig. 5 includes a receiving module 501, a first generating module 502, a second generating module 503, and a sending module 504.
A receiving module 501, configured to receive a key initialization request, which is sent by a first communication device in the system, is directed to a second communication device in the system, and carries first identity information of the first communication device:
a first generating module 502, configured to generate a work key according to the first identity information;
a second generating module 503, configured to generate key identifier information according to the working key;
a sending module 504, configured to return the working key and the key identifier information to the first communication device, so that the first communication device sends a communication packet that is directed to the second communication device and carries a communication data ciphertext and the key identifier information; and the communication data ciphertext is obtained by encrypting the working key.
In one alternative example of this, the user may,
a first generating module 502, comprising:
the first obtaining submodule is used for obtaining the root key identification and the time factor information:
the first generation submodule is used for performing key derivation processing according to the root key with the root key identifier, the first identity information and the time factor information to generate a working key;
the second generating module 503 is specifically configured to:
generating key mark information according to the root key identification, the time factor information and the working key;
the device also includes:
the acquisition module is used for acquiring the time factor information according to the key mark information after receiving a key acquisition request which is from the second communication equipment and carries the key mark information and the second identity information of the second communication equipment;
and the processing module is used for performing key derivation processing according to the root key, the second identity information and the time factor information so as to recover the working key and return the working key to the second communication equipment.
In an optional example, the second generating module 503 includes:
the second obtaining submodule is used for obtaining the root key identification, the key alternation cycle, the time factor information and the algorithm identification of the appointed encryption algorithm:
the second generation submodule is used for generating first check information according to the root key identification, the key alternation cycle, the time factor information, the specified encryption algorithm and the working key;
the third generation submodule is used for generating second check information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification and the first check information;
and the fourth generation submodule is used for generating key mark information according to the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information.
In one optional example, the second generation submodule includes:
the first generating unit is used for connecting the root key identification, the key alternation cycle and the time factor information in sequence by using a first preset symbol so as to generate a first connecting result;
the second generation unit is used for generating filling data according to the first connection result and the specified data length constraint, and connecting the first connection result with the filling data by using a second preset symbol so as to generate a second connection result conforming to the specified data length constraint;
and a third generating unit, configured to encrypt the second connection result by using the specified encryption algorithm using the working key as an encryption key to generate the first verification information.
In one optional example, the third generating sub-module comprises:
the first processing unit is used for respectively carrying out data length adjustment processing on the root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information so as to enable the processed root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information to respectively accord with corresponding data length constraints;
and the fourth generating unit is used for performing cyclic redundancy check operation according to the processed root key identifier, the key alternation cycle, the time factor information, the algorithm identifier and the first check information to generate second check information.
In one optional example, the third generating unit comprises:
the second processing unit is used for respectively carrying out data length adjustment processing on the root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information so as to enable the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information to respectively accord with corresponding data length constraints;
and the fifth generating unit is used for connecting the processed root key identification, the key alternation cycle, the time factor information, the algorithm identification, the first check information and the second check information in sequence by using a third preset symbol so as to generate key mark information.
Fig. 6 is a schematic structural diagram of a message communication apparatus according to an exemplary embodiment of the present disclosure, where the apparatus shown in fig. 6 is applied to a second communication device (for example, the second communication device 13 in fig. 1) in a message communication system, and the apparatus shown in fig. 6 includes a first obtaining module 601, a second obtaining module 602, and a decryption module 603.
A first obtaining module 601, configured to obtain a communication packet that carries a communication data ciphertext and key flag information from a first communication device;
a second obtaining module 602, configured to determine whether key flag information is stored locally, and obtain a working key in a corresponding manner according to a determination result;
and a decryption module 603, configured to decrypt the communication data ciphertext using the working key.
It should be noted that, the specific implementation process of the apparatus embodiment may refer to the description of the specific implementation process of the system embodiment, and is not described herein again.
Exemplary electronic device
Next, an electronic apparatus according to an embodiment of the present disclosure is described with reference to fig. 7. The electronic device may be either or both of the first device and the second device, or a stand-alone device separate from them, which stand-alone device may communicate with the first device and the second device to receive the acquired input signals therefrom.
Fig. 7 illustrates a block diagram of an electronic device 700 in accordance with an embodiment of the disclosure.
As shown in fig. 7, the electronic device 700 includes one or more processors 701 and memory 702.
The processor 701 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 700 to perform desired functions.
Memory 702 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 701 to implement the messaging methods of the various embodiments of the disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 700 may further include: an input device 703 and an output device 704, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
For example, when the electronic device 700 is a first device or a second device, the input means 703 may be a microphone or a microphone array. When the electronic device 700 is a stand-alone device, the input means 703 may be a communication network connector for receiving the acquired input signals from the first device and the second device.
The input device 703 may include, for example, a keyboard, a mouse, and the like.
The output device 704 may output various information to the outside. The output devices 704 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for simplicity, only some of the components of the electronic device 700 relevant to the present disclosure are shown in fig. 7, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 700 may include any other suitable components depending on the particular application.
Exemplary computer program product and computer-readable storage Medium
In addition to the above-described methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in a messaging method according to various embodiments of the present disclosure described in the "exemplary methods" section of this specification above.
The computer program product may write program code for carrying out operations for embodiments of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform steps in a messaging method according to various embodiments of the present disclosure described in the "exemplary methods" section above of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The block diagrams of devices, apparatuses, systems referred to in this disclosure are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses, devices, systems may be connected, arranged, configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "as used herein mean, and are used interchangeably with, the word" and/or, "unless the context clearly dictates otherwise. The word "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
It is also noted that in the devices, apparatuses, and methods of the present disclosure, each component or step can be decomposed and/or recombined. These decompositions and/or recombinations are to be considered equivalents of the present disclosure.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. The present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (10)

1. A message communication system, comprising: a first communication device, a second communication device and a key management device; wherein the content of the first and second substances,
the first communication device is configured to send a key initialization request, which is directed to the second communication device and carries first identity information of the first communication device, to the key management device;
the key management device is configured to generate a working key according to the first identity information after receiving the key initialization request, generate key flag information according to the working key, and return the working key and the key flag information to the first communication device;
and the second communication device is used for judging whether the key mark information is stored locally or not after acquiring the communication message carrying the communication data ciphertext and the key mark information from the first communication device, acquiring the working key in a corresponding mode according to a judgment result, and decrypting the communication data ciphertext by using the working key.
2. The system of claim 1,
the second communication device is specifically configured to send a key obtaining request carrying second identity information of the second communication device to the key management device under the condition that the judgment result indicates that the key identifier information is not locally stored, so as to obtain the working key returned by the key management device according to the second identity information after the key obtaining request is received by the key management device, and locally and correspondingly store the key identifier information and the working key;
the second communication device is specifically configured to, when the determination result indicates that the key flag information is locally stored, locally acquire the working key stored in correspondence to the key flag information.
3. The method of claim 1,
the key management device is specifically configured to, after receiving the key initialization request, obtain a root key identifier and time factor information, perform key derivation processing according to a root key having the root key identifier, the first identity information, and the time factor information to generate the working key, and generate the key flag information according to the root key identifier, the time factor information, and the working key;
the second communication device is specifically configured to send a key acquisition request carrying the key identifier information and second identity information of the second communication device to the key management device when the determination result indicates that the key identifier information is not locally stored;
the key management device is further configured to, after receiving the key acquisition request, acquire the time factor information according to the key flag information, perform key derivation processing according to the root key, the second identity information, and the time factor information to recover the working key, and return the working key to the second communication device.
4. The method according to claim 3, wherein the key initialization request further carries a key usage identification parameter or a key usage scenario identification parameter;
the key management device is specifically configured to generate a first intermediate key from the root key through key derivation processing using the first identity information as a derivation parameter, generate a second intermediate key from the first intermediate key through key derivation processing using the key usage identification parameter or the key usage scenario identification parameter as a derivation parameter, and generate the working key from the second intermediate key through key derivation processing using the time factor information as a derivation parameter.
5. The system according to claim 1, wherein the key management device is specifically configured to, after receiving the key initialization request, obtain a root key identifier, a key rotation period, time factor information, and an algorithm identifier of a specific encryption algorithm, generate first check information from the root key identifier, the key rotation period, the time factor information, the specific encryption algorithm, and the work key, generate second check information from the root key identifier, the key rotation period, the time factor information, the algorithm identifier, and the first check information, and generate the key flag information from the root key identifier, the key rotation period, the time factor information, the algorithm identifier, the first check information, and the second check information.
6. The system according to claim 5, wherein the key management device is specifically configured to sequentially connect the root key identifier, the key rotation cycle, and the time factor information by using a first preset symbol to generate a first connection result, generate padding data according to the first connection result and a specified data length constraint, connect the first connection result and the padding data by using a second preset symbol to generate a second connection result conforming to the specified data length constraint, and encrypt the second connection result by using the specified encryption algorithm by using the working key as an encryption key to generate the first verification information.
7. A message communication method is applied to a key management device in a message communication system, and the method comprises the following steps:
receiving a key initialization request which is sent by first communication equipment in the system, points to second communication equipment in the system and carries first identity information of the first communication equipment;
generating a working key according to the first identity information;
generating key mark information according to the working key;
returning the working key and the key mark information to the first communication equipment so that the first communication equipment can send a communication message which is directed to the second communication equipment and carries a communication data ciphertext and the key mark information; and the communication data ciphertext is obtained by encrypting the working key.
8. A message communication method, applied to a second communication device in a message communication system, the method comprising:
acquiring a communication message which is from the first communication equipment and carries a communication data ciphertext and key mark information;
judging whether the key mark information is stored locally or not, and acquiring the working key in a corresponding mode according to a judgment result;
and decrypting the communication data ciphertext by using the working key.
9. A message communication apparatus, applied to a key management device in a message communication system, the apparatus comprising:
a receiving module, configured to receive a key initialization request, which is sent by a first communication device in the system, points to a second communication device in the system, and carries first identity information of the first communication device;
the first generation module is used for generating a working key according to the first identity information;
the second generation module is used for generating key mark information according to the working key;
a sending module, configured to return the working key and the key identifier information to the first communication device, so that the first communication device sends a communication packet that is directed to the second communication device and carries a communication data ciphertext and the key identifier information; and the communication data ciphertext is obtained by encrypting the working key.
10. A message communication apparatus, for use in a second communication device in a message communication system, the apparatus comprising:
the first acquisition module is used for acquiring a communication message which is from the first communication equipment and carries a communication data ciphertext and key mark information;
the second acquisition module is used for judging whether the key mark information is stored locally or not and acquiring the working key in a corresponding mode according to a judgment result;
and the decryption module is used for decrypting the communication data ciphertext by using the working key.
CN202110199203.8A 2021-02-22 2021-02-22 Message communication system, method and device Pending CN113014572A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110199203.8A CN113014572A (en) 2021-02-22 2021-02-22 Message communication system, method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110199203.8A CN113014572A (en) 2021-02-22 2021-02-22 Message communication system, method and device

Publications (1)

Publication Number Publication Date
CN113014572A true CN113014572A (en) 2021-06-22

Family

ID=76406693

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110199203.8A Pending CN113014572A (en) 2021-02-22 2021-02-22 Message communication system, method and device

Country Status (1)

Country Link
CN (1) CN113014572A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114091088A (en) * 2022-01-18 2022-02-25 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security
CN114785556A (en) * 2022-03-28 2022-07-22 中国建设银行股份有限公司 Encrypted communication method, device, computer equipment and storage medium
CN114785556B (en) * 2022-03-28 2024-04-30 中国建设银行股份有限公司 Encryption communication method, device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103313241A (en) * 2012-03-15 2013-09-18 中国移动通信集团公司 SE (secure element) key management method, service platform, management platform and system
CN104580167A (en) * 2014-12-22 2015-04-29 腾讯科技(深圳)有限公司 Data transmission method, device and system
US20160352517A1 (en) * 2015-05-29 2016-12-01 Microsoft Technology Licensing, Llc Sharing encrypted data with enhanced security
CN109167801A (en) * 2018-11-08 2019-01-08 蓝信移动(北京)科技有限公司 Encrypted data communication system
CN111740828A (en) * 2020-07-29 2020-10-02 北京信安世纪科技股份有限公司 Key generation method, device and equipment and encryption method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103313241A (en) * 2012-03-15 2013-09-18 中国移动通信集团公司 SE (secure element) key management method, service platform, management platform and system
CN104580167A (en) * 2014-12-22 2015-04-29 腾讯科技(深圳)有限公司 Data transmission method, device and system
US20160352517A1 (en) * 2015-05-29 2016-12-01 Microsoft Technology Licensing, Llc Sharing encrypted data with enhanced security
CN109167801A (en) * 2018-11-08 2019-01-08 蓝信移动(北京)科技有限公司 Encrypted data communication system
CN111740828A (en) * 2020-07-29 2020-10-02 北京信安世纪科技股份有限公司 Key generation method, device and equipment and encryption method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114091088A (en) * 2022-01-18 2022-02-25 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security
CN114091088B (en) * 2022-01-18 2022-09-06 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security
CN114785556A (en) * 2022-03-28 2022-07-22 中国建设银行股份有限公司 Encrypted communication method, device, computer equipment and storage medium
CN114785556B (en) * 2022-03-28 2024-04-30 中国建设银行股份有限公司 Encryption communication method, device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US9430655B1 (en) Split tokenization
US10937339B2 (en) Digital cryptosystem with re-derivable hybrid keys
CN112929172A (en) System, method and device for dynamically encrypting data based on key bank
JP2014002365A (en) Encrypted data inquiry method and system which can protect privacy
US20040123111A1 (en) Method and system for verifying originality of data
CN105262592A (en) Data interaction method and API interface
CN114338247B (en) Data transmission method and apparatus, electronic device, storage medium, and program product
EP4020265A1 (en) Method and device for storing encrypted data
CN108199847A (en) Security processing method, computer equipment and storage medium
CN107306254B (en) Digital copyright protection method and system based on double-layer encryption
CN110222809B (en) Information combination and encryption method of two-dimensional code and two-dimensional code encryption machine
CN110198320B (en) Encrypted information transmission method and system
CN113014572A (en) Message communication system, method and device
CN112865965B (en) Train service data processing method and system based on quantum key
WO2022046330A1 (en) Data management and encryption in a distributed computing system
CN115982247B (en) Block chain-based account information query method and device, equipment and medium
US20230299971A1 (en) Data protection apparatus, electronic apparatus, method, and storage medium
CN115514578A (en) Block chain based data authorization method and device, electronic equipment and storage medium
CN113672955B (en) Data processing method, system and device
CN115225365A (en) Data secure transmission method, platform and system based on cryptographic algorithm
CN109218009A (en) It is a kind of to improve the method for device id safety, client and server
WO2020243010A1 (en) Key-ladder protected personalization data conversion from global to unique encryption
CN113595962A (en) Safety control method and device and safety control equipment
JP2007096413A (en) Packet recording support apparatus, packet recording support method, and packet recording support program
CN115664861B (en) Identity information verification method and device based on block chain, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210816

Address after: 100085 Floor 101 102-1, No. 35 Building, No. 2 Hospital, Xierqi West Road, Haidian District, Beijing

Applicant after: Seashell Housing (Beijing) Technology Co.,Ltd.

Address before: 101300 room 24, 62 Farm Road, Erjie village, Yangzhen Town, Shunyi District, Beijing

Applicant before: Beijing fangjianghu Technology Co.,Ltd.

TA01 Transfer of patent application right
RJ01 Rejection of invention patent application after publication

Application publication date: 20210622

RJ01 Rejection of invention patent application after publication