CN113852471B - Data communication method and device based on resource-limited scene - Google Patents

Publication number: CN113852471B
Authority: CN (China)
Prior art keywords: data, authenticated, terminal, system side, terminal side
Legal status: Active
Application number: CN202111441231.2A
Other languages: Chinese (zh)
Other versions: CN113852471A (en)
Inventors: 徐湖伟, 肖灵, 胡瑞璟, 董逢华
Current Assignee: Wuhan Tianyu Information Industry Co Ltd
Original Assignee: Wuhan Tianyu Information Industry Co Ltd
Application filed by Wuhan Tianyu Information Industry Co Ltd
Priority to CN202111441231.2A
Publication of CN113852471A
Application granted
Publication of CN113852471B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI

Abstract

The application relates to a data communication method and device based on a resource-limited scene, in the technical field of communication. The method comprises a dynamic authentication process with the following steps: the terminal side generates terminal side encrypted data to be authenticated based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and sends the terminal side encrypted data to be authenticated to the system side; the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, and after the comparison passes, the terminal side receives authentication passing information fed back by the system side. Through the specific authentication flow and the specific data encryption flow, the method and the device can encrypt the information flow and verify the identity of the information sender without increasing the transmission overhead, so that the reliability of data communication is guaranteed.

Description

Data communication method and device based on resource-limited scene
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data communication method and apparatus based on a resource-constrained scenario.
Background
In the field of data communication, data encryption and authentication technologies based on IC cards are widely used, and the data or authentication information to be transmitted is encrypted with a block cipher algorithm such as DES or SM4. Although this technical approach is widespread and gradually maturing, the following drawbacks still exist:
(1) additional communication resources are required to negotiate a random factor for encryption or authentication;
(2) additional communication resources are required to pad data to be encrypted that is shorter than the block length;
(3) most encryption modes used for transmission data are ECB, which is weak.
Because of these defects, such approaches often cannot meet the requirements of information stream encryption scenarios in which communication channel resources must be strictly controlled. At present, although cipher algorithms designed specifically for stream encryption exist, most consumer-grade IC cards do not support them; and if the stream encryption algorithm is implemented in embedded software instead, its performance and security are greatly reduced.
Therefore, to meet the requirements of data communication, a data communication technology based on a resource-limited scenario is provided.
Disclosure of Invention
The application provides a data communication method and device based on a resource-limited scene, which can realize encryption of information flow and identity verification of an information sender under the condition of not increasing transmission overhead through a specific authentication flow and a specific data encryption flow, thereby providing guarantee for reliability of data communication.
In a first aspect, the present application provides a data communication method based on a resource-constrained scenario, where the method includes a dynamic authentication process, where the dynamic authentication process includes the following steps:
the terminal side generates terminal side encrypted data to be authenticated based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and sends the terminal side encrypted data to be authenticated to the system side;
the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, and after the comparison passes, the terminal side receives authentication passing information fed back by the system side; wherein,
the system side encrypted data to be authenticated comprises first system side encrypted data to be authenticated, second system side encrypted data to be authenticated and third system side encrypted data to be authenticated, and the system side encrypted data to be authenticated is obtained by calculation based on system side fuzzy time, a time deviation threshold value, and a terminal unique identification code and an IC card unique identification code corresponding to the terminal side;
before the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, the method further comprises the following steps:
taking the first preset bits of the terminal side encrypted data to be authenticated as a terminal side identity authentication check code;
taking the first preset bits of the first system side encrypted data to be authenticated as a first system side identity authentication check code;
taking the first preset bits of the second system side encrypted data to be authenticated as a second system side identity authentication check code;
taking the first preset bits of the third system side encrypted data to be authenticated as a third system side identity authentication check code;
the method further comprises a data encryption process, wherein the data encryption process comprises the following steps:
the terminal side encrypts to obtain terminal side encrypted transmission data based on a block cipher algorithm according to the terminal side identity authentication check code and the terminal side data to be transmitted, and sends the terminal side encrypted transmission data to the system side;
and the system side encrypts to obtain system side encrypted transmission data based on a block cipher algorithm according to the data to be transmitted by the system side and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code, and transmits the system side encrypted transmission data to the terminal side.
Specifically, the terminal side generating the terminal side encrypted data to be authenticated based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side includes the following steps:
the terminal side rounds the current time up to obtain the terminal side fuzzy time;
splicing the terminal side fuzzy time, the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain terminal side data to be authenticated;
and generating the terminal side encrypted data to be authenticated from the terminal side data to be authenticated using a preset encryption algorithm.
Further, the method further comprises a system side encryption data to be authenticated generation flow, and the system side encryption data to be authenticated generation flow comprises the following steps:
the system side rounds the current time up to obtain a first system time;
calculating a second system time and a third system time based on the time deviation threshold;
and calculating, based on the first system time, the second system time, the third system time, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, the first system side encrypted data to be authenticated, the second system side encrypted data to be authenticated and the third system side encrypted data to be authenticated.
Specifically, the system side comparing the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated comprises the following step:
when the terminal side identity authentication check code matches the first system side identity authentication check code, the second system side identity authentication check code or the third system side identity authentication check code, judging that the comparison is passed.
In a second aspect, the present application provides a data communication apparatus based on a resource-constrained scenario, the apparatus comprising:
the terminal side authentication module is used for generating terminal side encrypted data to be authenticated based on the terminal side fuzzy time, and a terminal unique identification code and an IC card unique identification code corresponding to the terminal side;
the system side authentication module is used for calculating and obtaining encrypted data to be authenticated of the system side based on system side fuzzy time, a time deviation threshold value, a terminal unique identification code and an IC card unique identification code corresponding to the terminal side;
the system side authentication module is further used for comparing the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated and, if the comparison passes, feeding authentication passing information back to the terminal side authentication module;
the system side encrypted data to be authenticated comprises first system side encrypted data to be authenticated, second system side encrypted data to be authenticated and third system side encrypted data to be authenticated, and the system side encrypted data to be authenticated is obtained by calculation based on system side fuzzy time, a time deviation threshold value, and a terminal unique identification code and an IC card unique identification code corresponding to the terminal side;
the system side authentication module is also used for taking the first preset bits of the terminal side encrypted data to be authenticated as a terminal side identity authentication check code;
the system side authentication module is further used for taking the first preset bits of the first system side encrypted data to be authenticated as a first system side identity authentication check code;
the system side authentication module is also used for taking the first preset bits of the second system side encrypted data to be authenticated as a second system side identity authentication check code;
the system side authentication module is also used for taking the first preset bits of the third system side encrypted data to be authenticated as a third system side identity authentication check code;
the terminal side encryption transmission module is used for, after the system side encrypted data to be authenticated and the terminal side encrypted data to be authenticated have been compared, encrypting, based on a block cipher algorithm, according to the terminal side identity authentication check code and the terminal side data to be transmitted to obtain terminal side encrypted transmission data, and sending the terminal side encrypted transmission data to the system side;
and the system side encryption transmission module is used for, after the system side encrypted data to be authenticated and the terminal side encrypted data to be authenticated have been compared, encrypting according to the system side data to be transmitted and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code to obtain system side encrypted transmission data, and sending the system side encrypted transmission data to the terminal side.
Further, the terminal side authentication module is further configured to round up based on the current time to obtain the terminal side fuzzy time;
the terminal side authentication module is also used for splicing the terminal side fuzzy time, the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain terminal side data to be authenticated;
the terminal side authentication module is further used for generating the terminal side encrypted data to be authenticated by combining a preset encryption algorithm based on the data to be authenticated on the terminal side.
Further, the system side authentication module is further configured to round up based on the current time to obtain a first time of the system;
the system side authentication module is further used for calculating and obtaining a second system time and a third system time based on the time deviation threshold;
the system side authentication module is further used for calculating, based on the first system time, the second system time, the third system time, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, the first system side encrypted data to be authenticated, the second system side encrypted data to be authenticated and the third system side encrypted data to be authenticated.
The beneficial effects of the technical scheme provided by this application include:
according to the method and the device, the information flow can be encrypted and the identity of the information sender can be verified under the condition that the transmission overhead is not increased through the specific authentication flow and the specific data encryption flow, so that the reliability of data communication is guaranteed.
Drawings
Interpretation of terms:
HMAC: Hash-based Message Authentication Code, a message authentication code computed with a keyed hash operation;
CBC: Cipher Block Chaining, the ciphertext block chaining mode.
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart illustrating steps of a dynamic authentication procedure of a data communication method based on a resource-constrained scenario provided in an embodiment of the present application;
fig. 2 is a flowchart illustrating steps of a data encryption process of a data communication method based on a resource-constrained scenario provided in an embodiment of the present application;
fig. 3 is a schematic flowchart of identity authentication and data encryption and decryption of a data communication method based on a resource-constrained scenario provided in an embodiment of the present application;
fig. 4 is a schematic flowchart of a dynamic authentication process of a data communication method based on a resource-constrained scenario provided in an embodiment of the present application;
fig. 5 is a schematic flowchart of a data encryption process of the data communication method based on the resource-constrained scenario provided in the embodiment of the present application;
fig. 6 is a block diagram of a data communication apparatus based on a resource-constrained scenario provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The embodiment of the application provides a data communication method and device based on a resource-limited scene, and the method and device can encrypt information flow and verify the identity of an information sender through a specific authentication flow and a specific data encryption flow under the condition of not increasing transmission overhead, so that the reliability of data communication is guaranteed.
In order to achieve the technical effects, the general idea of the application is as follows:
a data communication method based on resource limited scene includes a dynamic authentication process, the dynamic authentication process includes the following steps:
a1, generating terminal side encrypted data to be authenticated by the terminal side based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and sending the terminal side encrypted data to be authenticated to the system side;
A2, the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, and after the comparison passes, the terminal side receives authentication passing information fed back by the system side; wherein,
the system side encrypted data to be authenticated is obtained by calculation based on system side fuzzy time, a time deviation threshold value, a terminal unique identification code and an IC card unique identification code corresponding to the terminal side.
In a first aspect, referring to fig. 1 to 5, an embodiment of the present application provides a data communication method based on a resource-constrained scenario, where the method includes a dynamic authentication process, where the dynamic authentication process includes the following steps:
a1, generating terminal side encrypted data to be authenticated by the terminal side based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and sending the terminal side encrypted data to be authenticated to the system side;
A2, the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, and after the comparison passes, the terminal side receives authentication passing information fed back by the system side; wherein,
the system side encrypted data to be authenticated is obtained by calculation based on system side fuzzy time, a time deviation threshold value, a terminal unique identification code and an IC card unique identification code corresponding to the terminal side.
According to the technical scheme in the embodiment of the application, the information flow can be encrypted and the identity of the information sender can be verified under the condition that the transmission overhead is not increased through the specific authentication flow and the specific data encryption flow, so that the reliability of data communication is guaranteed.
Specifically, the terminal side generating the terminal side encrypted data to be authenticated based on the terminal side fuzzy time and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side includes the following steps:
the terminal side rounds the current time up to obtain the terminal side fuzzy time;
splicing the terminal side fuzzy time, the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain terminal side data to be authenticated;
and generating the terminal side encrypted data to be authenticated from the terminal side data to be authenticated using a preset encryption algorithm.
Further, the data communication method based on the resource-constrained scenario further includes a system-side encrypted data to be authenticated generation flow, where the system-side encrypted data to be authenticated generation flow includes the following steps:
the system side rounds the current time up to obtain a first system time;
calculating a second system time and a third system time based on the time deviation threshold;
and calculating, based on the first system time, the second system time, the third system time, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, the first system side encrypted data to be authenticated, the second system side encrypted data to be authenticated and the third system side encrypted data to be authenticated.
Further, in the data communication method based on the resource-constrained scenario, before the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, the method further includes the following steps:
taking the first preset bits of the terminal side encrypted data to be authenticated as a terminal side identity authentication check code;
taking the first preset bits of the first system side encrypted data to be authenticated as a first system side identity authentication check code;
taking the first preset bits of the second system side encrypted data to be authenticated as a second system side identity authentication check code;
and taking the first preset bits of the third system side encrypted data to be authenticated as a third system side identity authentication check code.
Specifically, in the data communication method based on the resource-constrained scenario, the system side comparing the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated includes the following step:
when the terminal side identity authentication check code matches the first system side identity authentication check code, the second system side identity authentication check code or the third system side identity authentication check code, judging that the comparison is passed.
Further, the data communication method based on the resource-constrained scenario further includes a data encryption process, where the data encryption process includes the following steps:
B1, the terminal side encrypts, based on a block cipher algorithm, according to the terminal side identity authentication check code and the terminal side data to be transmitted to obtain terminal side encrypted transmission data, and sends the terminal side encrypted transmission data to the system side;
B2, the system side encrypts, based on a block cipher algorithm, according to the system side data to be transmitted and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code to obtain system side encrypted transmission data, and sends the system side encrypted transmission data to the terminal side.
The application scenario corresponding to the technical solution of the embodiment of the present application should include the following elements:
the transmission protocol on which the embodiment of the application is based contains, or can have inserted into it, a plurality of check codes, and the length of the check codes is denoted as m bits, that is, m binary digits;
the transmission protocol on which the embodiment of the application is based does not contain time parameters, but both the information receiving and transmitting parties, namely the terminal side and the system side, have the capability of acquiring the current time;
because the scenario is resource-limited, additional data is not allowed to be added in the transmission process;
in addition, the block length of the block cipher algorithm used for data encryption is n bits, that is, n binary digits.
The specific implementation of the technical scheme of the embodiment of the application consists of an encryption service module (namely, a system side) running on a system platform and an encryption application (namely, a terminal side) on an IC card;
the terminal side calculates the identity authentication check code and encrypts the transmission data, and the system side checks the identity authentication check code and decrypts the transmission data.
Therefore, the scenario applied by the technical scheme of the embodiment of the application at least comprises the following components:
1. IC card and its encryption application;
2. a terminal device carrying an IC card;
3. a system platform, which is responsible for managing the IC card and the terminal equipment and providing the information transfer service, and its encryption service module, which is responsible for the encryption operations.
In addition, the system platform should store the following information in its database:
the authentication key KeyA required to calculate the identity authentication check code;
the encryption key KeyD required for data encryption;
the unique identification code of the terminal, denoted IDt;
and the unique identification code of the IC card, denoted IDi.
In a specific implementation, the dynamic authentication process in the embodiment of the present application may use a special time fuzzing method and a dynamic identity authentication algorithm, and it operates as follows:
Firstly, both parties that send and receive information obtain the current time;
in order to keep the time error during data transmission within an allowable range without affecting authentication efficiency, the terminal side and the system side perform time fuzzing according to the following rules:
an error base x is set;
the terminal side rounds the current time up to a multiple of x (that is, with x as the modulus) to obtain the terminal side fuzzy time y;
the system side rounds the current time up to a multiple of x to obtain the system side fuzzy time z1; it then calculates z2 = z1 - x and z3 = z1 + x, so that the system side obtains three fuzzy times in total, z1, z2 and z3, that is, the allowable time error is [z1, z3].
Secondly, the terminal side concatenates IDt, IDi and y to obtain the data to be authenticated P;
then the keyed hash HDigest of the data to be authenticated P is calculated with the hash-based, keyed HMAC algorithm: HDigest = HMAC{KeyA, P}; wherein
KeyA is the authentication key used to calculate the identity authentication check code.
It should be noted that the HMAC algorithm is an identity authentication method based on a hash function and a secret key, and it is widely used in network communication.
Thirdly, the terminal side takes the leftmost m bits of HDigest as the identity authentication check code B1; B1 is transmitted to the system side during communication as part of the transmission protocol.
Fourthly, the terminal side takes the rightmost n bits of HDigest as the initial vector IV1 of the data encryption operation;
IV1 is retained only on the IC card for the subsequent streaming encryption operation based on the block cipher algorithm, and it is destroyed after encryption is complete.
Fifthly, after receiving the transmission data, the system side first checks the identity authentication check code and then decrypts the transmission data; the specific operation is as follows:
1. The system side retrieves KeyA, IDt and IDi from the database according to the transmission protocol.
2. First check: concatenate IDt, IDi and z1 to obtain the data to be authenticated P1; calculate HDigest' = HMAC{KeyA, P1};
take the leftmost m bits of HDigest' as the identity authentication check code B2;
compare B1 with B2; if they are consistent, go to the sixth step; otherwise, go to item 3 of the fifth step.
3. Second check: concatenate IDt, IDi and z2 to obtain the data to be authenticated P2;
calculate HDigest' = HMAC{KeyA, P2};
take the leftmost m bits of HDigest' as the identity authentication check code B2;
compare B1 with B2; if they are consistent, go to the sixth step; otherwise, go to item 4 of the fifth step.
4. Third check: concatenate IDt, IDi and z3 to obtain the data to be authenticated P3;
calculate HDigest' = HMAC{KeyA, P3};
take the leftmost m bits of HDigest' as the identity authentication check code B2;
compare B1 with B2; if they are consistent, go to the sixth step; otherwise, go to item 5 of the fifth step.
5. The system side returns an authentication error, and the process is terminated.
Sixthly, when B1 is consistent with B2, the identity authentication is passed;
in addition, it should be noted that HDigest and HDigest' should be consistent in the authentication process.
Seventhly, the system side takes the rightmost n bits of HDigest' as the initial vector IV2.
Eighthly, the process moves on to the data encryption process, which may be a streaming encryption process based on a block cipher algorithm.
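The authentication steps above, sketched as an added example that is not code from the patent. HMAC-SHA-256, integer timestamps in seconds, the 8-byte big-endian time encoding and all function names are assumptions of this sketch; the guard against overlapping check-code and IV bits and the constant-time comparison are also additions.

```python
import hashlib
import hmac


def fuzz_up(now, x):
    """Round `now` up to the next multiple of the error base x."""
    return -(-now // x) * x


def _hdigest(key_a, id_t, id_i, fuzzy_time):
    # P = IDt || IDi || fuzzy time. The page fixes neither the hash nor the
    # time encoding; HMAC-SHA-256 and 8 big-endian bytes are assumed here.
    p = id_t + id_i + fuzzy_time.to_bytes(8, "big")
    return hmac.new(key_a, p, hashlib.sha256).digest()


def _split_digest(digest, m, n):
    """Return (leftmost m bits, rightmost n bits) of the digest as bytes."""
    total = len(digest) * 8
    if m + n > total:
        # Guard added in this example: otherwise the transmitted check code
        # would expose bits of the IV.
        raise ValueError("check code and IV would share digest bits")
    value = int.from_bytes(digest, "big")
    check = (value >> (total - m)).to_bytes((m + 7) // 8, "big")
    iv = (value & ((1 << n) - 1)).to_bytes((n + 7) // 8, "big")
    return check, iv


def terminal_auth(key_a, id_t, id_i, now, x, m, n):
    """Terminal side: returns (B1, IV1). Only B1 is put on the wire."""
    y = fuzz_up(now, x)
    return _split_digest(_hdigest(key_a, id_t, id_i, y), m, n)


def system_verify(key_a, id_t, id_i, b1, now, x, m, n):
    """System side: try z1, z2 = z1 - x, z3 = z1 + x in that order.

    Returns IV2 when a check code matches, or None (authentication error).
    """
    z1 = fuzz_up(now, x)
    for z in (z1, z1 - x, z1 + x):
        if z < 0:
            continue  # no such window before time zero
        b2, iv2 = _split_digest(_hdigest(key_a, id_t, id_i, z), m, n)
        if hmac.compare_digest(b1, b2):  # constant-time comparison
            return iv2
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    key_a, id_t, id_i = bytes(range(16)), b"TERM0001", b"CARD0001"
    b1, iv1 = terminal_auth(key_a, id_t, id_i, now=1000, x=60, m=32, n=64)
    for system_now in (1005, 1025, 955, 1090):
        iv2 = system_verify(key_a, id_t, id_i, b1, system_now, 60, 32, 64)
        print(system_now, "accepted" if iv2 == iv1 else "rejected")
```

Because IV1 is derived only from KeyA, IDt, IDi and y, every message the same card sends within one window of length x is encrypted under the same IV.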
In practical implementation, the data encryption process in the embodiment of the present application may be a streaming encryption process based on a block cipher algorithm, and the operation process thereof is as follows:
In the first step, a standard symmetric algorithm that domestic IC cards are required to support (such as DES, SM4, etc.) is adopted as the reference block cipher algorithm, and its block length is n bits.
Secondly, if the data to be processed is not a whole number of bytes, it is padded to a byte boundary;
the padding bits used for byte padding are discarded after the computation is finished, so the original length of the transmission data is not changed.
Thirdly, the padded data to be processed is denoted S, and the length of S is denoted L bits;
according to the block length n of the reference block cipher algorithm, S is divided into two parts, namely the whole packet G and the zero packet F.
Fourthly, the whole packet G is calculated and split off as follows:
1. the whole packet consists of several blocks whose length is equal to n bits, where n is the block length of the reference block cipher algorithm;
2. the whole packet is present when L is greater than n. The number of whole blocks is denoted m and their total length L1;
3. calculate m: m = (L/n), discarding the remainder and keeping only the quotient;
4. calculate L1: L1 = m × n;
5. the leftmost L1 bits of S are taken to give G.
Fifthly, the zero packet F is calculated and split off as follows:
1. the zero packet must be present, with a length greater than 0 but not more than n bits;
2. the length of the zero packet is denoted L2;
3. calculate L2: if L is equal to n, then L2 = n; otherwise, L2 = n - (L % n);
4. the rightmost L2 bits of S are taken to give F.
Sixthly, the data encryption key KeyD is fetched.
Seventhly, the initial vector IV is taken:
1. on the terminal side, IV = IV1;
2. on the system side, IV = IV2.
Eighthly, if the whole packet G exists, a cryptographic operation is performed on G using the CBC mode of the reference block cipher algorithm to obtain the ciphertext E1; if the whole packet does not exist, E1 is set to null; the specific cryptographic operation is as follows:
E1 = CRYPT_CBC{KeyD, IV, G}; wherein
CRYPT_CBC represents the CBC mode of the reference block cipher algorithm, whose calculation process is defined by the public standard of the relevant algorithm;
the algorithm parameters are given in the braces after CRYPT_CBC;
KeyD is the encryption key required for data encryption;
IV is the initial vector required by the algorithm;
G is the data to be operated on.
Ninthly, since the zero packet F always exists, a cryptographic operation is performed on F using the CFB mode of the reference block cipher algorithm to obtain the ciphertext E2; the specific cryptographic operation is as follows:
1. if the whole packet exists, IV is replaced with the rightmost n bits of E1;
wherein 1 byte is 8 bits.
2. E2 = CRYPT_CFB{KeyD, IV, F, 8}; wherein
CRYPT_CFB represents the CFB mode of the reference block cipher algorithm, whose calculation process is defined by the public standard of the relevant algorithm;
the algorithm parameters are given in the braces after CRYPT_CFB;
KeyD is the encryption key required for data encryption;
IV is the initial vector required by the algorithm;
F is the data to be operated on;
and 8 is the CFB mode operation parameter, meaning that a single encrypted segment has a length of 8 bits.
Tenthly, the leftmost side of E2 is spliced bitwise onto the rightmost side of E1 to obtain the whole string of encrypted binary ciphertext data: E = E1 | E2;
then, according to the number of padding bits used for byte padding in the second step (denoted pad), the rightmost pad bits of E are removed to obtain the encrypted data.
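The CBC-then-CFB construction above, as an added example that is not code from the patent: it shows that the ciphertext has exactly the length of the input. It uses a toy 4-round Feistel function as a stand-in for the reference block cipher (not DES or SM4), handles byte-aligned data with n = 64 only, and assumes that when L is an exact multiple of n the last full block is treated as F so that F always exists; all names are hypothetical.

```python
import hashlib

N = 8  # block length n = 64 bits, expressed in bytes


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def _round(key, rnd, half):
    # Round function of the toy cipher, built from SHA-256.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:N // 2]


def toy_encrypt_block(key, block):
    """4-round Feistel stand-in for the reference block cipher."""
    left, right = block[:N // 2], block[N // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:N // 2], block[N // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def split(s):
    """Split S into the whole packet G and a non-empty zero packet F."""
    if not s:
        raise ValueError("nothing to process")
    tail = len(s) % N or N  # assumption: an exact multiple keeps its last block as F
    return s[:-tail], s[-tail:]


def _cfb8(key, iv, data, decrypting):
    """CFB mode with 8-bit segments; the shift register is fed ciphertext."""
    reg, out = iv, bytearray()
    for byte in data:
        result = byte ^ toy_encrypt_block(key, reg)[0]
        out.append(result)
        reg = reg[1:] + bytes([byte if decrypting else result])
    return bytes(out)


def encrypt(key_d, iv, s):
    g, f = split(s)
    e1, prev = bytearray(), iv
    for i in range(0, len(g), N):  # E1 = CBC over G
        prev = toy_encrypt_block(key_d, _xor(g[i:i + N], prev))
        e1 += prev
    # prev is the last block of E1, or the original IV when G is empty
    return bytes(e1) + _cfb8(key_d, prev, f, decrypting=False)


def decrypt(key_d, iv, e):
    c1, c2 = split(e)  # E has the length of S, so it splits the same way
    g, prev = bytearray(), iv
    for i in range(0, len(c1), N):
        block = c1[i:i + N]
        g += _xor(toy_decrypt_block(key_d, block), prev)
        prev = block
    return bytes(g) + _cfb8(key_d, prev, c2, decrypting=True)


if __name__ == "__main__":
    key_d, iv = b"constructed-key!", bytes(N)  # constructed sample values
    for length in (3, 8, 11, 16, 21):
        msg = bytes(range(length))
        e = encrypt(key_d, iv, msg)
        print(length, len(e), decrypt(key_d, iv, e) == msg)
```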
The technical scheme in the embodiment of the application aims to solve the problem that the streaming information is difficult to encrypt and dynamically authenticate under the condition that communication resources are limited.
The embodiment of the application provides a new password application technology, which can encrypt information streams with irregular lengths and verify the identity of an information sender under the condition of not increasing any transmission overhead through IC card embedded software and service-oriented system software.
In a second aspect, referring to fig. 6, an embodiment of the present application provides a data communication apparatus based on a resource-constrained scenario, where the apparatus includes:
the terminal side authentication module is used for generating terminal side encrypted data to be authenticated based on the terminal side fuzzy time and on the terminal unique identification code and the IC card unique identification code corresponding to the terminal side;
the system side authentication module is used for calculating the system side encrypted data to be authenticated based on the system side fuzzy time, a time deviation threshold value, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side;
the system side authentication module is further used for comparing the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated and, if the comparison passes, feeding back authentication passing information to the terminal side authentication module.
According to the technical scheme in the embodiment of the application, the information flow can be encrypted and the identity of the information sender can be verified under the condition that the transmission overhead is not increased through the specific authentication flow and the specific data encryption flow, so that the reliability of data communication is guaranteed.
Further, the terminal side authentication module is further used for rounding the current time up to obtain the terminal side fuzzy time;
the terminal side authentication module is further used for concatenating the terminal side fuzzy time with the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain the terminal side data to be authenticated;
the terminal side authentication module is further used for generating the terminal side encrypted data to be authenticated from the terminal side data to be authenticated in combination with a preset encryption algorithm.
Further, the system side authentication module is further used for rounding the current time up to obtain a first system time;
the system side authentication module is further used for calculating a second system time and a third system time based on the time deviation threshold;
the system side authentication module is further used for calculating the first system side encrypted data to be authenticated, the second system side encrypted data to be authenticated and the third system side encrypted data to be authenticated from the first system time, the second system time, the third system time, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side.
Further, the data communication apparatus based on the resource-limited scenario further includes:
the terminal side encryption transmission module, which is used for, after the system side encrypted data to be authenticated and the terminal side encrypted data to be authenticated are compared, encrypting, based on a block cipher algorithm and according to the terminal side identity authentication check code and the terminal side data to be transmitted, to obtain terminal side encrypted transmission data, and sending the terminal side encrypted transmission data to the system side;
and the system side encryption transmission module, which is used for, after the system side encrypted data to be authenticated and the terminal side encrypted data to be authenticated are compared, encrypting, according to the system side data to be transmitted and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code, to obtain system side encrypted transmission data, and sending the system side encrypted transmission data to the terminal side.
It should be noted that the working principle, technical problem and technical effect of the data communication apparatus based on the resource limited scenario according to the embodiment of the present application are similar to the data communication method based on the resource limited scenario mentioned in the first aspect. If necessary, the apparatus may perform a corresponding operational procedure of the method of the first aspect.
It is noted that, in the present application, relational terms such as "first" and "second", and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present application and are presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A data communication method based on a resource-constrained scene is characterized by comprising a dynamic authentication process, wherein the dynamic authentication process comprises the following steps:
the terminal side generates terminal side encrypted data to be authenticated based on the terminal side fuzzy time and on the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and sends the terminal side encrypted data to be authenticated to the system side;
the terminal side receives authentication passing information fed back by the system side after the system side has compared the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated and the comparison has passed; wherein
the system side encrypted data to be authenticated comprises first system side encrypted data to be authenticated, second system side encrypted data to be authenticated and third system side encrypted data to be authenticated, and the system side encrypted data to be authenticated is obtained by calculation based on the system side fuzzy time, a time deviation threshold value, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side;
before the system side compares the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated, the method further comprises the following steps:
taking the data at the first preset bits of the terminal side encrypted data to be authenticated as a terminal side identity authentication check code;
taking the data at the first preset bits of the first system side encrypted data to be authenticated as a first system side identity authentication check code;
taking the data at the first preset bits of the second system side encrypted data to be authenticated as a second system side identity authentication check code;
taking the data at the first preset bits of the third system side encrypted data to be authenticated as a third system side identity authentication check code;
the method further comprises a data encryption process, wherein the data encryption process comprises the following steps:
the terminal side encrypts to obtain terminal side encrypted transmission data based on a block cipher algorithm according to the terminal side identity authentication check code and the terminal side data to be transmitted, and sends the terminal side encrypted transmission data to the system side;
and the system side encrypts to obtain system side encrypted transmission data based on a block cipher algorithm according to the data to be transmitted by the system side and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code, and transmits the system side encrypted transmission data to the terminal side.
2. The data communication method based on the resource-constrained scenario as claimed in claim 1, wherein the terminal side generates the terminal-side encrypted data to be authenticated based on the terminal-side fuzzy time and the terminal-side corresponding terminal-unique identification code and IC card-unique identification code, and includes the following steps:
the terminal side rounds the current time up to obtain the terminal side fuzzy time;
concatenating the terminal side fuzzy time with the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain the terminal side data to be authenticated;
and generating the terminal side encrypted data to be authenticated based on the terminal side data to be authenticated by combining a preset encryption algorithm.
3. The data communication method based on the resource-constrained scenario as claimed in claim 1, wherein the method further comprises a system-side encrypted data-to-be-authenticated generation procedure, and the system-side encrypted data-to-be-authenticated generation procedure comprises the following steps:
the system side rounds the current time up to obtain a first system time;
calculating to obtain a second system time and a third system time based on the time deviation threshold;
and obtaining the first time of the system, the second time of the system, the third time of the system, the unique identification code of the terminal corresponding to the terminal side and the unique identification code of the IC card, and calculating to obtain the encrypted data to be authenticated of the first system side, the encrypted data to be authenticated of the second system side and the encrypted data to be authenticated of the third system side.
4. The data communication method based on the resource-constrained scenario as claimed in claim 1, wherein the system side encrypts the data to be authenticated based on the system side, and compares the data to be authenticated of the terminal encryption side, comprising the following steps:
and when the terminal side identity authentication check code is matched with the terminal side identity authentication check code, the second system side identity authentication check code or the third system side identity authentication check code, judging that the comparison is passed.
5. A data communication apparatus based on a resource constrained scenario, the apparatus comprising:
the terminal side authentication module is used for generating terminal side encrypted data to be authenticated based on the terminal side fuzzy time and on the terminal unique identification code and the IC card unique identification code corresponding to the terminal side;
the system side authentication module is used for calculating the system side encrypted data to be authenticated based on the system side fuzzy time, a time deviation threshold value, and the terminal unique identification code and the IC card unique identification code corresponding to the terminal side;
the system side authentication module is further used for comparing the terminal side encrypted data to be authenticated against the system side encrypted data to be authenticated and, if the comparison passes, feeding back authentication passing information to the terminal side authentication module;
the system side encrypted data to be authenticated comprises first system side encrypted data to be authenticated, second system side encrypted data to be authenticated and third system side encrypted data to be authenticated, and the system side encrypted data to be authenticated is obtained by calculation based on system side fuzzy time, a time deviation threshold value, and a terminal unique identification code and an IC card unique identification code corresponding to the terminal side;
the system side authentication module is further used for taking the data at the first preset bits of the terminal side encrypted data to be authenticated as a terminal side identity authentication check code;
the system side authentication module is further used for taking the data at the first preset bits of the first system side encrypted data to be authenticated as a first system side identity authentication check code;
the system side authentication module is further used for taking the data at the first preset bits of the second system side encrypted data to be authenticated as a second system side identity authentication check code;
the system side authentication module is further used for taking the data at the first preset bits of the third system side encrypted data to be authenticated as a third system side identity authentication check code;
the terminal side encryption transmission module is used for obtaining terminal side encryption transmission data through encryption according to the terminal side identity authentication check code and the terminal side data to be transmitted after the system side encryption data to be authenticated and the terminal encryption data to be authenticated are compared, and sending the terminal side encryption transmission data to the system side based on a block cipher algorithm;
and the system side encryption transmission module is used for encrypting to obtain system side encryption transmission data and sending the system side encryption transmission data to the terminal side according to the system side data to be transmitted and the second system side identity authentication check code or the third system side identity authentication check code corresponding to the terminal side identity authentication check code after the system side encryption data to be authenticated and the terminal side data to be authenticated are compared.
6. The resource constrained scenario based data communication apparatus of claim 5, wherein:
the terminal side authentication module is further used for rounding the current time up to obtain the terminal side fuzzy time;
the terminal side authentication module is further used for concatenating the terminal side fuzzy time with the terminal unique identification code and the IC card unique identification code corresponding to the terminal side to obtain the terminal side data to be authenticated;
the terminal side authentication module is further used for generating the terminal side encrypted data to be authenticated by combining a preset encryption algorithm based on the data to be authenticated on the terminal side.
7. The resource constrained scenario based data communication apparatus of claim 5, wherein:
the system side authentication module is further used for rounding the current time up to obtain a first system time;
the system side authentication module is further used for calculating and obtaining a second system time and a third system time based on the time deviation threshold;
the system side authentication module is further used for obtaining the first time of the system, the second time of the system, the third time of the system, the terminal unique identification code and the IC card unique identification code corresponding to the terminal side, and calculating to obtain the first system side encrypted data to be authenticated, the second system side encrypted data to be authenticated and the third system side encrypted data to be authenticated.
CN202111441231.2A 2021-11-30 2021-11-30 Data communication method and device based on resource-limited scene Active CN113852471B (en)

Publications (2)

Publication Number | Publication Date
CN113852471A | 2021-12-28
CN113852471B | 2022-04-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant