CN114095156A - Data protection method for rail transit mobile terminal - Google Patents

Data protection method for rail transit mobile terminal Download PDF

Info

Publication number
CN114095156A
CN114095156A CN202111244907.9A CN202111244907A CN114095156A CN 114095156 A CN114095156 A CN 114095156A CN 202111244907 A CN202111244907 A CN 202111244907A CN 114095156 A CN114095156 A CN 114095156A
Authority
CN
China
Prior art keywords
data
key
mobile terminal
encryption
terminal equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111244907.9A
Other languages
Chinese (zh)
Other versions
CN114095156B (en
Inventor
黄辉
王美茜
韩熠
华晟
周学兵
苏阿峰
马钰昕
刘螺辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Casco Signal Cherngdu Ltd
Original Assignee
Casco Signal Cherngdu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Casco Signal Cherngdu Ltd filed Critical Casco Signal Cherngdu Ltd
Priority to CN202111244907.9A priority Critical patent/CN114095156B/en
Publication of CN114095156A publication Critical patent/CN114095156A/en
Application granted granted Critical
Publication of CN114095156B publication Critical patent/CN114095156B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a data protection method for a rail transit mobile terminal, which relates to the technical field of rail transit data protection, and comprises a server end operation step, a mobile end initialization step and a mobile end operation step, wherein the method is designed by optimizing encryption and decryption processes in the mobile application data storage and transmission process and simultaneously adopting a one-machine one-secret mechanism when data of a plurality of mobile terminals are returned to a server end, namely, one mobile terminal uses a pair of mobile terminal public and private keys and a public key of the server end, so that the difficulty of obtaining and cracking the secret key is greatly improved, and rail transit mobile application data are stored and returned by selecting a domestic encryption algorithm, and the safety of the mobile application data is ensured.

Description

Data protection method for rail transit mobile terminal
Technical Field
The invention relates to the technical field of rail transit data protection, in particular to a rail transit mobile terminal data protection method.
Background
Along with the development of urban intelligent subways, mobile technology in rail transit is also more and more widely applied, for example, mobile terminal devices used in intelligent operation and maintenance and intelligent operation and maintenance APP application programs developed on the mobile terminal devices are used, and the mobile terminal devices are connected with the internet to exchange data in real time.
In an intelligent operation and maintenance APP application program, data on mobile terminal equipment needs to be stored safely, meanwhile, the data needs to be transmitted back to a background server side for data analysis, and the data storage of the mobile application adopts an encryption mode which is the safest method.
In other words, under the use environment of the mobile terminal device, the data of the intelligent operation and maintenance APP application program is stored in the clear text, and the mobile terminal device and the server interact with each other through a public or wireless network. Therefore, in consideration of security, a typical technical solution in the prior art is to employ an encryption technology to encrypt and store data, and transmit back a copy of the encrypted data and a password to a server for storage, that is, a software encryption and decryption module is developed in a mobile terminal device, and the encryption and decryption module is used to encrypt and transmit back the data, however, rail transit operation data is easily stolen or tampered by an attacker during transmission in a public network with a high network security risk, and once the data is hijacked and tampered, important operation data of a rail transit operation system is leaked, and further operation security of the rail transit system is affected.
Therefore, when the mobile terminal device is used for rail transit data transmission in the public network, the encryption technology with good anti-hijack and anti-deciphering needs to be ensured.
Disclosure of Invention
The invention aims to solve the problem of insufficient security in the data transmission process of the existing mobile terminal equipment in a public network, and provides a data protection method which aims at optimizing encryption and decryption processes in the mobile application data storage and transmission process and simultaneously adopting a one-machine one-secret mechanism when returning data of a plurality of mobile terminals to a server, namely, one mobile terminal uses a pair of public and private keys of the mobile terminal and a public key of the server, thereby greatly improving the difficulty of obtaining and cracking the secret key, and storing and returning the rail transit mobile application data through selecting a domestic encryption algorithm to ensure the security of the mobile application data.
The purpose of the invention is realized by the following technical scheme:
a data protection method for a rail transit mobile terminal comprises the following steps:
and a server side runs, runs a server side program of the intelligent operation and maintenance APP application program, collects various rail transit operation data, calls an encryption platform to generate a random symmetric key, encrypts the rail transit operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and the symmetric key, stores the encrypted rail transit operation data in a local database, calculates an abstract of a client side program of the intelligent operation and maintenance APP application program by using SM3 in the domestic encryption algorithm and stores the abstract, and then releases the client side program to the mobile terminal equipment.
In the operation step of the server side, an encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation process to generate the random symmetric key.
A mobile terminal initialization step, wherein a client program issued in the server end operation step is operated in mobile terminal equipment, the mobile terminal equipment randomly generates a pair of symmetric keys and uploads the symmetric keys to the server end in an mk encryption mode, the server end correspondingly generates another group of public and private key pairs and sends the public keys to the mobile terminal equipment as public keys of subsequent digital envelopes, one-machine and one-secret key initialization is completed, then the client program is subjected to legal version verification, and the legal version verification is performed to complete mutual trust authentication between the mobile terminal equipment and the server end so as to prevent twice-packaged emulational APP from stealing data;
more specifically, in the mobile terminal initialization step, a secret key initialization is completed, and specifically, the method includes the following steps:
step 1, in the initialization process of running a client program, mobile terminal equipment creates an MSK library, generates a master key Mk and encrypts the master key Mk by using an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores private keys of the asymmetric keys in a secure storage area, and uploads a public key PK _ APP of the asymmetric keys, the main key Mk encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by the encryption platform, decrypts the master key Mk, converts the master key Mk into a master key Lmk of the server side, encrypts the master key and stores the master key Mk into the encryption platform, and the server side calls the encryption platform to store the public key PK _ APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key Mk and sends the encrypted symmetric keys to the server;
step 5, the server side calls an encryption platform to guide the symmetric key in the step 4 into the encryption platform to be stored;
step 6, the server side calls an encryption platform to generate another group of public and private key pairs, and a public key PK _ ESSC in the public key pair is encrypted by using the public key PK _ APP and then returned to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain and store the public key PK _ ESSC, and the public key is used as the public key of a subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, importing the seeds by the mobile terminal equipment to finish one secret per machine of the mobile terminal.
In this process, PK _ APP is randomly generated and unique by mobile terminals, each using a different PK _ APP, and PK _ ESSC is also generated for ID information of mobile terminals, each using a different PK _ ESSC. The process thus completes a one-secret key initialization.
Preferably, in the mobile terminal initializing step, the copyright verification of the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal version verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and 2, the server side calls the encryption platform signature to pass through, and then the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, in which a client program operated in the mobile terminal equipment requests the server terminal for the rail transit operation data, and the server terminal generates an SM2 public and private KEY pair and a random KEY SESSION _ KEY of an SM4 algorithm after calling the corresponding rail transit operation data in a local database thereof, encrypts the data, sends the encrypted data to the client program operated in the mobile terminal equipment, and displays the operation state on the mobile terminal equipment; a client program operated by the mobile terminal equipment generates new operation data, a mobile encryption module SMTP is called to generate an SM2 public and private KEY pair (a public KEY PUB _ KEY _ APP and a private KEY PRI _ KEY _ APP) and a random KEY SESSION _ KEY of an SM4 algorithm, the public KEY PUB _ KEY and the private KEY PRI _ KEY are stored in a safe storage area, then the new operation data are encrypted through the random KEY SESSION _ KEY and are transmitted back to a server, and the server classifies the new operation data and establishes a table for encrypted storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data, and an operation log.
More specifically, in the mobile terminal operation step, after receiving the encrypted rail transit operation data from the server, the mobile terminal device performs integrity check by using a domestic encryption algorithm, performs random key decryption by using an asymmetric encryption algorithm SM2 to obtain a random key, and performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server classifies the new operation data and establishes a table for encrypted storage, and specifically includes the following steps:
a table building step, namely building and storing a table, wherein the table comprises an encrypted column name and a non-encrypted column name;
data definition, namely classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, defining data belonging to secret information to an encrypted column name, and defining data belonging to common information to a non-encrypted column name;
a data ID creating step, wherein a corresponding data ID is created for each item of data belonging to secret information or common information and is stored in the data, each data ID is randomly generated and is different from each other, and each data ID is associated with a corresponding encrypted column name or a corresponding unencrypted column name;
a data encryption step, namely screening a data ID corresponding to the encrypted column name from the table, calling an encryption platform to encrypt the confidential information corresponding to the data ID by identifying the data ID in the data and generating encrypted data;
and a data storage step, namely, according to the classification definition of the new operation data by the data definition step station, using the service data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, and using the user information as common information, and carrying out abstract calculation storage by using a national secret SM3 algorithm.
Compared with the prior art, the scheme has the following technical advantages:
the invention adopts a domestic encryption algorithm to safely store data at the mobile terminal and the server end which are provided with the special APP for the rail transit operation, calculates the abstract by using SM3 based on the domestic cryptographic algorithm and completes the legal version verification of the APP when the APP of the mobile terminal is initialized, and can realize the purposes of resisting replay attack and resisting unauthorized user access.
After authentication is completed between a mobile terminal provided with a special APP for rail transit operation and a service end of a rail transit operation system, the mobile terminal randomly generates a pair of random public and private keys (private keys are placed in a safe storage area) belonging to the mobile end, and further obtains a random and independent public key belonging to the mobile end from the service end in a safe mode, so that the purpose that one mobile terminal uses a pair of public and private keys of the mobile end and the public key of the service end is achieved, and the key characteristic of one machine and one secret is formed. The secret key with one secret can effectively protect the confidentiality of the operation data of the rail transit system, and even if an attacker obtains a certain secret key, the risk of operation data leakage can be effectively reduced because the secret key is randomly generated and only belongs to one mobile terminal. Because the message digest field used for integrity check is filled in the encrypted data message before the encrypted data message is sent, the attack of malicious tampering of the operation data can be effectively resisted.
The rail transit mobile application can complete APP application data encryption storage and safe communication and data transmission of a server side through a mobile safety terminal, and the method is based on a domestic cryptographic algorithm, overcomes the defects of an international standard encryption algorithm and realizes autonomous control; the home-made password is used for realizing the mobile APP copyright authentication, preventing the attacker from replaying and ensuring the reliable communication; in the data transmission process, one secret is used, and random symmetric keys are used for encrypting data in each transmission, so that the confidentiality of the transmitted data is ensured; and integrity check is carried out after data is received, so that the data is prevented from being tampered midway, and the data transmission integrity is ensured.
Drawings
The foregoing and following detailed description of the invention will be apparent when read in conjunction with the following drawings, in which:
FIG. 1 is a schematic view of the overall technical solution of the present invention;
fig. 2 is a schematic diagram of a mobile device and a server according to the present invention;
FIG. 3 is a logic diagram of "one secret at a time" in the present invention.
Detailed Description
The technical solutions for achieving the objects of the present invention are further illustrated by the following specific examples, and it should be noted that the technical solutions claimed in the present invention include, but are not limited to, the following examples.
Example 1
As a specific implementation scheme of the present invention, this embodiment provides a data protection method for a rail transit mobile terminal, including a server side operation step, a mobile side initialization step, and a mobile side operation step.
Specifically, as shown in fig. 1 and 2, the server side operates to operate a server side program of the intelligent operation and maintenance APP application program, collect various rail transit operation data, call an encryption platform to generate a random symmetric key, encrypt the rail transit operation data by using a symmetric key and using an SM4 symmetric algorithm in a domestic encryption algorithm, and store the encrypted rail transit operation data in a local database, and at the same time, the server side calculates an abstract of a client side program of the intelligent operation and maintenance APP application program by using an SM3 in the domestic encryption algorithm and stores the abstract by the server side, and then the server side issues the client side program to the mobile terminal device.
The mobile terminal initializes, the client program issued in the server operation is operated in the mobile terminal device, as shown in fig. 3, the mobile terminal device randomly generates a pair of symmetric keys and uploads the symmetric keys to the server by mk encryption, the server correspondingly generates another group of public and private key pairs and sends the public keys to the mobile terminal device as the public keys of subsequent digital envelopes, one-secret key initialization is completed, then the client program is subjected to legal version verification, and the legal version verification is performed to complete mutual trust authentication between the mobile terminal device and the server so as to prevent twice-packaged emulational APP from stealing data;
the mobile terminal operation step, requesting the rail transit operation data from the server terminal through a client program operated by the mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION _ KEY of an SM4 algorithm after the server terminal calls the corresponding rail transit operation data in a local database thereof, encrypting the data, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying the operation state on the mobile terminal equipment; a client program operated by the mobile terminal equipment generates new operation data, a mobile encryption module SMTP is called to generate an SM2 public and private KEY pair (a public KEY PUB _ KEY _ APP and a private KEY PRI _ KEY _ APP) and a random KEY SESSION _ KEY of an SM4 algorithm, the public KEY PUB _ KEY and the private KEY PRI _ KEY are stored in a safe storage area, then the new operation data are encrypted through the random KEY SESSION _ KEY and are transmitted back to a server, and the server classifies the new operation data and establishes a table for encrypted storage;
in the technical scheme of the embodiment, a domestic encryption algorithm is adopted for safely storing data at a mobile terminal and a server side which are provided with special APP for rail transit operation, when the APP of the mobile terminal is initialized, the SM3 based on the domestic cryptographic algorithm is used for calculating the abstract and completing the legal version verification of the APP, and the purposes of resisting replay attack and resisting unauthorized user access can be achieved. After authentication is completed between a mobile terminal provided with a special APP for rail transit operation and a service end of a rail transit operation system, the mobile terminal randomly generates a pair of random public and private keys (private keys are placed in a safe storage area) belonging to the mobile end, and further obtains a random and independent public key belonging to the mobile end from the service end in a safe mode, so that the purpose that one mobile terminal uses a pair of public and private keys of the mobile end and the public key of the service end is achieved, and the key characteristic of one machine and one secret is formed. The secret key with one secret can effectively protect the confidentiality of the operation data of the rail transit system, and even if an attacker obtains a certain secret key, the risk of operation data leakage can be effectively reduced because the secret key is randomly generated and only belongs to one mobile terminal. Because the message digest field used for integrity check is filled in the encrypted data message before the encrypted data message is sent, the attack of malicious tampering of the operation data can be effectively resisted.
Example 2
As a specific implementation of the present invention, this embodiment provides a method for protecting data of a rail transit mobile terminal, as shown in fig. 1 and 2, including the following steps:
and a server side operation step, namely, operating an application APP program at the server side, collecting various rail transit operation data, calling an encryption platform to generate a random symmetric key, encrypting the rail transit operation data by using a symmetric key and using an SM4 symmetric algorithm in a domestic encryption algorithm, and then storing the rail transit operation data in a local database, meanwhile, calculating the abstract of the application APP program by using SM3 in the domestic encryption algorithm and storing the abstract by the server side, and then issuing the operated application APP program to the mobile terminal equipment by the server side.
In the operation step of the server side, an encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation process to generate the random symmetric key.
A mobile terminal initialization step, wherein a client program issued in the server end operation step is operated in mobile terminal equipment, the mobile terminal equipment randomly generates a pair of symmetric keys and uploads the symmetric keys to the server end in an mk encryption mode, the server end correspondingly generates another group of public and private key pairs and sends the public keys to the mobile terminal equipment as public keys of subsequent digital envelopes, one-machine and one-secret key initialization is completed, then the client program is subjected to legal version verification, and the legal version verification is performed to complete mutual trust authentication between the mobile terminal equipment and the server end so as to prevent twice-packaged emulational APP from stealing data;
more specifically, in the mobile terminal initialization step, a secret key initialization is completed, and specifically, as shown in fig. 3, the method includes the following steps:
step 1, in the initialization process of running a client program, mobile terminal equipment creates an MSK library, generates a master key Mk and encrypts the master key Mk by using an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores private keys of the asymmetric keys in a secure storage area, and uploads a public key PK _ APP of the asymmetric keys, the main key Mk encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by the encryption platform, decrypts the master key Mk, converts the master key Mk into a master key Lmk of the server side, encrypts the master key and stores the master key Mk into the encryption platform, and the server side calls the encryption platform to store the public key PK _ APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key Mk and sends the encrypted symmetric keys to the server;
step 5, the server side calls an encryption platform to guide the symmetric key in the step 4 into the encryption platform to be stored;
step 6, the server side calls an encryption platform to generate another group of public and private key pairs, and a public key PK _ ESSC in the public key pair is encrypted by using the public key PK _ APP and then returned to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain and store the public key PK _ ESSC, and the public key is used as the public key of a subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, importing the seeds by the mobile terminal equipment to finish one secret per machine of the mobile terminal.
In this process, PK _ APP is randomly generated and unique by mobile terminals, each using a different PK _ APP, and PK _ ESSC is also generated for ID information of mobile terminals, each using a different PK _ ESSC. The process thus completes a one-secret key initialization.
Preferably, in the mobile terminal initializing step, the copyright verification of the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal version verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and 2, the server side calls the encryption platform signature to pass through, and then the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, in which a client program operated in the mobile terminal equipment requests the server terminal for the rail transit operation data, and the server terminal generates an SM2 public and private KEY pair and a random KEY SESSION _ KEY of an SM4 algorithm after calling the corresponding rail transit operation data in a local database thereof, encrypts the data, sends the encrypted data to the client program operated in the mobile terminal equipment, and displays the operation state on the mobile terminal equipment; a client program operated by the mobile terminal equipment generates new operation data, a mobile encryption module SMTP is called to generate an SM2 public and private KEY pair (a public KEY PUB _ KEY _ APP and a private KEY PRI _ KEY _ APP) and a random KEY SESSION _ KEY of an SM4 algorithm, the public KEY PUB _ KEY and the private KEY PRI _ KEY are stored in a safe storage area, then the new operation data are encrypted through the random KEY SESSION _ KEY and are transmitted back to a server, and the server classifies the new operation data and establishes a table for encrypted storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data, and an operation log.
More specifically, in the mobile terminal operation step, after receiving the encrypted rail transit operation data from the server, the mobile terminal device performs integrity check by using a domestic encryption algorithm, performs random key decryption by using an asymmetric encryption algorithm SM2 to obtain a random key, and performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server classifies the new operation data and establishes a table for encrypted storage, and specifically includes the following steps:
a table building step, namely building and storing a table, wherein the table comprises an encrypted column name and a non-encrypted column name;
data definition, namely classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, defining data belonging to secret information to an encrypted column name, and defining data belonging to common information to a non-encrypted column name;
a data ID creating step, wherein a corresponding data ID is created for each item of data belonging to secret information or common information and is stored in the data, each data ID is randomly generated and is different from each other, and each data ID is associated with a corresponding encrypted column name or a corresponding unencrypted column name;
a data encryption step, namely screening a data ID corresponding to the encrypted column name from the table, calling an encryption platform to encrypt the confidential information corresponding to the data ID by identifying the data ID in the data and generating encrypted data;
and a data storage step, namely, according to the classification definition of the new operation data by the data definition step station, using the service data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, and using the user information as common information, and carrying out abstract calculation storage by using a national secret SM3 algorithm.

Claims (7)

1. A data protection method for a rail transit mobile terminal is characterized by comprising the following steps:
the method comprises the steps that a server side runs a server side program of an intelligent operation and maintenance APP application program, collects various rail transit operation data, calls an encryption platform to generate a random symmetric key, encrypts the rail transit operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and then stores the encrypted rail transit operation data in a local database, and meanwhile, the server side calculates an abstract of a client side program of the intelligent operation and maintenance APP application program by using SM3 in the domestic encryption algorithm and stores the abstract, and then the server side issues the client side program to mobile terminal equipment;
a mobile terminal initialization step, wherein the client program issued in the server operation step is operated in the mobile terminal equipment, the mobile terminal equipment randomly generates a pair of symmetric keys and uploads the symmetric keys to the server end in mk encryption, the server end correspondingly generates another group of public and private key pairs and sends the public keys to the mobile terminal equipment as public keys of a subsequent digital envelope, one-machine-one-secret key initialization is completed, and then the client program is subjected to legal version verification;
a mobile terminal operation step, in which a client program operated in the mobile terminal equipment requests the server terminal for the rail transit operation data, and the server terminal generates an SM2 public and private KEY pair and a random KEY SESSION _ KEY of an SM4 algorithm after calling the corresponding rail transit operation data in a local database thereof, encrypts the data, sends the encrypted data to the client program operated in the mobile terminal equipment, and displays the operation state on the mobile terminal equipment; the method comprises the steps that a client program operated by the mobile terminal equipment generates new operation data, a mobile encryption module SMTP is called to generate an SM2 public and private KEY pair (a public KEY PUB _ KEY _ APP and a private KEY PRI _ KEY _ APP) and a random KEY SESSION _ KEY of an SM4 algorithm and store the generated KEY SESSION _ KEY in a safe storage area, then the new operation data are encrypted through the random KEY SESSION _ KEY and are transmitted back to a server, and the server classifies the new operation data and establishes a table for encrypted storage.
2. The method for protecting data of the rail transit mobile terminal as claimed in claim 1, wherein: and calling an encryption platform to generate a random symmetric key, specifically, calling an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm by the intelligent operation and maintenance APP application program, and executing a random session key negotiation process to generate the random symmetric key.
3. The method for protecting data of a rail transit mobile terminal according to claim 1, wherein in the mobile terminal initialization step, a secret key initialization is completed, and specifically, the method comprises the following steps:
step 1, in the initialization process of running a client program, mobile terminal equipment creates an MSK library, generates a master key Mk and encrypts the master key Mk by using an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores private keys of the asymmetric keys in a secure storage area, and uploads a public key PK _ APP of the asymmetric keys, the main key Mk encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by the encryption platform, decrypts the master key Mk, converts the master key Mk into a master key Lmk of the server side, encrypts the master key and stores the master key Mk into the encryption platform, and the server side calls the encryption platform to store the public key PK _ APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key Mk and sends the encrypted symmetric keys to the server;
step 5, the server side calls an encryption platform to guide the symmetric key in the step 4 into the encryption platform to be stored;
step 6, the server side calls an encryption platform to generate another group of public and private key pairs, and a public key PK _ ESSC in the public key pair is encrypted by using the public key PK _ APP and then returned to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain and store the public key PK _ ESSC, and the public key is used as the public key of a subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, importing the seeds by the mobile terminal equipment to finish one secret per machine of the mobile terminal.
4. The method for protecting data of a rail transit mobile terminal according to claim 1, wherein in the mobile terminal initialization step, the client program is subjected to copyright verification, and the method comprises the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal version verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and 2, the server side calls the encryption platform signature to pass through, and then the user of the mobile terminal equipment can see the interactive interface.
5. The method for protecting data of the rail transit mobile terminal as claimed in claim 1, wherein: in the mobile terminal operation step, the new operation data includes user registration information, service data and an operation log.
6. The method for protecting data of the rail transit mobile terminal as claimed in claim 1, wherein: in the operation step of the mobile terminal, after receiving the encrypted rail transit operation data of the server, the mobile terminal device performs integrity check by using a domestic encryption algorithm, performs random key decryption by using an asymmetric encryption algorithm SM2 to obtain a random key, and performs data decryption on the rail transit operation data by using the random key.
7. The method for protecting track traffic mobile terminal data according to claim 1, wherein in the mobile terminal operation step, the server classifies new operation data and establishes a table for encrypted storage, specifically comprising the following steps:
a table building step, namely building and storing a table, wherein the table comprises an encrypted column name and a non-encrypted column name;
data definition, namely classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, defining data belonging to secret information to an encrypted column name, and defining data belonging to common information to a non-encrypted column name;
a data ID creating step, wherein a corresponding data ID is created for each item of data belonging to secret information or common information and is stored in the data, each data ID is randomly generated and is different from each other, and each data ID is associated with a corresponding encrypted column name or a corresponding unencrypted column name;
a data encryption step, namely screening a data ID corresponding to the encrypted column name from the table, calling an encryption platform to encrypt the confidential information corresponding to the data ID by identifying the data ID in the data and generating encrypted data;
and a data storage step, namely, according to the classification definition of the new operation data by the data definition step station, using the service data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, and using the user information as common information, and carrying out abstract calculation storage by using a national secret SM3 algorithm.
CN202111244907.9A 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal Active CN114095156B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111244907.9A CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111244907.9A CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Publications (2)

Publication Number Publication Date
CN114095156A true CN114095156A (en) 2022-02-25
CN114095156B CN114095156B (en) 2023-05-12

Family

ID=80297625

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111244907.9A Active CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Country Status (1)

Country Link
CN (1) CN114095156B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170338964A1 (en) * 2015-01-22 2017-11-23 Visa International Service Association Method and system for establishing a secure communication tunnel
WO2018074750A1 (en) * 2016-10-18 2018-04-26 주식회사 유니온플레이스 Train information managing device
CN109688585A (en) * 2018-12-28 2019-04-26 卡斯柯信号有限公司 Vehicle-ground wireless communication encryption method and device applied to train monitoring system
CN112020038A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic encryption terminal suitable for rail transit mobile application
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN112565285A (en) * 2020-12-16 2021-03-26 卡斯柯信号(成都)有限公司 Communication encryption method suitable for rail transit

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170338964A1 (en) * 2015-01-22 2017-11-23 Visa International Service Association Method and system for establishing a secure communication tunnel
WO2018074750A1 (en) * 2016-10-18 2018-04-26 주식회사 유니온플레이스 Train information managing device
CN109688585A (en) * 2018-12-28 2019-04-26 卡斯柯信号有限公司 Vehicle-ground wireless communication encryption method and device applied to train monitoring system
CN112020038A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic encryption terminal suitable for rail transit mobile application
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN112565285A (en) * 2020-12-16 2021-03-26 卡斯柯信号(成都)有限公司 Communication encryption method suitable for rail transit

Also Published As

Publication number Publication date
CN114095156B (en) 2023-05-12

Similar Documents

Publication Publication Date Title
CN104796265B (en) A kind of Internet of Things identity identifying method based on Bluetooth communication access
CN102024123B (en) Method and device for importing mirror image of virtual machine in cloud calculation
CN106973056A (en) The safety chip and its encryption method of a kind of object-oriented
CN102986161B (en) For carrying out the method and system of cryptoguard to application
CN110519046A (en) Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN112020038A (en) Domestic encryption terminal suitable for rail transit mobile application
CN106411926A (en) Data encryption communication method and system
CN101695038A (en) Method and device for detecting SSL enciphered data safety
CN108323230B (en) Method for transmitting key, receiving terminal and distributing terminal
CN108809936B (en) Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof
CN107465665A (en) A kind of file encryption-decryption method based on fingerprint identification technology
JPH07325785A (en) Network user identifying method, ciphering communication method, application client and server
CN101582896A (en) Third-party network authentication system and authentication method thereof
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
US20120284787A1 (en) Personal Secured Access Devices
JP3348753B2 (en) Encryption key distribution system and method
CN111224958A (en) Data transmission method and system
CN105657699A (en) Safe data transmission method
CN112865965B (en) Train service data processing method and system based on quantum key
CN110519222A (en) Outer net access identity authentication method and system based on disposable asymmetric key pair and key card
CN112020037A (en) Domestic communication encryption method suitable for rail transit
CN116743470A (en) Service data encryption processing method and device
CN101539978B (en) Software protection method based on space
CN114095156B (en) Data protection method for rail transit mobile terminal
CN114173303A (en) Train-ground session key generation method and system for CTCS-3 level train control system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant