CN114240428A - Data transmission method and device, data transaction terminal and data supplier - Google Patents
Data transmission method and device, data transaction terminal and data supplier Download PDFInfo
- Publication number
- CN114240428A CN114240428A CN202111392253.4A CN202111392253A CN114240428A CN 114240428 A CN114240428 A CN 114240428A CN 202111392253 A CN202111392253 A CN 202111392253A CN 114240428 A CN114240428 A CN 114240428A
- Authority
- CN
- China
- Prior art keywords
- data
- trusted
- public key
- ciphertext
- digital signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3827—Use of message hashing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Computer Security & Cryptography (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
A data transmission method and device, a data transaction terminal, a data supplier and a data demander are provided, wherein the method comprises the steps of receiving first ciphertext data and first digital signature data from the data supplier, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; verifying the first digital signature data; if the verification is passed, decrypting the first ciphertext data; verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key; a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor. The invention can provide a safe, controllable and credible computing environment for computing or modeling analysis, and effectively improves the security of data transmission.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a data transmission method and device, a data transaction terminal, a data supplier and a data demander.
Background
In the big data era, data is increasingly becoming an asset which can be traded, and a data demander obtains required result data by calculating or modeling and analyzing original data by purchasing data use rights of a data supplier. In order to protect the benefits of both parties of data transaction to the maximum extent, a trusted computing environment needs to be provided for the data demander to compute or model the data, and the trusted computing environment is a totally enclosed operating area, so that the data demander can safely and controllably process the data in the environment, and the data is protected from being leaked or tampered. Furthermore, it is also essential to ensure that the raw data and the result data are securely transmitted between the data supplier and the data demander.
In the prior art, data transmission between mobile terminals is generally performed in a point-to-point manner, that is, data is directly transmitted from a first terminal to a second terminal. For example, in data transaction, the terminal of the data supplier directly transmits the original data to the terminal of the data demander, and the data demander performs modeling analysis on a platform of the data demander after acquiring the original data to obtain result data, so that the use purpose is achieved. However, since the limitation of the data demander in this manner cannot be effectively reached, the data demander cannot be prevented from intentionally or unintentionally leaking, unauthorized processing, and using data, and controllability is low. In addition, the simple and direct data transmission mode lacks security, because original data provided by a data supplier and result data obtained after calculation or modeling by a data demander are easily leaked, stolen, tampered and the like in the transmission process, so that benefits of both parties of a data transaction are damaged.
Therefore, a data transmission method is needed to provide a safe, controllable and credible computing environment for data calculation or modeling analysis by a data demander, and effectively improve the security of data transmission.
Disclosure of Invention
One of the objectives of the present invention is to provide a data transmission method and apparatus, a data transaction terminal, a data supplier, and a data demander, which can provide a safe, controllable, and credible computing environment for data calculation or modeling analysis, and effectively ensure the security of data transmission.
In order to achieve the above object, an embodiment of the present invention provides a data transmission method, including the following steps: receiving first ciphertext data and first digital signature data from a data supplier, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; verifying the first digital signature data; if the verification is passed, decrypting the first ciphertext data; verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key; a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor.
Optionally, the first ciphertext data is obtained by encrypting original data by using the trusted public key; the first digital signature data is obtained by firstly encrypting the first ciphertext data by using a first private key to obtain first initial encrypted data and secondly encrypting the first initial encrypted data by using the trusted public key; wherein the first private key is generated by the data supplier.
Optionally, the verifying the first digital signature data according to at least a trusted private key includes: performing hash operation on the first ciphertext data by using a hash algorithm SM3 to obtain a first hash value; firstly, decrypting the first digital signature data by adopting a first public key to obtain first initial decrypted data, and then decrypting the first initial decrypted data for the second time by adopting the credible private key to obtain first decrypted data; comparing whether the first hash value is identical to the first decrypted data or not; if the two are identical, the verification is passed; wherein the first public key is generated by the data supplier.
Optionally, the decrypting the first digital signature data by using the first public key to obtain first initial decrypted data, and then performing secondary decryption on the first initial decrypted data by using the trusted private key to obtain first decrypted data includes: firstly, decrypting the first digital signature data by using the first public key and an asymmetric encryption algorithm SM2 to obtain first initial decrypted data; and then decrypting the first initial decrypted data by using the trusted private key and an asymmetric encryption algorithm SM2 to obtain the first decrypted data.
Optionally, before decrypting the first digital signature data with the first public key, the method further includes: receiving the first public key from the data supplier.
Optionally, the decrypting the first ciphertext data according to at least the trusted private key includes: and decrypting the first ciphertext data by using the trusted private key and an asymmetric encryption algorithm SM2.
Optionally, after decrypting the first ciphertext data, the method further includes: sending second ciphertext data and second digital signature data to a data demander, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key; wherein the second public key is generated by the data demander.
Optionally, before sending the second ciphertext data and the second digital signature data to the data demander, the method further includes: encrypting result data by using the second public key to obtain second ciphertext data, wherein the result data is generated after processing the unfortunately decrypted data in a trusted computing environment, and the trusted decrypted data is data obtained by decrypting the first ciphertext data; and encrypting the second ciphertext data by using the trusted private key to obtain second initial encrypted data, and then encrypting the second initial encrypted data by using the second public key to obtain the second digital signature data.
Optionally, before encrypting the result data by using the second public key to obtain the second ciphertext data, the method further includes: receiving the second public key from the data demander.
Optionally, encrypting the result data by using the second public key to obtain the second ciphertext data includes: and encrypting the result data by adopting the second public key and an asymmetric encryption algorithm SM2.
Optionally, the encrypting the second ciphertext data by using the trusted private key to obtain second initial encrypted data, and then performing secondary encryption on the second initial encrypted data by using the second public key to obtain the second digital signature data includes: firstly, encrypting the second ciphertext data by adopting a Hash algorithm SM3, the trusted private key and an asymmetric encryption algorithm SM2 to obtain a second initial ciphertext; and encrypting the second initial ciphertext by using the second public key and an asymmetric encryption algorithm SM2 to obtain the second digital signature data.
In order to achieve the above object, an embodiment of the present invention provides a data transmission method, including the following steps: sending first ciphertext data and first digital signature data to the data transaction terminal, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; wherein the trusted public key is received from a data transaction terminal, a trusted public-private key pair comprising the trusted public key being generated by the data transaction terminal within a trusted computing environment.
Optionally, before sending the first ciphertext data and the first digital signature data to the data transaction terminal, the method further includes: encrypting original data by adopting the trusted public key to obtain the first ciphertext data; firstly, a first private key is adopted to encrypt the first ciphertext data to obtain first initial encrypted data, and then the trusted public key is adopted to encrypt the first initial encrypted data for the second time to obtain first digital signature data; wherein the first private key is generated by a data supplier.
Optionally, the encrypting the original data by using the trusted public key includes: and encrypting the original data by adopting the trusted public key and an asymmetric encryption algorithm SM2.
Optionally, the encrypting the first ciphertext data by using the first private key to obtain first initial encrypted data, and then performing secondary encryption on the first initial encrypted data by using the trusted public key to obtain the first digital signature data includes: firstly, encrypting the first ciphertext data by adopting a Hash algorithm SM3, the first private key and an asymmetric encryption algorithm SM2 to obtain a first initial ciphertext; and secondly, performing secondary encryption on the first initial ciphertext by using the trusted public key and an asymmetric encryption algorithm SM2 to obtain the first digital signature data.
Optionally, the data transmission method further includes: generating a first public-private key pair comprising a first public key and the first private key; and sending the first public key to the data transaction terminal.
In order to achieve the above object, an embodiment of the present invention provides a data transmission method, including the following steps: receiving second ciphertext data and second digital signature data from the data transaction terminal, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key; verifying the second digital signature data; if the verification is passed, decrypting the second ciphertext data; and verifying the second digital signature data and decrypting the second ciphertext data at least according to a second private key.
Optionally, before receiving the second ciphertext data and the second digital signature data from the data transaction terminal, the method further includes: and generating a second public-private key pair comprising the second public key and the second private key, and sending the second public key to the data transaction terminal.
Optionally, verifying the second digital signature data according to at least the second private key includes: performing hash operation on the second ciphertext data by using a hash algorithm SM3 to obtain a second hash value; decrypting the second digital signature data by adopting a trusted public key to obtain second initial decrypted data, and then performing secondary decryption on the second initial decrypted data by adopting a second private key to obtain second decrypted data; comparing whether the second hash value is identical to the second decrypted data or not; if the two are identical, the verification is passed; wherein a trusted public-private key pair comprising the trusted public key is generated by the data transaction terminal within a trusted computing environment.
Optionally, the decrypting the second digital signature data by using the trusted public key first to obtain second initial decrypted data, and then performing secondary decryption on the second initial decrypted data by using the second private key to obtain second decrypted data includes: firstly, the trusted public key and an asymmetric encryption algorithm SM2 are adopted to decrypt the second digital signature data to obtain second initial decrypted data; and then decrypting the second initial decrypted data by using the second private key and an asymmetric encryption algorithm SM2 to obtain the second decrypted data.
Optionally, before decrypting the second digital signature data by using the trusted public key and the asymmetric cryptographic algorithm SM2, the method further includes: receiving the trusted public key from the data transaction terminal.
Optionally, the decrypting the second ciphertext data according to at least the second private key includes: and decrypting the second ciphertext data by using the second private key and an asymmetric encryption algorithm SM2.
An embodiment of the present invention further provides a data transmission device, including: the device comprises a first data receiving module, a first data processing module and a second data processing module, wherein the first data receiving module is used for receiving first ciphertext data and first digital signature data from a data supplier, and the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; the first verification module is used for verifying the first digital signature data; the first decryption module is used for decrypting the first ciphertext data when the verification is passed, wherein the first digital signature data is verified and the first ciphertext data is decrypted at least according to a trusted private key, a trusted public and private key pair including the trusted public key is generated in a trusted computing environment by a data transaction terminal, and then the trusted public key is sent to the data supplier; and the trusted public and private key pair generation module is used for generating a trusted public and private key pair in a trusted computing environment by the data transaction terminal and then sending the trusted public key to the data supplier.
An embodiment of the present invention further provides a data transmission device, including: a first data sending module, configured to send first ciphertext data and first digital signature data to a data transaction terminal, where the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key, where the trusted public key is received from the data transaction terminal, and a trusted public-private key pair including the trusted public key is generated by the data transaction terminal in a trusted computing environment; and the first public and private key pair generation module is used for generating a first public and private key pair by a data supplier and sending a first public key to the data transaction terminal.
An embodiment of the present invention further provides a data transmission device, including: the second data receiving module is used for receiving second ciphertext data and second digital signature data from the data transaction terminal, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key; the second verification module is used for verifying the second digital signature data; the second decryption module is used for decrypting the second ciphertext data when the verification is passed, wherein the second digital signature data is verified and the second ciphertext data is decrypted at least according to a second private key; and the second public and private key pair generation module is used for generating a second public and private key pair by a data demander and sending the second public key to the data transaction terminal.
The embodiment of the invention also provides a computer-readable storage medium, on which computer instructions are stored, and when the computer instructions are executed, the steps of the data transmission method are executed.
The embodiment of the invention also provides a data transaction terminal, which comprises a memory and a processor, wherein the memory is stored with computer instructions capable of running on the processor, and the processor executes the steps of the data transmission method when running the computer instructions.
The embodiment of the invention also provides a data supplier, which comprises a memory and a processor, wherein the memory is stored with a computer program capable of running on the processor, and the processor executes the steps of the data transmission method when running the computer program.
The embodiment of the present invention further provides a data demander, which includes a memory and a processor, where the memory stores a computer program capable of running on the processor, and the processor executes the steps of the data transmission method when running the computer program.
Compared with the prior art, the technical scheme of the embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, first ciphertext data and first digital signature data are received from a data supplier, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; verifying the first digital signature data; if the verification is passed, decrypting the first ciphertext data; verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key; a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor. Compared with the prior art that data transmission is carried out only in a simple and direct terminal-to-terminal mode, original data provided by a data supplier and result data obtained after calculation or modeling by a data demander are easily leaked, stolen, tampered and the like in the transmission process, so that the safety of data transmission cannot be guaranteed. In the data transmission process from the data supplier to the data demander, the embodiment of the invention adopts the credible public and private key pair, and can encrypt and digitally sign the original plaintext data at least according to the credible public key, and then verify and decrypt at least according to the credible private key, thereby effectively improving the security of data transmission. The embodiment of the invention provides a trusted computing environment, and the trusted computing environment is a totally enclosed operating area, so that a data demander can safely and controllably process data in the environment, and the data is guaranteed not to be leaked or tampered.
Further, before sending data to a data transaction terminal, a data supplier encrypts original data by using a trusted public key and an asymmetric encryption algorithm SM2 generated by the data transaction terminal in a trusted computing environment to obtain first ciphertext data, and encrypts the first ciphertext data by using a hash algorithm SM3, a first private key generated by the data supplier and an asymmetric encryption algorithm SM2 to obtain a first initial ciphertext; and secondly, performing secondary encryption on the first initial ciphertext by using the trusted public key and an asymmetric encryption algorithm SM2 to obtain first digital signature data. After the data transaction terminal receives the first ciphertext data and the first digital signature data, the signature is verified by using the same algorithm and a first public key generated by the data supplier and a trusted private key generated by the data transaction terminal in a trusted computing environment, and the first ciphertext data is decrypted by using the trusted private key after the verification is confirmed to be passed. The identity authentication of the data supplier can be realized, the received data is ensured to be sent by the appointed data supplier, the data is prevented from being falsified in the transmission process, the integrity of the data is guaranteed, and the safety and the reliability of data transmission are improved.
Further, the received first ciphertext data is decrypted only after the received first digital signature data passes verification, namely after the received data is confirmed to be from a specified data supplier and the received data is confirmed to be not tampered or forged in the transmission process, otherwise, if the received first digital signature data does not pass verification, the decryption step is not required to be executed, so that the operation expense can be reduced, and the integrity of the data and the authenticity and the reliability of the data source are guaranteed.
Drawings
Fig. 1 is a flowchart of a first data transmission method in an embodiment of the present invention;
FIG. 2 is a partial flow chart of a second data transmission method according to an embodiment of the present invention;
fig. 3 is a flowchart of a third data transmission method according to an embodiment of the present invention;
fig. 4 is a data flow diagram of a fourth data transmission method in an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a first data transmission apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a second data transmission apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a third data transmission apparatus according to an embodiment of the present invention.
Detailed Description
As described above, in the big data era, data is increasingly becoming an asset that can be traded, and a data demander obtains required result data by calculating or modeling and analyzing raw data by purchasing data use rights of a data supplier. In order to protect the interests of both parties of data transaction to the maximum extent, it is necessary to provide a secure and controllable trusted computing environment for the data demander to compute or model the data to ensure that the data is not leaked or tampered, and to ensure that the original data and the result data are transmitted securely between the data supplier and the data demander.
In the prior art, data transmission between mobile terminals is generally performed in a point-to-point manner, that is, data is directly transmitted from a first terminal to a second terminal. For example, in data transaction, a data supplier directly transmits original data to a data demander, and the data demander performs modeling analysis on a platform of the data demander after acquiring the original data to obtain result data, so as to achieve the use purpose.
The inventor of the invention finds that the safety of data transmission can not be guaranteed without any safe and reliable encryption technology processing, because the original data provided by a data supplier and the result data obtained after calculation or modeling by a data demander are easily leaked, stolen, tampered and the like in the transmission process, the benefits of both parties of data transaction are damaged; in addition, in the process of modeling and analyzing the raw data after the data demander obtains the raw data, if a trusted computing environment is not provided, the limitation on the data demander cannot be effectively reached, so that the data demander cannot be prevented from intentionally or unintentionally revealing, unauthorized processing and using the data, and the safety and controllability of the data are extremely low.
To solve the above problem, in an embodiment of the present invention, first ciphertext data and first digital signature data are received from a data supplier, wherein the first ciphertext data and the first digital signature data are encrypted at least according to a trusted public key; verifying the first digital signature data; if the verification is passed, decrypting the first ciphertext data; verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key; a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor. Compared with the prior art that data transmission is carried out only in a simple and direct terminal-to-terminal mode, original data provided by a data supplier and result data obtained after calculation or modeling by a data demander are easily leaked, stolen, tampered and the like in the transmission process, so that the safety of data transmission cannot be guaranteed. In the data transmission process from the data supplier to the data demander, the embodiment of the invention adopts the credible public and private key pair, and can encrypt and digitally sign the original plaintext data at least according to the credible public key, and then verify and decrypt at least according to the credible private key, thereby effectively improving the security of data transmission. The embodiment of the invention provides a trusted computing environment, and the trusted computing environment is a totally enclosed operating area, so that a data demander can safely and controllably process data in the environment, and the data is guaranteed not to be leaked or tampered.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a first data transmission method in an embodiment of the present invention. The first data transmission method may be used for a data transaction terminal, and may include steps S11 to S13:
step S11: receiving first ciphertext data and first digital signature data from a data supplier, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key;
step S12: verifying the first digital signature data;
step S13: and after the verification is determined to pass, decrypting the first ciphertext data.
Verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key; a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor.
In a specific implementation of step S11, the first ciphertext data is obtained by encrypting original data using the trusted public key; the first digital signature data is obtained by firstly encrypting the first ciphertext data by using a first private key to obtain first initial encrypted data and secondly encrypting the first initial encrypted data by using the trusted public key.
The first private key is generated by the data supplier, and corresponds to the first public key generated by the data supplier, wherein the first private key is kept by the data supplier in a secret way, and the first public key is disclosed to the outside and is sent to the data transaction terminal.
The trusted public key is used for indicating a key generated by the data transaction terminal in the trusted computing environment, and corresponds to a trusted private key generated by the data transaction terminal in the trusted computing environment, wherein the trusted private key is stored in the data transaction terminal in a secret manner, and the trusted public key is published to the outside and is sent to the data supplier. When a trusted public-private key pair is used, if one of the keys is used to encrypt a piece of data, the other key must be used to decrypt the piece of data. For example, if data is encrypted with a trusted public key, it must be successfully decrypted with its corresponding trusted private key; if encrypted with a trusted private key, the corresponding trusted public key must be used for successful decryption.
It should be noted that the first private key is different from the trusted private key, the first public key is also different from the trusted public key, and the first public-private key pair and the trusted public-private key pair are two mutually independent key pairs generated by the data supplier and the data transaction terminal, respectively.
It should be noted that, in the implementation, it is not necessary for the data supplier to generate a first public-private key pair before each data transmission and send the first public key to the data transaction terminal; similarly, for the data transaction terminal, a trusted public-private key pair does not need to be generated before each round of data transmission, and a trusted public key is sent to the data supplier. It can be sent just before the first round of data transmission or after the public-private key pair is updated.
The trusted computing environment can be a totally enclosed operating area, so that the data processing of the data demander in the environment is safe and controllable, and the data is protected from being leaked or tampered.
Wherein the original data is indicative of plaintext data originally provided by a data supplier, typically unencrypted, for use by a data demander; the first ciphertext data is used for indicating a data supplier to encrypt the original data to generate data; the first digital signature data is used for indicating data generated after data supplier is processed by digital signature technology, wherein the digital signature is a method for signing electronic messages, a signature message can be transmitted in a communication network, the digital signature can be obtained based on a public key cryptosystem and a private key cryptosystem, and the technology can be used for data confirmation data source (data authentication) and data integrity (judging whether data is falsified or forged).
In an implementation of step S12, the verifying the first digitally signed data according to at least the trusted private key includes: performing hash operation on the first ciphertext data by using a hash algorithm SM3 to obtain a first hash value; firstly, decrypting the first digital signature data by adopting a first public key to obtain first initial decrypted data, and then decrypting the first initial decrypted data for the second time by adopting the credible private key to obtain first decrypted data; comparing whether the first hash value is identical to the first decrypted data or not; if the two are identical, the verification is passed; wherein the first public key is generated by the data supplier.
Further, the decrypting the first digital signature data by using the first public key to obtain first initial decrypted data, and then performing secondary decryption on the first initial decrypted data by using the trusted private key to obtain first decrypted data includes: firstly, decrypting the first digital signature data by using the first public key and an asymmetric encryption algorithm SM2 to obtain first initial decrypted data; and then decrypting the first initial decrypted data by using the trusted private key and an asymmetric encryption algorithm SM2 to obtain the first decrypted data.
The hash algorithm SM3 is a cipher hash function standard, in a commercial cipher system, SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation and the like, and the algorithm is disclosed; the asymmetric encryption algorithm SM2 is an encryption algorithm with different encryption keys and decryption keys, and may also be referred to as Public Key Cryptography (Public Key Cryptography), and has a pair of Public and private keys for encryption and decryption.
In a specific implementation manner of the embodiment of the present invention, the first digital signature data may be verified by using the following formula:
(1) performing hash operation on the first ciphertext data by using a hash algorithm SM3 to obtain a first hash value:
reciveHashCode1=sm3(enData1);
wherein, receiveHashCode 1 is used for representing a first hash value; the enda 1 is used to represent the first ciphertext data; SM3() is used to represent the hash algorithm SM 3.
(2) Decrypting the first digitally signed signature data using:
sendHashCode1=sm2.decrypt(sm2.decrypt(sign1,senderPublicKey),safePrivat eKey));
wherein sendHashCode1 is used to represent the first decrypted data; decrypt () is used to represent the asymmetric cryptographic algorithm SM 2; sign1 is used to represent first digital signature data; senderPublicKey is used to represent the public key of the data supplier; safePrivateKey is used to represent a trusted private key.
(3) Comparing whether the receivehashcode 1 is equal to sendHashCode 1:
if equal, the verification passes. The data transmitted at this time is not tampered, and is sent by the designated data sending party, and the identity of the data sending party is confirmed. Otherwise, the data is tampered or non-specified data is sent by the sending party.
In the embodiment of the invention, by verifying the first digital signature data received from the data supplier, whether the received data is from the specified data supplier can be confirmed, and whether the data is falsified or forged in the transmission process can be confirmed, so that the authenticity and the reliability of the data source are ensured, and the security of data transmission is improved. Specifically, after it is confirmed that the received data originates from a specified data supplier and that the data is not tampered or forged in the transmission process, the received first ciphertext data is decrypted continuously, otherwise, if the received first digital signature data is not verified, the decryption step is not required to be executed, and the operation overhead can be reduced.
In the embodiment of the invention, after receiving the first ciphertext data and the first digital signature data, the data transaction terminal firstly verifies the signature by using a first public key generated by a data supplier and a trusted private key generated by the data transaction terminal in a trusted computing environment, and then decrypts the first ciphertext data by using the trusted private key after the verification is determined to be passed. The identity authentication of the data supplier can be realized, the received data is ensured to be sent by the appointed data supplier, the data is prevented from being falsified in the transmission process, the integrity of the data is guaranteed, and the safety and the reliability of data transmission are improved.
Further, before decrypting the first digital signature data with the first public key, the method further comprises: receiving the first public key from the data supplier.
In an implementation of step S13, after the verification is determined to pass, the first ciphertext data is decrypted.
Further, the first ciphertext data is decrypted by using the trusted private key and an asymmetric encryption algorithm SM2.
In a specific implementation manner of the embodiment of the present invention, the following formula may be adopted to decrypt the first ciphertext data:
safedata=sm2.decrypt(enData1,safePrivateKey);
the safe data is used for indicating credible decryption data obtained after the first ciphertext data is decrypted; decrypt () is used to indicate asymmetric cryptographic algorithm SM 2; the enda 1 is used to indicate first ciphertext data; safePrivateKey is used to indicate the trusted private key.
It can be understood that, the decryption of the received first ciphertext data is continued only after the received first digital signature data is verified, that is, after the received data is confirmed to be from the designated data supplier and the received data is not tampered or forged in the transmission process, whereas, if the received first digital signature data is not verified, the decryption step is not required to be executed, so that the operation overhead can be reduced, and the authenticity and the reliability of the data source and the integrity of the data are guaranteed.
Further, after decrypting the first ciphertext data, the method may further comprise: and sending the second ciphertext data and the second digital signature data to the data demander.
And the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key.
The second public key is generated by the data demander and corresponds to a second private key generated by the data demander, wherein the second private key is kept secret by the data demander, and the second public key is published to the outside and is sent to the data transaction terminal.
It should be noted that the second public key is different from the trusted public key, the second private key is also different from the trusted private key, and the second public-private key pair and the trusted public-private key pair are two pairs of mutually independent key pairs generated by the data demander and the data transaction terminal, respectively.
Further, before the sending the second ciphertext data and the second digital signature data to the data demander, the method further includes: encrypting result data by using the second public key to obtain second ciphertext data, wherein the result data is generated after processing trusted decryption data in a trusted computing environment, and the trusted decryption data is data obtained after decrypting the first ciphertext data; and encrypting the second ciphertext data by using the trusted private key to obtain second initial encrypted data, and then encrypting the second initial encrypted data by using the second public key to obtain the second digital signature data.
It should be noted that the trusted decryption data is used to instruct the data transaction terminal to decrypt the first ciphertext data by using a trusted private key generated in a trusted computing environment, and the data demander may directly or remotely access the trusted computing environment running in the data transaction terminal, and then perform computation or modeling analysis on the trusted decryption data in the trusted computing environment to obtain the result data.
Further, before encrypting the result data with the second public key to obtain the second ciphertext data, the method further includes: receiving the second public key from the data demander.
Further, encrypting the result data by using the second public key to obtain the second ciphertext data includes: and encrypting the result data by adopting the second public key and an asymmetric encryption algorithm SM2.
In a specific implementation manner of the embodiment of the present invention, the following formula may be adopted to encrypt the result data to obtain the second ciphertext data:
enData2=sm2.encryption(resultData,reciverPublicKey);
the enData2 is used for representing second ciphertext data obtained after encryption; encryption () is used to represent the asymmetric cryptographic algorithm SM2, and resultData is used to represent the result data; receiverepublickey is used to represent the second public key.
Further, the encrypting the second ciphertext data by using the trusted private key to obtain second initial encrypted data, and then performing secondary encryption on the second initial encrypted data by using the second public key to obtain the second digital signature data includes: firstly, encrypting the second ciphertext data by adopting a Hash algorithm SM3, the trusted private key and an asymmetric encryption algorithm SM2 to obtain a second initial ciphertext; and encrypting the second initial ciphertext by using the second public key and an asymmetric encryption algorithm SM2 to obtain the second digital signature data.
In a specific implementation manner of the embodiment of the present invention, the above two steps of performing digital signature may be completed by using the following formula:
Sign2=sm2.encryption(sm2.encryption(sm3(enData2),safePrivateKey),reciver PublicKey);
wherein Sign2 is used to represent the second digital signature data; encryption (xxx) is used to represent the asymmetric cryptographic algorithm SM 2; SM3() is used to represent the hash algorithm SM 3; the enda 2 is used to represent the second ciphertext data; the safe PrivateKey is used for representing a trusted private key generated by the data transaction terminal in a trusted computing environment; the receiverepublickey is used to represent the second public key generated by the data demander.
Referring to fig. 2, fig. 2 is a flowchart of a second data transmission method in an embodiment of the present invention, where the second data transmission method may be used for a data supplier, and may include steps S21 to S24, and the following steps are described.
In step S21, the original data is encrypted using the trusted public key and the asymmetric encryption algorithm SM2 to obtain first ciphertext data.
Wherein the trusted public key is received from the data transaction terminal, a trusted public-private key pair comprising the trusted public key being generated by the data transaction terminal within a trusted computing environment.
It is noted that in an implementation, it is not necessary for the data supplier to receive the trusted public key from the data transaction terminal before each data transmission round, but the trusted public key may be received only before the first data transmission round or after the data transaction terminal updates the trusted public-private key pair.
In a specific implementation manner of the embodiment of the present invention, the following formula may be adopted to encrypt the original data to obtain the first ciphertext data:
enData1=sm2.encryption(originData,safePublicKey);
the endData 1 is used for representing first ciphertext data obtained after encryption; encryption () is used to represent the asymmetric cryptographic algorithm SM2, originData is used to represent the original data; safePublicKey is used to represent a trusted public key.
In the embodiment of the invention, before sending data to a data transaction terminal, a data supplier encrypts original data by using a trusted public key and an asymmetric encryption algorithm SM2 generated by the data transaction terminal in a trusted computing environment to obtain first ciphertext data, and then encrypts the first ciphertext data by using a hash algorithm SM3, a first private key generated by the data supplier and an asymmetric encryption algorithm SM2 to obtain a first initial ciphertext; compared with the method that a data supplier directly sends original plaintext data without adopting any encryption mode, or the data supplier only encrypts the original plaintext data through a private key of the data supplier and then sends the encrypted original plaintext data to a data transaction terminal, and the data transaction terminal decrypts the encrypted original plaintext data through the public key of the data supplier, the embodiment of the invention adopts a trusted public and private key pair generated in a trusted computing environment to encrypt and decrypt, can ensure that the ciphertext data sent by the data supplier can be decrypted successfully only in the trusted computing environment, improves the security of data transmission, and ensures the security and controllability of subsequent data computing or modeling.
In step S22, the first ciphertext data is encrypted by using the hash algorithm SM3, the first private key, and the asymmetric encryption algorithm SM2 to obtain a first initial ciphertext.
Wherein the first private key is generated by a data supplier.
In step S23, the trusted public key and the asymmetric cryptographic algorithm SM2 are used to perform secondary encryption on the first initial ciphertext to obtain first digital signature data.
In a specific implementation manner of the embodiment of the present invention, the above two steps of performing digital signature may be completed by using the following formula:
Sign1=sm2.encryption(sm2.encryption(sm3(enData1),senderPrivateKey),safe PublicKey);
wherein Sign1 is used to represent the first digital signature data; encryption () is used to represent the asymmetric cryptographic algorithm SM 2; SM3() is used to represent the hash algorithm SM 3; the enda 1 is used to represent the first ciphertext data; the senderPrivateKey is used for representing a first private key generated by a data supplier; the safePublicKey is used for representing a credible public key generated by the data transaction terminal in the credible calculation exchange.
In step S24, the first ciphertext data and the first digital signature data are transmitted to a data transaction terminal.
It can be understood that, in the embodiment of the present invention, the data supplier encrypts and digitally signs the original data according to at least the trusted public key received from the data transaction terminal to obtain the first ciphertext data and the first digital signature data, and since the trusted public key has unique correspondence with the trusted private key and the trusted private key can only be stored secretly by the data transaction terminal itself, after receiving the first ciphertext data and the first digital signature data sent by the data supplier, the data transaction terminal should at least verify signing and decrypting according to the corresponding unique trusted private key, thereby ensuring the authenticity and reliability of the data source and the security of transmission.
In the specific implementation, please refer to the foregoing description and the step description in fig. 1 for further details regarding steps S21 to S24, which are not described herein again.
Referring to fig. 3, fig. 3 is a flowchart of a third data transmission method in an embodiment of the present invention, where the third data transmission method may be used by a data demander, and may include steps S31 to S33, and the steps are described below.
In step S31, second ciphertext data and second digital signature data are received from the data transaction terminal, wherein the second ciphertext data and the second digital signature data are encrypted according to at least a second public key.
In step S32, the second digital signature data is verified.
In step S33, after the verification is determined to be passed, the second ciphertext data is decrypted.
And verifying the second digital signature data and decrypting the second ciphertext data at least according to a second private key.
It should be noted that the second ciphertext data is obtained by the data transaction terminal processing the first ciphertext data of the data supplier by using the trusted private key and the second public key, and the second digital signature data is obtained by the data transaction terminal digitally signing the second ciphertext data by using the second public key.
The trusted public key is used to indicate a secret key generated by the data transaction terminal in the trusted computing environment, and corresponds to a trusted private key generated by the data transaction terminal in the trusted computing environment, which relates to more contents of the trusted computing environment, please refer to the foregoing and the technical solution shown in fig. 1, which are not described herein again.
Further, the second ciphertext data is obtained by the data transaction terminal decrypting the first ciphertext data of the data supplier by using a trusted private key to obtain trusted decrypted data, processing the trusted decrypted data in a trusted computing environment to generate result data, and encrypting the result data by using a second public key.
Further, before receiving the second ciphertext data and the second digital signature data from the data transaction terminal, the method further includes: and generating a second public-private key pair comprising the second public key and the second private key, and sending the second public key to the data transaction terminal.
It should be noted that, in the implementation, it is not necessary for the data demander to generate a second public-private key pair once before each data transmission and send the second public key to the data transaction terminal.
Further, verifying the second digital signature data based at least on the second private key comprises: performing hash operation on the second ciphertext data by using a hash algorithm SM3 to obtain a second hash value; decrypting the second digital signature data by adopting a trusted public key to obtain second initial decrypted data, and then performing secondary decryption on the second initial decrypted data by adopting a second private key to obtain second decrypted data; comparing whether the second hash value is identical to the second decrypted data or not; if they are identical, the verification passes.
Further, the decrypting the second digital signature data by using the trusted public key to obtain second initial decrypted data, and then performing secondary decryption on the second initial decrypted data by using the second private key to obtain second decrypted data includes: firstly, the trusted public key and an asymmetric encryption algorithm SM2 are adopted to decrypt the second digital signature data to obtain second initial decrypted data; and then decrypting the second initial decrypted data by using the second private key and an asymmetric encryption algorithm SM2 to obtain the second decrypted data.
In a specific implementation manner of the embodiment of the present invention, the second digital signature data may be verified by using the following formula:
(1) performing hash operation on the second ciphertext data by using a hash algorithm SM3 to obtain a second hash value:
reciveHashCode2=sm3(enData2);
wherein, the receiveHashCode 2 is used for representing a second hash value; the enda 2 is used to represent the second ciphertext data; SM3(xxx) is used to represent the hash algorithm SM 3.
(2) Decrypting the second digital signature data using:
sendHashCode2=sm2.decrypt(sm2.decrypt(sign2,safePublicKey),reciever
PrivateKey));
wherein sendHashCode2 is used to represent the second decrypted data; decrypt () is used to represent the asymmetric cryptographic algorithm SM 2; sign2 is used to represent second digital signature data; the safePublicKey is used for representing a credible public key; and the receiver privatekey is used for representing a second private key generated by the data demander.
(3) Comparing whether the receivehashcode 2 is equal to sendHashCode 2:
if equal, the verification passes. The data transmitted at this time is not tampered, and is sent by the designated data sending party, and the identity of the data sending party is confirmed. Otherwise, the data is tampered or sent by an unspecified data sender.
In the embodiment of the invention, in the data transmission process from the data supplier to the data demander, a first public and private key pair generated by the data supplier, a trusted public and private key pair generated by the data transaction terminal in a trusted computing environment and a second public and private key pair generated by the data demander are adopted, compared with the prior art that data transmission is carried out only in a simple and direct terminal-to-terminal mode, original data provided by a data supplier and result data obtained after calculation or modeling by a data demander are easily leaked, stolen, tampered and the like in the transmission process, so that the safety of data transmission cannot be guaranteed, the safety and reliability of data transmission can be effectively improved by adopting the technical scheme of the embodiment of the invention, and the integrity of the data in the transmission process can be guaranteed.
In the embodiment of the invention, by verifying the second digital signature data received from the data transaction terminal, whether the received data originates from the data transaction terminal or not can be confirmed, and whether the data is falsified or forged in the transmission process or not can be confirmed, so that the authenticity and the reliability of the data source are ensured, and the security of data transmission is improved.
Further, before decrypting the second digital signature data using the trusted public key and the asymmetric encryption algorithm SM2, the method further includes: receiving the trusted public key from the data transaction terminal.
It should be noted that, for the data transaction terminal, it is also not necessary to generate a trusted public-private key pair before each data transmission and send the trusted public key to the data demander. It can be sent just before the first round of data transmission or after the public-private key pair is updated.
Further, the decrypting the second ciphertext data according to at least the second private key comprises: and decrypting the second ciphertext data by using the second private key and an asymmetric encryption algorithm SM2.
In a specific implementation manner of the embodiment of the present invention, the following formula may be adopted to decrypt the second ciphertext data:
finalData=sm2.decrypt(enData2,reciever PrivateKey);
wherein, finalData is used for indicating the final decrypted data obtained after the second ciphertext data is decrypted; decrypt () is used to indicate asymmetric cryptographic algorithm SM 2; the enda 2 is used to indicate second ciphertext data; the receiver PrivateKey is used for indicating a second private key generated by the data demander.
Referring to fig. 4, fig. 4 is a data flow diagram of a fourth data transmission method in the embodiment of the present invention. The data transmission method may include steps S401 to S410, each of which is described below.
In step S401, the data supplier 41 encrypts the original data with the trusted public key to obtain first ciphertext data.
In step S402, the data supplier 41 performs digital signature on the first ciphertext data by using at least the trusted public key to obtain first digital signature data.
Wherein the trusted public key is received from the data transaction terminal.
In step S403, the data supplier 41 transmits the first ciphertext data and the first digital signature data to the data transaction terminal 42.
In step S404, the data transaction terminal 42 verifies the first digitally signed data with at least the trusted private key.
In step S405, the data transaction terminal 42 decrypts the first ciphertext data by using the trusted private key if it is determined that the verification is passed.
In step S406, the data transaction terminal 42 encrypts the result data with the second public key to obtain second ciphertext data.
The result data is generated after processing trusted decryption data in a trusted computing environment, and the trusted decryption data is data obtained after decrypting the first ciphertext data.
Further, before encrypting the result data with the second public key to obtain the second ciphertext data, the method further includes: receiving the second public key from the data demander.
In step S407, the data transaction terminal 42 performs digital signature on the second ciphertext data by using at least the second public key to obtain second digital signature data.
In step S408, the data transaction terminal 42 transmits the second ciphertext data and the second digital signature data to the data demander 43.
In step S409, the data acquirer 43 verifies the second digital signature data with at least the second private key.
In step S410, the data demander 43 decrypts the second ciphertext data by using the second private key if it is determined that the verification is passed.
In a specific implementation, more details about step S401 to step S410 are described with reference to steps in fig. 1 to fig. 3 for execution, and are not described herein again.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a first data transmission apparatus in the embodiment of the present invention. The first data transmission device may be used for a data transaction terminal, and may include:
a first data receiving module 51, configured to receive first ciphertext data and first digital signature data from a data supplier, where the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key; a first verification module 52, configured to verify the first digital signature data; a first decryption module 53, configured to decrypt the first ciphertext data when the verification is passed, where the first digital signature data is verified and the first ciphertext data is decrypted at least according to a trusted private key, and a trusted public-private key pair including the trusted public key is generated by a data transaction terminal in a trusted computing environment, and then the trusted public key is sent to the data supplier; a trusted public-private key pair generation module 54 for generating a trusted public-private key pair within a trusted computing environment by the data transaction terminal and then sending the trusted public key to the data supplier.
For the principle, specific implementation and beneficial effects of the data transmission apparatus, please refer to the related description about the data transmission method shown in fig. 1 and fig. 4, which is not repeated herein.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a second data transmission apparatus in the embodiment of the present invention. The second data transmission apparatus may be for a data supplier, and may include: a first data sending module 61, configured to send first ciphertext data and first digital signature data to a data transaction terminal, where the first ciphertext data and the first digital signature data are encrypted according to at least a trusted public key, where the trusted public key is received from the data transaction terminal, and a trusted public-private key pair including the trusted public key is generated by the data transaction terminal in a trusted computing environment; and a first public and private key pair generating module 62, configured to generate a first public and private key pair by a data supplier, and send the first public key to the data transaction terminal.
For the principle, specific implementation and beneficial effects of the data transmission apparatus, please refer to the related description about the data transmission method shown in fig. 2 and fig. 4, which is not repeated herein.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a third data transmission apparatus according to an embodiment of the present invention. The third data transmission apparatus may be used for a data demander, and may include: a second data receiving module 71, configured to receive second ciphertext data and second digital signature data from the data transaction terminal, where the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key; a second verification module 72, configured to verify the second digital signature data; a second decryption module 73, configured to decrypt the second ciphertext data when the verification passes, where the second digital signature data is verified and decrypted according to at least a second private key; and a second public and private key pair generating module 74, configured to generate a second public and private key pair by the data demander, and send the second public key to the data transaction terminal.
For the principle, specific implementation and beneficial effects of the data transmission apparatus, please refer to the related description about the data transmission method shown in fig. 3 and fig. 4, which is not repeated herein.
The embodiment of the invention also provides a computer readable storage medium, wherein computer instructions are stored on the computer readable storage medium, and the computer instructions execute the steps of the data transmission method when running. The computer-readable storage medium may include a non-volatile memory (non-volatile) or a non-transitory memory, and may further include an optical disc, a mechanical hard disk, a solid state hard disk, and the like.
Specifically, in the embodiment of the present invention, the processor may be a Central Processing Unit (CPU), and the processor may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory in the embodiments of the subject application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example and not limitation, many forms of Random Access Memory (RAM) are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (enhanced SDRAM), SDRAM (SLDRAM), synchlink DRAM (SLDRAM), and direct bus RAM (DR RAM).
The embodiment of the invention also provides a data transaction terminal, which comprises a memory and a processor, wherein the memory is stored with computer instructions capable of running on the processor, and the processor executes the steps of the data transmission method when running the computer instructions. The data transaction terminal may include, but is not limited to, a mobile phone, a computer, a tablet computer and other terminal devices, and may also be a server, a cloud platform and the like.
The embodiment of the invention also provides a data supplier, which comprises a memory and a processor, wherein the memory is stored with computer instructions capable of running on the processor, and the processor executes the steps of the data transmission method when running the computer instructions. The data supplier can include but is not limited to terminal devices such as a mobile phone, a computer, a tablet computer and the like, and can also be a server, a cloud platform and the like.
The embodiment of the present invention further provides a data demander, which includes a memory and a processor, where the memory stores computer instructions capable of being executed on the processor, and the processor executes the steps of the data transmission method when executing the computer instructions. The data demander can include but is not limited to terminal equipment such as a mobile phone, a computer, a tablet computer and the like, and can also be a server, a cloud platform and the like.
It should be understood that the term "and/or" herein is merely one type of association relationship that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this document indicates that the former and latter related objects are in an "or" relationship.
The "plurality" appearing in the embodiments of the present application means two or more.
The descriptions of the first, second, etc. appearing in the embodiments of the present application are only for illustrating and differentiating the objects, and do not represent the order or the particular limitation of the number of the devices in the embodiments of the present application, and do not constitute any limitation to the embodiments of the present application.
It should be noted that the sequence numbers of the steps in this embodiment do not represent a limitation on the execution sequence of the steps.
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (29)
1. A method of data transmission, comprising:
receiving first ciphertext data and first digital signature data from a data supplier, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key;
verifying the first digital signature data;
if the verification is passed, decrypting the first ciphertext data;
verifying the first digital signature data and decrypting the first ciphertext data at least according to a trusted private key;
a trusted public-private key pair comprising the trusted public key is generated by a data transaction terminal within a trusted computing environment and the trusted public key is then sent to the data donor.
2. The method of claim 1,
the first ciphertext data is obtained by encrypting original data by adopting the trusted public key;
the first digital signature data is obtained by firstly encrypting the first ciphertext data by using a first private key to obtain first initial encrypted data and secondly encrypting the first initial encrypted data by using the trusted public key;
wherein the first private key is generated by the data supplier.
3. The method of claim 1, wherein the verifying the first digitally signed data from at least a trusted private key comprises:
performing hash operation on the first ciphertext data by using a hash algorithm SM3 to obtain a first hash value;
firstly, decrypting the first digital signature data by adopting a first public key to obtain first initial decrypted data, and then decrypting the first initial decrypted data for the second time by adopting the credible private key to obtain first decrypted data;
comparing whether the first hash value is identical to the first decrypted data or not;
if the two are identical, the verification is passed;
wherein the first public key is generated by the data supplier.
4. The method according to claim 3, wherein the first decrypting the first digital signature data with the first public key to obtain first initial decrypted data, and then decrypting the first initial decrypted data with the trusted private key for the second time to obtain the first decrypted data includes:
firstly, decrypting the first digital signature data by using the first public key and an asymmetric encryption algorithm SM2 to obtain first initial decrypted data;
and then decrypting the first initial decrypted data by using the trusted private key and an asymmetric encryption algorithm SM2 to obtain the first decrypted data.
5. The method according to claim 3 or 4, wherein before decrypting the first digitally signed data using the first public key, the method further comprises:
receiving the first public key from the data supplier.
6. The method of claim 1, wherein decrypting the first ciphertext data based at least on a trusted private key comprises:
and decrypting the first ciphertext data by using the trusted private key and an asymmetric encryption algorithm SM2.
7. The method of claim 1, wherein after decrypting the first ciphertext data, the method further comprises:
sending second ciphertext data and second digital signature data to a data demander, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key;
wherein the second public key is generated by the data demander.
8. The method of claim 7, wherein prior to sending the second ciphertext data and the second digital signature data to the data requestor, the method further comprises:
encrypting result data by using the second public key to obtain second ciphertext data, wherein the result data is generated after processing trusted decryption data in a trusted computing environment, and the trusted decryption data is data obtained after decrypting the first ciphertext data;
and encrypting the second ciphertext data by using the trusted private key to obtain second initial encrypted data, and then encrypting the second initial encrypted data by using the second public key to obtain the second digital signature data.
9. The method of claim 8, wherein before encrypting the result data with the second public key to obtain the second ciphertext data, the method further comprises:
receiving the second public key from the data demander.
10. The method of claim 8, wherein encrypting the result data using the second public key to obtain the second ciphertext data comprises:
and encrypting the result data by adopting the second public key and an asymmetric encryption algorithm SM2.
11. The method of claim 8, wherein encrypting the second ciphertext data with the trusted private key to obtain second initial encrypted data, and then encrypting the second initial encrypted data with the second public key for a second time to obtain the second digital signature data comprises: firstly, encrypting the second ciphertext data by adopting a Hash algorithm SM3, the trusted private key and an asymmetric encryption algorithm SM2 to obtain a second initial ciphertext;
and encrypting the second initial ciphertext by using the second public key and an asymmetric encryption algorithm SM2 to obtain the second digital signature data.
12. A method of data transmission, comprising:
sending first ciphertext data and first digital signature data to a data transaction terminal, wherein the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key;
wherein the trusted public key is received from the data transaction terminal, a trusted public-private key pair comprising the trusted public key being generated by the data transaction terminal within a trusted computing environment.
13. The method of claim 12, wherein prior to transmitting the first ciphertext data and the first digital signature data to the data transaction terminal, the method further comprises:
encrypting original data by adopting the trusted public key to obtain the first ciphertext data;
firstly, a first private key is adopted to encrypt the first ciphertext data to obtain first initial encrypted data, and then the trusted public key is adopted to encrypt the first initial encrypted data for the second time to obtain first digital signature data;
wherein the first private key is generated by a data supplier.
14. The method of claim 13, wherein encrypting the original data using the trusted public key comprises:
and encrypting the original data by adopting the trusted public key and an asymmetric encryption algorithm SM2.
15. The method of claim 13, wherein encrypting the first ciphertext data with the first private key to obtain first initial encrypted data, and performing secondary encryption on the first initial encrypted data with the trusted public key to obtain the first digital signature data comprises: firstly, encrypting the first ciphertext data by adopting a Hash algorithm SM3, the first private key and an asymmetric encryption algorithm SM2 to obtain a first initial ciphertext;
and secondly, performing secondary encryption on the first initial ciphertext by using the trusted public key and an asymmetric encryption algorithm SM2 to obtain the first digital signature data.
16. The method of any one of claims 13 to 15, further comprising: generating a first public-private key pair comprising a first public key and the first private key;
and sending the first public key to the data transaction terminal.
17. A method of data transmission, comprising:
receiving second ciphertext data and second digital signature data from the data transaction terminal, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key;
verifying the second digital signature data;
if the verification is passed, decrypting the second ciphertext data;
and verifying the second digital signature data and decrypting the second ciphertext data at least according to a second private key.
18. The method of claim 17, wherein prior to receiving the second ciphertext data and the second digital signature data from the data trafficking terminal, the method further comprises:
and generating a second public-private key pair comprising the second public key and the second private key, and sending the second public key to the data transaction terminal.
19. The method of claim 17, wherein verifying the second digital signature data based on at least the second private key comprises:
performing hash operation on the second ciphertext data by using a hash algorithm SM3 to obtain a second hash value;
decrypting the second digital signature data by adopting a trusted public key to obtain second initial decrypted data, and then performing secondary decryption on the second initial decrypted data by adopting a second private key to obtain second decrypted data;
comparing whether the second hash value is identical to the second decrypted data or not;
if the two are identical, the verification is passed;
wherein a trusted public-private key pair comprising the trusted public key is generated by the data transaction terminal within a trusted computing environment.
20. The method of claim 19, wherein the decrypting the second digital signature data with the trusted public key to obtain second initial decrypted data, and then decrypting the second initial decrypted data with the second private key to obtain second decrypted data comprises:
firstly, the trusted public key and an asymmetric encryption algorithm SM2 are adopted to decrypt the second digital signature data to obtain second initial decrypted data;
and then decrypting the second initial decrypted data by using the second private key and an asymmetric encryption algorithm SM2 to obtain the second decrypted data.
21. The method according to claim 19 or 20, wherein before decrypting the second digital signature data using the trusted public key and the asymmetric encryption algorithm SM2, the method further comprises:
receiving the trusted public key from the data transaction terminal.
22. The method of claim 17, wherein the decrypting the second ciphertext data based at least on the second private key comprises:
and decrypting the second ciphertext data by using the second private key and an asymmetric encryption algorithm SM2.
23. A data transmission apparatus, comprising:
the device comprises a first data receiving module, a first data processing module and a second data processing module, wherein the first data receiving module is used for receiving first ciphertext data and first digital signature data from a data supplier, and the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key;
the first verification module is used for verifying the first digital signature data;
the first decryption module is used for decrypting the first ciphertext data when the verification is passed, wherein the first digital signature data is verified and the first ciphertext data is decrypted at least according to a trusted private key, a trusted public and private key pair including the trusted public key is generated in a trusted computing environment by a data transaction terminal, and then the trusted public key is sent to the data supplier;
and the trusted public and private key pair generation module is used for generating a trusted public and private key pair in a trusted computing environment by the data transaction terminal and then sending the trusted public key to the data supplier.
24. A data transmission apparatus, comprising:
a first data sending module, configured to send first ciphertext data and first digital signature data to a data transaction terminal, where the first ciphertext data and the first digital signature data are obtained by encrypting at least according to a trusted public key, where the trusted public key is received from the data transaction terminal, and a trusted public-private key pair including the trusted public key is generated by the data transaction terminal in a trusted computing environment;
and the first public and private key pair generation module is used for generating a first public and private key pair by a data supplier and sending a first public key to the data transaction terminal.
25. A data transmission apparatus, comprising:
the second data receiving module is used for receiving second ciphertext data and second digital signature data from the data transaction terminal, wherein the second ciphertext data and the second digital signature data are obtained by encrypting at least according to a second public key;
the second verification module is used for verifying the second digital signature data;
the second decryption module is used for decrypting the second ciphertext data when the verification is passed, wherein the second digital signature data is verified and the second ciphertext data is decrypted at least according to a second private key;
and the second public and private key pair generation module is used for generating a second public and private key pair by a data demander and sending the second public key to the data transaction terminal.
26. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the data transmission method according to any one of claims 1 to 11, or carries out the steps of the data transmission method according to any one of claims 12 to 16, or carries out the steps of the data transmission method according to any one of claims 17 to 22.
27. A data transaction terminal comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, wherein the processor, when executing the computer program, performs the steps of the data transmission method of any one of claims 1 to 11.
28. A data supplier comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, wherein the processor, when executing the computer program, performs the steps of the data transmission method of any one of claims 12 to 16.
29. A data demander comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, wherein the processor, when executing the computer program, performs the steps of the data transmission method of any of claims 17 to 22.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111392253.4A CN114240428A (en) | 2021-11-19 | 2021-11-19 | Data transmission method and device, data transaction terminal and data supplier |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111392253.4A CN114240428A (en) | 2021-11-19 | 2021-11-19 | Data transmission method and device, data transaction terminal and data supplier |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114240428A true CN114240428A (en) | 2022-03-25 |
Family
ID=80750422
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111392253.4A Pending CN114240428A (en) | 2021-11-19 | 2021-11-19 | Data transmission method and device, data transaction terminal and data supplier |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114240428A (en) |
-
2021
- 2021-11-19 CN CN202111392253.4A patent/CN114240428A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11323276B2 (en) | Mutual authentication of confidential communication | |
| US11108565B2 (en) | Secure communications providing forward secrecy | |
| CN109347835B (en) | Information transmission method, client, server, and computer-readable storage medium | |
| JP6221014B1 (en) | Secure shared key sharing system and method | |
| CN110519309B (en) | Data transmission method, device, terminal, server and storage medium | |
| CN107317677B (en) | Secret key storage and equipment identity authentication method and device | |
| WO2021120871A1 (en) | Authentication key negotiation method and apparatus, storage medium and device | |
| CN107005577B (en) | Fingerprint data processing method and processing device | |
| CN112532393A (en) | Verification method of cross-link transaction, relay link node equipment and medium | |
| CN109309566B (en) | Authentication method, device, system, equipment and storage medium | |
| JP2020530726A (en) | NFC tag authentication to remote servers with applications that protect supply chain asset management | |
| CN111769938A (en) | Key management system and data verification system of block chain sensor | |
| CN114499837B (en) | Message leakage prevention method, device, system and equipment | |
| CN112003697A (en) | Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium | |
| US20240106633A1 (en) | Account opening methods, systems, and apparatuses | |
| CN110611679A (en) | Data transmission method, device, equipment and system | |
| CN111565108B (en) | Signature processing method, device and system | |
| CN111817856B (en) | Identity authentication method and system based on zero-knowledge proof and password technology | |
| CN108242997B (en) | Method and apparatus for secure communication | |
| CN114240428A (en) | Data transmission method and device, data transaction terminal and data supplier | |
| CN109104393B (en) | Identity authentication method, device and system | |
| CN113676462B (en) | Key distribution and decryption method, device, equipment and medium | |
| CN116415268A (en) | Data processing method, device, equipment and medium | |
| JP6153454B2 (en) | Signature apparatus, method and program | |
| CN115361168A (en) | Data encryption method, device, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |