CN114338091A - Data transmission method and device, electronic equipment and storage medium - Google Patents


Publication number: CN114338091A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111493588.5A
Other languages: Chinese (zh)
Inventors: 张川, 斯丹, 唐嘉诚, 刘骏佳, 夏浩
Current assignee: Hangzhou Douku Software Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou Douku Software Technology Co Ltd
Prior art keywords: ciphertext, request, key, key information, service

Abstract

The application discloses a data transmission method, a data transmission device, electronic equipment and a storage medium. The method is applied to a client and comprises the following steps: calling a first Software Development Kit (SDK), and encrypting first data related to a first service based on at least one encryption mode supported by the first SDK to generate a first ciphertext; sending a first request to a server, where the first request carries the first ciphertext and is used for requesting to process the first service; receiving a second ciphertext returned by the server based on the first request, where the second ciphertext is obtained by the server encrypting a first processing result of the first ciphertext based on the first request; calling the first SDK to decrypt the second ciphertext to generate a first plaintext; and processing the first service based on the first plaintext.

Description

Data transmission method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data transmission method and apparatus, an electronic device, and a storage medium.
Background
In the related art, the data to be transmitted is encrypted in order to ensure its security in transit. However, the different data encryption modes have certain security holes or are limited to particular applicable scenarios, which reduces both the efficiency of data encryption and the security of the data.
Disclosure of Invention
In view of this, embodiments of the present application provide a data transmission method, an apparatus, an electronic device, and a storage medium, so as to solve at least the problems of the related art that the efficiency of data encryption and the security of data are reduced.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides a data transmission method, which is applied to a client side and comprises the following steps:
calling a first Software Development Kit (SDK), and encrypting first data about a first service based on at least one encryption mode supported by the first SDK to generate a first ciphertext;
sending a first request to a server; the first request carries the first ciphertext; the first request is used for requesting to process the first service;
receiving a second ciphertext returned by the server based on the first request; the second ciphertext is obtained by encrypting a first processing result of the first ciphertext by the server based on the first request;
calling the first SDK to decrypt the second ciphertext to generate a first plaintext;
processing the first service based on the first plaintext.
The embodiment of the application provides another data transmission method, which is applied to a server and comprises the following steps:
receiving a first request sent by a client; the first request carries a first ciphertext; the first ciphertext represents an encryption result of first data related to a first service; the first request is used for requesting to process the first service;
calling a second Software Development Kit (SDK) and generating a first decryption result according to the encryption mode of the first ciphertext; the first decryption result characterizing a decryption result with respect to the first request;
processing the first service according to the first decryption result to generate a first processing result;
calling the second SDK to encrypt the first processing result to generate a second ciphertext;
and returning the second ciphertext to the client.
The embodiment of the application also provides another data transmission method, which is applied to a key management platform and comprises the following steps:
receiving a key management request sent by a client or a server;
according to the key management request, calling a key service corresponding to the request, and generating a response about the key management request;
returning a response to the key management request to the client or server.
An embodiment of the present application further provides a data transmission device, which is applied to a server, and includes:
a second receiving unit, configured to receive a first request sent by the client; the first request carries a first ciphertext; the first ciphertext represents an encryption result of first data related to a first service; the first request is used for requesting to process the first service;
a second decryption unit, configured to call a second Software Development Kit (SDK) and generate a first decryption result according to the encryption mode of the first ciphertext; the first decryption result characterizes a decryption result with respect to the first request;
a second processing unit, configured to process the first service according to the first decryption result to generate a first processing result;
a second encryption unit, configured to call the second SDK to encrypt the first processing result and generate a second ciphertext;
and a second sending unit, configured to return the second ciphertext to the client.
An embodiment of the present application further provides a data transmission device, which is applied to a key management platform, and includes:
a third receiving unit, configured to receive a key management request sent by a client or a server;
a first generation unit, configured to invoke a key service corresponding to the request according to the key management request, and generate a response regarding the key management request;
and a third sending unit that returns a response to the key management request to the client or the server.
An embodiment of the present application further provides an electronic device, including: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of any of the above methods when running the computer program.
Embodiments of the present application also provide a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of any one of the above methods.
In the embodiment of the application, the client encrypts the data of the first service by calling the software development kit on the client and decrypts the ciphertext which is returned by the server and is related to the processing result of the first service, so that the security of the data of the first service in the transmission process can be ensured, meanwhile, the universal infrastructure for data encryption or decryption can be provided, and the data encryption and decryption efficiency can be improved.
Drawings
Fig. 1 is a schematic diagram of a service architecture for key management according to an embodiment of the present application;
fig. 2 is a schematic diagram of a technical architecture of key management according to an embodiment of the present application;
fig. 3 is a schematic flow chart illustrating an implementation of a data transmission method according to an embodiment of the present application;
fig. 4 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 5 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 6 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 7 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 8 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 9 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 10 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 11 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 12 is a schematic flow chart illustrating an implementation of a data transmission method according to another embodiment of the present application;
fig. 13 is a schematic processing flow diagram of a key management technology architecture for RSA digital envelopes according to an embodiment of the present application;
FIG. 14 is a schematic diagram illustrating a processing flow of an ECC digital envelope by a key management technology architecture according to another embodiment of the present application;
fig. 15 is a schematic processing flow diagram of a key management technology architecture provided in another embodiment of the present application for a first ciphertext encrypted based on a communication key between a client and a server;
fig. 16 is a process flow of key management technology architecture registration key provided in another embodiment of the present application;
fig. 17 is a process flow of service certificate upgrade of a key management technology architecture according to another application embodiment of the present application;
fig. 18 is a key application service access flow provided in another application embodiment of the present application;
fig. 19 is a schematic structural diagram of a data transmission device according to an embodiment of the present application;
fig. 20 is a schematic structural diagram of a data transmission device according to another embodiment of the present application;
fig. 21 is a schematic structural diagram of a data transmission device according to another embodiment of the present application;
fig. 22 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and specific embodiments.
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
In addition, in the embodiments of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of a plurality; for example, "at least one of A, B and C" means any one or more elements selected from the group consisting of A, B and C.
In the related art, different security compliance policies exist for the same service, and different design teams design different encryption and decryption schemes to meet those policies. Some of these schemes have serious security holes; for example, encryption key information is placed in a Uniform Resource Locator (URL) request, which weakens the security of data transmission.
Based on this, the scheme provided in the embodiment of the present application can provide a set of standardized encryption scheme and decryption scheme, and can also ensure the security of data in the transmission process.
Before describing the technical solution of the embodiment of the present application in detail, a service architecture of key management and a technical architecture of key management applied in the embodiment of the present application are introduced correspondingly.
As shown in fig. 1, fig. 1 shows a service architecture diagram of key management. In the service architecture of key management, three kinds of data can be processed: an RSA digital envelope generated by encrypting data based on the RSA encryption algorithm, an elliptic curve cryptography (ECC) digital envelope generated by encrypting data based on an ECC encryption algorithm, and data transmitted based on the Noise framework. The Noise framework is a framework for constructing security protocols; it provides a secure channel for a network protocol, so that the security of data in transit can be ensured.
The processing scenarios of the key management service architecture can provide different key management services, including key registration, key agreement and traffic offloading. Each of these services needs to call the corresponding key management capabilities to assist in its realization, and the key management capabilities include key configuration, service certificate distribution, key acquisition, protocol authentication, key agreement and the like. In practical applications, the key management capabilities also depend on certain tools: in the key management service architecture, the infrastructure layer provides a Key Management Service (KMS) tool, a Public Key Infrastructure (PKI) and the like. The KMS tool can determine the key used for decryption, and the PKI can generate, manage, store, distribute and revoke certificates. For example, when the key in an ECC digital envelope needs to be registered, the key agreement service first determines the key for decrypting the ECC digital envelope from the KMS tool through the key agreement capability; after the key is obtained, the key registration service completes the registration of the key in the PKI through the key storage capability.
As shown in fig. 2, fig. 2 shows a schematic diagram of a technical architecture of key management. The technical architecture in fig. 2 includes an access layer, an application layer, a domain layer and an infrastructure layer. The access layer can be accessed by a client, a server, the SDK of the client, the SDK of the server and an operation background, so as to invoke the different layers of the technical architecture to complete different key management tasks. In practical applications, the SDK of the client and the SDK of the server integrate the capabilities of key handling and traffic handling. The application layer provides key operation, key registration and key agreement; when the access layer calls the application layer for corresponding processing, the corresponding capability of the domain layer is triggered. The domain layer includes the capabilities of key management, key synchronization, key agreement, key acquisition, service authentication and the like, and the key management initiated by the access layer is completed by relying on the different tools of the infrastructure layer, which includes KMS, PKI and the like.
An embodiment of the present application provides a data transmission method, fig. 3 is a schematic flow chart of the data transmission method in the embodiment of the present application, and as shown in fig. 3, the method is applied to a client, and the method includes:
S301: calling the first SDK, encrypting the first data related to the first service based on at least one encryption mode supported by the first SDK, and generating a first ciphertext.
The client is provided with a standardized first SDK, and the first SDK integrates certain capabilities, for example, the first SDK can encrypt data, decrypt data and the like.
The first service is a data interaction service performed on the client, for example, in the process of logging in the website, the first service may be a login authentication service, the first service may also be a payment service, the first service may also be a data query service, and the like.
In the process of processing the first service, the client needs to transmit information such as payment information and a payment password to the server, and the server performs corresponding verification and data processing according to the information transmitted by the client, so as to complete payment. The client may call the first SDK to encrypt the first data to generate a first ciphertext, where the first ciphertext is an encryption result of the first data.
Different encryption modes are integrated on the first SDK, the first data can be encrypted through the encryption mode supported by the first SDK, and in practical application, the encryption mode of the first data can be selected according to the transmission requirement of the first service, for example, when the transmission requirement of the first service is more important on the security of the data, the encryption mode with the highest encryption security is selected from the encryption modes supported by the first SDK, and the corresponding encryption time is increased, so that the transmission time of the first data is also correspondingly increased. When the transmission requirement of the first service is more inclined to the processing efficiency of the data, the encryption mode with the highest transmission efficiency is selected from the encryption modes supported by the first SDK, and the corresponding encryption time is shortened, so that the transmission time of the first data can be reduced.
S302: sending a first request to a server; the first request carries the first ciphertext; the first request is for requesting processing of the first service.
Under the condition of completing the encryption of the first data, the server is required to be requested to assist in completing the processing of the first service, so that the client can send a first request to the server, wherein the first request is request information, and the first request carries a first ciphertext, so that the first data can be protected in the process of sending the first data along with the request.
S303: receiving a second ciphertext returned by the server based on the first request; and the second ciphertext is obtained by encrypting a first processing result of the first ciphertext by the server based on the first request.
After the server completes processing of the first request, the client can receive a second ciphertext returned by the server based on the first request. The second ciphertext contains the processing result of the first service, and the client can obtain that processing result by decrypting the second ciphertext.
S304: and calling the first SDK to decrypt the second ciphertext to generate a first plaintext.
The second ciphertext returned by the server is obtained by encrypting based on the encryption mode of the first ciphertext, and the client can call the first SDK to decrypt the second ciphertext so as to obtain a decryption result of the second ciphertext. In practical applications, the decryption process for the second ciphertext is opposite to the encryption process for the first ciphertext.
S305: processing the first service based on the first plaintext.
The client can complete subsequent processing of the first service according to the first plaintext, for example, when the first service is a payment service, the obtained first plaintext can be information representing successful payment, so that a page of successful payment can be displayed on the client, and processing of the payment service is completed. The obtained first plaintext can also represent payment failure information, so that a payment failure page can be displayed on the client, and the payment service processing is continued.
In the embodiment of the present application, the first SDK can support three encryption manners, and a process of encrypting the first data by the three encryption manners and a process of decrypting the data encrypted by the three encryption manners are described below by different embodiments.
In an embodiment, the encrypting the first data based on at least one encryption manner supported by the first SDK to generate the first ciphertext includes:
under the condition that a first encryption mode or a second encryption mode is selected from at least one encryption mode supported by the first SDK, encrypting the first data according to first private key information of the client and first public key information of the server, based on a first encryption algorithm of the first encryption mode or a second encryption algorithm of the second encryption mode, to generate the first ciphertext; the first encryption algorithm is the RSA algorithm; the second encryption algorithm is an elliptic curve cryptography (ECC) algorithm.
The first encryption mode encrypts the first data based on the RSA algorithm to generate the first ciphertext. The specific generation process is as follows: first, the first private key information of the client is determined, which can be randomly generated symmetric key information; the first data is encrypted with the first private key information of the client to obtain an encryption result A related to the first data; then the first private key information of the client is encrypted with the first public key information of the server through the RSA algorithm to obtain an encryption result B related to the first private key information of the client; and the encryption result A and the encryption result B are combined to obtain the first ciphertext.
The second encryption mode encrypts the first data based on the ECC algorithm to generate the first ciphertext. The specific generation process is as follows: first, the first private key information of the client is determined; an AES key is derived from the first private key information of the client using Elliptic Curve Diffie-Hellman key exchange (ECDH); the first data is encrypted with the AES key to obtain an encryption result A related to the first data; then the AES key of the client is encrypted to obtain an encryption result B related to the first private key information of the client; and the first ciphertext is generated based on the encryption result A and the encryption result B. In practical application, the first ciphertext is an ECC digital envelope.
Compared with the first encryption mode, the second encryption mode has higher security, its processing speed when encrypting the first data is higher, and the AES key generated during its encryption process is smaller than the key generated in the first encryption mode, so fewer storage resources are needed.
When the encryption mode of the second ciphertext is the first encryption mode or the second encryption mode, the invoking the first SDK to decrypt the second ciphertext to generate the first plaintext, including:
decrypting the second ciphertext according to second private key information of the server to generate the first plaintext; the second private key information of the server is determined based on the second public key information of the client.
The second ciphertext returned by the server is obtained by encrypting the first processing result based on the encryption mode of the first ciphertext. When the second ciphertext received by the client was encrypted based on the first encryption mode or the second encryption mode, the first SDK can decrypt the second ciphertext; in practical application, the decryption process of the second ciphertext is the reverse of the encryption process of the first ciphertext.
Under the condition that the second ciphertext is obtained by encrypting based on the first encryption mode, the second ciphertext is an RSA digital envelope, the RSA digital envelope is decrypted by using a private key of the client to obtain second private key information of the server, the second private key information of the server is used for encrypting the first processing result to generate the second ciphertext, and then the encrypted first processing result can be decrypted by using the second private key information of the server to obtain the first plaintext.
Under the condition that the second ciphertext is obtained by encrypting based on the second encryption mode, the second ciphertext is an ECC digital envelope, the ECC digital envelope is decrypted by using a private key of the client to obtain second private key information of the server, the second private key information of the server is used for encrypting the first processing result to generate the second ciphertext, and then the encrypted first processing result can be decrypted by using the second private key information of the server to obtain the first plaintext.
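As an added illustration of the first and second encryption modes and their reverse decryption path (example code, not taken from the patent or from any SDK it describes), the following Go program builds and opens both envelopes: result A is the service data under AES-256-GCM, and result B is either the RSA-OAEP-wrapped data key or the client's ephemeral P-256 public key. The choice of P-256, AES-GCM, OAEP, and hashing the ECDH shared secret with SHA-256 as the key derivation are assumptions made for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope: ResultA is the data under a fresh key, ResultB recovers that key.
type Envelope struct{ ResultA, ResultB []byte }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil
}
// aeadOpen reverses aeadSeal; the GCM tag check rejects tampered data.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// SealRSA, first encryption mode: a random symmetric key (the client's "first
// private key information") protects the data (A); RSA-OAEP wraps that key (B).
func SealRSA(serverPub *rsa.PublicKey, data []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	a, err := aeadSeal(dataKey, data)
	if err != nil {
		return nil, err
	}
	b, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{ResultA: a, ResultB: b}, nil
}
// OpenRSA, server side: unwrap the key with the RSA private key, then open A.
func OpenRSA(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, env.ResultB, nil)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dataKey, env.ResultA)
}
// SealECC, second encryption mode: an ephemeral P-256 key pair is the client's
// private key information, ECDH with the server's public key yields the AES key
// (SHA-256 of the shared secret is an assumed KDF), and B is the ephemeral public key.
func SealECC(serverPub *ecdh.PublicKey, data []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	aesKey := sha256.Sum256(shared)
	a, err := aeadSeal(aesKey[:], data)
	if err != nil {
		return nil, err
	}
	return &Envelope{ResultA: a, ResultB: eph.PublicKey().Bytes()}, nil
}
// OpenECC recomputes the AES key from the server's private key and result B.
func OpenECC(serverPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	clientPub, err := ecdh.P256().NewPublicKey(env.ResultB)
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(clientPub)
	if err != nil {
		return nil, err
	}
	aesKey := sha256.Sum256(shared)
	return aeadOpen(aesKey[:], env.ResultA)
}
```

Because the data key never travels in the clear and the GCM tag covers result A, a modified envelope or a decryption attempt with the wrong server key fails closed instead of yielding garbage plaintext.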
In an embodiment, as shown in fig. 4, the encrypting the first data based on at least one encryption manner supported by the first SDK to generate the first ciphertext includes:
S401: under the condition that a third encryption mode is selected from at least one encryption mode supported by the first SDK, sending a second request to a key management platform; the second request is used for requesting to distribute communication key information between the client and the server.
The third encryption mode is to encrypt the first data through the communication key information between the client and the server, wherein the communication key information between the client and the server is distributed by the key management platform. The key management platform is used for managing keys and providing different key management services such as key registration and key distribution.
And the client side sends a second request to the key management platform to acquire the communication key information between the client side and the server distributed by the key management platform.
In practical application, the client generates temporary public key information and temporary private key information of the client based on the first SDK, invokes an initialize function to initialize a handshake state machine (HS), which is used for determining the handshake state between the client and the server, and invokes a write_message function to update the HS, so as to generate a first buffer (buffer1). The first buffer buffer1 includes the temporary public key information of the client generated by the first SDK, signature information and other information. The client sends the second request carrying buffer1 to the key management platform based on the first SDK.
S402: receiving a first response returned by the key management platform about the second request; the first response includes first key information and second key information.
After the key management platform completes processing of the second request, the client can receive first key information and second key information returned by the key management platform, wherein the first key information and the second key information are communication key information between the client and the server.
The first response received by the client is a second buffer (buffer2) generated by encrypting the temporary public key information of the client. The first SDK invokes the write_message function to update the HS and decrypts buffer2, so that the first key information and the second key information are obtained.
S403: and encrypting the first data according to the first key information to generate the first ciphertext.
The first data is encrypted using the first key information, thereby generating a first ciphertext.
When the encryption mode of the second ciphertext is the third encryption mode, the invoking the first SDK to decrypt the second ciphertext to generate the first plaintext, including:
and decrypting the second ciphertext through the second key information to generate the first plaintext.
The client requests the key management platform to distribute the communication key information between the client and the server through the second request, and similarly, the server can also acquire the communication key information between the client and the server from the key management platform. In the communication key information distributed by the key management platform, when the client encrypts data by using the first key information, the server encrypts data by using the second key information, and in this case, the client can decrypt the second ciphertext by using the second key information to obtain the first plaintext.
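The direction-bound key pair of the third encryption mode, as an added Go example that is not part of the patent or any SDK it describes: the key management platform's first response is modelled as two keys split from one handshake secret with HMAC-SHA256 (an assumed stand-in for the Noise split, with constructed labels), the client seals with the first key and opens with the second, the server does the reverse, and RoundTrip walks S301 to S305 for this mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// CommKeys is the pair distributed in the first response: K1 protects
// client-to-server data, K2 protects server-to-client data.
type CommKeys struct{ K1, K2 []byte }

// SplitKeys derives the two direction keys from one handshake secret with
// HMAC-SHA256 under distinct labels, in the spirit of the Noise "Split" step.
// The labels and this KDF are assumptions for the example, not the patent's.
func SplitKeys(handshakeSecret []byte) CommKeys {
	expand := func(label string) []byte {
		m := hmac.New(sha256.New, handshakeSecret)
		m.Write([]byte(label))
		return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
	}
	return CommKeys{K1: expand("client->server"), K2: expand("server->client")}
}

// Peer is one end of the channel: both ends hold the same pair, with the send
// and receive roles swapped.
type Peer struct{ sendKey, recvKey []byte }

func NewClient(k CommKeys) *Peer { return &Peer{sendKey: k.K1, recvKey: k.K2} }
func NewServer(k CommKeys) *Peer { return &Peer{sendKey: k.K2, recvKey: k.K1} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an outgoing message under this peer's send key with a fresh
// random nonce prepended to the ciphertext.
func (p *Peer) Seal(msg []byte) ([]byte, error) {
	gcm, err := gcmFor(p.sendKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open decrypts an incoming message under this peer's receive key. A message
// sealed in the wrong direction, or tampered with, fails the GCM tag check.
func (p *Peer) Open(sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(p.recvKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RoundTrip walks S301 to S305 for the third encryption mode: the client seals
// the first data with K1, the server opens it, processes the service and seals
// the first processing result with K2, and the client opens that second
// ciphertext to obtain the first plaintext.
func RoundTrip(client, server *Peer, firstData []byte, process func([]byte) []byte) ([]byte, error) {
	firstCiphertext, err := client.Seal(firstData)
	if err != nil {
		return nil, err
	}
	decrypted, err := server.Open(firstCiphertext)
	if err != nil {
		return nil, err
	}
	secondCiphertext, err := server.Seal(process(decrypted))
	if err != nil {
		return nil, err
	}
	return client.Open(secondCiphertext)
}
```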
In one embodiment, as shown in fig. 5, the method further comprises:
S501: sending a third request to the key management platform; the third request is used for requesting registration of second public key information of the client, so that the server encrypts the first processing result according to the second public key information.
The first SDK generates the first private key information of the client while encrypting the first data in the first encryption mode or the second encryption mode, and can also generate the second public key information of the client at the same time; the server can encrypt the data transmitted to the client with this second public key information. In practical application, the server obtains the second public key information of the client through the key management platform, and to ensure that the server can obtain it there, the client needs to register the second public key information with the key management platform. To do so, the client initiates a third request for registering the key to the key management platform, so that the key management platform registers the second public key information; the third request carries the second public key information, and in order to protect the second public key information in transit, the third request carries an encryption result of the second public key information.
S502: receiving a second response returned by the key management platform about the third request; the second response characterizes whether the second public key information is successfully registered.
The key management platform makes a second response according to the registration condition of the second public key information, and the client can receive the second response, so that the registration condition of the second public key information can be determined according to the second response.
In an embodiment, as shown in fig. 6, the method further comprises:
S601: sending a fourth request to the key management platform; the fourth request is used for requesting the latest version of the service certificate; the service certificate includes the first public key information of the server.
The service certificate is the digital certificate of the server, a file digitally signed by a certificate authority; at minimum it contains the first public key information of the server, the name of the server and the digital signature of the certificate authority.
In the first encryption mode and the second encryption mode, the first public key information of the server is needed to encrypt the first data, so the client must obtain it. In practical application the client queries the first public key information of the server through the key management platform and stores it, so that the first data can be encrypted with the stored key. Because the first public key information of the server has a validity period, and may be rotated, the client periodically asks the key management platform whether the service certificate has changed: the client sends a fourth request, and the key management platform obtains the latest version of the service certificate of the server.
S602: receiving a third response returned by the key management platform for the fourth request; the third response carries the latest version of the service certificate.
The client receives the third response, which contains the latest version of the service certificate of the server, and can also store that certificate. Encrypting the first data with the first public key information from the latest version of the service certificate ensures that the server can decrypt the first ciphertext and carry out the processing of the first service. In addition, the client can verify the server against its service certificate, so that the first data is not transmitted to an illegitimate server.
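As an added example that is not part of the patent or of the applicant's SDK, the following Go code shows the check a client should run on the service certificate carried by the third response before trusting the first public key in it: the signature chain must end at a certificate authority the client trusts, the certificate must be for the server the client intends to reach, and the validity period must contain the current time. The certificate authority, the server name api.example.test, the serial numbers and the key sizes are constructed for the demonstration; Go's crypto/x509 package does the verification.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCA builds a constructed, self-signed certificate authority for the demonstration.
func NewCA(name string, notAfter time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServiceCert is the certificate authority's side: the service certificate binds the
// server's first public key to the server name under the CA's signature, together with a
// serial number and a validity window, as the page lists.
func IssueServiceCert(ca *x509.Certificate, caKey *rsa.PrivateKey, serverName string,
	serverPub *rsa.PublicKey, serial int64, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, serverPub, caKey)
}

// VerifyServiceCert is the client's check on the certificate carried by the third response:
// the chain must end at a trusted root, the name must be the server the client means to talk
// to, and the validity window must contain now. Only then is the first public key handed
// back for encrypting first data; a certificate failing any check yields an error and no key.
func VerifyServiceCert(certDER []byte, roots *x509.CertPool, serverName string, now time.Time) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     serverName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("service certificate does not carry an RSA public key")
	}
	return pub, nil
}
```

VerifyServiceCert returns the first public key only when every check passes. An expired certificate, a certificate issued for another server name, or one signed by a certificate authority the client does not trust produces an error and no key, which is what keeps the client from sending first data to an illegitimate server; storing the certificate, as the page suggests, only makes sense after this check.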
In the embodiment of the application, the first SDK provides a standardized encryption mode and a standardized decryption mode, and the client completes encryption and decryption of data by calling the first SDK. This secures data transmission between the client and the server, prevents the client from encrypting data with an encryption mode that has known security weaknesses, and improves the efficiency of encryption.
The present application provides another data transmission method, as shown in fig. 7, which is applied to a server and includes:
S701: receiving a first request sent by a client; the first request carries a first ciphertext; the first ciphertext is the encryption result of first data related to a first service; the first request is used for requesting processing of the first service.
The server receives the first request of the client, by which the client asks the server to process the first service. The first service is a data interaction service carried out on the client. For example, when the first service is a login verification service, the client requests the server through the first request to process the login verification service, and the server determines from the first data related to the first service whether the verification passes.
S702: calling a second Software Development Kit (SDK) and generating a first decryption result according to the encryption mode of the first ciphertext; the first decryption result is the decryption result of the first request.
The server must decrypt the first ciphertext before it can process the first service accordingly. The server decrypts the first ciphertext by calling the second SDK, which integrates different functions; for example, the second SDK can implement data encryption and data decryption.
The first ciphertext is decrypted according to the encryption mode in which it was produced to obtain the first decryption result; decrypting the first ciphertext is the inverse of encrypting the first data.
In an embodiment, as shown in fig. 8, calling the second SDK and generating the first decryption result according to the encryption mode of the first ciphertext includes:
S801: when the client is subject to non-certificate authentication, calling the second SDK to determine a second processing result; the second processing result is the authentication result of the client.
The second SDK also integrates the function of authentication. In practical application, a client may be authenticated by certificate-based authentication or by non-certificate authentication. Certificate-based authentication requires the key management platform to obtain the certificate of the client, so it is generally performed on the key management platform. When the client is subject to non-certificate authentication, the second SDK authenticates the client and obtains the second processing result.
S802: when the second processing result indicates that the client has the right to access the server, calling the second SDK and generating the first decryption result according to the encryption mode of the first ciphertext.
When the second processing result indicates that the client has the right to access the server, the client is a legitimate client: the first request was sent by that client, and not by an illegitimate client that has stolen information in order to obtain the processing result of the server, so the first ciphertext can be decrypted and the first service processed.
S803: when the second processing result indicates that the client does not have the right to access the server, returning a fourth response to the first request to the client; the fourth response indicates that processing of the first service is refused.
When the second processing result indicates that the client does not have the right to access the server, the client is an illegitimate client. A typical case is an illegitimate client that intercepts a first request sent by a legitimate client to the server, so that the sender of the first request received by the server changes from the legitimate client to the illegitimate client, which then tricks the server into handing over the data of the legitimate client.
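As an added example, not taken from the patent, the Go code below is one concrete form the non-certificate authentication of S801 to S803 can take: the client attaches a tag computed with HMAC-SHA256 under a per-client pre-shared secret over its identifier, a timestamp, a nonce and the first ciphertext, and the server verifies that tag before it decrypts anything. The pre-shared secret, the header layout, the client identifier app-001 and the five-minute freshness window are assumptions; the page does not say which non-certificate mechanism is used. Binding the tag to the first ciphertext and remembering nonces inside the window is what turns the interception scenario above into a rejected request rather than a stolen processing result.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// AuthHeader travels with the first ciphertext in the first request. Its layout and the
// pre-shared per-client secret are assumptions; the page only says "non-certificate".
type AuthHeader struct {
	ClientID  string
	Timestamp int64  // Unix seconds at the client
	Nonce     string // unique per request
	Tag       string // hex HMAC-SHA256 over the fields above and the first ciphertext
}

// authInput is the byte string the tag covers. The NUL separators are safe only because
// ClientID and Nonce never contain NUL; the ciphertext comes last and needs no framing.
func authInput(clientID string, ts int64, nonce string, firstCiphertext []byte) []byte {
	var tsb [8]byte
	binary.BigEndian.PutUint64(tsb[:], uint64(ts))
	b := append([]byte(clientID), 0)
	b = append(b, tsb[:]...)
	b = append(b, 0)
	b = append(b, nonce...)
	b = append(b, 0)
	return append(b, firstCiphertext...)
}

// Sign is the client side: the tag is bound to the exact first ciphertext being sent.
func Sign(clientID string, secret []byte, ts int64, nonce string, firstCiphertext []byte) AuthHeader {
	mac := hmac.New(sha256.New, secret)
	mac.Write(authInput(clientID, ts, nonce, firstCiphertext))
	return AuthHeader{ClientID: clientID, Timestamp: ts, Nonce: nonce, Tag: hex.EncodeToString(mac.Sum(nil))}
}

// Authenticator is the second SDK's non-certificate check: per-client secrets, a freshness
// window, and the nonces seen inside that window.
type Authenticator struct {
	mu      sync.Mutex
	secrets map[string][]byte
	seen    map[string]int64 // clientID:nonce -> Unix time after which it can be forgotten
	window  time.Duration
}

func NewAuthenticator(secrets map[string][]byte, window time.Duration) *Authenticator {
	return &Authenticator{secrets: secrets, seen: map[string]int64{}, window: window}
}

// Verify returns nil when the client has the right to access the server. Any error maps to
// the fourth response: the first ciphertext is never decrypted for a request that fails here.
func (a *Authenticator) Verify(h AuthHeader, firstCiphertext []byte, now time.Time) error {
	secret, ok := a.secrets[h.ClientID]
	if !ok {
		return errors.New("unknown client")
	}
	skew := time.Duration(now.Unix()-h.Timestamp) * time.Second
	if skew > a.window || skew < -a.window {
		return errors.New("timestamp outside freshness window")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(authInput(h.ClientID, h.Timestamp, h.Nonce, firstCiphertext))
	want, err := hex.DecodeString(h.Tag)
	if err != nil || !hmac.Equal(mac.Sum(nil), want) {
		return errors.New("tag mismatch: header or first ciphertext altered, or wrong secret")
	}
	// Only a request with a valid tag consumes its nonce, so an attacker cannot burn nonces
	// on a legitimate client's behalf. A nonce is kept until its timestamp alone would be
	// rejected; a second copy of the same request inside that time is a replay.
	a.mu.Lock()
	defer a.mu.Unlock()
	for k, expiry := range a.seen {
		if expiry < now.Unix() {
			delete(a.seen, k)
		}
	}
	key := h.ClientID + ":" + h.Nonce
	if _, dup := a.seen[key]; dup {
		return errors.New("replayed request")
	}
	a.seen[key] = h.Timestamp + int64(a.window/time.Second)
	return nil
}
```

The order of the checks matters: the tag is verified before the nonce is recorded, so a forged request can neither exhaust a client's nonces nor be used to probe which nonces are cached, and a request rejected for a stale timestamp leaves no state behind. A shared secret identifies the client but does not by itself stop replay; the timestamp window and nonce cache are what reject the intercepted-and-resent first request described above.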
S703: processing the first service according to the first decryption result to generate a first processing result.
Where the first ciphertext was encrypted with the first key information, the first ciphertext is decrypted according to the first key information to generate the first decryption result.
When the first ciphertext is decrypted using the fifth response, it is decrypted according to the first key information contained in that response, the first key information being the key information the client used to encrypt the first data, which yields the first decryption result.
S704: calling the second SDK to encrypt the first processing result to generate a second ciphertext.
The first processing result is returned to the client. When the result of processing the first service contains sensitive information, returning the first processing result to the client in the clear easily causes data leakage and the security threats that follow from it. In practical application, the first processing result is encrypted in the encryption mode used to generate the first ciphertext, producing the second ciphertext.
S705: returning the second ciphertext to the client.
In the embodiment of the present application, the first ciphertext may be generated in three different encryption modes; the decryption of the first ciphertext and the encryption of the first processing result under each of these modes are described below by way of separate embodiments.
In an embodiment, as shown in fig. 9, calling the second SDK and generating the first decryption result according to the encryption mode of the first ciphertext includes:
S901: sending a fifth request to a key management platform according to the encryption mode of the first ciphertext; the fifth request is used for requesting the key information for decrypting the first ciphertext.
Decryption is the inverse of encryption, so once the encryption mode of the first ciphertext is determined, the first ciphertext can be decrypted accordingly. The key information for decrypting the first ciphertext is obtained through the key management platform: the server sends a fifth request to the key management platform, and the platform provides the server with the key information for the first ciphertext.
S902: decrypting the first ciphertext according to a fifth response returned by the key management platform for the fifth request, and generating the first decryption result.
The server receives the fifth response, which contains the key information for decrypting the first ciphertext, and decrypts the first ciphertext with that key information to obtain the first decryption result. In practical application, the key information carried in the fifth response differs according to the encryption mode of the first ciphertext.
When the encryption mode of the first ciphertext is the first encryption mode, the fifth response comprises the second private key information of the server.
The first encryption mode encrypts based on the RSA algorithm, and the corresponding first ciphertext is an RSA digital envelope. Decrypting the RSA digital envelope first requires the second private key information of the server, which the server obtains from the key management platform through the fifth request; the fifth response received by the server therefore contains the second private key information of the server. With it the server opens the RSA digital envelope and obtains the key information used to encrypt the first data, namely the first private key information of the client, and then decrypts the encrypted first data with that first private key information to obtain the first data.
When the encryption mode of the first ciphertext is the second encryption mode, the fifth response comprises third key information; the third key information is AES key information.
The second encryption mode encrypts based on the ECC algorithm, and the corresponding first ciphertext is an ECC digital envelope. The AES key information is the key information used to encrypt the first data when generating the first ciphertext, and the server decrypts the ECC digital envelope with the AES key information to obtain the first data.
Calling the second SDK to encrypt the first processing result to generate a second ciphertext includes:
based on the first encryption algorithm of the first encryption mode or the second encryption algorithm of the second encryption mode, encrypting the first processing result according to the second private key information of the server and the second public key information of the client to generate the second ciphertext; the first encryption algorithm is the RSA algorithm; the second encryption algorithm is the elliptic curve (ECC) algorithm.
The first processing result is encrypted in the encryption mode of the first ciphertext to generate the second ciphertext.
In the first encryption mode, the first processing result is encrypted based on the RSA algorithm to generate the second ciphertext. Specifically: the first processing result is encrypted with the second private key information of the server to obtain encryption result A for the first processing result; the second private key information of the server is encrypted with the second public key information of the client by the RSA algorithm to obtain encryption result B for the second private key information; and encryption result A and encryption result B are combined into the second ciphertext. In practical application, the second ciphertext is an RSA digital envelope.
In the second encryption mode, the first processing result is encrypted based on the ECC algorithm to generate the second ciphertext. Specifically: from the second private key information of the server, an AES key of the server is generated through Elliptic Curve Diffie-Hellman key exchange (ECDH); the first processing result is encrypted with this AES key to obtain encryption result A for the first processing result; the AES key is encrypted with the second public key information of the client to obtain encryption result B for the AES key of the server; and encryption result A and encryption result B are combined into the second ciphertext. In practical application, the second ciphertext is an ECC digital envelope.
In an embodiment, calling the second SDK and generating the first decryption result according to the encryption mode of the first ciphertext includes:
when the encryption mode is the third encryption mode, the fifth response comprises the first key information and the second key information; the first key information and the second key information are the communication key information between the client and the server.
In the third encryption mode, the data is encrypted with the key information the client asked the key management platform to distribute. The server therefore uses the fifth request to obtain from the key management platform the key information that the platform distributed to the client, receives the first key information and the second key information in the fifth response, and decrypts the first ciphertext according to that key information to obtain the first decryption result.
Calling the second SDK to encrypt the first processing result to generate a second ciphertext includes:
encrypting the first processing result according to the second key information to generate the second ciphertext.
Where the client encrypts with the first key information, the server encrypts the first processing result with the second key information to generate the second ciphertext.
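As an added example that reproduces neither the applicant's SDK nor its exact key layout, the following Go code builds and opens the two digital envelope shapes described above for the first and second encryption modes, using only Go's standard library. In RSA mode a fresh content key encrypts the payload (encryption result A) and RSA-OAEP under the recipient's public key wraps that content key (encryption result B); in ECC mode an ECDH shared secret between the sender's private key and the recipient's public key is turned into the AES key, the payload is encrypted with AES-256-GCM, and encryption result B carries the sender's public key so the recipient can rerun the same derivation. The random content key plays the role of the per-envelope key the page calls the sender's private key information; carrying the sender's public key as result B rather than an encrypted AES key, and using SHA-256 as the key derivation step, are assumptions. The third encryption mode reduces to the same AES-GCM step with the distributed first or second key information in place of the content key and no result B. The mode tag is bound into the AES-GCM associated data so that a result A produced in one mode is rejected on the other mode's decryption path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Encryption modes as numbered on the page.
const (
	ModeRSA byte = 1 // RSA digital envelope
	ModeECC byte = 2 // ECC digital envelope
)

// Envelope is the combined ciphertext: mode tag, encryption result B (wrapped content key
// in RSA mode, sender's ECDH public key in ECC mode) and encryption result A (nonce || AES-GCM).
type Envelope struct {
	Mode byte
	B    []byte
	A    []byte
}

// must panics on errors only a programming mistake can cause; attacker-controlled input
// below is reported as a returned error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadSeal returns result A = random nonce || AES-256-GCM ciphertext. The mode tag is bound
// as associated data, so a result A from one mode is rejected on the other mode's path.
func aeadSeal(key, payload []byte, mode byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return append(nonce, gcm.Seal(nil, nonce, payload, []byte{mode})...)
}

func aeadOpen(key, a []byte, mode byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(a) < gcm.NonceSize() {
		return nil, errors.New("result A too short")
	}
	return gcm.Open(nil, a[:gcm.NonceSize()], a[gcm.NonceSize():], []byte{mode})
}

// SealRSA: a fresh 256-bit content key (the per-envelope key the page calls the sender's
// private key information) encrypts the payload; RSA-OAEP under the recipient's public key
// wraps that content key as result B.
func SealRSA(recipient *rsa.PublicKey, payload []byte) *Envelope {
	contentKey := make([]byte, 32)
	must(io.ReadFull(rand.Reader, contentKey))
	b := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil))
	return &Envelope{Mode: ModeRSA, B: b, A: aeadSeal(contentKey, payload, ModeRSA)}
}

// OpenRSA unwraps the content key with the recipient's private key, then opens result A.
func OpenRSA(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.B, nil)
	if err != nil {
		return nil, err
	}
	return aeadOpen(contentKey, env.A, ModeRSA)
}

// eccKey derives the AES key from the ECDH shared secret. SHA-256 as the KDF is an
// assumption; the page names only ECDH followed by AES.
func eccKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append([]byte("ecc-envelope|"), shared...))
	return sum[:], nil
}

// SealECC: the sender's ECDH private key and the recipient's public key give the AES key;
// result B carries the sender's public key so the recipient can rerun the derivation.
func SealECC(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, payload []byte) *Envelope {
	key := must(eccKey(sender, recipient))
	return &Envelope{Mode: ModeECC, B: sender.PublicKey().Bytes(), A: aeadSeal(key, payload, ModeECC)}
}

// OpenECC rebuilds the AES key from the recipient's private key and the sender's public key
// in result B; a wrong key, a tampered result A or a non-ECC envelope ends in an error.
func OpenECC(recipient *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	senderPub, err := ecdh.P256().NewPublicKey(env.B)
	if err != nil {
		return nil, err
	}
	key, err := eccKey(recipient, senderPub)
	if err != nil {
		return nil, err
	}
	return aeadOpen(key, env.A, ModeECC)
}
```

Two points a practitioner should take from this layout. First, opening an envelope is fail-closed: a modified result A or B, or an envelope fed to the wrong mode's path, returns an error and no plaintext, which is the condition under which the server reports the sixth response rather than processing the first service. Second, SealECC uses a static sender key, so every envelope between the same pair derives the same AES key and the random 96-bit GCM nonce is all that separates messages; a production SDK would use an ephemeral sender key per envelope or a per-message salt in the derivation.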
In an embodiment, the method further comprises:
sending a sixth response to the key management platform when the first decryption result cannot be generated; the sixth response indicates that decryption of the first ciphertext failed.
In general, the key information contained in the fifth response returned by the key management platform for the fifth request is correct, and the server can decrypt the first ciphertext. When the first ciphertext cannot be decrypted with the key information in the fifth response, the server reports the decryption failure to the key management platform, so that the platform can count and analyse decryption failures and the next decryption can succeed.
In the above embodiment, the second SDK provides a standardized encryption mode and a standardized decryption mode. The server decrypts the first ciphertext by calling the second SDK, processes the first service according to the corresponding service data, and encrypts the processing result before returning it to the client, which improves the security of data transmission between the client and the server and also the efficiency of encryption and decryption.
An embodiment of the present application further provides another data transmission method, as shown in fig. 10, which is applied to a key management platform and includes:
S1001: receiving a key management request sent by a client or a server.
The key management platform receives key management requests sent by clients or servers. A key management request sent by a client is generally a request for key registration, for distribution of key information or for the service certificate of the server; a key management request sent by a server is generally a request for key agreement. In practical application, the key management platform supports different key management services and can invoke various key management tools, such as a KMS tool or a PKI tool, to complete the key service requested by the client or the server.
S1002: according to the key management request, calling the key service corresponding to the request, and generating a response to the key management request.
The key management platform determines from the key management request which key service it requires; for example, when the key management request is for key registration, the key registration service is called to register the key. When the key management platform has called the corresponding key service and completed the key service requested, it generates a response to the key management request; for example, once the key registration service has registered the key, it can generate response information stating that key registration succeeded.
In one embodiment, calling the key service corresponding to the request according to the key management request and generating a response to the key management request includes:
when the key management request is a second request, calling a first key service and a first tool to generate a first response to the second request; the first response comprises the first key information and the second key information; the first key service is a key agreement service; the second request is used for requesting distribution of the communication key information between the client and the server.
The key management platform receives a second request, which is initiated by the client to ask the key management platform to distribute the communication key information between the client and the server, so that the client and the server transmit data using the communication key information distributed by the platform.
When the key management request received by the key management platform is a second request, the first key service is called and key agreement is performed through it, generating the communication key information between the client and the server.
The first response is generated as follows: the key management platform receives the second request, which also carries first buffer data buffer1; the platform calls the first key service to perform key agreement; the first key information is obtained by decryption through the first tool, a KMS tool; and the second key information is distributed by calling the key distribution service.
In practical application, returning the first key information and the second key information to the client directly easily causes information leakage, so both need to be encrypted. The first key service is responsible for decrypting the first buffer data buffer1 and for encrypting the first key information and the second key information through two rounds of updating, in which the first key information and the second key information are encrypted with an AES key to derive the AES-encrypted first key information C1 and second key information C2. Only the AES-encrypted first and second key information then need to be encrypted and protected, and even if the plaintext of the AES key leaks in transit, the security of the first key information and the second key information is not affected. The first key service can store C1 and C2 and return second buffer data buffer2 to the client, the second buffer data buffer2 containing the first key information and the second key information.
In an embodiment, as shown in fig. 11, calling the key service corresponding to the request according to the key management request and generating a response to the key management request includes:
S1101: when the key management request is a third request, calling a second key service and determining a third processing result; the third processing result is the result of authenticating the client; the second key service is an authentication service.
The third request is initiated by the client to ask the key management platform to register key information. On receiving the third request, the key management platform calls the second key service to authenticate the client and obtain the third processing result, from which it determines whether the client is legitimate, so that the platform does not register key information for an illegitimate client and an illegitimate client cannot communicate with the server.
S1102: when the third processing result indicates that the client is allowed to access the key management platform, calling a third key service to register the second public key information of the client and generating a second response; the second response indicates that the second public key information was registered successfully; the third key service is a key registration service.
When the third processing result indicates that the client is allowed to access the key management platform, the client is legitimate, and its second public key information is registered. The key management platform registers the second public key information by calling the third key service and generates a second response to the third request. When the platform registers the second public key information successfully, it generates a second response indicating successful key registration, the registered second public key information having been written into the database of the key management platform through the key acquisition service; when registration of the second public key information fails, it generates a second response indicating that key registration failed.
In practical application, the second public key information carried in the third request is encrypted, that is, it is carried in a digital envelope. In this case the digital envelope is opened first to obtain the second public key information, which is then registered. Specifically, the key management platform calls the first key service to unpack the digital envelope and obtain the AES key information with which the second public key information was encrypted, decrypts the encrypted second public key information with that AES key information, and then registers the second public key information.
In one embodiment, calling the key service corresponding to the request according to the key management request and generating a response to the key management request includes:
when the key management request is a fourth request, calling a third key service to generate a third response; the third key service is a key registration service; the third response carries the latest version of the service certificate.
The fourth request is initiated by the client to ask the key management platform to return the latest version of the service certificate. The service certificate is the digital certificate of the server, a file digitally signed by a certificate authority; at minimum it contains the first public key information of the server, the name of the server and the digital signature of the certificate authority, and in general it also contains further information such as the validity period of the first public key information of the server, the name of the issuing authority and the serial number of the service certificate. The client takes the first public key information of the server from the latest version of the service certificate and uses it to encrypt data.
On receiving the fourth request, the key management platform calls the third key service, queries its database for the latest version of the service certificate, and generates a third response to the fourth request, the third response being the latest version of the service certificate.
In an embodiment, as shown in fig. 12, calling the key service corresponding to the request according to the key management request and generating a response to the key management request includes:
S1201: when the key management request is a fifth request, calling the first key service; the fifth request is used for requesting the key information for decrypting the first ciphertext; the first key service is a key agreement service.
The fifth request is initiated by the server to ask the key management platform for the key information for decrypting the first ciphertext, which is obtained by key agreement through the first key service.
S1202: generating a fifth response according to the encryption mode of the first ciphertext; the fifth response comprises the key information for decrypting the first ciphertext.
Decryption is essentially the reverse of encryption, and different encryption modes call for different decryption key information and decryption procedures. When calling the key agreement service, the key management platform therefore negotiates the key information for decrypting the first ciphertext according to the encryption mode of the first ciphertext, and returns that key information to the server in the fifth response, with which the server decrypts.
In an embodiment, generating the fifth response according to the encryption mode of the first ciphertext includes:
when the encryption mode of the first ciphertext is the first encryption mode, calling the first tool to obtain the second private key information of the server.
The first encryption mode encrypts the first data with the RSA algorithm; the resulting first ciphertext is an RSA digital envelope, and decrypting it means first opening the RSA digital envelope and then decrypting the encrypted first data. The key agreement service obtains the key information for opening the RSA digital envelope, namely the second private key information of the server, from the first tool (the KMS tool) and returns it to the server in the fifth response.
when the encryption mode of the first ciphertext is the second encryption mode, calling the first tool to obtain the third key information; the third key information is AES key information.
The second encryption mode encrypts the first data with the ECC algorithm; the resulting first ciphertext is an ECC digital envelope, and obtaining the first data means first opening the ECC digital envelope and then decrypting the encrypted first data. The key agreement service obtains the second private key information of the server from the first tool (the KMS tool) and determines the AES key information from it; the AES key information is the key information used to encrypt the first data, and it is returned to the server in the fifth response.
when the encryption mode of the first ciphertext is the third encryption mode, obtaining the first key information and the second key information according to a first token; the first token identifies key information between the server and the client that the first key service negotiated earlier.
In the third encryption mode, the first data is encrypted with the communication key information between the client and the server distributed by the key management platform, so decrypting the first ciphertext first requires that communication key information. While determining the communication key information, the key management platform stored it in the key agreement service, so the corresponding first key information and second key information can be retrieved from the key agreement service through the first token. The first token distinguishes the communication key information of different client and server pairs, so the matching first key information and second key information can be extracted from the key information held by the key agreement service.
In an embodiment, the method further comprises:
generating a seventh response when the key information for decrypting the first ciphertext cannot be obtained; the seventh response indicates that key agreement failed.
The key management platform determines the key information for decrypting the first ciphertext through the key agreement service. When the key agreement service cannot determine that key information, the server cannot decrypt the first ciphertext; the key management platform then raises an error and reports the seventh response generated for this case, so that the number of key agreement failures can be counted, their causes analysed and the probability of successful key agreement maintained.
In practical application, because the third encryption mode uses communication key information distributed by the key management platform, key agreement cannot fail for it; the first encryption mode and the second encryption mode both require the key management platform to negotiate the second private key information of the server, so key agreement can fail there.
S1003: returning a response to the key management request to the client or server.
In practical application, when data with high security requirements exist in the response of the key management request, the data can be encrypted and then returned to the client or the server, so that the client or the server can receive a processing result of the key management request.
In the above embodiment, in response to a key management request initiated by the server or the client, the key management platform invokes the corresponding key management server to complete the key management service matching the particular key requirement. A standardized processing flow for key management services can thus be provided through different interfaces, which improves key management efficiency and can improve the security of the key information managed by the key management platform.
The application also provides an application embodiment, shown in fig. 13, which is a schematic diagram of the processing flow of the key management technology architecture for an RSA digital envelope.
The client sends an encryption request to the first SDK, and the encryption request is used for requesting the first SDK to encrypt the first data. The first SDK encrypts the first data through a first encryption mode to generate a first ciphertext, and the first ciphertext is an RSA digital envelope.
The client sends a first request to the server for requesting the server to assist in processing the first service, wherein the first request carries a first ciphertext.
After receiving the first request, the server requests the second SDK to decrypt the first ciphertext. The second SDK requests the key information for decrypting the first ciphertext by sending a fifth request to the key management platform.
After receiving the fifth request, the key negotiation application service of the key management platform calls the service authentication capability of the domain layer to authenticate the client; for simple non-certificate authentication, the authentication can be integrated in the second SDK. After the service authentication capability obtains the authentication result of the client, it returns the authentication result to the key negotiation application service. The key negotiation application service then requests the key negotiation field service to perform key negotiation; the key negotiation field service acquires the second private key information of the server from the KMS and returns it to the second SDK layer by layer. If the key negotiation field service cannot acquire the second private key information of the server from the KMS, negotiation failure information is reported to data statistics.
And after obtaining the second private key information of the server, the second SDK decrypts the first ciphertext to obtain a decryption result of the first ciphertext and returns the decryption result of the first ciphertext to the server.
And the server processes the service logic according to the decryption result of the first ciphertext, calls a second SDK to encrypt the processing result and returns the second ciphertext to the client.
And after receiving the second ciphertext, the client calls the first SDK to decrypt the second ciphertext, the first SDK returns the first plaintext obtained by decrypting the second ciphertext to the client, and the client processes the service logic according to the first plaintext.
The application also provides another application embodiment, shown in fig. 14, which is a schematic diagram of the processing flow of the key management technology architecture for an ECC digital envelope.
The client sends an encryption request to the first SDK, and the encryption request is used for requesting the first SDK to encrypt the first data. And the first SDK encrypts the first data through a second encryption mode to generate a first ciphertext, wherein the first ciphertext is an ECC digital envelope.
The client sends a first request to the server for requesting the server to assist in processing the first service, wherein the first request carries a first ciphertext.
After receiving the first request, the server requests the second SDK to decrypt the first ciphertext. The second SDK requests the key information for decrypting the first ciphertext by sending a fifth request to the key management platform.
After receiving the fifth request, the key negotiation application service of the key management platform calls the service authentication capability of the domain layer to authenticate the client; for simple non-certificate authentication, the authentication can be integrated in the second SDK. After the service authentication capability obtains the authentication result of the client, it returns the authentication result to the key negotiation application service. The key agreement application service then requests the key agreement field service to perform key agreement; the key agreement field service acquires the second private key information of the server from the KMS, computes an AES key by ECDH according to the second private key information, and returns the AES key to the second SDK layer by layer. If the key negotiation field service cannot acquire the AES key from the KMS, negotiation failure information is reported to data statistics.
And after obtaining the AES key, the second SDK decrypts the first ciphertext to obtain a decryption result of the first ciphertext and returns the decryption result of the first ciphertext to the server.
And the server processes the service logic according to the decryption result of the first ciphertext, calls a second SDK to encrypt the processing result and returns the second ciphertext to the client.
And after receiving the second ciphertext, the client calls the first SDK to decrypt the second ciphertext, the first SDK returns the first plaintext obtained by decrypting the second ciphertext to the client, and the client processes the service logic according to the first plaintext.
Another application embodiment is provided, and as shown in fig. 15, fig. 15 is a schematic diagram illustrating a processing flow of a key management technology architecture for a first ciphertext encrypted based on a communication key between a client and a server.
The client sends an encryption request to the first SDK, and the encryption request is used for requesting the first SDK to encrypt the first data. The first SDK initializes, generating temporary public key information and private key information, calls an initialization function (HS), calls the write_message function to update the HS, generates first cache data buffer1, and transmits the first cache data buffer1 to the key management platform; the first cache data buffer1 contains the temporary public key information, a signature and other information.
After receiving the first cache data buffer1, the key management platform calls the key agreement application service, which requests the key agreement domain service to perform key agreement. The key agreement domain service obtains the service private key through the KMS and calls the key distribution service to obtain the application public key; it then generates temporary public key information and private key information according to the service private key and the application public key, updates the HS through two rounds, decrypts the first cache data buffer1, and derives AES key information comprising the first key information and the second key information. The key agreement domain service returns the second cache data buffer2, the temporary public key information, the first key information and the second key information to the key agreement application service, which retains the first key information and the second key information and returns the second cache data buffer2, the first key information and the second key information to the client.
The first SDK calls the write_message function to update the HS and decrypts the second cache data buffer2 to obtain the first key information and the second key information. It then encrypts the first data with the first key information to obtain the first ciphertext and returns the first ciphertext to the client.
The client sends a first request to the server for requesting the server to assist in processing the first service, wherein the first request carries a first ciphertext.
And after receiving the first request, the server requests the second SDK to decrypt the first ciphertext. And the second SDK is used for requesting to acquire the key information for decrypting the first ciphertext by sending a fifth request to the key management platform.
After receiving the fifth request, the key management platform obtains the first key information and the second key information through the key negotiation application service and the corresponding first mark, and returns the first key information and the second key information to the server.
The server calls the second SDK to decrypt the first ciphertext with the first key information, and the second SDK returns the decryption result of the first ciphertext to the server.
And the server processes the service logic according to the decryption result of the first ciphertext and calls the second SDK to encrypt the first processing result.
And the second SDK encrypts the first processing result through the second key information to generate a second ciphertext. And the server returns the second ciphertext to the client.
And the client calls the first SDK, decrypts the second ciphertext according to the second key information to obtain a first plaintext, and processes the service logic according to the first plaintext.
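The fig. 15 flow as an added, runnable Go example (not the patent's or any product's code): the key management platform negotiates the first and second key information with the client over a single X25519 exchange standing in for the HS handshake, keeps them under a token that plays the role of the first mark, and serves the server's fifth request by that mark; an unknown mark yields the seventh-response failure that is counted for statistics. AES-256-GCM and an HMAC-SHA256 key derivation are this example's assumptions, since the patent names AES but not the cipher mode or KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// must panics on operations that cannot fail for valid inputs (key generation, AES-GCM setup).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SessionKeys: First is the "first key information" (client to server), Second the "second key information".
type SessionKeys struct{ First, Second []byte }

// KeyManagementPlatform retains negotiated keys under a token (the "first mark") for the server's fifth request.
type KeyManagementPlatform struct {
	store    map[string]SessionKeys
	Failures int // lookups that could not be served, i.e. the patent's "seventh response"
}

func NewKeyManagementPlatform() *KeyManagementPlatform { return &KeyManagementPlatform{store: map[string]SessionKeys{}} }

// deriveKeys binds each direction to its own AES-256 key (HMAC-SHA256 with a label is this example's assumption, not the patent's KDF).
func deriveKeys(shared []byte) SessionKeys {
	kdf := func(label string) []byte {
		m := hmac.New(sha256.New, shared)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return SessionKeys{First: kdf("first key information"), Second: kdf("second key information")}
}

// Negotiate answers the client's second request: one X25519 exchange stands in for the HS handshake; the token hashes both ephemeral public keys.
func (k *KeyManagementPlatform) Negotiate(clientPub *ecdh.PublicKey) (string, *ecdh.PublicKey) {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	sum := sha256.Sum256(append(clientPub.Bytes(), priv.PublicKey().Bytes()...))
	token := hex.EncodeToString(sum[:])
	k.store[token] = deriveKeys(must(priv.ECDH(clientPub)))
	return token, priv.PublicKey()
}

// Lookup answers the server's fifth request in the third mode; an unknown mark is the seventh-response case.
func (k *KeyManagementPlatform) Lookup(token string) (SessionKeys, error) {
	keys, ok := k.store[token]
	if !ok {
		k.Failures++
		return SessionKeys{}, errors.New("seventh response: no key information negotiated for this mark")
	}
	return keys, nil
}

// seal returns nonce || ciphertext || tag under AES-256-GCM; open reverses it and rejects tampering.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, ciphertext []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// RunThirdModeFlow walks the fig. 15 exchange end to end and returns the first plaintext.
func RunThirdModeFlow(kmp *KeyManagementPlatform, firstData []byte, handle func([]byte) []byte) ([]byte, error) {
	clientPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	token, platformPub := kmp.Negotiate(clientPriv.PublicKey())
	clientKeys := deriveKeys(must(clientPriv.ECDH(platformPub))) // what the first SDK recovers from buffer2
	firstCiphertext := seal(clientKeys.First, firstData)          // first request carries token + first ciphertext
	serverKeys, err := kmp.Lookup(token)                           // server side: fifth request keyed by the first mark
	if err != nil {
		return nil, err // no key information: the server cannot decrypt the first ciphertext
	}
	firstDecryption, err := open(serverKeys.First, firstCiphertext)
	if err != nil {
		return nil, err
	}
	secondCiphertext := seal(serverKeys.Second, handle(firstDecryption)) // encrypted first processing result
	return open(clientKeys.Second, secondCiphertext)                      // client opens with the second key
}

func main() {
	out, err := RunThirdModeFlow(NewKeyManagementPlatform(), []byte("constructed first data"), func(b []byte) []byte { return append([]byte("ok: "), b...) })
	fmt.Println(string(out), err)
}
```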
The present application also provides another application embodiment, as shown in fig. 16, fig. 16 shows a processing flow of key management technology architecture registration key.
The client side initializes the first SDK, the first SDK generates public key information and private key information, and the public key information and the private key information are stored. And the client initiates a third request to the key management platform, wherein the third request carries the public key information.
The key management platform calls the key registration application service according to the third request. If the public key information is encrypted in a digital envelope, the key registration application service requests the key negotiation field service to open the digital envelope; the key negotiation field service opens the digital envelope to obtain an AES (Advanced Encryption Standard) key and returns the AES key to the key registration application service, which decrypts with the AES key to obtain the public key information. The key registration application service calls the service authentication capability, which authenticates the client and returns the authentication result to the key registration application service. When the authentication result indicates that the client is a legitimate client, the key registration application service sends the public key information to the key acquisition service, which stores the public key information in a database and returns a response layer by layer.
The client is able to receive a response characterizing the successful enrollment.
The present application further provides another application embodiment, as shown in fig. 17, fig. 17 shows a process flow of service certificate upgrade of a key management technology architecture.
The client initializes the first SDK and calls the first SDK to send a fourth request to the key management platform, wherein the fourth request is used for requesting the key management platform to detect the update of the service certificate.
The key management platform calls the key registration application service according to the fourth request; the key registration application service acquires the latest version of the business certificate from the key distribution field service, which queries the database and returns the latest version of the business certificate to the client layer by layer, so that the client obtains the latest version of the business certificate.
The present application also provides another application embodiment, as shown in fig. 18, fig. 18 shows a key application service access process.
The service side submits the application for creating the certificate, the management background creates the corresponding certificate according to the request, and the certificate is sent to the examination. And the examination and approval personnel carry out the first examination and approval on the certificate, then the platform carries out the second examination and approval on the certificate, the service party carries out the debugging of the access SDK according to the second examination and approval result, and the gateway forwarding rule is configured according to the debugging result. In addition, the platform evaluates the service volume according to the second approval result, informs the platform to prepare the online of the relevant service, and deploys the corresponding resources.
An embodiment of the present application further provides a data transmission apparatus, as shown in fig. 19, which is applied to a client, and includes:
a first encryption unit 1901, configured to invoke a first software development kit SDK, encrypt first data related to a first service based on at least one encryption manner supported by the first SDK, and generate a first ciphertext;
a first sending unit 1902, configured to send a first request to a server; the first request carries the first ciphertext; the first request is used for requesting to process the first service;
a first receiving unit 1903, configured to receive a second ciphertext returned by the server based on the first request; the second ciphertext is obtained by encrypting a first processing result of the first ciphertext by the server based on the first request;
a first decryption unit 1904, configured to invoke the first SDK to decrypt the second ciphertext to generate a first plaintext;
a first processing unit 1905, configured to process the first service based on the first plaintext.
In an embodiment, when the first software development kit SDK is called, the first encryption unit 1901 encrypts first data about a first service based on at least one encryption manner supported by the first SDK, and generates a first ciphertext, further configured to:
under the condition that a first encryption mode or a second encryption mode is selected from at least one encryption mode supported by the first SDK, encrypting the first data according to first private key information of a client and first public key information of a server based on a first encryption algorithm of the first encryption mode or a second encryption algorithm of the second encryption mode to generate a first ciphertext; the first encryption algorithm is an RSA algorithm; the second encryption algorithm is an elliptic curve ECC algorithm;
the first decryption unit 1904, when the first SDK is called to decrypt the second ciphertext to generate a first plaintext, is further configured to:
decrypting the second ciphertext according to second private key information of the server to generate the first plaintext; the second private key information of the server is determined based on the second public key information of the client.
In an embodiment, when the first software development kit SDK is called, the first encryption unit 1901 encrypts first data about a first service based on at least one encryption manner supported by the first SDK, and generates a first ciphertext, further configured to:
under the condition that a third encryption mode is selected from at least one encryption mode supported by the first SDK, sending a second request to a key management platform; the second request is used for requesting to distribute communication key information between the client and the server;
receiving a first response returned by the key management platform about the second request; the first response comprises first key information and second key information;
and encrypting the first data according to the first key information to generate the first ciphertext.
The first decryption unit 1904, when the first SDK is called to decrypt the second ciphertext to generate a first plaintext, is further configured to:
and decrypting the second ciphertext through the second key information to generate the first plaintext.
In an embodiment, the apparatus is further configured to:
sending a fourth request to the key management platform; the fourth request is used for requesting to acquire a new version of the service certificate; the service certificate comprises first public key information of the server;
receiving a third response returned by the key management platform based on the fourth request; the third response characterizes the latest version of the business certificate.
In practical applications, the first encrypting unit 1901, the first sending unit 1902, the first receiving unit 1903, the first decrypting unit 1904, and the first processing unit 1905 may be implemented by a processor in a data transmission device. Of course, the processor needs to run the program stored in the memory to realize the functions of the above-described program modules.
It should be noted that, when the data transmission device provided in the embodiment of fig. 19 performs data transmission, only the division of the program modules is illustrated, and in practical applications, the above processing may be distributed to different program modules according to needs, that is, the internal structure of the device may be divided into different program modules to complete all or part of the above-described processing. In addition, the data transmission device and the data transmission method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
An embodiment of the present application further provides another data transmission apparatus, as shown in fig. 20, which is applied to a server, and includes:
a second receiving unit 2001, configured to receive the first request sent by the client; the first request carries a first ciphertext; the first ciphertext represents an encryption result of first data related to a first service; the first request is used for requesting to process the first service;
the second decryption unit 2002 is configured to invoke a second software development kit SDK, and generate a first decryption result according to the encryption mode of the first ciphertext; the first decryption result characterizing a decryption result with respect to the first request;
a second processing unit 2003, configured to process the first service according to the first decryption result, and generate a first processing result;
a second encrypting unit 2004, configured to invoke the second SDK to encrypt the first processing result, and generate a second ciphertext;
a second sending unit 2005, configured to return the second ciphertext to the client.
In an embodiment, when the second decryption unit 2002 invokes the second software development kit SDK to generate the first decryption result according to the encryption mode of the first ciphertext, the second decryption unit is further configured to:
under the condition that the client side is applicable to non-certificate authentication, calling the second SDK to determine a second processing result; the second processing result represents an authentication result of the client;
under the condition that the second processing result represents that the client has the right of accessing the server, calling the second SDK, and generating the first decryption result according to the encryption mode of the first ciphertext;
returning a fourth response to the first request to the client when the second processing result indicates that the client does not have the right to access the server; the fourth response characterizes a rejection of processing the first service.
In an embodiment, when the second decryption unit 2002 invokes the second software development kit SDK to generate the first decryption result according to the encryption mode of the first ciphertext, the second decryption unit is further configured to:
sending a fifth request to a key management platform according to the encryption mode of the first ciphertext; the fifth request is used for requesting to acquire key information for decrypting the first ciphertext;
decrypting the first ciphertext according to a fifth response, returned by the key management platform, regarding the fifth request, and generating the first decryption result; wherein
when the encryption mode of the first ciphertext is the first encryption mode, the fifth response comprises the second private key information of the server;
when the encryption mode of the first ciphertext is the second encryption mode, the fifth response comprises third key information; the third key information is AES key information;
the second encrypting unit 2004 is further configured to, when invoking the second SDK to encrypt the first processing result and generate a second ciphertext:
based on a first encryption algorithm of a first encryption mode or a second encryption algorithm of a second encryption mode, encrypting the first processing result according to second private key information of the server and second public key information of the client to generate a second ciphertext; the first encryption algorithm is an RSA algorithm; the second encryption algorithm is an elliptic curve ECC algorithm.
In an embodiment, when the encryption scheme is the third encryption scheme, the fifth response includes the first key information and the second key information; the first key information and the second key information represent communication key information between the client and the server;
the second encrypting unit 2004 is further configured to, when invoking the second SDK to encrypt the first processing result and generate a second ciphertext:
and encrypting the first processing result according to the second key information to generate the second ciphertext.
In an embodiment, the apparatus is further configured to:
sending a sixth response to the key management platform if the first decryption result cannot be generated; the sixth response characterizes a failure to decrypt the first ciphertext.
In actual use, the second receiving unit 2001, the second decrypting unit 2002, the second processing unit 2003, the second encrypting unit 2004, and the second sending unit 2005 can be realized by a processor in the data transmission device. Of course, the processor needs to run the program stored in the memory to realize the functions of the above-described program modules.
It should be noted that, when the data transmission device provided in the embodiment of fig. 20 performs data transmission, the division of the program modules is merely exemplified, and in practical applications, the above processing may be distributed to different program modules according to needs, that is, the internal structure of the device may be divided into different program modules to complete all or part of the above-described processing. In addition, the data transmission device and the data transmission method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
An embodiment of the present application further provides another data transmission apparatus, as shown in fig. 21, which is applied to a key management platform, and includes:
a third receiving unit 2101, configured to receive a key management request sent by a client or a server;
a first generating unit 2102 configured to invoke a key service corresponding to the request according to the key management request, and generate a response regarding the key management request;
a third sending unit 2103, configured to return the response regarding the key management request to the client or the server.
In an embodiment, when the first generating unit 2102 invokes a key service corresponding to the key management request according to the key management request, and generates a response regarding the key management request, the first generating unit is further configured to:
in the case that the key management request is a second request, calling a first key service and a first tool to generate a first response about the second request; the first response comprises first key information and second key information; the first key service characterizes a key agreement service; the second request is used for requesting the distribution of the communication key information between the client and the server.
In an embodiment, when the first generating unit 2102 invokes a key service corresponding to the key management request according to the key management request, and generates a response regarding the key management request, the first generating unit is further configured to:
under the condition that the key management request is a third request, calling a second key service and determining a third processing result; the third processing result represents the result of the authentication of the client; the second key service characterizes an authentication service;
under the condition that the third processing result represents that the client is allowed to access the key management platform, calling a third key service to register second public key information of the client and generating a second response; the second response represents that the second public key information is successfully registered; the third key service characterizes a key registration service.
In an embodiment, when the first generating unit 2102 invokes a key service corresponding to the key management request according to the key management request, and generates a response regarding the key management request, the first generating unit is further configured to:
under the condition that the key management request is a fourth request, calling a third key service to generate a third response; the third key service characterizes a key registration service; the third response characterizes the latest version of the business certificate.
In an embodiment, when the first generating unit 2102 invokes a key service corresponding to the key management request according to the key management request, and generates a response regarding the key management request, the first generating unit is further configured to:
calling a first key service under the condition that the key management request is a fifth request; the fifth request is used for requesting to acquire key information for decrypting the first ciphertext; the first key service characterizes a key agreement service;
generating a fifth response according to the encryption mode of the first ciphertext; the fifth response includes key information to decrypt the first ciphertext.
In an embodiment, the first generating unit 2102, when generating the fifth response according to the encryption mode of the first ciphertext, is further configured to:
calling a first tool to acquire first private key information of the server under the condition that the encryption mode of the first ciphertext is a first encryption mode;
calling a first tool to acquire the third key information under the condition that the encryption mode of the first ciphertext is a second encryption mode; the third key information represents AES key information;
under the condition that the encryption mode of the first ciphertext is the third encryption mode, acquiring first key information and second key information according to a first mark; the first mark identifies the key information between the server and the client that the first key service negotiated previously.
In an embodiment, the apparatus is further configured to:
generating a seventh response when key information for decrypting the first ciphertext cannot be obtained; the seventh response characterizes a failure to negotiate key information.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, and fig. 22 is a schematic diagram of a hardware composition structure of the electronic device according to the embodiment of the present application, and as shown in fig. 22, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
a processor 2, connected to the communication interface 1 to realize information interaction with other equipment, and configured to execute the data transmission method provided by one or more of the technical schemes when running a computer program. The computer program is stored in the memory 3.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are labeled as bus system 4 in fig. 22.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present application may be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present application are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer-readable storage medium, for example including a memory 3 storing a computer program, which can be executed by a processor 2 to implement the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof that contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (22)

1. A data transmission method is applied to a client, and the method comprises the following steps:
calling a first Software Development Kit (SDK), and encrypting first data related to a first service based on at least one encryption mode supported by the first SDK to generate a first ciphertext;
sending a first request to a server; the first request carries the first ciphertext; the first request is used for requesting to process the first service;
receiving a second ciphertext returned by the server based on the first request; the second ciphertext is obtained by encrypting a first processing result of the first ciphertext by the server based on the first request;
calling the first SDK to decrypt the second ciphertext to generate a first plaintext;
processing the first service based on the first plaintext.
2. The method of claim 1, wherein the encrypting the first data based on the at least one encryption supported by the first SDK to generate the first ciphertext comprises:
under the condition that a first encryption mode or a second encryption mode is selected from at least one encryption mode supported by the first SDK, encrypting the first data according to first private key information of the client and first public key information of the server based on a first encryption algorithm of the first encryption mode or a second encryption algorithm of the second encryption mode to generate the first ciphertext; the first encryption algorithm is an RSA algorithm; the second encryption algorithm is an elliptic curve ECC algorithm;
the calling the first SDK to decrypt the second ciphertext to generate a first plaintext, including:
decrypting the second ciphertext according to second private key information of the server to generate the first plaintext; the second private key information of the server is determined based on the second public key information of the client.
3. The method of claim 2, wherein the encrypting the first data based on the at least one encryption supported by the first SDK to generate the first ciphertext comprises:
under the condition that a third encryption mode is selected from at least one encryption mode supported by the first SDK, sending a second request to a key management platform; the second request is used for requesting to distribute communication key information between the client and the server;
receiving a first response returned by the key management platform about the second request; the first response comprises first key information and second key information;
encrypting the first data according to the first key information to generate the first ciphertext;
the calling the first SDK to decrypt the second ciphertext to generate a first plaintext, including:
and decrypting the second ciphertext through the second key information to generate the first plaintext.
4. The method of claim 1, further comprising:
sending a third request to the key management platform; the third request is used for requesting registration of second public key information of the client so that the server encrypts the first processing result according to the second public key information;
receiving a second response returned by the key management platform about the third request; the second response characterizes whether the second public key information is successfully registered.
5. The method of claim 2, further comprising:
sending a fourth request to the key management platform; the fourth request is used for requesting to acquire a new version of the service certificate; the service certificate comprises first public key information of the server;
receiving a third response returned by the key management platform based on the fourth request; the third response characterizes the latest version of the business certificate.
6. A data transmission method, applied to a server, the method comprising:
receiving a first request sent by a client; the first request carries a first ciphertext; the first ciphertext represents an encryption result of first data related to a first service; the first request is used for requesting to process the first service;
calling a second Software Development Kit (SDK) and generating a first decryption result according to the encryption mode of the first ciphertext; the first decryption result characterizing a decryption result with respect to the first request;
processing the first service according to the first decryption result to generate a first processing result;
calling the second SDK to encrypt the first processing result to generate a second ciphertext;
and returning the second ciphertext to the client.
7. The method of claim 6, wherein the invoking the second SDK to generate a first decryption result according to the encryption mode of the first ciphertext comprises:
under the condition that the client uses non-certificate authentication, calling the second SDK to determine a second processing result; the second processing result represents an authentication result of the client;
under the condition that the second processing result represents that the client has the right to access the server, calling the second SDK and generating the first decryption result according to the encryption mode of the first ciphertext;
under the condition that the second processing result represents that the client does not have the right to access the server, returning a fourth response to the first request to the client; the fourth response characterizes a rejection of processing the first service.
8. The method of claim 6, wherein the invoking the second SDK to generate a first decryption result according to the encryption mode of the first ciphertext comprises:
sending a fifth request to a key management platform according to the encryption mode of the first ciphertext; the fifth request is used for requesting to acquire key information for decrypting the first ciphertext;
decrypting the first ciphertext according to a fifth response, returned by the key management platform, regarding the fifth request, to generate the first decryption result; wherein:
when the encryption mode of the first ciphertext is a first encryption mode, the fifth response comprises second private key information of the server;
when the encryption mode of the first ciphertext is the first encryption mode, the fifth response comprises third key information; the third key information is AES key information;
the calling the second SDK to encrypt the first processing result to generate a second ciphertext comprises:
based on a first encryption algorithm of a first encryption mode or a second encryption algorithm of a second encryption mode, encrypting the first processing result according to second private key information of the server and second public key information of the client to generate the second ciphertext; the first encryption algorithm is an RSA algorithm; the second encryption algorithm is an elliptic curve ECC algorithm.
9. The method according to claim 8, wherein in a case where the encryption scheme is a third encryption scheme, the fifth response includes first key information and second key information; the first key information and the second key information represent communication key information between the client and the server;
the calling the second SDK to encrypt the first processing result to generate a second ciphertext comprises:
and encrypting the first processing result according to the second key information to generate the second ciphertext.
10. The method of claim 6, further comprising:
sending a sixth response to the key management platform if the first decryption result cannot be generated; the sixth response characterizes a failure to decrypt the first ciphertext.
11. A data transmission method applied to a key management platform, the method comprising:
receiving a key management request sent by a client or a server;
according to the key management request, calling a key service corresponding to the request, and generating a response about the key management request;
returning a response to the key management request to the client or server.
12. The method of claim 11, wherein the invoking a key service corresponding to the request according to the key management request to generate a response to the key management request comprises:
in the case that the key management request is a second request, calling a first key service and a first tool to generate a first response about the second request; the first response comprises first key information and second key information; the first key service characterizes a key agreement service; the second request is used for requesting the distribution of the communication key information between the client and the server.
13. The method of claim 11, wherein the invoking a key service corresponding to the request according to the key management request to generate a response to the key management request comprises:
under the condition that the key management request is a third request, calling a second key service and determining a third processing result; the third processing result represents the result of the authentication of the client; the second key service characterizes an authentication service;
under the condition that the third processing result represents that the client is allowed to access the key management platform, calling a third key service to register second public key information of the client and generating a second response; the second response represents that the second public key information is successfully registered; the third key service characterizes a key registration service.
14. The method of claim 11, wherein the invoking a key service corresponding to the request according to the key management request to generate a response to the key management request comprises:
under the condition that the key management request is a fourth request, calling a third key service to generate a third response; the third key service characterizes a key registration service; the third response characterizes the latest version of the business certificate.
15. The method of claim 11, wherein the invoking a key service corresponding to the request according to the key management request to generate a response to the key management request comprises:
calling a first key service under the condition that the key management request is a fifth request; the fifth request is used for requesting to acquire key information for decrypting the first ciphertext; the first key service characterizes a key agreement service;
generating a fifth response according to the encryption mode of the first ciphertext; the fifth response includes key information to decrypt the first ciphertext.
16. The method of claim 15, wherein generating a fifth response based on the encryption of the first ciphertext comprises:
calling a first tool to acquire first private key information of the server under the condition that the encryption mode of the first ciphertext is a first encryption mode;
calling a first tool to acquire the third key information under the condition that the encryption mode of the first ciphertext is a second encryption mode; the third key information represents AES key information;
under the condition that the encryption mode of the first ciphertext is a third encryption mode, acquiring first key information and second key information according to a first token; the first token characterizes key information between the server and the client that the first key service has historically negotiated.
17. The method of claim 15, further comprising:
generating a seventh response when key information for decrypting the first ciphertext cannot be obtained; the seventh response characterizes a failure to negotiate key information.
18. A data transmission device is applied to a client and comprises:
the first encryption unit is used for calling a first Software Development Kit (SDK), encrypting first data related to a first service based on at least one encryption mode supported by the first SDK and generating a first ciphertext;
a first sending unit, configured to send a first request to a server; the first request carries the first ciphertext; the first request is used for requesting to process the first service;
a first receiving unit, configured to receive a second ciphertext returned by the server based on the first request; the second ciphertext is obtained by encrypting a first processing result of the first ciphertext by the server based on the first request;
the first decryption unit is used for calling the first SDK to decrypt the second ciphertext to generate a first plaintext;
and the first processing unit is used for processing the first service based on the first plain text.
19. A data transmission device is applied to a client and comprises:
the second receiving unit is used for receiving a first request sent by the client; the first request carries a first ciphertext; the first ciphertext represents an encryption result of first data related to a first service; the first request is used for requesting to process the first service;
the second decryption unit is used for calling a second Software Development Kit (SDK) and generating a first decryption result according to the encryption mode of the first ciphertext; the first decryption result characterizing a decryption result with respect to the first request;
the second processing unit is used for processing the first service according to the first decryption result to generate a first processing result;
the second encryption unit is used for calling the second SDK to encrypt the first processing result and generate a second ciphertext;
a second sending unit, configured to return the second ciphertext to the client.
20. A data transmission device applied to a key management platform comprises:
a third receiving unit, configured to receive a key management request sent by a client or a server;
a first generation unit, configured to invoke a key service corresponding to the request according to the key management request, and generate a response regarding the key management request;
a third sending unit, configured to return a response to the key management request to the client or the server.
21. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of any one of claims 1 to 5 or 6 to 10 or 11 to 17 when running the computer program.
22. A storage medium having stored thereon a computer program for implementing the steps of the method of any one of claims 1 to 5 or 6 to 10 or 11 to 17 when executed by a processor.
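The claims above describe a three-party exchange for the "third encryption mode" (claims 3, 9, 10, 12, 15, 16 and 17): the client asks the key management platform for a pair of communication keys (second request, first response), encrypts the request data with the first key, the server fetches the same pair from the platform by token (fifth request, fifth response), decrypts, processes and encrypts the result with the second key, and the client decrypts the reply with the second key. The simulation below is an added example written for this page; it is not code from the patent or its applicant. Message field names, the token format and the "rejected" reply the server sends to the client are assumptions (the claims only specify the sixth response to the platform on decryption failure and the seventh response on a failed key lookup). The claims name AES key information; to stay dependency-free this example substitutes a constructed HMAC-SHA256 counter-mode keystream with an HMAC tag, which is a stand-in and not AES.

```python
import hashlib
import hmac
import secrets


# Stand-in authenticated cipher, constructed for this example only. The patent's
# third key information is AES; this derives a keystream from HMAC-SHA256 in
# counter mode and appends an HMAC tag so tampering is detected. It is NOT AES.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || body || tag; a fresh nonce per message keeps keystreams distinct."""
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the body; raise on any defect."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return _keystream_xor(key, nonce, body)


class KeyManagementPlatform:
    """Claims 11, 12, 15, 16, 17: hands out a (first_key, second_key) pair per
    negotiation and later looks it up by token (the claims' 'first token')."""

    def __init__(self) -> None:
        self._negotiated = {}        # token -> (first_key, second_key)
        self.decrypt_failures = []   # sixth responses reported by the server (claim 10)

    def handle(self, request: dict) -> dict:
        kind = request["type"]
        if kind == "second_request":          # claim 12: distribute communication keys
            token = secrets.token_hex(8)      # assumed token format
            keys = (secrets.token_bytes(32), secrets.token_bytes(32))
            self._negotiated[token] = keys
            return {"type": "first_response", "token": token,
                    "first_key": keys[0], "second_key": keys[1]}
        if kind == "fifth_request":           # claims 15/16: look up keys by token
            keys = self._negotiated.get(request["token"])
            if keys is None:                  # claim 17: seventh response
                return {"type": "seventh_response", "error": "no negotiated key for token"}
            return {"type": "fifth_response", "first_key": keys[0], "second_key": keys[1]}
        if kind == "sixth_response":          # claim 10: server reports decryption failure
            self.decrypt_failures.append(request)
            return {"type": "ack"}
        return {"type": "error", "error": f"unknown request {kind}"}


class Server:
    """Claims 6, 8, 9, 10: fetch the negotiated keys by token, decrypt the request
    with first_key, process it, encrypt the result with second_key."""

    def __init__(self, kmp: KeyManagementPlatform, process) -> None:
        self.kmp = kmp
        self.process = process   # business logic supplied by the caller (placeholder)

    def handle(self, first_request: dict) -> dict:
        answer = self.kmp.handle({"type": "fifth_request", "token": first_request["token"]})
        if answer["type"] != "fifth_response":
            return {"type": "rejected", "reason": answer.get("error", "key lookup failed")}
        try:
            first_data = decrypt(answer["first_key"], first_request["ciphertext"])
        except ValueError as exc:
            # Claim 10: the failure is reported to the platform as a sixth response.
            self.kmp.handle({"type": "sixth_response", "token": first_request["token"],
                             "error": str(exc)})
            return {"type": "rejected", "reason": "cannot decrypt first ciphertext"}
        first_result = self.process(first_data)
        return {"type": "second_ciphertext",
                "ciphertext": encrypt(answer["second_key"], first_result)}


class Client:
    """Claims 1 and 3: negotiate keys, encrypt with first_key, decrypt the reply with second_key."""

    def __init__(self, kmp: KeyManagementPlatform, server: Server) -> None:
        self.kmp = kmp
        self.server = server

    def run_service(self, first_data: bytes) -> bytes:
        first_response = self.kmp.handle({"type": "second_request"})
        first_ciphertext = encrypt(first_response["first_key"], first_data)
        reply = self.server.handle({"type": "first_request",
                                    "token": first_response["token"],
                                    "ciphertext": first_ciphertext})
        if reply["type"] != "second_ciphertext":
            raise RuntimeError(f"service rejected: {reply['reason']}")
        return decrypt(first_response["second_key"], reply["ciphertext"])


if __name__ == "__main__":
    platform = KeyManagementPlatform()
    service = Server(platform, process=lambda data: b"processed:" + data)
    print(Client(platform, service).run_service(b"balance query for account 0001"))
```

Two points the claims leave implicit are made explicit here: the server never receives key material from the client, only a token it resolves against the platform, so a request carrying an unknown token fails at the platform rather than at the cipher; and because the stand-in cipher is authenticated, a modified ciphertext is rejected before any plaintext is processed and is surfaced to the platform as a sixth response.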

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111493588.5A CN114338091A (en) 2021-12-08 2021-12-08 Data transmission method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114338091A true CN114338091A (en) 2022-04-12

Family

ID=81050065

Country Status (1)

Country Link
CN (1) CN114338091A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115499250A (en) * 2022-11-17 2022-12-20 北京搜狐新动力信息技术有限公司 Data encryption method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination