CN114338091A - Data transmission method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN114338091A (application CN202111493588.5A)
- Authority: CN (China)
- Prior art keywords: request, ciphertext, key, key information, service
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification area: Storage Device Security
Abstract
The present application discloses a data transmission method and device, an electronic device and a storage medium. The method is applied to a client and includes: invoking a first software development kit (SDK) to encrypt first data relating to a first service, based on at least one encryption method supported by the first SDK, and generating a first ciphertext; sending a first request to a server, the first request carrying the first ciphertext and being used to request processing of the first service; receiving a second ciphertext returned by the server on the basis of the first request, the second ciphertext being obtained by the server encrypting a first processing result of the first ciphertext according to the first request; invoking the first SDK to decrypt the second ciphertext and generate a first plaintext; and processing the first service on the basis of the first plaintext.
Description
Technical field
The present application relates to the technical field of information security, and in particular to a data transmission method and device, an electronic device and a storage medium.
Background
In the related art, data is encrypted before transmission in order to protect it in transit. Because the different data encryption methods have certain security vulnerabilities or are limited to particular scenarios, both the efficiency of data encryption and the security of the data are reduced.
Summary of the invention
In view of this, embodiments of the present application provide a data transmission method and device, an electronic device and a storage medium, so as to at least solve the problem of reduced data encryption efficiency and reduced data security in the related art.
The technical solutions of the embodiments of the present application are implemented as follows:
An embodiment of the present application provides a data transmission method, applied to a client, the method including:
invoking a first software development kit (SDK) to encrypt first data relating to a first service, based on at least one encryption method supported by the first SDK, and generating a first ciphertext;
sending a first request to a server, the first request carrying the first ciphertext and being used to request processing of the first service;
receiving a second ciphertext returned by the server on the basis of the first request, the second ciphertext being obtained by the server encrypting a first processing result of the first ciphertext according to the first request;
invoking the first SDK to decrypt the second ciphertext and generate a first plaintext;
processing the first service on the basis of the first plaintext.
An embodiment of the present application provides another data transmission method, applied to a server, the method including:
receiving a first request sent by a client, the first request carrying a first ciphertext that represents the encryption result of first data relating to a first service, and the first request being used to request processing of the first service;
invoking a second software development kit (SDK) to generate a first decryption result according to the encryption method of the first ciphertext, the first decryption result representing the decryption result of the first request;
processing the first service according to the first decryption result to generate a first processing result;
invoking the second SDK to encrypt the first processing result and generate a second ciphertext;
returning the second ciphertext to the client.
An embodiment of the present application further provides another data transmission method, applied to a key management platform, the method including:
receiving a key management request sent by a client or a server;
invoking, according to the key management request, the key service corresponding to the request, and generating a response to the key management request;
returning the response to the key management request to the client or server.
An embodiment of the present application further provides a data transmission device, applied to a client, including:
a second receiving unit, configured to receive a first request sent by a client, the first request carrying a first ciphertext that represents the encryption result of first data relating to a first service, and the first request being used to request processing of the first service;
a second decryption unit, configured to invoke a second software development kit (SDK) and generate a first decryption result according to the encryption method of the first ciphertext, the first decryption result representing the decryption result of the first request;
a second processing unit, configured to process the first service according to the first decryption result and generate a first processing result;
a second encryption unit, configured to invoke the second SDK to encrypt the first processing result and generate a second ciphertext;
a second sending unit, configured to return the second ciphertext to the client.
An embodiment of the present application further provides a data transmission device, applied to a key management platform, including:
a third receiving unit, configured to receive a key management request sent by a client or a server;
a first generating unit, configured to invoke, according to the key management request, the key service corresponding to the request, and generate a response to the key management request;
a third sending unit, configured to return the response to the key management request to the client or server.
An embodiment of the present application further provides an electronic device, including a processor and a memory for storing a computer program that can run on the processor,
wherein the processor is configured to perform the steps of any of the above methods when running the computer program.
An embodiment of the present application further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of any of the above methods are implemented.
In the embodiments of the present application, the client invokes the software development kit on the client to encrypt the data of the first service and to decrypt the ciphertext of the processing result of the first service returned by the server. This protects the data of the first service in transit while also providing a common infrastructure for data encryption and decryption, so the efficiency of data encryption and decryption is improved.
Description of the drawings
FIG. 1 is a schematic diagram of the key management service architecture provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of the key management technical architecture provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of the implementation of a data transmission method provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 5 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 6 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 7 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 8 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 9 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 10 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 11 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 12 is a schematic flowchart of the implementation of a data transmission method provided by another embodiment of the present application;
FIG. 13 is a schematic diagram of the processing flow for an RSA digital envelope in the key management technical architecture provided by an application embodiment of the present application;
FIG. 14 is a schematic diagram of the processing flow for an ECC digital envelope in the key management technical architecture provided by another application embodiment of the present application;
FIG. 15 is a schematic diagram of the processing flow, in the key management technical architecture provided by another application embodiment of the present application, for a first ciphertext encrypted with the communication key between the client and the server;
FIG. 16 is the processing flow for registering a key in the key management technical architecture provided by another application embodiment of the present application;
FIG. 17 is the processing flow for a service certificate upgrade in the key management technical architecture provided by another application embodiment of the present application;
FIG. 18 is the key application service access flow provided by another application embodiment of the present application;
FIG. 19 is a schematic structural diagram of a data transmission device provided by an embodiment of the present application;
FIG. 20 is a schematic structural diagram of a data transmission device provided by another embodiment of the present application;
FIG. 21 is a schematic structural diagram of a data transmission device provided by another embodiment of the present application;
FIG. 22 is a schematic diagram of the hardware composition of an electronic device provided by an embodiment of the present application.
Detailed description
The present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
In the following description, for the purpose of illustration rather than limitation, specific details such as particular system structures and techniques are set forth in order to provide a thorough understanding of the embodiments of the present application. However, it will be apparent to those skilled in the art that the present application may be practiced in other embodiments without these specific details. In other instances, detailed descriptions of well-known systems, devices and methods are omitted so that unnecessary detail does not obscure the description of the present application.
It should be noted that the technical solutions described in the embodiments of the present application may be combined arbitrarily provided they do not conflict.
In addition, in the embodiments of the present application, "first", "second" and the like are used to distinguish similar objects and do not necessarily describe a specific order or sequence.
In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of the plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In the related art, different security compliance policies exist for the same business, so different design teams have designed different encryption and decryption schemes to satisfy them, and some of these schemes contain serious security vulnerabilities; for example, appending encryption key information to a Uniform Resource Locator (URL) request weakens the security of the data transmission.
On this basis, the solutions provided in the embodiments of the present application offer a standardized encryption and decryption scheme while also ensuring the security of data in transit.
Before the technical solutions of the embodiments of the present application are described in detail, the key management service architecture and the key management technical architecture used by the embodiments are introduced.
FIG. 1 is a schematic diagram of the key management service architecture. This service architecture can handle RSA digital envelopes, elliptic curve cryptography (ECC) digital envelopes, and data transmitted over the Noise framework. An RSA digital envelope is generated by encrypting data on the basis of the RSA encryption algorithm, which is an asymmetric encryption algorithm; an ECC digital envelope is generated by encrypting data on the basis of the ECC encryption algorithm; and the Noise framework is a framework for building secure protocols that provides a secure channel for network protocols, so that the security of data in transit can be guaranteed.
For the processing scenarios of the key management service architecture, different key management services can be provided, including key registration, key agreement and traffic offloading. Each key management service invokes the corresponding key management capabilities, which include key configuration, service certificate distribution, key collection, protocol authentication and key agreement. In practice, the key management capabilities in turn rely on certain tools: in the key management service architecture, the infrastructure layer provides a Key Management Service (KMS) tool, a public key infrastructure (PKI) and so on. The KMS tool can determine the decryption key, and the PKI implements certificate generation, management, storage, distribution and revocation. For example, when the key in an ECC digital envelope needs to be registered, the key agreement service is used first: through the key agreement capability it determines, from the KMS tool, the key for decrypting the ECC digital envelope; once the key has been obtained, the key registration service is provided and the key is registered in the PKI through the key storage capability.
FIG. 2 is a schematic diagram of the key management technical architecture, which comprises an access layer, an application layer, a domain layer and an infrastructure layer. The access layer allows the client, the server, the client SDK, the server SDK and the operations back end to connect and invoke the different layers of the key management technical architecture to complete different key management tasks. In practice, the client SDK and the server SDK integrate the key loading/unloading and traffic loading/unloading capabilities. The application layer provides key operations, key registration and key agreement; when the access layer calls the application layer for processing, the corresponding capabilities of the domain layer are triggered. The domain layer contains capabilities such as key management, key synchronization, key agreement, key collection and service authentication, and relies on the different tools of the infrastructure layer, which contains the KMS, PKI and so on, to complete the key management initiated by the access layer.
The present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
An embodiment of the present application provides a data transmission method. FIG. 3 is a schematic flowchart of the data transmission method of this embodiment. As shown in FIG. 3, the method is applied to a client and includes:
S301: Invoke a first SDK to encrypt first data relating to a first service, based on at least one encryption method supported by the first SDK, and generate a first ciphertext.
A standardized first SDK is configured on the client. The first SDK integrates certain capabilities; for example, it can encrypt and decrypt data.
The first service is a data interaction service carried out on the client. For example, during login to a website the first service may be a login verification service; the first service may also be a payment service, a data query service, and so on.
While processing the first service, the client needs to exchange data with the server. For example, when the first service is a payment service, the client needs to transmit payment information, a payment password and similar data to the server, and the server performs the corresponding verification and data processing according to the information transmitted by the client so as to complete the payment. The payment information, payment password and similar data that the client transmits to the server are private information; if they are stolen or leaked in transit, the security of the account is affected. The first data relating to the first service therefore needs to be encrypted before it is transmitted to the server. The client can invoke the first SDK to encrypt the first data and generate the first ciphertext, which is the encryption result of the first data.
Different encryption methods are integrated in the first SDK, and the first data can be encrypted with any encryption method the first SDK supports. In practice, the encryption method for the first data can be selected according to the transmission requirements of the first service. For example, when the transmission requirements of the first service place more weight on data security, the encryption method with the highest security among those supported by the first SDK is selected; the encryption time increases accordingly, and so does the transmission time of the first data. When the transmission requirements of the first service lean towards processing efficiency, the encryption method with the highest transmission efficiency among those supported by the first SDK is selected; the encryption time is shortened accordingly, which reduces the transmission time of the first data.
S302: Send a first request to a server, the first request carrying the first ciphertext and being used to request processing of the first service.
Once the first data has been encrypted, the server needs to be asked to help complete the processing of the first service, so the client can send the first request to the server. The first request is request information and carries the first ciphertext, so that the first data is protected while it is sent along with the request.
S303: Receive a second ciphertext returned by the server on the basis of the first request, the second ciphertext being obtained by the server encrypting a first processing result of the first ciphertext according to the first request.
After the server has processed the first request, the client can receive the second ciphertext that the server returns on the basis of the first request. The second ciphertext contains the processing result of the first service, and the client obtains that processing result by decrypting the second ciphertext.
S304: Invoke the first SDK to decrypt the second ciphertext and generate a first plaintext.
The second ciphertext returned by the server is encrypted with the same encryption method as the first ciphertext, so the client can invoke the first SDK to decrypt the second ciphertext and obtain its decryption result. In practice, the decryption of the second ciphertext is the reverse of the encryption of the first ciphertext.
S305: Process the first service on the basis of the first plaintext.
According to the first plaintext, the client can complete the subsequent processing of the first service. For example, when the first service is a payment service, the obtained first plaintext may be information indicating that the payment succeeded, so that the client can display a payment-success page and complete the processing of the payment service. The obtained first plaintext may also indicate that the payment failed, so that the client displays a payment-failure page and continues processing the payment service.
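As an added example (not code from the patent or its applicant), the following Go program plays steps S301 to S305 end to end with a digital envelope of the RSA kind that this document describes further on: a fresh 32-byte AES-256-GCM key protects the service data, and RSA-OAEP under the receiver's public key wraps that key, so the server opens the first request with its private key and seals the second ciphertext for the client's public key. Only the Go standard library is used. The envelope layout, the names `Seal`, `Open`, `ServerHandle` and `RoundTrip`, the toy "paid:" processing and the sample order string are assumptions of this example, not the API of the first or second SDK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a "first ciphertext" in RSA digital-envelope form (layout assumed here):
// ResultA is the data under a random symmetric key, ResultB is that key wrapped with
// the receiver's RSA public key.
type Envelope struct {
	Nonce   []byte
	ResultA []byte // AES-256-GCM ciphertext of the payload
	ResultB []byte // RSA-OAEP ciphertext of the 32-byte data key
}

// newGCM returns an AES-GCM AEAD for key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sealing step of S301 (and of the server when it returns the second
// ciphertext): draw a fresh symmetric key, encrypt the data with it, and wrap the
// key for the receiver's public key.
func Seal(to *rsa.PublicKey, data []byte) (*Envelope, error) {
	key := make([]byte, 32) // the page's randomly generated "first private key information"
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; GCM breaks on nonce reuse
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, gcm.Seal(nil, nonce, data, nil), wrapped}, nil
}

// Open reverses Seal: unwrap the data key with the receiver's private key, then
// decrypt. The GCM tag check makes a modified envelope fail rather than yield garbage.
func Open(env *Envelope, me *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, me, env.ResultB, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.ResultA, nil)
}

// ServerHandle is the server side of S302/S303: open the first request, process the
// service (a toy payment that just acknowledges the order), and seal the result for
// the client's public key.
func ServerHandle(first *Envelope, server *rsa.PrivateKey, client *rsa.PublicKey) (*Envelope, error) {
	req, err := Open(first, server)
	if err != nil {
		return nil, err
	}
	return Seal(client, []byte("paid:"+string(req)))
}

// RoundTrip runs S301 to S305 end to end and returns the first plaintext the client
// recovers from the second ciphertext.
func RoundTrip(client, server *rsa.PrivateKey, firstData string) (string, error) {
	first, err := Seal(&server.PublicKey, []byte(firstData)) // carried in the first request
	if err != nil {
		return "", err
	}
	second, err := ServerHandle(first, server, &client.PublicKey)
	if err != nil {
		return "", err
	}
	plain, err := Open(second, client)
	return string(plain), err
}

func main() {
	client, _ := rsa.GenerateKey(rand.Reader, 2048)
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(RoundTrip(client, server, "order=42;amount=100"))
}
```

Two properties worth keeping in a test suite follow directly from the construction: an envelope sealed for the server cannot be opened with the client's key, and the response is sealed for the client's key rather than reusing the request's data key, so each direction has its own fresh key and nonce.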
In the embodiments of the present application, the first SDK can support three encryption methods. The following embodiments describe how the first data is encrypted with each of the three encryption methods and how data encrypted with each of them is decrypted.
In one embodiment, encrypting the first data based on at least one encryption method supported by the first SDK to generate the first ciphertext includes:
when a first encryption method or a second encryption method is selected from the at least one encryption method supported by the first SDK, encrypting the first data according to first private key information of the client and first public key information of the server, based on the first encryption algorithm of the first encryption method or the second encryption algorithm of the second encryption method, to generate the first ciphertext; the first encryption algorithm is the RSA algorithm, and the second encryption algorithm is the elliptic curve (ECC) algorithm.
The first encryption method encrypts the first data on the basis of the RSA algorithm to generate the first ciphertext. The first ciphertext is generated as follows: first, the first private key information of the client is determined, where the first private key information may be randomly generated symmetric key information; the first data is encrypted with the client's first private key information, giving an encryption result A of the first data; then the client's first private key information is encrypted with the server's first public key information using the RSA algorithm, giving an encryption result B of the client's first private key information; and encryption result A and encryption result B are combined to obtain the first ciphertext. In practice the first ciphertext is called the digital envelope of the first data, and because it is encrypted with the first encryption method it is an RSA digital envelope.
The second encryption method encrypts the first data on the basis of the ECC algorithm to generate the first ciphertext. The first ciphertext is generated as follows: first, the first private key information of the client is determined; from the client's first private key information an AES key is obtained by Elliptic Curve Diffie-Hellman key exchange (ECDH); the first data is encrypted with the AES key, giving an encryption result A of the first data; then the client's AES key is encrypted, giving an encryption result B of the client's first private key information; and from encryption result A and encryption result B the first ciphertext is generated. In practice the first ciphertext is an ECC digital envelope.
Compared with the first encryption method, the second encryption method offers higher security and faster processing when encrypting the first data; moreover, the AES key generated during encryption with the second encryption method is smaller than the key generated during encryption with the first encryption method, so fewer storage resources are needed.
When the encryption method of the second ciphertext is the first encryption method or the second encryption method, invoking the first SDK to decrypt the second ciphertext and generate the first plaintext includes:
decrypting the second ciphertext according to second private key information of the server to generate the first plaintext, the server's second private key information being determined on the basis of second public key information of the client.
The second ciphertext returned by the server is encrypted with the same encryption method as the first ciphertext. When the second ciphertext received by the client was encrypted with the first encryption method or the second encryption method, the first SDK can decrypt it; in practice, the decryption of the second ciphertext is the reverse of the encryption of the first ciphertext.
When the second ciphertext was encrypted with the first encryption method, it is an RSA digital envelope: the RSA digital envelope is first decrypted with the client's private key to obtain the server's second private key information, which is the key that was used to encrypt the first processing result into the second ciphertext; the encrypted first processing result is then decrypted with the server's second private key information to obtain the first plaintext.
When the second ciphertext was encrypted with the second encryption method, it is an ECC digital envelope: the ECC digital envelope is first decrypted with the client's private key to obtain the server's second private key information, which is the key that was used to encrypt the first processing result into the second ciphertext; the encrypted first processing result is then decrypted with the server's second private key information to obtain the first plaintext.
In an embodiment, as shown in FIG. 4, encrypting the first data based on at least one encryption method supported by the first SDK to generate the first ciphertext includes:
S401: when a third encryption method is selected from the at least one encryption method supported by the first SDK, sending a second request to a key management platform, the second request being used to request allocation of communication key information between the client and the server.
The third encryption method encrypts the first data with communication key information shared between the client and the server, where that communication key information is allocated by the key management platform. The key management platform manages keys and provides key management services such as key registration and key distribution.
By sending the second request to the key management platform, the client obtains the communication key information between the client and the server that the platform allocates.
In practical applications, the client generates temporary public key information and temporary private key information based on the first SDK, and calls the initialize function to initialise a handshake state machine (HS), which is used to determine the handshake state between the client and the server. It then calls the write_message function to update the HS and produce first buffered data, buffer1, which contains the client's temporary public key information generated by the first SDK together with signature information and other information. The second request that the client sends to the key management platform via the first SDK carries buffer1.
S402: receiving a first response to the second request returned by the key management platform, the first response including first key information and second key information.
After the key management platform has processed the second request, the client receives the first key information and the second key information returned by the platform; together they form the communication key information between the client and the server.
The first response received by the client is second buffered data, buffer2, produced by encryption with the client's temporary public key information. The first SDK calls the write_message function to update the HS and decrypts buffer2, thereby obtaining the first key information and the second key information.
S403: encrypting the first data according to the first key information to generate the first ciphertext.
The first data is encrypted with the first key information, thereby generating the first ciphertext.
When the encryption method of the second ciphertext is the third encryption method, invoking the first SDK to decrypt the second ciphertext and generate the first plaintext includes:
decrypting the second ciphertext with the second key information to generate the first plaintext.
The client requests, via the second request, that the key management platform allocate communication key information between the client and the server; likewise, the server can obtain the communication key information between the client and the server from the key management platform. Within the communication key information allocated by the platform, when the client encrypts data with the first key information, the server encrypts data with the second key information; in that case the client can decrypt the second ciphertext with the second key information to obtain the first plaintext.
In an embodiment, as shown in FIG. 5, the method further includes:
S501: sending a third request to the key management platform, the third request being used to request registration of second public key information of the client so that the server encrypts the first processing result according to the second public key information.
While encrypting the first data with the first or the second encryption method, the first SDK generates the first private key information of the client, and at the same time it can generate second public key information of the client, which the server can use to encrypt data transmitted to the client. In practical applications, the server can obtain the client's second public key information through the key management platform; to ensure that it can, the client needs to register the second public key information with the key management platform. The client therefore sends the platform a third request to register the key, so that the platform registers the second public key information. The third request carries the second public key information; in practice, to protect the second public key information in transit, what the third request carries is its encrypted form.
S502: receiving a second response to the third request returned by the key management platform, the second response indicating whether registration of the second public key information succeeded.
The key management platform issues the second response according to the registration status of the second public key information; the client receives the second response and can thereby determine whether the second public key information was registered.
In an embodiment, as shown in FIG. 6, the method further includes:
S601: sending a fourth request to the key management platform, the fourth request being used to request a new version of a service certificate, the service certificate including first public key information of the server.
The service certificate is the server's digital certificate, a file digitally signed by a certificate authority. The simplest service certificate contains the server's first public key information, the server's name and the certificate authority's digital signature; generally it also includes information such as the validity period of the server's first public key information, the name of the issuing authority and the serial number of the service certificate.
Under the first and second encryption methods, the server's first public key information is needed to encrypt the first data, so the client must obtain it. In practical applications, the client can query the server's first public key information from the key management platform and store it, so that the stored first public key information can be used to encrypt the first data. Because the server's first public key information has a validity period, or may change, the client can periodically query the key management platform as to whether the service certificate has changed: the client sends the fourth request so that the key management platform obtains the latest version of the server's service certificate.
S602: receiving a third response returned by the key management platform based on the fourth request, the third response representing the latest version of the service certificate.
The client receives the third response, which includes the latest version of the server's service certificate, and may also store the service certificate. Encrypting the first data with the server's first public key information from the latest version of the service certificate ensures that the server can decrypt the first ciphertext and carry out the processing for the first service. In addition, the client can verify the server against the server's service certificate, which prevents the client from transmitting the first data to an illegitimate server.
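For S601 and S602 above, the checks a client would run on a fetched service certificate before trusting the server's public key inside it, as an added Go example that is not code from the patent or from any SDK or platform it describes. It builds a constructed in-memory test PKI: a trusted CA, a current and an expired service certificate issued by it, and a certificate for the same server name issued by an untrusted CA. The names (service.example, Trusted Platform CA, Untrusted CA), serial numbers and validity windows are made up for the example; the certificate contents (server public key, server name, serial number, validity period, issuer signature) are the ones the text lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl for pub with signer; parent == nil makes a self-signed root.
// Everything here is a constructed in-memory test PKI, not the platform's own.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func caTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// serverTemplate is the service certificate: server public key, server name,
// serial number and validity period, signed below by a CA.
func serverTemplate(serial int64, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "service.example"},
		DNSNames: []string{"service.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// ServicePublicKey is the check the client runs on a fetched service certificate
// before encrypting anything under the key inside it: chain to the trusted CA,
// validity period at now, and the expected server name.
func ServicePublicKey(cert *x509.Certificate, roots *x509.CertPool, serverName string, now time.Time) (*ecdsa.PublicKey, error) {
	opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil { return nil, err }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return nil, errors.New("service certificate does not carry an ECDSA key") }
	return pub, nil
}

// CertificateChanged tells the client whether its stored copy should be replaced.
func CertificateChanged(stored, fetched *x509.Certificate) bool {
	return stored == nil || !stored.Equal(fetched)
}

// CheckResult summarises the scenarios Demo runs.
type CheckResult struct{ CurrentAccepted, ExpiredRejected, UntrustedRejected, Changed bool }

// Demo builds a trusted CA, a current and an expired service certificate from it,
// and a certificate for the same server name from an untrusted CA, then runs the client check on each.
func Demo() (CheckResult, error) {
	var r CheckResult
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return r, err }
	ca, err := issueCert(caTemplate(1, "Trusted Platform CA"), nil, &caKey.PublicKey, caKey)
	if err != nil { return r, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return r, err }
	current, err := issueCert(serverTemplate(100, now.Add(12*time.Hour)), ca, &srvKey.PublicKey, caKey)
	if err != nil { return r, err }
	expired, err := issueCert(serverTemplate(99, now.Add(-time.Minute)), ca, &srvKey.PublicKey, caKey)
	if err != nil { return r, err }
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return r, err }
	rogueCA, err := issueCert(caTemplate(2, "Untrusted CA"), nil, &rogueKey.PublicKey, rogueKey)
	if err != nil { return r, err }
	rogue, err := issueCert(serverTemplate(7, now.Add(12*time.Hour)), rogueCA, &srvKey.PublicKey, rogueKey)
	if err != nil { return r, err }
	_, errCur := ServicePublicKey(current, roots, "service.example", now)
	_, errExp := ServicePublicKey(expired, roots, "service.example", now)
	_, errRog := ServicePublicKey(rogue, roots, "service.example", now)
	r.CurrentAccepted, r.ExpiredRejected, r.UntrustedRejected = errCur == nil, errExp != nil, errRog != nil
	r.Changed = CertificateChanged(expired, current) // a new serial/validity means the stored copy is stale
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The point the text makes at S602 is that a stored certificate goes stale, and that the certificate is what lets the client tell a legitimate server from an illegitimate one: a certificate that is expired, or that was signed by a CA the client does not trust, yields no public key at all, and the same key wrapped in a new certificate is detected as a change so the stored copy is replaced.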
In the embodiments of the present application, the first SDK provides standardised encryption and decryption methods; the client completes encryption and decryption of data by invoking the first SDK, which secures data transmission between the client and the server, prevents the client from encrypting data with an encryption method that has serious security weaknesses, and improves encryption efficiency.
An embodiment of the present application further provides another data transmission method, as shown in FIG. 7, applied to a server and including:
S701: receiving a first request sent by a client, the first request carrying a first ciphertext, the first ciphertext representing an encryption result of first data about a first service, and the first request being used to request processing of the first service.
The server receives the first request from the client, by which the client requests the server to process the first service accordingly. The first service is a data interaction service carried out on the client; for example, when the first service is a login verification service, the client requests the server via the first request to handle the login verification service, and the server confirms whether verification passes according to the first data about the first service. To secure the data transmitted between client and server, what the server receives is the encrypted first data: in practical applications, the first request received by the server carries the first ciphertext of the first data, which is the encryption result of the first data.
S702: invoking a second software development kit (SDK) to generate a first decryption result according to the encryption method of the first ciphertext, the first decryption result representing the decryption result for the first request.
The server must decrypt the first ciphertext before it can process the first service according to it. The server can decrypt the first ciphertext by invoking the second SDK, which integrates different functions; for example, the second SDK can implement data encryption and data decryption.
The first ciphertext is decrypted according to its encryption method, thereby obtaining the first decryption result; decryption of the first ciphertext is the inverse of encryption of the first data.
In an embodiment, as shown in FIG. 8, invoking the second SDK to generate the first decryption result according to the encryption method of the first ciphertext includes:
S801: when non-certificate authentication applies to the client, invoking the second SDK to determine a second processing result, the second processing result representing the authentication result for the client.
The second SDK also integrates an authentication function. In practical applications, a client can be authenticated by certificate-based authentication or by non-certificate authentication. Because certificate-based authentication needs to obtain the client's certificate through the key management service platform, it is generally performed on the key management platform. In this embodiment, the service authentication function of the second SDK is suited to simple service authentication and does not apply to certificate-based authentication. When non-certificate authentication applies to the client, the second SDK authenticates the client and obtains the second processing result.
S802: when the second processing result indicates that the client has the right to access the server, invoking the second SDK to generate the first decryption result according to the encryption method of the first ciphertext.
When the second processing result indicates that the client has the right to access the server, the client is a legitimate client, the first request was sent by that client and no other illegitimate client has stolen information in order to obtain the server's processing result; the first ciphertext can therefore be decrypted and the first service processed further.
S803: when the second processing result indicates that the client does not have the right to access the server, returning to the client a fourth response to the first request, the fourth response indicating refusal to process the first service.
When the second processing result indicates that the client does not have the right to access the server, the client is an illegitimate client: an illegitimate client intercepts the first request that a legitimate client sent to the server, so that the sender of the first request received by the server changes from the legitimate client to the illegitimate one, which thereby tries to deceive the server into handing over the legitimate client's data. In that case, to protect the data, the server no longer processes the first request and returns to the illegitimate client a fourth response refusing to process the first service.
S703: processing the first service according to the first decryption result to generate a first processing result.
The first ciphertext is decrypted according to the first key information to generate the first decryption result.
When the fifth response is used to decrypt the first ciphertext, the first ciphertext is decrypted according to the first key information, which is the key information the client used to encrypt the first data, thereby obtaining the first decryption result.
S704: invoking the second SDK to encrypt the first processing result to generate a second ciphertext.
The first processing result is returned to the client. If the result of processing the first service contains sensitive information, returning it to the client directly can easily lead to data leakage and hence to various security threats. For example, when the first service is a request for a login verification code, the server's first processing result for the first service is the verification code the client uses to log in; if the verification code is stolen, the user's account information is exposed. The first processing result therefore needs to be encrypted. In practical applications, the first processing result is encrypted with the encryption method that generated the first ciphertext, thereby generating the second ciphertext.
S705: returning the second ciphertext to the client.
In the embodiments of the present application, the first ciphertext can be generated by three different encryption methods. The following embodiments describe the decryption of the first ciphertext under each encryption method and the encryption of the first processing result.
In an embodiment, as shown in FIG. 9, invoking the second SDK to generate the first decryption result according to the encryption method of the first ciphertext includes:
S901: sending a fifth request to the key management platform according to the encryption method of the first ciphertext, the fifth request being used to request the key information for decrypting the first ciphertext.
Since decryption is the inverse of encryption, the encryption method of the first ciphertext is determined and the first ciphertext can then be decrypted according to it. The key information for decrypting the first ciphertext has to be obtained through the key management platform: by sending the fifth request to the platform, the server enables the platform to provide it with the key information for the first ciphertext.
S902: decrypting the first ciphertext according to a fifth response to the fifth request returned by the key management platform to generate the first decryption result.
The server receives the fifth response, which contains the key information for decrypting the first ciphertext, so the server can decrypt the first ciphertext according to that key information and obtain the first decryption result. In practical applications, the key information carried in the fifth response differs according to the encryption method of the first ciphertext.
When the encryption method of the first ciphertext is the first encryption method, the fifth response includes the second private key information of the server.
The first encryption method encrypts based on the RSA algorithm, and the corresponding first ciphertext is an RSA digital envelope. Decrypting the RSA digital envelope first requires the server's second private key information, which the server obtains from the key management platform via the fifth request; the fifth response the server receives contains the server's second private key information. With the second private key information, the server can decrypt the RSA digital envelope and so obtain the key information used to encrypt the first data, namely the client's first private key information, and then decrypt the encrypted first data with the first private key information to obtain the first data.
When the encryption method of the first ciphertext is the second encryption method, the fifth response includes third key information, the third key information being AES key information.
The second encryption method encrypts based on the ECC algorithm, and the corresponding first ciphertext is an ECC digital envelope. The AES key information is the key information that was used to encrypt the first data when the first ciphertext was generated; the server can decrypt the ECC digital envelope with the AES key information to obtain the first data.
Invoking the second SDK to encrypt the first processing result to generate the second ciphertext includes:
encrypting the first processing result according to the second private key information of the server and the second public key information of the client, based on the first encryption algorithm of the first encryption method or the second encryption algorithm of the second encryption method, to generate the second ciphertext; the first encryption algorithm is the RSA algorithm and the second encryption algorithm is the elliptic-curve ECC algorithm.
The first processing result is encrypted with the encryption method of the first ciphertext to generate the second ciphertext.
The first encryption method encrypts the first processing result based on the RSA algorithm to generate the second ciphertext. The second ciphertext is generated as follows: the first processing result is encrypted with the server's second private key information to obtain encryption result A for the first processing result; the server's second private key information is then encrypted with the client's second public key information by the RSA algorithm to obtain encryption result B for the server's second private key information; encryption result A and encryption result B are combined to generate the second ciphertext. In practical applications, the second ciphertext is an RSA digital envelope.
The second encryption method encrypts the first processing result based on the ECC algorithm to generate the second ciphertext. The second ciphertext is generated as follows: the server's AES key is generated from the server's second private key information by Elliptic Curve Diffie-Hellman key exchange (ECDH); the first processing result is encrypted with the server's AES key to obtain encryption result A for the first processing result; the AES key is then encrypted with the client's second public key information to obtain encryption result B for the server's AES key; encryption result A and encryption result B are combined to generate the second ciphertext. In practical applications, the second ciphertext is an ECC digital envelope.
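The RSA and ECC digital envelopes described for the first ciphertext on the client side and for the second ciphertext here share one structure: result A is the payload sealed under a symmetric key, and result B is what lets only the intended recipient recover that key. The Go program below is an added example, not code from the patent or from the SDKs it describes. It assumes AES-256-GCM for result A; RSA-OAEP wrapping of the content key as result B in the RSA variant; and, in the ECC variant, an ephemeral ECDH exchange on P-256 whose public half serves as result B, with SHA-256 of the shared secret standing in for a full key derivation function. Where the text speaks of encrypting result A under the sender's private key information, this example uses a fresh random content key, as a digital envelope conventionally does. The Envelope type and its field names are the example's own, and opening an envelope runs the inverse of whichever variant sealed it, as the text describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is this example's constructed wire shape for a digital envelope
// (field names are assumptions, not the patent's).
type Envelope struct {
	Mode    string // "rsa" or "ecc": tells the receiver which inverse procedure to run
	Nonce   []byte // AES-GCM nonce for result A
	Sealed  []byte // result A: AES-256-GCM ciphertext of the payload
	KeyBlob []byte // result B: RSA-OAEP-wrapped content key, or the ephemeral ECDH public key
}

// sealAESGCM encrypts under a fresh random nonce; GCM also authenticates the ciphertext.
func sealAESGCM(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// openAESGCM fails on any modification of the nonce or ciphertext, or on a wrong key.
func openAESGCM(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return aead.Open(nil, nonce, ct, nil)
}

// SealRSAEnvelope: a random AES-256 content key seals the payload (result A);
// RSA-OAEP under the recipient's public key wraps that content key (result B).
func SealRSAEnvelope(recipient *rsa.PublicKey, payload []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil { return nil, err }
	nonce, sealed, err := sealAESGCM(contentKey, payload)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil { return nil, err }
	return &Envelope{Mode: "rsa", Nonce: nonce, Sealed: sealed, KeyBlob: wrapped}, nil
}

// SealECCEnvelope: ECDH between a fresh ephemeral P-256 key and the recipient's
// static public key yields the AES key (SHA-256 of the shared secret stands in
// for a proper KDF in this example); the ephemeral public key is result B.
func SealECCEnvelope(recipient *ecdh.PublicKey, payload []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return nil, err }
	contentKey := sha256.Sum256(shared)
	nonce, sealed, err := sealAESGCM(contentKey[:], payload)
	if err != nil { return nil, err }
	return &Envelope{Mode: "ecc", Nonce: nonce, Sealed: sealed, KeyBlob: eph.PublicKey().Bytes()}, nil
}

// OpenEnvelope runs the inverse of whichever procedure produced the envelope.
func OpenEnvelope(env *Envelope, rsaPriv *rsa.PrivateKey, eccPriv *ecdh.PrivateKey) ([]byte, error) {
	switch env.Mode {
	case "rsa":
		contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rsaPriv, env.KeyBlob, nil)
		if err != nil { return nil, err }
		return openAESGCM(contentKey, env.Nonce, env.Sealed)
	case "ecc":
		ephPub, err := ecdh.P256().NewPublicKey(env.KeyBlob)
		if err != nil { return nil, err }
		shared, err := eccPriv.ECDH(ephPub)
		if err != nil { return nil, err }
		contentKey := sha256.Sum256(shared)
		return openAESGCM(contentKey[:], env.Nonce, env.Sealed)
	}
	return nil, errors.New("unknown envelope mode")
}

func main() {
	rsaPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := SealRSAEnvelope(&rsaPriv.PublicKey, []byte("first processing result"))
	pt, err := OpenEnvelope(env, rsaPriv, nil)
	fmt.Printf("%q %v\n", pt, err)
}
```

Because result A is an authenticated ciphertext, an envelope whose payload was altered in transit, or whose result B was wrapped for a different recipient, does not decrypt to garbage but fails outright; that failure is the condition under which the server, in the embodiment below, reports a decryption failure to the key management platform rather than processing the request.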
In an embodiment, invoking the second SDK to generate the first decryption result according to the encryption method of the first ciphertext includes:
when the encryption method is the third encryption method, the fifth response includes first key information and second key information, the first key information and the second key information representing the communication key information between the client and the server.
The third encryption method encrypts with key information that the client requested the key management platform to allocate, so the server uses the fifth request to ask the key management platform for the key information it allocated to the client. From the fifth response the server obtains the first key information and the second key information, and can decrypt the first ciphertext according to the key information in the fifth response to obtain the first decryption result for the first ciphertext.
Invoking the second SDK to encrypt the first processing result to generate the second ciphertext includes:
encrypting the first processing result according to the second key information to generate the second ciphertext.
When the client encrypts with the first key information, the server can encrypt the first processing result with the second key information to generate the second ciphertext.
In an embodiment, the method further includes:
when the first decryption result cannot be generated, sending a sixth response to the key management platform, the sixth response indicating that decryption of the first ciphertext failed.
Normally the key information contained in the fifth response that the key management platform returns for the fifth request is correct and can decrypt the first ciphertext. When the first ciphertext cannot be decrypted with the key information in the fifth response, the server can report the decryption failure to the key management platform so that the platform can record and analyse such failures, which helps ensure that the next decryption proceeds smoothly.
In the above embodiments, the second SDK provides standardised encryption and decryption methods. By invoking the second SDK, the server can decrypt the first ciphertext, process the first service according to the corresponding service data and return the encrypted processing result to the client, which improves the security of data transmitted between client and server as well as the efficiency of encrypting and decrypting it.
An embodiment of the present application also provides another data transmission method, shown in FIG. 10, which is applied to a key management platform; the method includes:
S1001: receiving a key management request sent by a client or a server.
The key management platform can receive key management requests sent by a client or a server. A request sent by the client is usually a request for key registration, for distribution of key information, or for obtaining the server's service certificate; a request sent by the server is usually a request for key negotiation. In practice, the key management platform can support different key management services and call various key management tools, such as KMS tools and PKI tools, to complete the key service that the client's or server's key management request asks for.
S1002: according to the key management request, calling the key service corresponding to the request to generate a response to the key management request.
From the key management request, the key management platform determines which key service the request needs; for example, if the request is for key registration, the key registration service is called to register the key. When the key management platform has called the corresponding key service and completed the key service that the request asked for, it generates a response to the key management request; for example, once the key registration service has registered the key, a response indicating that key registration succeeded can be generated.
In one embodiment, calling the key service corresponding to the request according to the key management request to generate a response to the key management request includes:
when the key management request is a second request, calling a first key service and a first tool to generate a first response to the second request; the first response includes first key information and second key information; the first key service represents a key negotiation service; the second request is used to request distribution of communication key information between the client and the server.
The key management platform receives the second request, which is initiated by the client. The second request asks the key management platform to distribute communication key information between the client and the server, so that the client and the server transmit data using the communication key information distributed by the key management platform.
When the key management request received by the key management platform is the second request, the first key service needs to be called; key negotiation is performed through the first key service to generate the communication key information between the client and the server.
The first response is generated as follows: the key management platform receives the second request, which also carries the first cached data buffer1; the key management platform calls the first key service to perform key negotiation, decrypts with the first tool (the KMS tool) to obtain the first key information, and obtains the second key information by calling the key distribution service. In practice, the client can encrypt its data with the first key information, so that the server can decrypt the client's encrypted data with the first key information; likewise the server can encrypt its data with the second key information, so that the client can decrypt the server's encrypted data with the second key information.
In practice, returning the first key information and the second key information to the client directly can easily leak them, so the first key information and the second key information need to be encrypted. The first key service performs two rounds of rotation updates, decrypts the first cached data buffer1, and encrypts the first key information and the second key information: both are encrypted with an AES key, deriving the AES-encrypted first key information C1 and second key information C2. Only the AES-encrypted first and second key information needs further encryption protection, so even if the plaintext of the AES key leaks in transit, the security of the first and second key information is not affected. The first key service can store the first key information C1 and the second key information C2 and return the second cached data buffer2 to the client; buffer2 contains the first key information and the second key information.
In one embodiment, as shown in FIG. 11, calling the key service corresponding to the request according to the key management request to generate a response to the key management request includes:
S1101: when the key management request is a third request, calling a second key service to determine a third processing result; the third processing result represents the result of authenticating the client; the second key service represents an authentication service.
The third request is initiated by the client and asks the key management platform to register key information. When the key management platform receives the third request, it calls the second key service to authenticate the client and obtains the third processing result, from which it can determine whether the client is legitimate. This prevents the key management platform from registering key information of illegitimate clients and prevents illegitimate clients from communicating with the server.
S1102: when the third processing result indicates that the client is allowed to access the key management platform, calling a third key service to register the client's second public key information and generate a second response; the second response indicates that the second public key information was registered successfully; the third key service represents a key registration service.
When the third processing result indicates that the client is allowed to access the key management platform, the client is legitimate and its second public key information is registered. The key management platform registers the client's second public key information by calling the third key service and generates a second response to the third request. If the key management platform registers the second public key information successfully, it can generate a second response indicating that key registration succeeded; the successfully registered second public key information is written into the key management platform's database through the key collection service. If the key management platform fails to register the second public key information, it generates a second response indicating that key registration failed.
In practice, the second public key information carried in the third request is encrypted, that is, the second public key information is loaded in a digital envelope. In this case the digital envelope is decrypted first to obtain the second public key information, which is then registered. Specifically, the key management platform calls the first key service to open the digital envelope and obtain the AES key information, which is the key information used to encrypt the second public key information; the encrypted second public key information is decrypted with the AES key information to obtain the second public key information, which is then registered.
In one embodiment, calling the key service corresponding to the request according to the key management request to generate a response to the key management request includes:
when the key management request is a fourth request, calling the third key service to generate a third response; the third key service represents the key registration service; the third response represents the latest version of the service certificate.
The fourth request is initiated by the client and asks the key management platform to return the latest version of the service certificate to the client. The service certificate is the server's digital certificate, a file digitally signed by a certificate authority. In its simplest form the service certificate contains the server's first public key information, the server's name and the certificate authority's digital signature; in general it also includes the validity period of the server's first public key information, the name of the issuing authority, the serial number of the service certificate and other information. The client obtains the server's first public key information from the latest version of the service certificate and uses it to encrypt data.
When the key management platform receives the fourth request, it calls the third key service, queries the latest version of the service certificate in the key management platform's database, and generates a third response to the fourth request; the third response is the latest version of the service certificate.
In one embodiment, as shown in FIG. 12, calling the key service corresponding to the request according to the key management request to generate a response to the key management request includes:
S1201: when the key management request is a fifth request, calling the first key service; the fifth request is used to request the key information for decrypting the first ciphertext; the first key service represents the key negotiation service.
The fifth request is initiated by the server and asks the key management platform for the key information for decrypting the first ciphertext; this key information is obtained by key negotiation through the first key service.
S1202: generating a fifth response according to the encryption mode of the first ciphertext; the fifth response includes the key information for decrypting the first ciphertext.
Decryption is essentially the inverse of encryption, and different encryption modes lead to different decryption key information and decryption methods. Therefore, when calling the key negotiation service, the key management platform negotiates the key information for decrypting the first ciphertext according to the encryption mode of the first ciphertext and returns it to the server in the fifth response, so that the server decrypts with the key information in the fifth response.
In one embodiment, generating the fifth response according to the encryption mode of the first ciphertext includes:
when the encryption mode of the first ciphertext is a first encryption mode, calling the first tool to obtain the server's first private key information.
The first encryption mode encrypts the first data with the RSA algorithm, and the resulting first ciphertext is an RSA digital envelope. The first ciphertext is decrypted by first opening the RSA digital envelope and then decrypting the encrypted first data. The key negotiation service can obtain the key information for opening the RSA digital envelope, namely the server's second private key information, from the first tool (the KMS tool), and returns the server's second private key information to the server in the fifth response.
when the encryption mode of the first ciphertext is a second encryption mode, calling the first tool to obtain third key information; the third key information represents AES key information.
The second encryption mode encrypts the first data with the ECC algorithm, and the resulting first ciphertext is an ECC digital envelope. To obtain the first data, the ECC digital envelope is opened first and then the encrypted first data is decrypted. The key negotiation service can obtain the server's second private key information from the first tool (the KMS tool) and determine the AES key information from it; the AES key information is the key information with which the first data was encrypted, and it is returned to the server in the fifth response.
when the encryption mode of the first ciphertext is a third encryption mode, obtaining the first key information and the second key information according to a first mark; the first mark represents key information between the server and the client that the first key service negotiated previously.
The third encryption mode encrypts the first data with the communication key information between the client and the server that the key management platform distributed; decrypting the first ciphertext requires first obtaining that communication key information. Because the key management platform stored the communication key information between the client and the server in the key negotiation service when it determined it, the corresponding first key information and second key information can be obtained from the key negotiation service through the first mark. The first mark distinguishes the communication key information of different client-server pairs, so the corresponding first key information and second key information can be extracted from the key information stored by the key negotiation service.
In one embodiment, the method further includes:
when the key information for decrypting the first ciphertext cannot be obtained, generating a seventh response; the seventh response indicates that key negotiation failed.
The key management platform determines the key information for decrypting the first ciphertext through the key negotiation service. When the key negotiation service cannot negotiate the key information for decrypting the first ciphertext, the server cannot decrypt the first ciphertext; that is, the key management platform has an error to report. The seventh response generated when the decryption key information cannot be obtained is reported, so that the number of negotiation failures on the key management platform can be counted, the causes of negotiation failure can be further analyzed, and the probability of successful key negotiation can be maintained.
In practice, because the third encryption mode encrypts with communication key information distributed by the key management platform, negotiation cannot fail for the third encryption mode, whereas the first and second encryption modes both require the key management platform to negotiate the server's second private key information, so negotiation can fail. Therefore, when obtaining the decryption key information for the first or second encryption mode, whether key negotiation succeeded needs to be monitored; when obtaining the decryption key information for the third encryption mode, it does not.
S1003: returning the response to the key management request to the client or server.
The key management platform returns the response to the key management request to the client or server. In practice, if the response contains data with high security requirements, the data can be encrypted before being returned to the client or server, so that the client or server receives the processing result of the key management request.
In the above embodiment, in response to key management requests initiated by the server or the client, the key management platform calls the corresponding key management service to complete the key management service for each kind of key requirement. It thereby provides, through different interfaces, a standardized processing flow for key management services, which improves the efficiency of key management and also improves the security of the key information managed by the key management platform.
The present application also provides an application embodiment, shown in FIG. 13, which is a schematic diagram of how the key management technical architecture processes an RSA digital envelope.
The client sends an encryption request to the first SDK, asking it to encrypt the first data. The first SDK encrypts the first data with the first encryption mode to generate the first ciphertext, which is an RSA digital envelope.
The client sends a first request to the server, asking the server to assist in processing the first service; the first request carries the first ciphertext.
After receiving the first request, the server asks the second SDK to decrypt the first ciphertext. The second SDK sends a fifth request to the key management platform to request the key information for decrypting the first ciphertext.
After the key management platform receives the fifth request, the key negotiation application service calls the service authentication capability of the domain layer to authenticate the client; when only simple, non-certificate authentication is performed, this can be integrated into the second SDK. After obtaining the client's authentication result, the service authentication capability returns it to the key negotiation application service. The key negotiation application service asks the key negotiation domain service to perform key negotiation; the key negotiation domain service obtains the server's second private key information from the KMS and returns it layer by layer to the second SDK. If the key negotiation domain service cannot obtain the server's second private key information from the KMS, it reports the negotiation failure to data statistics.
After obtaining the server's second private key information, the second SDK decrypts the first ciphertext, obtains the decryption result of the first ciphertext, and returns it to the server.
The server processes the business logic according to the decryption result of the first ciphertext, calls the second SDK to encrypt the processing result, and returns the second ciphertext to the client.
After receiving the second ciphertext, the client calls the first SDK to decrypt it; the first SDK returns the first plaintext obtained by decrypting the second ciphertext to the client, and the client processes the business logic according to the first plaintext.
The present application also provides another application embodiment, shown in FIG. 14, which is a schematic diagram of how the key management technical architecture processes an ECC digital envelope.
The client sends an encryption request to the first SDK, asking it to encrypt the first data. The first SDK encrypts the first data with the second encryption mode to generate the first ciphertext, which is an ECC digital envelope.
The client sends a first request to the server, asking the server to assist in processing the first service; the first request carries the first ciphertext.
After receiving the first request, the server asks the second SDK to decrypt the first ciphertext. The second SDK sends a fifth request to the key management platform to request the key information for decrypting the first ciphertext.
After the key management platform receives the fifth request, the key negotiation application service calls the service authentication capability of the domain layer to authenticate the client; when only simple, non-certificate authentication is performed, this can be integrated into the second SDK. After obtaining the client's authentication result, the service authentication capability returns it to the key negotiation application service. The key negotiation application service asks the key negotiation domain service to perform key negotiation; the key negotiation domain service obtains the server's second private key information from the KMS, computes the AES key from the second private key information using ECDH, and returns the AES key layer by layer to the second SDK. If the key negotiation domain service cannot obtain the AES key from the KMS, it reports the negotiation failure to data statistics.
After obtaining the AES key, the second SDK decrypts the first ciphertext, obtains the decryption result of the first ciphertext, and returns it to the server.
The server processes the business logic according to the decryption result of the first ciphertext, calls the second SDK to encrypt the processing result, and returns the second ciphertext to the client.
After receiving the second ciphertext, the client calls the first SDK to decrypt it; the first SDK returns the first plaintext obtained by decrypting the second ciphertext to the client, and the client processes the business logic according to the first plaintext.
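The ECC digital envelope path (the second encryption mode of S1202 above and the FIG. 14 flow), as an added example written for this page rather than code from the patent: the first SDK seals the first data to the server's public key, the key negotiation service derives the AES key by ECDH with the server's second private key held in the KMS and returns only that key as the fifth response, and the second SDK opens the envelope; a server unknown to the KMS yields the seventh response. Assumed, because the page does not specify them: the envelope layout, AES-GCM, the SHA-256 key derivation, and all identifiers (ECCEnvelope, KMS, SealECC, OpenECC, NegotiateAESKey, RunScenario).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ECCEnvelope is a constructed layout for the ECC digital envelope (the page names no
// format): ephemeral ECDH public key, AES-GCM nonce, ciphertext; the key is bound as AAD.
type ECCEnvelope struct{ EphemeralPub, Nonce, Ciphertext []byte }
// ErrNegotiationFailed stands in for the seventh response (no decryption key obtainable).
var ErrNegotiationFailed = errors.New("seventh response: key negotiation failed")

// deriveAESKey turns the ECDH shared secret into AES key information. The page only says
// the AES key is computed with ECDH; SHA-256 over a label and the secret is assumed here.
func deriveAESKey(shared []byte) []byte {
	h := sha256.New()
	h.Write([]byte("ecc-envelope-aes-key")) // constructed domain-separation label
	h.Write(shared)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealECC is the first SDK side: encrypt firstData for the server whose public key the
// client took from the service certificate (the fourth request).
func SealECC(serverPub *ecdh.PublicKey, firstData []byte) (*ECCEnvelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveAESKey(shared))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	pubBytes := eph.PublicKey().Bytes()
	return &ECCEnvelope{pubBytes, nonce, aead.Seal(nil, nonce, firstData, pubBytes)}, nil
}

// KMS models the first tool, holding each server's second private key. In this mode the
// private key stays inside the KMS; only the derived AES key is released to the server.
type KMS struct{ ServerPriv map[string]*ecdh.PrivateKey }

// NegotiateAESKey is the key negotiation service for the second encryption mode: ECDH of
// the server's second private key with the envelope's ephemeral key gives the fifth response.
func (k *KMS) NegotiateAESKey(serverID string, env *ECCEnvelope) ([]byte, error) {
	priv, ok := k.ServerPriv[serverID]
	if !ok {
		return nil, ErrNegotiationFailed
	}
	pub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, ErrNegotiationFailed // malformed ephemeral key in the envelope
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, ErrNegotiationFailed
	}
	return deriveAESKey(shared), nil
}

// OpenECC is the second SDK side: decrypt the first ciphertext with the AES key from the
// fifth response. Any change to the envelope makes GCM authentication fail.
func OpenECC(aesKey []byte, env *ECCEnvelope) ([]byte, error) {
	aead, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// RunScenario plays the FIG. 14 flow on constructed input and reports the opened plaintext,
// the error for a server unknown to the KMS and the error for a tampered envelope.
func RunScenario() (plaintext string, unknownErr, tamperErr error) {
	priv, _ := ecdh.P256().GenerateKey(rand.Reader)
	kms := &KMS{ServerPriv: map[string]*ecdh.PrivateKey{"server-1": priv}}
	env, _ := SealECC(priv.PublicKey(), []byte("first data"))
	key, _ := kms.NegotiateAESKey("server-1", env)
	pt, _ := OpenECC(key, env)
	_, unknownErr = kms.NegotiateAESKey("server-2", env) // no key in the KMS
	env.Ciphertext[0] ^= 0x01                            // tamper with the envelope
	_, tamperErr = OpenECC(key, env)
	return string(pt), unknownErr, tamperErr
}

func main() { fmt.Println(RunScenario()) }
```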
本申请还提供了另一应用实施例,如图15所示,图15示出了密钥管理技术架构对基于客户端与服务器之间的通信密钥加密的第一密文的处理流程示意图。The present application also provides another application embodiment, as shown in FIG. 15 , which shows a schematic flowchart of processing the first ciphertext encrypted based on the communication key between the client and the server by the key management technology framework.
客户端向第一SDK发送加密请求,用于请求第一SDK对第一数据进行加密。第一SDK初始化生成临时公钥信息与私钥信息,调用initialize函数初始化HS,调用write_message函数更新HS,并生成第一缓存数据buffer1,将第一缓存数据buffer1传输给密钥管理平台,其中,第一缓存数据buffer1中含有临时公钥信息、签名等信息。The client sends an encryption request to the first SDK for requesting the first SDK to encrypt the first data. The first SDK initializes and generates temporary public key information and private key information, calls the initialize function to initialize the HS, calls the write_message function to update the HS, generates the first cached data buffer1, and transmits the first cached data buffer1 to the key management platform. A cached data buffer1 contains temporary public key information, signature and other information.
After receiving the first buffer data buffer1, the key management platform calls the key agreement application service, which asks the key agreement domain service to perform key negotiation. The key agreement domain service obtains the business private key through the KMS and calls the key distribution service to obtain the application public key. From the business private key and the application public key it generates temporary (ephemeral) public key information and private key information, updates the HS through two rotations, decrypts buffer1 and derives the AES key information, namely the first key information and the second key information. The key agreement domain service returns the second buffer data buffer2, the temporary public key information, the first key information and the second key information to the key agreement application service; the key agreement application service keeps the first key information and the second key information and returns buffer2, the first key information and the second key information to the client.
The first SDK calls the write_message function to update the HS, decrypts the second buffer data buffer2 and obtains the first key information and the second key information. It encrypts the first data with the first key information to obtain the first ciphertext, and returns the first ciphertext to the client.
The client sends a first request to the server, asking the server to assist in processing the first service; the first request carries the first ciphertext.
After receiving the first request, the server asks the second SDK to decrypt the first ciphertext. The second SDK sends a fifth request to the key management platform to obtain the key information needed to decrypt the first ciphertext.
After receiving the fifth request, the key management platform obtains the first key information and the second key information through the key agreement application service, using the corresponding first mark, and returns the first key information and the second key information to the server.
The second SDK is called to decrypt the first ciphertext with the first key information, and the decryption result of the first ciphertext is returned to the server.
The server processes the business logic according to the decryption result of the first ciphertext and calls the second SDK to encrypt the first processing result.
The second SDK encrypts the first processing result with the second key information to generate the second ciphertext. The server returns the second ciphertext to the client.
The client calls the first SDK, decrypts the second ciphertext with the second key information to obtain the first plaintext, and processes the business logic according to the first plaintext.
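The exchange above, as an added example that is not the patent's code: a simplified Noise-style key agreement in Go whose names (HS, buffer1, buffer2, the first mark) follow the description. The client's registered X25519 key pair stands in for the application key pair, the platform's X25519 key pair for the business key held in the KMS, and HKDF-SHA256 plus AES-256-GCM stand in for the unspecified rotation and AES modes. The handshake pattern (es, ss on the client's message; ee, se on the platform's reply), the tag value, the application identifier and all sample data are assumptions. It also serves the third-encryption-method units described later for the client and server devices (second request, first response, fifth request by the first mark). The point it makes concrete is that the negotiation yields two keys, one per direction, that the platform files them under the first mark for the server-side SDK to fetch, and that the server never holds the client's private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var curve = ecdh.X25519()

func mustKey() *ecdh.PrivateKey { k, err := curve.GenerateKey(rand.Reader); if err != nil { panic(err) }; return k }

// hkdf2 is HKDF-SHA256 (RFC 5869) with two 32-byte output blocks, the shape a Noise MixKey/Split uses.
func hkdf2(ck, ikm []byte) (o1, o2 []byte) {
	mac := func(key []byte, parts ...[]byte) []byte {
		m := hmac.New(sha256.New, key)
		for _, p := range parts { m.Write(p) }
		return m.Sum(nil)
	}
	prk := mac(ck, ikm)
	o1 = mac(prk, []byte{1})
	return o1, mac(prk, o1, []byte{2})
}

// hs is the handshake state (the patent's "HS"): one chaining key that every DH result rotates;
// the error is sticky so a chain of mix calls can be checked once.
type hs struct { ck []byte; err error }

func newHS() *hs { seed := sha256.Sum256([]byte("example KK handshake v1")); return &hs{ck: seed[:]} } // assumed name

func (h *hs) mix(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) *hs {
	if h.err != nil { return h }
	var shared []byte
	if shared, h.err = priv.ECDH(pub); h.err == nil { h.ck, _ = hkdf2(h.ck, shared) }
	return h
}

// split yields the two AES-256 keys: k1 protects client->server, k2 protects server->client.
func (h *hs) split() (k1, k2 []byte) { return hkdf2(h.ck, nil) }

func gcm(key []byte) cipher.AEAD { // keys are always 32 bytes here, so failure is a programming error
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}

func sealGCM(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm(key).Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func openGCM(key, msg []byte) ([]byte, error) {
	if len(msg) < 12 { return nil, errors.New("message too short") }
	return gcm(key).Open(nil, msg[:12], msg[12:], nil)
}

type session struct{ k1, k2 []byte }

// kms models the key management platform: the business private key (it never leaves the platform),
// application public keys collected at registration, and negotiated keys filed under the "first mark" (tag).
type kms struct { businessPriv *ecdh.PrivateKey; registered map[string]*ecdh.PublicKey; sessions map[string]session }

// negotiate consumes buffer1 (the client's ephemeral public key), repeats the client's two rotations
// (es, ss), adds its own two (ee, se), files the split keys under tag and returns buffer2.
func (k *kms) negotiate(appID, tag string, buffer1 []byte) ([]byte, error) {
	appPub, ok := k.registered[appID]
	if !ok { return nil, errors.New("application public key not registered") }
	clientEph, err := curve.NewPublicKey(buffer1)
	if err != nil { return nil, err }
	serverEph := mustKey()
	h := newHS().mix(k.businessPriv, clientEph).mix(k.businessPriv, appPub).mix(serverEph, clientEph).mix(serverEph, appPub)
	if h.err != nil { return nil, h.err }
	k1, k2 := h.split()
	k.sessions[tag] = session{k1, k2}
	return serverEph.PublicKey().Bytes(), nil
}

// runFlow walks one constructed exchange: buffer1/buffer2 with the platform, the first request under k1,
// the server's fifth request by tag, the second ciphertext under k2; it returns the client's recovered reply.
func runFlow() (string, error) {
	businessPriv, clientStatic, clientEph := mustKey(), mustKey(), mustKey() // clientStatic: the first SDK's registered pair
	platform := &kms{businessPriv, map[string]*ecdh.PublicKey{"app-1": clientStatic.PublicKey()}, map[string]session{}}
	businessPub := businessPriv.PublicKey() // the client takes this from the business certificate
	ch := newHS().mix(clientEph, businessPub).mix(clientStatic, businessPub) // es, ss; buffer1 = clientEph pub
	b2, err := platform.negotiate("app-1", "tag-42", clientEph.PublicKey().Bytes())
	if err != nil { return "", err }
	serverEph, err := curve.NewPublicKey(b2)
	if err != nil { return "", err }
	if ch.mix(clientEph, serverEph).mix(clientStatic, serverEph).err != nil { return "", ch.err } // ee, se
	k1, k2 := ch.split()
	firstCiphertext := sealGCM(k1, []byte("transfer 100 to acct 7")) // first request payload (constructed)
	keys, ok := platform.sessions["tag-42"] // the second SDK's fifth request, looked up by the first mark
	if !ok { return "", errors.New("no negotiated keys for tag") }
	firstData, err := openGCM(keys.k1, firstCiphertext)
	if err != nil { return "", err }
	secondCiphertext := sealGCM(keys.k2, []byte("ok: "+string(firstData)))
	plain, err := openGCM(k2, secondCiphertext)
	return string(plain), err
}

func main() { fmt.Println(runFlow()) }
```

Run with `go run`. Because k1 and k2 are distinct outputs of the final split, a reply sealed under k2 cannot be replayed to the server as a request under k1, and a server that asks for a tag the platform never negotiated, or an application that never registered its public key, is refused before any decryption takes place; those are the error branches above.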
The present application further provides another application embodiment. FIG. 16 shows the processing flow for registering a key in the key management technical architecture.
The client initializes the first SDK; the first SDK generates public key information and private key information and saves both. The client sends a third request to the key management platform; the third request carries the public key information.
According to the third request, the key management platform calls the key registration application service. If the public key information was encrypted in a digital envelope, the key registration application service asks the key agreement domain service to open the digital envelope; the key agreement domain service opens the envelope, obtains the AES key and returns it to the key registration application service, which decrypts the AES-encrypted data to recover the public key information. The key registration application service then invokes the business authentication capability to authenticate the client, and the authentication result is returned to the key registration application service. If the authentication result indicates that the client is a legitimate client, the key registration application service passes the public key information to the key collection service, which stores it in the database, and a response is returned layer by layer.
The client receives a response indicating that the registration succeeded.
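The registration flow of FIG. 16, as an added example in Go that is not the patent's code; it also serves the second and third key services (authentication, then registration) described later for the platform device. It assumes RSA-OAEP as the digital envelope wrapping, AES-256-GCM for the envelope body with the application identifier bound as associated data, and a per-application secret carried inside the sealed body as the business authentication capability; the identifiers, the OAEP label and all sample data are constructed. What it makes explicit is the ordering: the envelope is opened first, the client is authenticated second, and the key collection service's store is written only after authentication succeeds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var oaepLabel = []byte("key-registration") // ties the wrapped key to this purpose; an assumed value

// envelope is the body of the third request: the application public key and the client's credential,
// sealed with AES-256-GCM under a one-time key that is RSA-OAEP wrapped to the platform's public key.
type envelope struct {
	AppID      string
	WrappedKey []byte // RSA-OAEP(platformPub, aesKey)
	Nonce      []byte
	Sealed     []byte // AES-GCM(aesKey, credential || appPub, aad = AppID)
}

// platform models the platform side of registration: the key agreement domain service's RSA key
// (opens envelopes), the business authentication capability (assumed: a per-application secret)
// and the key collection service's database.
type platform struct {
	priv        *rsa.PrivateKey
	credentials map[string][]byte
	db          map[string]*ecdh.PublicKey
}

// sealEnvelope is the first SDK's side: generate the one-time AES key, seal the body, wrap the key.
func sealEnvelope(platformPub *rsa.PublicKey, appID string, credential []byte, appPub *ecdh.PublicKey) (*envelope, error) {
	aesKey, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(aesKey); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, platformPub, aesKey, oaepLabel)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(aesKey) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	body := append(append([]byte{}, credential...), appPub.Bytes()...)
	return &envelope{appID, wrapped, nonce, g.Seal(nil, nonce, body, []byte(appID))}, nil
}

// register is the key registration application service: open the envelope (key agreement domain
// service), authenticate the client, and only then hand the public key to the key collection service.
func (p *platform) register(e *envelope) (string, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, e.WrappedKey, oaepLabel)
	if err != nil { return "", errors.New("digital envelope could not be opened") }
	block, err := aes.NewCipher(aesKey) // the unwrapped length is sender-controlled, so check it
	if err != nil { return "", err }
	g, err := cipher.NewGCM(block)
	if err != nil { return "", err }
	body, err := g.Open(nil, e.Nonce, e.Sealed, []byte(e.AppID))
	if err != nil { return "", errors.New("envelope body rejected: wrong key, tampered body or AppID mismatch") }
	if len(body) != 64 { return "", errors.New("malformed registration body") }
	cred, pubBytes := body[:32], body[32:]
	want, ok := p.credentials[e.AppID] // business authentication capability (assumed mechanism)
	if !ok || subtle.ConstantTimeCompare(cred, want) != 1 { return "", errors.New("client authentication failed") }
	pub, err := ecdh.X25519().NewPublicKey(pubBytes)
	if err != nil { return "", err }
	p.db[e.AppID] = pub // key collection service stores the registered public key
	return "registered", nil
}

// newDemoPlatform builds a platform with one enrolled application credential (constructed data).
func newDemoPlatform() (*platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	cred := sha256.Sum256([]byte("constructed credential for app-1"))
	return &platform{priv, map[string][]byte{"app-1": cred[:]}, map[string]*ecdh.PublicKey{}}, nil
}

// runRegistration walks FIG. 16 once: the first SDK generates its key pair, envelopes the public key,
// and the platform opens, authenticates and stores it.
func runRegistration() (string, error) {
	p, err := newDemoPlatform()
	if err != nil { return "", err }
	sdkKey, err := ecdh.X25519().GenerateKey(rand.Reader) // the private half stays with the first SDK
	if err != nil { return "", err }
	env, err := sealEnvelope(&p.priv.PublicKey, "app-1", p.credentials["app-1"], sdkKey.PublicKey())
	if err != nil { return "", err }
	status, err := p.register(env)
	if err != nil { return "", err }
	if !p.db["app-1"].Equal(sdkKey.PublicKey()) { return "", errors.New("stored key does not match") }
	return status, nil
}

func main() { fmt.Println(runRegistration()) }
```

Binding the application identifier as GCM associated data means an envelope captured for one application cannot be re-submitted under another identifier: the body fails to open before the credential is even compared, and nothing reaches the database.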
The present application further provides another application embodiment. FIG. 17 shows the processing flow for a business certificate upgrade in the key management technical architecture.
The client initializes the first SDK and calls it to send a fourth request to the key management platform; the fourth request asks the key management platform to check for an update of the business certificate.
According to the fourth request, the key management platform calls the key registration application service, which obtains the latest version of the business certificate from the key distribution domain service; the key distribution domain service queries the database for the latest version of the business certificate, which is returned layer by layer to the client, so the client obtains the latest version of the business certificate.
The present application further provides another application embodiment. FIG. 18 shows the access flow for a business applying for keys.
The business party submits an application to create a certificate; the management backend creates the corresponding certificate according to the request and submits it for review. The approver performs the first approval of the certificate and the platform then performs the second approval. Based on the second approval result, the business party debugs its integration with the SDK and configures the gateway forwarding rules according to the debugging result. In addition, the platform estimates the business volume based on the second approval result and notifies the platform to prepare for the launch of the related business and to deploy the corresponding resources.
An embodiment of the present application further provides a data transmission device, as shown in FIG. 19, applied to a client and including:
a first encryption unit 1901, configured to call a first software development kit (SDK) and, based on at least one encryption method supported by the first SDK, encrypt first data relating to a first service to generate a first ciphertext;
a first sending unit 1902, configured to send a first request to a server, the first request carrying the first ciphertext and being used to request processing of the first service;
a first receiving unit 1903, configured to receive a second ciphertext returned by the server based on the first request, the second ciphertext being obtained by the server encrypting a first processing result of the first ciphertext based on the first request;
a first decryption unit 1904, configured to call the first SDK to decrypt the second ciphertext and generate a first plaintext;
a first processing unit 1905, configured to process the first service based on the first plaintext.
In one embodiment, when calling the first SDK and encrypting the first data relating to the first service based on at least one encryption method supported by the first SDK to generate the first ciphertext, the first encryption unit 1901 is further configured to:
when the first encryption method or the second encryption method is selected among the at least one encryption method supported by the first SDK, encrypt the first data according to the client's first private key information and the server's first public key information, using the first encryption algorithm of the first encryption method or the second encryption algorithm of the second encryption method, to generate the first ciphertext; the first encryption algorithm is the RSA algorithm and the second encryption algorithm is the elliptic curve (ECC) algorithm;
When calling the first SDK to decrypt the second ciphertext and generate the first plaintext, the first decryption unit 1904 is further configured to:
decrypt the second ciphertext according to the server's second private key information to generate the first plaintext; the server's second private key information is determined based on the client's second public key information.
In one embodiment, when calling the first SDK and encrypting the first data relating to the first service based on at least one encryption method supported by the first SDK to generate the first ciphertext, the first encryption unit 1901 is further configured to:
when the third encryption method is selected among the at least one encryption method supported by the first SDK, send a second request to the key management platform, the second request being used to request allocation of communication key information between the client and the server;
receive a first response to the second request returned by the key management platform, the first response including first key information and second key information;
encrypt the first data according to the first key information to generate the first ciphertext.
When calling the first SDK to decrypt the second ciphertext and generate the first plaintext, the first decryption unit 1904 is further configured to:
decrypt the second ciphertext with the second key information to generate the first plaintext.
In one embodiment, the device is further configured to:
send a fourth request to the key management platform, the fourth request being used to request a new version of the business certificate, the business certificate including the server's first public key information;
receive a third response returned by the key management platform based on the fourth request, the third response representing the latest version of the business certificate.
In practical application, the first encryption unit 1901, the first sending unit 1902, the first receiving unit 1903, the first decryption unit 1904 and the first processing unit 1905 may be implemented by a processor in the data transmission device. Naturally, the processor needs to run a program stored in memory to realize the functions of the above program modules.
It should be noted that when the data transmission device provided in the embodiment of FIG. 19 performs data transmission, the division into the above program modules is given only as an example; in practical application the above processing may be allocated to different program modules as required, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the data transmission device provided in the above embodiment and the data transmission method embodiments belong to the same concept; for the specific implementation process see the method embodiments, which are not repeated here.
An embodiment of the present application further provides another data transmission device, as shown in FIG. 20, applied to a server and including:
a second receiving unit 2001, configured to receive a first request sent by a client, the first request carrying a first ciphertext that represents the encryption result of first data relating to a first service, and the first request being used to request processing of the first service;
a second decryption unit 2002, configured to call a second software development kit (SDK) and generate a first decryption result according to the encryption method of the first ciphertext, the first decryption result representing the decryption result for the first request;
a second processing unit 2003, configured to process the first service according to the first decryption result to generate a first processing result;
a second encryption unit 2004, configured to call the second SDK to encrypt the first processing result and generate a second ciphertext;
a second sending unit 2005, configured to return the second ciphertext to the client.
In one embodiment, when calling the second SDK to generate the first decryption result according to the encryption method of the first ciphertext, the second decryption unit 2002 is further configured to:
when non-certificate authentication applies to the client, call the second SDK to determine a second processing result, the second processing result representing the authentication result of the client;
when the second processing result indicates that the client has the right to access the server, call the second SDK to generate the first decryption result according to the encryption method of the first ciphertext;
when the second processing result indicates that the client does not have the right to access the server, return a fourth response to the first request to the client, the fourth response representing refusal to process the first service.
In one embodiment, when calling the second SDK to generate the first decryption result according to the encryption method of the first ciphertext, the second decryption unit 2002 is further configured to:
send a fifth request to the key management platform according to the encryption method of the first ciphertext, the fifth request being used to request the key information for decrypting the first ciphertext;
decrypt the first ciphertext according to the fifth response to the fifth request returned by the key management platform to generate the first decryption result; wherein,
when the encryption method of the first ciphertext is the first encryption method, the fifth response includes the server's second private key information;
when the encryption method of the first ciphertext is the second encryption method, the fifth response includes third key information, the third key information being AES key information;
When calling the second SDK to encrypt the first processing result and generate the second ciphertext, the second encryption unit 2004 is further configured to:
encrypt the first processing result according to the server's second private key information and the client's second public key information, using the first encryption algorithm of the first encryption method or the second encryption algorithm of the second encryption method, to generate the second ciphertext; the first encryption algorithm is the RSA algorithm and the second encryption algorithm is the elliptic curve (ECC) algorithm.
In one embodiment, when the encryption method is the third encryption method, the fifth response includes first key information and second key information, the first key information and the second key information representing the communication key information between the client and the server;
When calling the second SDK to encrypt the first processing result and generate the second ciphertext, the second encryption unit 2004 is further configured to:
encrypt the first processing result according to the second key information to generate the second ciphertext.
In one embodiment, the device is further configured to:
when the first decryption result cannot be generated, send a sixth response to the key management platform, the sixth response indicating that decryption of the first ciphertext failed.
In practical application, the second receiving unit 2001, the second decryption unit 2002, the second processing unit 2003, the second encryption unit 2004 and the second sending unit 2005 may be implemented by a processor in the data transmission device. Naturally, the processor needs to run a program stored in memory to realize the functions of the above program modules.
It should be noted that when the data transmission device provided in the embodiment of FIG. 20 performs data transmission, the division into the above program modules is given only as an example; in practical application the above processing may be allocated to different program modules as required, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the data transmission device provided in the above embodiment and the data transmission method embodiments belong to the same concept; for the specific implementation process see the method embodiments, which are not repeated here.
An embodiment of the present application further provides another data transmission device, as shown in FIG. 21, applied to a key management platform and including:
a third receiving unit 2101, configured to receive a key management request sent by a client or a server;
a first generating unit 2102, configured to call, according to the key management request, the key service corresponding to the request and generate a response to the key management request;
a third sending unit 2103, configured to return the response to the key management request to the client or the server.
In one embodiment, when calling the key service corresponding to the request according to the key management request and generating the response to the key management request, the first generating unit 2102 is further configured to:
when the key management request is a second request, call a first key service and a first tool to generate a first response to the second request, the first response including first key information and second key information; the first key service represents a key agreement service; the second request is used to request allocation of communication key information between the client and the server.
In one embodiment, when calling the key service corresponding to the request according to the key management request and generating the response to the key management request, the first generating unit 2102 is further configured to:
when the key management request is a third request, call a second key service to determine a third processing result, the third processing result representing the result of authenticating the client; the second key service represents an authentication service;
when the third processing result indicates that the client is allowed to access the key management platform, call a third key service to register the client's second public key information and generate a second response, the second response indicating that the second public key information was registered successfully; the third key service represents a key registration service.
In one embodiment, when calling the key service corresponding to the request according to the key management request and generating the response to the key management request, the first generating unit 2102 is further configured to:
when the key management request is a fourth request, call the third key service to generate a third response; the third key service represents the key registration service; the third response represents the latest version of the business certificate.
In one embodiment, when calling the key service corresponding to the request according to the key management request and generating the response to the key management request, the first generating unit 2102 is further configured to:
when the key management request is a fifth request, call the first key service, the fifth request being used to request the key information for decrypting the first ciphertext; the first key service represents the key agreement service;
generate a fifth response according to the encryption method of the first ciphertext, the fifth response including the key information for decrypting the first ciphertext.
In one embodiment, when generating the fifth response according to the encryption method of the first ciphertext, the first generating unit 2102 is further configured to:
when the encryption method of the first ciphertext is the first encryption method, call the first tool to obtain the server's first private key information;
when the encryption method of the first ciphertext is the second encryption method, call the first tool to obtain the third key information, the third key information representing AES key information;
when the encryption method of the first ciphertext is the third encryption method, obtain the first key information and the second key information according to a first mark, the first mark identifying key information previously negotiated by the first key service between the server and the client.
In one embodiment, the device is further configured to:
when the key information for decrypting the first ciphertext cannot be obtained, generate a seventh response, the seventh response indicating that key negotiation failed.
Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiments of the present application, an embodiment of the present application further provides an electronic device. FIG. 22 is a schematic diagram of the hardware structure of the electronic device according to an embodiment of the present application. As shown in FIG. 22, the electronic device includes:
a communication interface 1, capable of exchanging information with other devices such as network devices;
a processor 2, connected to the communication interface 1 to exchange information with other devices and configured, when running a computer program, to execute the data transmission method provided by one or more of the above technical solutions. The computer program is stored in a memory 3.
Naturally, in practical application the components of the electronic device are coupled together through a bus system 4. It will be understood that the bus system 4 is used to realize connection and communication between these components. In addition to a data bus, the bus system 4 includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labeled as the bus system 4 in FIG. 22.
The memory 3 in the embodiments of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include any computer program for operating on the electronic device.
It will be understood that the memory 3 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memory 3 described in the embodiments of the present application is intended to include, without being limited to, these and any other suitable types of memory.
The methods disclosed in the above embodiments of the present application may be applied in, or implemented by, the processor 2. The processor 2 may be an integrated circuit chip with signal processing capability. In the implementation process, the steps of the above methods may be completed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 may be a general-purpose processor, a DSP, or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, and so on. The processor 2 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium, the storage medium being located in the memory 3; the processor 2 reads the program in the memory 3 and completes the steps of the foregoing methods in combination with its hardware.
When the processor 2 executes the program, the corresponding flows of the methods of the embodiments of the present application are realized; for brevity they are not repeated here.
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example a memory 3 storing a computer program that can be executed by the processor 2 to complete the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function; in actual implementation there may be other divisions, for example multiple units or components may be combined, or may be integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may all be integrated into one processing unit, or each unit may serve separately as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the above method embodiments may be completed by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, a ROM, a RAM, a magnetic disk or an optical disc.
Alternatively, if the above integrated units of the present application are implemented in the form of software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing an electronic device (which may be a personal computer, a server, a network device or the like) to execute all or part of the methods described in the embodiments of the present application. The storage medium includes various media that can store program code, such as a removable storage device, a ROM, a RAM, a magnetic disk or an optical disc.
The above are only specific embodiments of the present application, but the scope of protection of the present application is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.
Claims (22)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111493588.5A CN114338091B (en) | 2021-12-08 | 2021-12-08 | Data transmission method, device, electronic device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111493588.5A CN114338091B (en) | 2021-12-08 | 2021-12-08 | Data transmission method, device, electronic device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114338091A true CN114338091A (en) | 2022-04-12 |
| CN114338091B CN114338091B (en) | 2024-05-07 |
Family ID: 81050065
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111493588.5A Active CN114338091B (en) | 2021-12-08 | 2021-12-08 | Data transmission method, device, electronic device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114338091B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115396226A (en) * | 2022-08-31 | 2022-11-25 | 海宁奕斯伟集成电路设计有限公司 | Data transmission method, device and storage medium |
| CN115499250A (en) * | 2022-11-17 | 2022-12-20 | 北京搜狐新动力信息技术有限公司 | A data encryption method and device |
| WO2024141094A1 (en) * | 2022-12-30 | 2024-07-04 | 汉熵通信有限公司 | Distributed encryption and decryption method, apparatus, system and medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103812871A (en) * | 2014-02-24 | 2014-05-21 | 北京明朝万达科技有限公司 | Development method and system based on mobile terminal application program security application |
| CN105025470A (en) * | 2014-04-18 | 2015-11-04 | 中国移动通信集团公司 | A service request processing method, system and related device |
| CN109981641A (en) * | 2019-03-26 | 2019-07-05 | 北京邮电大学 | A kind of safe distribution subscription system and distribution subscription method based on block chain technology |
| CN110570275A (en) * | 2019-08-19 | 2019-12-13 | 香港乐蜜有限公司 | Order checking method and device, electronic equipment and storage medium |
| WO2021022701A1 (en) * | 2019-08-08 | 2021-02-11 | 平安科技(深圳)有限公司 | Information transmission method and apparatus, client terminal, server, and storage medium |
| WO2021103708A1 (en) * | 2019-11-26 | 2021-06-03 | 支付宝(杭州)信息技术有限公司 | Data query method, apparatus, device and system based on privacy information protection |
| CN113010856A (en) * | 2021-03-02 | 2021-06-22 | 北京顶象技术有限公司 | Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system |
| CN113204772A (en) * | 2021-04-26 | 2021-08-03 | 五八有限公司 | Data processing method, device, system, terminal, server and storage medium |
| CN113497778A (en) * | 2020-03-18 | 2021-10-12 | 北京同邦卓益科技有限公司 | Data transmission method and device |
- 2021-12-08 CN CN202111493588.5A patent/CN114338091B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN114338091B (en) | 2024-05-07 |
Similar Documents
| Publication | Title |
|---|---|
| JP5860815B2 (en) | System and method for enforcing computer policy |
| CN102217277B (en) | Method and system for token-based authentication |
| US7526649B2 (en) | Session key exchange |
| EP2954448B1 (en) | Provisioning sensitive data into third party network-enabled devices |
| US12113898B2 (en) | Binding with cryptographic key attestation |
| CN108768988A (en) | Block chain access control method, equipment and computer readable storage medium |
| US10257171B2 (en) | Server public key pinning by URL |
| US12132839B2 (en) | Decentralised authentication |
| CN102984273B (en) | Encryption method, decryption method, encryption device and decryption device of virtual disk and cloud server |
| CN110443049A (en) | Method and system for managing security data storage and security storage management module |
| CN114338091B (en) | Data transmission method, device, electronic device and storage medium |
| CN113556230B (en) | Data security transmission method, certificate related method, server, system and medium |
| CN102986161A (en) | Method for the cryptographic protection of an application |
| EP4423970B1 (en) | Method to establish a secure channel |
| CN106992978B (en) | Network security management method and server |
| CN114826702B (en) | Database access password encryption method and device and computer equipment |
| KR100970552B1 (en) | How to generate a security key using a non-certificate public key |
| CN104753879A (en) | Method and system for authenticating cloud service provider through terminal and method and system for authenticating terminal through cloud service provider |
| US20240413988A1 (en) | Multi-factor authentication hardening |
| CN114979071B (en) | Dynamic domain name configuration method, device, electronic equipment and storage medium |
| CN117728958A (en) | A communication method, device and system |
| KR101893758B1 (en) | System and method for monitoring leakage of internal information through analyzing encrypted traffic |
| US20240422015A1 (en) | Method and apparatus for authenticating iot devices |
| CN118802131B (en) | Authentication methods, related equipment, storage media, and computer program products |
| Culnane et al. | Formalising Application-Driven Authentication & Access-Control based on Users’ Companion Devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| 20250418 | TR01 | Transfer of patent right | Effective date of registration: 20250418. Patentee after: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS Corp.,Ltd.; address after: Changan town in Guangdong province Dongguan 523860 usha Beach Road No. 18; country or region after: China. Patentee before: Hangzhou douku Software Technology Co.,Ltd.; address before: 311100 room 1001, building 9, Xixi bafangcheng, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province; country or region before: China. |
