CN114386075A - Data transmission channel establishing method, data transmission device, data transmission equipment and medium - Google Patents
- Publication number: CN114386075A (application no. CN202210043108.3A)
- Authority: CN (China)
- Prior art keywords: terminal, server, secure, authorization code, channel
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (all under G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data)
- G06F21/602—Providing cryptographic facilities or services
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
Embodiments of the present application provide a method, an apparatus, a device and a medium for establishing a data transmission channel and for transmitting data. The channel establishing method comprises: sending a secure channel authorization application to a server, the application containing metadata information of the terminal, so that the server identifies the terminal from the metadata information and generates a corresponding first secure channel authorization code; receiving the first secure channel authorization code returned by the server; sending a secure transmission channel establishment request to the server, the request containing the first secure channel authorization code and a terminal identifier, so that the server looks up the corresponding second secure channel authorization code by the terminal identifier and, when the first secure channel authorization code matches the second, returns a secure communication policy to the terminal; and receiving the secure communication policy returned by the server, thereby establishing a data transmission channel between the terminal and the server. This effectively prevents the data from being intercepted or tampered with in transit.
Description
Technical Field
The present application relates to the field of computer data security, and in particular, to a method, an apparatus, a device, and a medium for establishing a data transmission channel and transmitting data.
Background
With the rapid development of society, new office modes keep emerging, and among them mobile office is gradually being accepted by the public because it is convenient and low-cost.
However, mobile office requires data to be transmitted between the server and the client, so how to keep that data secure in transit has become a problem that urgently needs solving.
At present, two methods are generally used to secure data transmission. One is based on an asymmetric key exchange algorithm: a key certificate is built into the client, and data is then encrypted and transmitted using that key certificate. The other is to set up a VPN as a dedicated transmission channel and then transmit the data through it. However, a built-in key certificate carries the risk that the certificate and its key leak, and a dedicated VPN channel is cumbersome to operate and poses security risks when used with wireless devices.
Disclosure of Invention
Embodiments of the present application provide a data transmission method, a data transmission apparatus, a data transmission device and a computer storage medium, which can effectively prevent data from being intercepted or tampered with during transmission.
In a first aspect, an embodiment of the present application provides a method for establishing a data transmission channel, where the method includes:
sending a security channel authorization application to a server, wherein the security channel authorization application comprises metadata information of a terminal, so that the server identifies the terminal according to the metadata information and generates a corresponding first security channel authorization code;
receiving a first security channel authorization code returned by the server;
sending a request for establishing a secure transmission channel to a server, wherein the request comprises a first secure channel authorization code and a terminal identifier, so that the server searches a corresponding second secure channel authorization code according to the terminal identifier; and returning a secure communication strategy to the terminal under the condition that the first secure channel authorization code is consistent with the second secure channel authorization code;
and receiving the security communication strategy returned by the server to establish a data transmission channel between the terminal and the server.
In some embodiments, before sending the secure channel authorization application to the server, the method further comprises:
sending a public key request to a server;
receiving a first public key returned by the server;
encrypting the metadata information using the first public key to obtain encrypted metadata information;
the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
In some embodiments, after receiving the first secure channel authorization code returned by the server, the method further includes:
generating a second private key and a second public key to encrypt and decrypt the transmission data;
the request for establishing the secure transmission channel also comprises a second public key; the secure communication policy includes a secure communication policy encrypted by the second public key.
In some embodiments, after establishing the data transmission channel between the terminal and the server, the method further comprises:
under the condition that the first security channel authorization code is determined to be out of date, sending a security channel secondary authorization application to the server; the secure channel secondary authorization application comprises a terminal identifier;
receiving an activatable state code returned by the server, wherein the activatable state code is sent by the server under the condition that the second public key is determined to be valid according to the terminal identifier;
sending the secondary authentication information to the server so that the server verifies the validity of the secondary authentication information, and returning a new security channel authorization code to the terminal under the condition that the verification is passed;
and receiving a new secure channel authorization code and activating the secure transmission channel according to the new secure channel authorization code.
In a second aspect, an embodiment of the present application provides a method for establishing a data transmission channel, which is applied to a server, and the method includes:
receiving a security channel authorization application sent by a terminal, wherein the security channel authorization application comprises metadata information of the terminal;
identifying the terminal according to the metadata information, and generating a first security channel authorization code corresponding to the terminal under the condition that the identification is passed;
sending the first security channel authorization code to the terminal so that the terminal generates a secure transmission channel establishment request according to the first security channel authorization code and the terminal identifier;
after receiving the secure transmission channel establishment request, searching for the second security channel authorization code corresponding to the terminal identifier carried in the request; and, when the second security channel authorization code matches the first security channel authorization code, returning a secure communication policy to the terminal so as to establish a transmission channel between the terminal and the server.
In some embodiments, before receiving the secure channel authorization application sent by the terminal, the method further includes:
receiving a public key request sent by a terminal;
sending a first public key to the terminal so that the terminal encrypts its metadata information using the first public key to obtain encrypted metadata information;
the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
In some embodiments, the secure transmission channel establishment request further includes a second public key;
before returning the secure communication policy to the terminal, the method further comprises:
and encrypting the secure communication policy according to the second public key.
In some embodiments, after returning the secure communication policy to the terminal, the method further comprises:
receiving a secure channel secondary authorization application sent by the terminal, the secondary authorization application comprising a terminal identifier;
under the condition that the second public key is determined to be valid according to the terminal identification, an activatable state code is sent to the terminal;
acquiring secondary authentication information sent by a terminal, and verifying the validity of the secondary authentication information;
and returning a new security channel authorization code to the terminal under the condition of passing the verification so that the terminal activates the security transmission channel according to the new security channel authorization code.
In a third aspect, an embodiment of the present application provides a data transmission method, which is applied to a terminal, and the method includes:
encrypting the data to be transmitted according to the second private key to obtain a request data ciphertext;
sending a request data ciphertext and a terminal identifier of a terminal to a server so that the server verifies the secure channel according to the terminal identifier, decrypts the data ciphertext after the verification is passed to obtain a plaintext, performs service processing according to the plaintext, and generates response data;
and receiving a response data ciphertext returned by the server, decrypting the response data ciphertext by using the second private key to obtain the response data of the server, and finishing communication with the server.
In a fourth aspect, an embodiment of the present application provides a data transmission method, which is applied to a server, and the method includes:
receiving a data ciphertext sent by a terminal and a terminal identifier corresponding to the terminal;
verifying the security channel based on the terminal identification, and decrypting the data ciphertext after the verification is passed to obtain a plaintext;
performing service processing according to the plaintext to generate response data;
encrypting the response data according to the second public key to generate a response data ciphertext;
and returning the response data ciphertext to the terminal so that the terminal decrypts the response data ciphertext based on the second private key to obtain response data and complete communication with the server.
In a fifth aspect, an embodiment of the present application provides a data transmission channel establishing apparatus, which is applied to a terminal, and the apparatus includes:
the first sending module is used for sending a security channel authorization application to the server, wherein the security channel authorization application comprises metadata information of the terminal, so that the server can identify the terminal according to the metadata information and generate a corresponding first security channel authorization code;
the first receiving module is used for receiving a first security channel authorization code returned by the server;
the second sending module is used for sending an application request for establishing the secure transmission channel to the server, wherein the application request comprises the first secure channel authorization code and the terminal identifier, so that the server searches the corresponding second secure channel authorization code according to the terminal identifier; and returning a secure communication strategy to the terminal under the condition that the first secure channel authorization code is consistent with the second secure channel authorization code;
and the second receiving module is used for receiving the security communication strategy returned by the server so as to establish a data transmission channel between the terminal and the server.
In some embodiments, the data transmission channel establishing device further includes:
the sixth sending module is used for sending a public key request to the server before sending the secure channel authorization application to the server;
the fifth receiving module is used for receiving the first public key returned by the server;
the third encryption module is used for encrypting the metadata information using the first public key to obtain encrypted metadata information;
the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
In some embodiments, the data transmission channel establishing device further includes:
the third generation module is used for generating a second private key and a second public key after receiving the first security channel authorization code returned by the server so as to encrypt and decrypt the transmission data;
the request for establishing the secure transmission channel also comprises a second public key; the secure communication policy includes a secure communication policy encrypted by the second public key.
In some embodiments, the data transmission channel establishing device further includes:
the seventh sending module is used for sending a secondary authorization application of the secure channel to the server under the condition that the first secure channel authorization code is determined to be expired after a data transmission channel between the terminal and the server is established; the secure channel secondary authorization application comprises a terminal identifier;
the sixth receiving module is used for receiving the activatable state code returned by the server, wherein the activatable state code is sent by the server under the condition that the second public key is determined to be valid according to the terminal identifier;
the eighth sending module is used for sending the secondary authentication information to the server so that the server verifies the validity of the secondary authentication information, and returns a new security channel authorization code to the terminal under the condition that the secondary authentication information passes the verification;
and the seventh receiving module is used for receiving the new security channel authorization code and activating the security transmission channel according to the new security channel authorization code.
In a sixth aspect, an embodiment of the present application provides an apparatus for establishing a data transmission channel, where the apparatus is applied to a server, and the apparatus includes:
the third receiving module is used for receiving a security channel authorization application sent by the terminal, wherein the security channel authorization application comprises metadata information of the terminal;
the first generation module is used for identifying the terminal according to the metadata information and generating a first security channel authorization code corresponding to the terminal under the condition that the identification is passed;
the third sending module is used for sending the first security channel authorization code to the terminal so that the terminal generates a secure transmission channel establishment request according to the first security channel authorization code and the terminal identifier;
the first searching module is used for searching for the second security channel authorization code corresponding to the terminal identifier carried in the request and, when the second security channel authorization code matches the first security channel authorization code, returning a secure communication policy to the terminal so as to establish a transmission channel between the terminal and the server.
In some embodiments, the data transmission channel establishing device further includes:
the eighth receiving module is used for receiving the public key request sent by the terminal before receiving the secure channel authorization application sent by the terminal;
a ninth sending module, configured to send the first public key to the terminal, so that the terminal encrypts the metadata information using the first public key to obtain encrypted metadata information;
the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
In some embodiments, the data transmission channel establishing device further includes:
the fourth encryption module is used for encrypting the secure communication strategy according to the second public key before returning the secure communication strategy to the terminal;
the request for establishing the secure transmission channel also comprises a second public key.
In some embodiments, the data transmission channel establishing device further includes:
the ninth receiving module is used for receiving a secure channel secondary authorization application sent by the terminal after the secure communication policy has been returned to the terminal; the secondary authorization application comprises a terminal identifier;
a tenth sending module, configured to send the activatable status code to the terminal when it is determined that the second public key is valid according to the terminal identifier;
the second verification module is used for acquiring the secondary authentication information sent by the terminal and verifying the validity of the secondary authentication information;
and the eleventh sending module is used for returning a new security channel authorization code to the terminal under the condition that the verification is passed, so that the terminal activates the security transmission channel according to the new security channel authorization code.
In a seventh aspect, an embodiment of the present application provides a data transmission apparatus, which is applied to a terminal, and the apparatus includes:
the first encryption module is used for encrypting the data to be transmitted according to the second private key to obtain a request data ciphertext;
the fourth sending module is used for sending the request data ciphertext and the terminal identification of the terminal to the server so that the server verifies the security channel according to the terminal identification, decrypts the data ciphertext after the verification is passed to obtain a plaintext, performs service processing according to the plaintext and generates response data;
and the fourth receiving module is used for receiving the response data ciphertext returned by the server, decrypting the response data ciphertext by using the second private key, obtaining the response data of the server and finishing the communication with the server.
In an eighth aspect, an embodiment of the present application provides a data transmission apparatus, which is applied to a server, and includes:
the fifth receiving module is used for receiving the data ciphertext sent by the terminal and the terminal identification corresponding to the terminal;
the first verification module is used for verifying the security channel based on the terminal identification and decrypting the data ciphertext to obtain a plaintext after the verification is passed;
the second generation module is used for carrying out service processing according to the plaintext and generating response data;
the second encryption module is used for encrypting the response data according to the second public key to generate a response data ciphertext;
and the fifth sending module is used for returning the response data ciphertext to the terminal so that the terminal decrypts the response data ciphertext based on the second private key to obtain response data and complete communication with the server.
In a ninth aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the steps of the data transmission channel establishment method or the data transmission method in any one of the first to fourth aspects.
In a tenth aspect, the present application provides a computer-readable storage medium, on which computer program instructions are stored, where the computer program instructions, when executed by a processor, implement the steps of the data transmission channel establishment method or the data transmission method in any one of the first to fourth aspects.
In an eleventh aspect, the present application provides a computer program product, and when executed by a processor of an electronic device, the instructions of the computer program product enable the electronic device to perform the steps of the data transmission channel establishment method or the data transmission method in any one of the first to fourth aspects.
According to the data transmission channel establishing method, data transmission method, apparatus, device and medium described above, the terminal sends a secure channel authorization application to the server, and the server generates a first secure channel authorization code corresponding to the metadata information carried in that application. After receiving the first secure channel authorization code, the terminal generates a secure transmission channel establishment request from the first secure channel authorization code and its terminal identifier and sends the request to the server. On receiving the request, the server looks up the second secure channel authorization code stored for the terminal identifier in the request and, if it determines that the first and second secure channel authorization codes match, returns a secure communication policy to the terminal. The terminal then establishes the data transmission channel between itself and the server according to that policy. Because the server derives the first code from the terminal's own metadata, retrieves the second code by terminal identifier when the establishment request arrives, and releases the secure communication policy only when the two codes match, a terminal obtains the policy, and hence the channel, only if it presents the code the server issued for that identifier.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating an example of a data transmission channel establishment scenario provided herein;
fig. 2 is a schematic flowchart illustrating an embodiment of a data transmission channel establishing method provided in the present application;
fig. 3 is a schematic flow chart illustrating another embodiment of a data transmission channel establishing method provided in the present application;
FIG. 4 is a schematic diagram illustrating an example of a data transmission scenario provided herein;
FIG. 5 is a flow chart illustrating an embodiment of a data transmission method provided herein;
fig. 6 is a schematic flow chart illustrating another embodiment of a data transmission method provided in the present application;
fig. 7 is a schematic structural diagram illustrating an embodiment of a data transmission channel establishing apparatus provided in the present application;
fig. 8 is a schematic structural diagram illustrating another embodiment of a data transmission channel establishing apparatus provided in the present application;
FIG. 9 is a schematic diagram illustrating an embodiment of a data transmission apparatus provided herein;
FIG. 10 is a schematic diagram illustrating another embodiment of a data transmission device provided herein;
fig. 11 shows a hardware structure diagram of an embodiment of the electronic device provided in the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below, and in order to make objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are intended to be illustrative only and are not intended to be limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In order to solve the problems of the prior art, embodiments of the present application provide a method, an apparatus, a device and a medium for establishing a data transmission channel and transmitting data. The data transmission channel establishing method can be applied to the architecture shown in Fig. 1, which is described in detail below.
Fig. 1 is a schematic diagram illustrating an example of a data transmission channel establishment scenario provided by the present application.
As shown in fig. 1, in the scenario of establishing a data transmission channel, at least one terminal 10 and one server 20 are included, and a secure channel authorization application is sent to the server through the terminal 10. The server 20 generates a first secure channel authorization code corresponding to the terminal 10 according to the obtained secure channel authorization application. After receiving the first secure tunnel authorization code sent by the server 20, the terminal 10 generates a secure transmission tunnel application request according to the first secure tunnel authorization code and the terminal identifier. After receiving the secure transmission channel application request, the server 20 verifies the first secure channel authorization code in the secure transmission channel application request, and when the server 20 verifies the first secure channel authorization code, the server 20 sends the secure communication policy to the terminal 10. After receiving the secure communication policy, the terminal 10 establishes a data transmission channel between the terminal 10 and the server 20 according to the secure communication policy.
Based on this application scenario, the data transmission channel establishing method provided in the embodiment of the present application is described in detail below with reference to fig. 2 to 3. It should be noted that the execution subject of the data transmission channel establishing method may be a terminal or a server; the method as executed by the terminal is described first.
Fig. 2 shows a schematic flow chart of an embodiment of a data transmission channel establishing method provided in the present application. It should be noted that this data transmission channel establishing method is applied to a terminal. As shown in fig. 2, the data transmission channel establishing method may include the following steps:
S210, sending a secure channel authorization application to a server, wherein the secure channel authorization application comprises metadata information of the terminal, so that the server identifies the terminal according to the metadata information and generates a corresponding first secure channel authorization code;
S220, receiving the first secure channel authorization code returned by the server;
S230, sending a request for establishing a secure transmission channel to the server, wherein the request comprises the first secure channel authorization code and a terminal identifier, so that the server searches for the corresponding second secure channel authorization code according to the terminal identifier, and returns a secure communication policy to the terminal under the condition that the first secure channel authorization code is consistent with the second secure channel authorization code;
and S240, receiving the secure communication policy returned by the server to establish a data transmission channel between the terminal and the server.
Therefore, the terminal sends a secure channel authorization application to the server, and then receives the first secure channel authorization code that the server generates for the metadata according to the metadata information in the application. After the terminal receives the first secure channel authorization code, a secure transmission channel establishment application request is generated based on the first secure channel authorization code and the terminal identifier, and the request is sent to the server. After receiving the request, the server searches for the second secure channel authorization code corresponding to the terminal identifier in the request, and returns the secure communication policy to the terminal when it determines that the first secure channel authorization code is consistent with the second secure channel authorization code. After receiving the secure communication policy, the terminal establishes a data transmission channel between the terminal and the server according to that policy. In this way, the server generates the first secure channel authorization code from the metadata sent by the terminal, obtains the second secure channel authorization code from the terminal identifier in the terminal's request, compares the two codes, and sends the secure communication policy only when they match, so that the terminal establishes the data transmission channel through the secure communication policy.
In some embodiments, in S210, the metadata information of the terminal may include at least one of a Mobile Equipment Identity (MEID), a serial number, a device model number, or the mobile equipment manufacturer. The first secure channel authorization code may include text information for authorizing the terminal. The server identifying the terminal according to the metadata information may include: the server identifies the terminal by comparing the received metadata information with metadata information of the terminal stored in advance.
In some embodiments, before the terminal sends the secure channel authorization application to the server, the data transmission channel establishing method may further include:
sending a public key request to a server;
receiving a first public key returned by the server;
encrypting the metadata information by using the first public key to obtain encrypted metadata information;
the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
In some implementations, the first public key may be a key generated by the server through an asymmetric encryption algorithm, corresponding to the first private key.
In some embodiments, before encrypting the metadata information with the first public key, the terminal may compute a hash value of the metadata and use the result as the identification number of the terminal.
In some embodiments, after the server receives the metadata sent by the terminal, the hash value calculation may be performed according to the metadata, and then the result of the calculation may be stored in the server as the identifier of the terminal.
In some embodiments, the terminal may perform the above operations through a client provided on the terminal.
Therefore, the terminal obtains the first public key generated by the server, encrypts the metadata of the terminal with the first public key to obtain encrypted metadata, and sends the encrypted metadata to the server. Because only the encrypted metadata is sent, the metadata cannot easily be stolen or eavesdropped on while it is being sent, and the security of the original data sent is improved.
In some embodiments, in S230, the terminal identifier may include metadata or a terminal identifier obtained by performing a hash value calculation on the metadata.
In some embodiments, the second secure channel authorization code may be identical to the first secure channel authorization code sent by the server to the terminal: after sending the first secure channel authorization code to the terminal, the server may store an identical copy in the server as the second secure channel authorization code.
After the server receives the secure transmission channel establishment request sent by the terminal, it searches for the second secure channel authorization code stored in the server for that terminal according to the terminal identifier in the request. It then compares the first secure channel authorization code in the request with the second secure channel authorization code, and sends the secure communication policy to the terminal if the two are consistent.
In some embodiments, after the terminal receives the first secure channel authorization code returned by the server, the method further includes:
generating a second private key and a second public key to encrypt and decrypt the transmission data;
the request for establishing the secure transmission channel also comprises a second public key; the secure communication policy includes a secure communication policy encrypted by the second public key.
In some embodiments, the second public key and the second private key may comprise a corresponding pair of keys generated by the terminal through an asymmetric encryption algorithm.
In some embodiments, after receiving the first secure channel authorization code, the terminal may encrypt the second public key generated by the terminal, the first secure channel authorization code, and the terminal identifier with the first public key, and use the encrypted result as the secure transmission channel establishment application request.
In some embodiments, the server may store the first secure channel authorization code, the second secure channel authorization code, and the second public key in the same location, and set a validity period for the second secure channel authorization code and the second public key.
Therefore, because the first secure channel authorization code, the second secure channel authorization code and the second public key are stored in the same location, the server does not have to fetch different pieces of information from different storage locations when it verifies the identity of the terminal using the second secure channel authorization code and the second public key, which avoids the low data acquisition efficiency that separate storage would cause.
Therefore, after receiving the first secure channel authorization code, the terminal sends the first secure channel authorization code and the second public key it generated to the server, so that the server can verify the identity of the terminal based on the first secure channel authorization code; once the terminal's identity is verified, the second public key sent by the terminal is confirmed to be the one generated by that terminal, and the secure communication policy is sent to the terminal. Because the server verifies the identity of the terminal before sending the secure communication policy, the policy cannot be sent to the wrong terminal, and the security of the secure communication policy sent by the server is improved.
In some embodiments, in S240 the secure communication policy may include a transmission policy that decides the transmission path between the terminal and the server. The secure transmission channel may be a virtual channel.
In some embodiments, the secure communication policy sent by the server to the terminal may include a secure communication policy encrypted by the server based on the second public key. And after receiving the security communication strategy encrypted by the second public key, the terminal decrypts the encrypted security communication strategy by using a second private key corresponding to the second public key stored in the terminal to obtain the security communication strategy.
In some embodiments, after establishing the data transmission channel between the terminal and the server, the method further comprises:
under the condition that the first security channel authorization code is determined to be out of date, sending a security channel secondary authorization application to the server; the secure channel secondary authorization application comprises a terminal identifier;
receiving an activatable state code returned by the server, wherein the activatable state code is sent by the server under the condition that the second public key is determined to be valid according to the terminal identifier;
sending the secondary authentication information to the server so that the server verifies the validity of the secondary authentication information, and returning a new security channel authorization code to the terminal under the condition that the verification is passed;
and receiving a new secure channel authorization code and activating the secure transmission channel according to the new secure channel authorization code.
In some embodiments, to guard against malicious theft of the first secure channel authorization code, the first secure channel authorization code may be given a time limit; after the time limit expires, the client can no longer complete the establishment of the data transmission channel between the terminal and the server through the secure communication policy. The first secure channel authorization code and the second secure channel authorization code are unique, non-repeating values; a UUID may be used.
In some embodiments, the secure channel secondary authorization application may be a secure channel secondary authorization application encrypted by the terminal with the first public key.
In some embodiments, the secure channel secondary authorization application may further include a user identifier of the user using the terminal, where the user identifier may include biometric information of the user.
After receiving the secure channel secondary authorization application, the server may authenticate the identity of the terminal according to the terminal identifier in the secure channel secondary authorization application. The verification method can comprise the steps of comparing the stored terminal identification with the terminal identification in the secure channel secondary authorization application, and passing the verification under the condition that the comparison is consistent.
In some embodiments, the server may send the activatable state code to the terminal after the terminal has passed the authentication.
In some embodiments, the secondary authentication information may include at least one of a terminal identification or a user identity identification. The method for authenticating the terminal identifier or the user identity identifier by the server has been described in detail in the above steps, and is not described herein again.
In some embodiments, when the server verifies the secondary authentication information sent by the terminal, it may determine that the terminal is legitimate. After the server determines that the terminal is legitimate, it sends a new secure channel authorization code to the terminal.
In some embodiments, the terminal may activate the secure transmission channel in accordance with the new secure channel authorization code.
Therefore, the first secure channel authorization code is given a validity period, and the identity of the terminal is verified again after the first secure channel authorization code expires. If the first secure channel authorization code is stolen, the thief will find it difficult to pass the terminal identity verification, so the loss caused by a stolen first secure channel authorization code can be reduced.
Fig. 3 is a schematic flowchart illustrating another embodiment of a data transmission channel establishing method provided in the present application, where the data transmission channel establishing method may be applied to a server, and as shown in fig. 3, the data transmission channel establishing method may include the following steps:
S310, receiving a secure channel authorization application sent by a terminal, wherein the secure channel authorization application comprises metadata information of the terminal;
S320, identifying the terminal according to the metadata information, and generating a first secure channel authorization code corresponding to the terminal under the condition that the identification passes;
S330, sending the first secure channel authorization code to the terminal so that the terminal generates a secure channel establishment application request according to the first secure channel authorization code and the client identifier;
S340, searching for the second secure channel authorization code corresponding to the terminal identifier according to the terminal identifier, and returning a secure communication policy to the terminal under the condition that the second secure channel authorization code is consistent with the first secure channel authorization code, so as to establish a transmission channel between the terminal and the server.
Therefore, the terminal sends a secure channel authorization application to the server, and then receives the first secure channel authorization code that the server generates for the metadata according to the metadata information in the application. After the terminal receives the first secure channel authorization code, a secure transmission channel establishment application request is generated based on the first secure channel authorization code and the terminal identifier, and the request is sent to the server. After receiving the request, the server searches for the second secure channel authorization code corresponding to the terminal identifier in the request, and returns the secure communication policy to the terminal when it determines that the first secure channel authorization code is consistent with the second secure channel authorization code. After receiving the secure communication policy, the terminal establishes a data transmission channel between the terminal and the server according to that policy. In this way, the server generates the first secure channel authorization code from the metadata sent by the terminal, obtains the second secure channel authorization code from the terminal identifier in the terminal's request, compares the two codes, and sends the secure communication policy only when they match, so that the terminal establishes the data transmission channel through the secure communication policy.
In some embodiments, before S310, the data transmission channel establishing method may further include:
receiving a security channel authorization application sent by a terminal, wherein the security channel authorization application comprises metadata information of the terminal;
identifying the terminal according to the metadata information, and generating a first security channel authorization code corresponding to the terminal under the condition that the identification is passed;
sending a first security channel authorization code to the terminal so that the terminal generates a security channel establishment application request according to the first security channel authorization code and the client identifier;
searching a second security channel authorization code corresponding to the terminal identifier according to the terminal identifier; under the condition that the second security channel authorization code is consistent with the first security channel authorization code, a security communication strategy is returned to the terminal; to establish a transmission channel between the terminal and the server.
Therefore, the terminal obtains the first public key generated by the server, encrypts the metadata of the terminal with the first public key to obtain encrypted metadata, and sends the encrypted metadata to the server. Because only the encrypted metadata is sent, the metadata cannot easily be stolen or eavesdropped on while it is being sent, and the security of the original data sent is improved.
In some embodiments, the secure transmission channel establishment request may further include a second public key.
Before S340, the method for establishing a data transmission channel may further include:
and encrypting the secure communication policy according to the second public key.
Therefore, after receiving the first secure channel authorization code, the terminal sends the first secure channel authorization code and the second public key it generated to the server, so that the server can verify the identity of the terminal based on the first secure channel authorization code; once the terminal's identity is verified, the second public key sent by the terminal is confirmed to be the one generated by that terminal, and the secure communication policy is sent to the terminal. Because the server verifies the identity of the terminal before sending the secure communication policy, the policy cannot be sent to the wrong terminal, and the security of the secure communication policy sent by the server is improved.
In some embodiments, after S340, the data transmission channel establishing method may further include:
receiving a secure channel secondary authorization application sent by the terminal, where the secure channel secondary authorization application comprises a terminal identifier;
under the condition that the second public key is determined to be valid according to the terminal identification, an activatable state code is sent to the terminal;
acquiring secondary authentication information sent by a terminal, and verifying the validity of the secondary authentication information;
and returning a new security channel authorization code to the terminal under the condition of passing the verification so that the terminal activates the security transmission channel according to the new security channel authorization code.
Therefore, the first secure channel authorization code is given a validity period, and the identity of the terminal is verified again after the first secure channel authorization code expires. If the first secure channel authorization code is stolen, the thief will find it difficult to pass the terminal identity verification, so the loss caused by a stolen first secure channel authorization code can be reduced.
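The following is an added example, not code from the patent, that models the server side of S310 to S340 together with the time limit and secondary authorization described above (the terminal-side steps S210 to S240 and the secondary authorization in the preceding section exercise the same logic). Encryption with the first public key is omitted, the second public key is carried as an opaque byte string, the terminal identifier is a SHA-256 hash of the metadata, and the code and key lifetimes, the enrolled-terminal metadata and the returned policy are constructed assumptions.

```python
import hashlib
import hmac
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_LIFETIME_S = 300.0   # assumed validity period of an authorization code
KEY_LIFETIME_S = 3600.0   # assumed "usage age" of the stored second public key

def terminal_identifier(metadata: Dict[str, str]) -> str:
    """Terminal identifier: hash of the metadata (MEID, serial, model, maker)."""
    canonical = "|".join(f"{k}={metadata[k]}" for k in sorted(metadata))
    return hashlib.sha256(canonical.encode()).hexdigest()

@dataclass
class AuthRecord:
    # Both codes and the second public key sit in one record (single lookup).
    first_code: str
    second_code: str
    code_expires_at: float
    second_public_key: Optional[bytes] = None
    key_expires_at: float = 0.0

class Server:
    def __init__(self, enrolled, now: Callable[[], float] = time.time):
        # Metadata of enrolled terminals, stored in advance, keyed by identifier.
        self.enrolled = {terminal_identifier(m): m for m in enrolled}
        self.records: Dict[str, AuthRecord] = {}
        self.now = now

    def _issue_code(self, tid: str) -> str:
        code = str(uuid.uuid4())   # unique, non-repeating, as the page suggests
        rec = self.records.setdefault(tid, AuthRecord(code, code, 0.0))
        rec.first_code = rec.second_code = code   # second code = stored copy
        rec.code_expires_at = self.now() + CODE_LIFETIME_S
        return code

    def _code_ok(self, rec: AuthRecord, presented: str) -> bool:
        # S340: the presented first code must equal the stored second code and
        # still be inside its time limit; compare in constant time.
        return (self.now() <= rec.code_expires_at
                and hmac.compare_digest(rec.second_code, presented))

    def authorize(self, metadata: Dict[str, str]) -> Optional[str]:
        """S310-S330: identify the terminal by its metadata, issue first code."""
        tid = terminal_identifier(metadata)
        if tid not in self.enrolled:
            return None   # identification failed: no code for unknown terminals
        return self._issue_code(tid)

    def establish(self, tid: str, first_code: str, second_public_key: bytes):
        """S340: check the code, bind the second public key, return the policy."""
        rec = self.records.get(tid)
        if rec is None or not self._code_ok(rec, first_code):
            return None
        rec.second_public_key = second_public_key
        rec.key_expires_at = self.now() + KEY_LIFETIME_S
        # Constructed policy; the patent returns it encrypted with the key above.
        return {"transmission_path": "virtual-channel", "terminal": tid}

    def secondary_authorize(self, tid: str) -> Optional[str]:
        """Activatable state code, only while the stored second key is valid."""
        rec = self.records.get(tid)
        if rec is None or rec.second_public_key is None:
            return None
        return "ACTIVATABLE" if self.now() <= rec.key_expires_at else None

    def verify_secondary(self, tid: str, metadata: Dict[str, str]):
        """Re-hash the submitted metadata, compare it with the stored identifier
        and issue a new authorization code on success."""
        if self.secondary_authorize(tid) is None:
            return None
        if not hmac.compare_digest(terminal_identifier(metadata), tid):
            return None
        return self._issue_code(tid)

TERMINAL_META = {"meid": "A0000012345678", "serial": "SN-0001",
                 "model": "X1", "manufacturer": "ExampleCo"}   # constructed

def demo(start: float = 1000.0) -> dict:
    """Run the whole flow against a controllable clock and return the outcomes."""
    clock = [start]
    srv = Server([TERMINAL_META], now=lambda: clock[0])
    tid = terminal_identifier(TERMINAL_META)
    code = srv.authorize(TERMINAL_META)
    policy = srv.establish(tid, code, b"constructed-second-public-key")
    wrong = srv.establish(tid, str(uuid.uuid4()), b"x")   # guessed code fails
    clock[0] += CODE_LIFETIME_S + 1                          # first code expires
    stale = srv.establish(tid, code, b"x")
    state = srv.secondary_authorize(tid)
    new_code = srv.verify_secondary(tid, TERMINAL_META)
    return {"policy": policy, "wrong": wrong, "stale": stale, "state": state,
            "renewed": new_code is not None and new_code != code}
```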
After the data transmission channel is established, the application also provides a data transmission method realized based on the data transmission channel. The method can be applied to the architecture shown in fig. 4, and is specifically described in detail with reference to fig. 4.
Fig. 4 is a schematic diagram illustrating an example of a data transmission scenario provided herein.
As shown in fig. 4, in the data transmission scenario, at least one terminal 10, one server 20, and one data transmission channel 30 are included. The terminal 10 and the server 20 complete data transmission through a data transmission channel.
Based on this application scenario, the data transmission method provided by the embodiment of the present application is described in detail below with reference to fig. 5 and fig. 6. It should be noted that the execution subject of the data transmission method may be a terminal or a server; the method as executed by the terminal is described first.
Fig. 5 shows a flowchart of an embodiment of a data transmission method provided in the present application. It should be noted that this data transmission method is applied to a terminal. As shown in fig. 5, the data transmission method may include the following steps:
S510, encrypting the data to be transmitted with the second private key to obtain a request data ciphertext;
S520, sending the request data ciphertext and the terminal identifier of the terminal to the server, so that the server verifies the secure channel according to the terminal identifier, decrypts the data ciphertext after the verification passes to obtain a plaintext, performs service processing according to the plaintext, and generates response data;
and S530, receiving the response data ciphertext returned by the server, decrypting the response data ciphertext with the second private key to obtain the response data of the server, and completing the communication with the server.
Therefore, the terminal encrypts the data to be sent with the second private key and sends the resulting ciphertext together with the terminal identifier corresponding to the terminal to the server. After receiving the ciphertext and the terminal identifier, the server verifies the terminal according to the terminal identifier, decrypts the ciphertext after the verification passes to obtain the plaintext, and performs service processing according to the plaintext to generate the corresponding response data. The server then sends the response data to the terminal, completing the communication between the terminal and the server. Because the terminal encrypts the data with the second private key before sending it, and the server encrypts the response data before sending it, the transmitted data cannot easily be stolen or intercepted, and the security of the transmitted data is improved.
In some embodiments, in S510, the second private key and the second public key are a key pair generated by the terminal based on an asymmetric encryption algorithm, such that data encrypted with one key can be decrypted with the other.
In some embodiments, after the terminal generates the data ciphertext, it may send the data ciphertext and a terminal identifier to the server through the established data transmission channel, where the terminal identifier may be text obtained by computing a hash value of the terminal metadata information. The metadata information of the terminal may include at least one of a Mobile Equipment Identity (MEID), a serial number, a device model number, or the mobile equipment manufacturer.
In some embodiments, the step S520 of the server verifying the secure channel according to the terminal identifier may include:
after receiving the terminal identifier, the server verifies the terminal identifier sent by the terminal against the terminal identifier stored in advance; after the verification passes, the server obtains the secure channel corresponding to the terminal identifier according to the correspondence between terminal identifiers and secure channels established in advance, and then verifies that secure channel.
In some embodiments, the server decrypting the data cipher text may include: and the server decrypts the ciphertext encrypted by the second private key through a second public key which is stored in advance and corresponds to the second private key to obtain a plaintext.
In some embodiments, processing the plaintext may include: the server acquires the data corresponding to the data request contained in the plaintext.
In some embodiments, in S530, the response data ciphertext may include a response data ciphertext obtained by the server encrypting the response data according to the second public key.
In some embodiments, after the terminal receives the response data ciphertext sent by the server, it decrypts the response data ciphertext with the second private key corresponding to the second public key to obtain the decrypted response data, whereupon the terminal and the server have completed the corresponding communication.
Fig. 6 is a schematic flowchart illustrating another embodiment of a data transmission method provided in the present application, where the data transmission method may be applied to a server, and as shown in fig. 6, the data transmission method may include the following steps:
S610, receiving a data ciphertext sent by a terminal and the terminal identifier corresponding to the terminal;
S620, verifying the secure channel based on the terminal identifier, and decrypting the data ciphertext after the verification passes to obtain a plaintext;
S630, performing service processing according to the plaintext to generate response data;
S640, encrypting the response data with the second public key to generate a response data ciphertext;
S650, returning the response data ciphertext to the terminal so that the terminal decrypts the response data ciphertext with the second private key to obtain the response data, completing the communication with the server.
Therefore, the terminal encrypts the data to be sent with the second private key and sends the resulting ciphertext together with the terminal identifier corresponding to the terminal to the server. After receiving the ciphertext and the terminal identifier, the server verifies the terminal according to the terminal identifier, decrypts the ciphertext after the verification passes to obtain the plaintext, and performs service processing according to the plaintext to generate the corresponding response data. The server then sends the response data to the terminal, completing the communication between the terminal and the server. Because the terminal encrypts the data with the second private key before sending it, and the server encrypts the response data before sending it, the transmitted data cannot easily be stolen or intercepted, and the security of the transmitted data is improved.
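The following is an added example, not the patent's code, of the S610 to S650 exchange (with the terminal side of S510 to S530) over a channel already bound to a terminal identifier. The asymmetric step uses a deliberately tiny textbook RSA key (n = 3233, applied byte by byte) as a stand-in for a real library, so that the key direction described above is visible; the business records and terminal metadata are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Toy RSA parameters, constructed for illustration only: p=61, q=53, n=3233,
# e=17, d=2753. Keys this small are trivially broken; a deployment would use a
# real RSA/ECC library, but the key direction below is the one the patent uses.
N, E, D = 3233, 17, 2753
SECOND_PUBLIC_KEY = (E, N)    # terminal's second public key, stored by the server
SECOND_PRIVATE_KEY = (D, N)   # terminal's second private key, held by the terminal

def rsa_apply(key: Tuple[int, int], blocks: List[int]) -> List[int]:
    exp, n = key
    return [pow(b, exp, n) for b in blocks]

def encrypt_bytes(key: Tuple[int, int], data: bytes) -> List[int]:
    # One byte per block: every byte value is below n, so it round-trips.
    return rsa_apply(key, list(data))

def decrypt_bytes(key: Tuple[int, int], blocks: List[int]) -> bytes:
    return bytes(rsa_apply(key, blocks))   # ValueError if a block is not a byte

def terminal_identifier(metadata: Dict[str, str]) -> str:
    """Terminal identifier = hash of the metadata, as in the channel setup."""
    canonical = "|".join(f"{k}={metadata[k]}" for k in sorted(metadata))
    return hashlib.sha256(canonical.encode()).hexdigest()

class ChannelServer:
    def __init__(self):
        self.channels: Dict[str, dict] = {}        # identifier -> secure channel
        self.records = {"order-42": "shipped"}     # constructed business data

    def register_channel(self, tid: str, second_public_key, active: bool = True):
        # Correspondence between identifier and secure channel, set up earlier.
        self.channels[tid] = {"second_public_key": second_public_key,
                              "active": active}

    def handle(self, tid: str, data_ciphertext: List[int]) -> Optional[List[int]]:
        # S620: verify the secure channel bound to the identifier before decrypting.
        ch = self.channels.get(tid)
        if ch is None or not ch["active"]:
            return None
        key = ch["second_public_key"]
        try:
            plaintext = decrypt_bytes(key, data_ciphertext).decode()
        except ValueError:
            return None   # malformed ciphertext: not produced with the bound key
        # S630: service processing on the plaintext request.
        response = self.records.get(plaintext, "not found")
        # S640: encrypt the response with the same second public key.
        return encrypt_bytes(key, response.encode())

class Terminal:
    def __init__(self, metadata: Dict[str, str], private_key, server: ChannelServer):
        self.tid = terminal_identifier(metadata)
        self.private_key = private_key
        self.server = server

    def request(self, data: str) -> Optional[str]:
        # S510/S610: encrypt the request with the second private key.
        ciphertext = encrypt_bytes(self.private_key, data.encode())
        # S520: send ciphertext plus identifier; S650: receive response ciphertext.
        response_ct = self.server.handle(self.tid, ciphertext)
        if response_ct is None:
            return None
        # S530: decrypt the response with the second private key.
        return decrypt_bytes(self.private_key, response_ct).decode()

META = {"meid": "A0000012345678", "serial": "SN-0001"}   # constructed

def demo() -> dict:
    """One bound terminal and one unknown terminal talking to the server."""
    server = ChannelServer()
    server.register_channel(terminal_identifier(META), SECOND_PUBLIC_KEY)
    bound = Terminal(META, SECOND_PRIVATE_KEY, server)
    stranger = Terminal({"meid": "other"}, SECOND_PRIVATE_KEY, server)
    return {"hit": bound.request("order-42"), "miss": bound.request("order-7"),
            "no_channel": stranger.request("order-42")}
```

Encrypting with the private key, as S510 does, produces output that anyone holding the second public key can read; a deployment would use the private key to sign the request and a separate mechanism to keep it confidential.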
It should be noted that the application scenarios described above are intended to illustrate the technical solutions of the embodiments of the disclosure more clearly and do not limit them; as new application scenarios arise, a person of ordinary skill in the art will understand that the technical solutions provided in the embodiments of the disclosure are equally applicable to similar technical problems.
Based on the same inventive concept, the embodiment of the present application further provides a data transmission channel establishing apparatus, which can be applied to a terminal, and the following describes in detail the data transmission channel establishing apparatus provided in the embodiment of the present application with reference to fig. 7.
Fig. 7 is a schematic structural diagram illustrating an embodiment of a data transmission channel establishing apparatus provided in the present application.
As shown in fig. 7, the data transmission channel establishing apparatus 700 applied to the terminal may include:
a first sending module 701, configured to send a secure channel authorization application to a server, where the secure channel authorization application may include metadata information of a terminal, so that the server identifies the terminal according to the metadata information and generates a corresponding first secure channel authorization code;
a first receiving module 702, configured to receive a first secure channel authorization code returned by the server;
a second sending module 703, configured to send an application request for establishing a secure transmission channel to a server, where the application request may include a first secure channel authorization code and a terminal identifier, so that the server searches for a corresponding second secure channel authorization code according to the terminal identifier; and returning a secure communication strategy to the terminal under the condition that the first secure channel authorization code is consistent with the second secure channel authorization code;
and a second receiving module 704, configured to receive the secure communication policy returned by the server, so as to establish a data transmission channel between the terminal and the server.
Therefore, the terminal sends a secure channel authorization application to the server, and then receives the first secure channel authorization code that the server generates for the metadata according to the metadata information in the application. After the terminal receives the first secure channel authorization code, a secure transmission channel establishment application request is generated based on the first secure channel authorization code and the terminal identifier, and the request is sent to the server. After receiving the request, the server searches for the second secure channel authorization code corresponding to the terminal identifier in the request, and returns the secure communication policy to the terminal when it determines that the first secure channel authorization code is consistent with the second secure channel authorization code. After receiving the secure communication policy, the terminal establishes a data transmission channel between the terminal and the server according to that policy. In this way, the server generates the first secure channel authorization code from the metadata sent by the terminal, obtains the second secure channel authorization code from the terminal identifier in the terminal's request, compares the two codes, and sends the secure communication policy only when they match, so that the terminal establishes the data transmission channel through the secure communication policy.
In some embodiments, the data transmission channel establishing apparatus 700 may further include:
a sixth sending module, configured to send a public key request to the server before the secure channel authorization application is sent to the server;
a fifth receiving module, configured to receive the first public key returned by the server;
a third encryption module, configured to encrypt the metadata information with the first public key to obtain encrypted metadata information;
where the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted with the first public key.
Therefore, the terminal obtains the first public key generated by the server, encrypts the terminal metadata with the first public key, and sends the encrypted metadata to the server. Because the metadata is sent in encrypted form, it cannot easily be stolen or monitored in transit, and the security of the original data sent is improved.
In some embodiments, the data transmission channel establishing apparatus 700 may further include:
a third generating module, configured to generate a second private key and a second public key after the first secure channel authorization code returned by the server is received, for encrypting and decrypting the transmitted data;
where the secure transmission channel establishment application request may further include the second public key, and the secure communication policy may be a secure communication policy encrypted with the second public key.
Therefore, after receiving the first secure channel authorization code, the terminal sends the first secure channel authorization code together with the second public key it generated to the server. The server verifies the identity of the terminal based on the first secure channel authorization code; once the identity is verified, it treats the received second public key as the one generated by that terminal and sends the secure communication policy to the terminal. Because the server verifies the identity of the terminal before sending the secure communication policy, the policy is prevented from being sent to the wrong terminal, and the security of the secure communication policy sent by the server is improved.
In some embodiments, the data transmission channel establishing apparatus 700 may further include:
a seventh sending module, configured to send a secure channel secondary authorization application to the server after the data transmission channel between the terminal and the server has been established, when the first secure channel authorization code is determined to have expired; the secure channel secondary authorization application may include the terminal identifier;
a sixth receiving module, configured to receive an activatable state code returned by the server, where the activatable state code is sent by the server when it determines, according to the terminal identifier, that the second public key is valid;
an eighth sending module, configured to send secondary authentication information to the server, so that the server verifies the validity of the secondary authentication information and returns a new secure channel authorization code to the terminal when the verification passes;
a seventh receiving module, configured to receive the new secure channel authorization code and activate the secure transmission channel according to it.
Therefore, the first secure channel authorization code is valid only for a set period, and the identity of the terminal is verified again once the code has expired. If the first secure channel authorization code is stolen, the holder of the stolen code is unlikely to pass the terminal identity verification, so the loss resulting from a stolen code is limited.
Based on the same inventive concept, the embodiment of the present application further provides a data transmission channel establishing apparatus, which may be applied to a server, and the following describes in detail a data transmission channel establishing apparatus 800 provided in the embodiment of the present application with reference to fig. 8.
Fig. 8 is a schematic structural diagram illustrating another embodiment of the data transmission channel establishing apparatus provided in the present application.
As shown in fig. 8, the data transmission channel establishing apparatus 800 applied to the server may include:
a third receiving module 801, configured to receive a secure channel authorization application sent by a terminal, where the secure channel authorization application may include metadata information of the terminal;
a first generating module 802, configured to identify the terminal according to the metadata information and, when the terminal passes identification, generate a first secure channel authorization code corresponding to the terminal;
a third sending module 803, configured to send the first secure channel authorization code to the terminal, so that the terminal generates a secure channel establishment application request according to the first secure channel authorization code and the client identifier;
a first searching module 804, configured to search, according to the terminal identifier, for the second secure channel authorization code corresponding to the terminal identifier, and to return a secure communication policy to the terminal when the second secure channel authorization code is consistent with the first secure channel authorization code, so as to establish a transmission channel between the terminal and the server.
Therefore, the terminal sends a secure channel authorization application to the server and then receives the first secure channel authorization code that the server generates from the metadata information in the application. After receiving the first secure channel authorization code, the terminal generates a secure transmission channel establishment application request from the first secure channel authorization code and the terminal identifier, and sends the application request to the server. After receiving the application request, the server searches for the second secure channel authorization code corresponding to the terminal identifier in the application request, and returns a secure communication policy to the terminal if it determines that the first secure channel authorization code is consistent with the second secure channel authorization code. After receiving the secure communication policy, the terminal establishes a data transmission channel between the terminal and the server according to the policy. In other words, the server generates the first secure channel authorization code from the metadata sent by the terminal, obtains the second secure channel authorization code from the terminal identifier in the application request, compares the two codes, and sends the secure communication policy only when they match, so that the terminal can establish the data transmission channel according to that policy.
In some embodiments, the data transmission channel establishing apparatus 800 may further include:
an eighth receiving module, configured to receive a public key request sent by the terminal before the secure channel authorization application sent by the terminal is received;
a ninth sending module, configured to send the first public key to the terminal, so that the terminal encrypts the metadata information with the first public key to obtain encrypted metadata information;
where the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted with the first public key.
Therefore, the terminal obtains the first public key generated by the server, encrypts the terminal metadata with the first public key, and sends the encrypted metadata to the server. Because the metadata is sent in encrypted form, it cannot easily be stolen or monitored in transit, and the security of the original data sent is improved.
In some embodiments, the data transmission channel establishing apparatus 800 may further include:
a fourth encryption module, configured to encrypt the secure communication policy with the second public key before the secure communication policy is returned to the terminal;
where the secure transmission channel establishment application request may further include the second public key.
Therefore, after receiving the first secure channel authorization code, the terminal sends the first secure channel authorization code together with the second public key it generated to the server. The server verifies the identity of the terminal based on the first secure channel authorization code; once the identity is verified, it treats the received second public key as the one generated by that terminal and sends the secure communication policy to the terminal. Because the server verifies the identity of the terminal before sending the secure communication policy, the policy is prevented from being sent to the wrong terminal, and the security of the secure communication policy sent by the server is improved.
In some embodiments, the data transmission channel establishing apparatus 800 may further include:
a ninth receiving module, configured to receive a secure channel secondary authorization application sent by the terminal after the secure communication policy has been returned to the terminal; the secure channel secondary authorization application may include the terminal identifier;
a tenth sending module, configured to send an activatable state code to the terminal when it is determined, according to the terminal identifier, that the second public key is valid;
a second verification module, configured to obtain the secondary authentication information sent by the terminal and verify its validity;
an eleventh sending module, configured to return a new secure channel authorization code to the terminal when the verification passes, so that the terminal activates the secure transmission channel according to the new secure channel authorization code.
Therefore, the first secure channel authorization code is valid only for a set period, and the identity of the terminal is verified again once the code has expired. If the first secure channel authorization code is stolen, the holder of the stolen code is unlikely to pass the terminal identity verification, so the loss resulting from a stolen code is limited.
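The authorization-code logic that apparatus 700 (terminal side) and apparatus 800 (server side) share, as an added example that is not code from the patent: the server identifies the terminal from its metadata and issues the first secure channel authorization code while keeping its own copy (the second code) keyed by terminal identifier, compares the two in constant time on the channel establishment application, rejects the code once its validity period has passed, and handles the secondary authorization application after expiry. The public-key steps are left out here. The enrolment table, the 300-second validity period, the terminal identifier and metadata values, and the form of the secondary authentication information (here an HMAC over a server challenge under a secret provisioned at enrolment, since the patent does not specify it) are constructed assumptions; the server's check that a registration exists stands in for its check that the second public key is valid.

```python
# Added example, not code from the patent: authorization-code issuance, comparison, expiry and
# secondary authorization, with constructed values and a constructed secondary-authentication scheme.
import hashlib
import hmac
import secrets


class AuthorizationServer:
    """Server side: identify terminals, issue codes, compare on channel setup, re-authorize after expiry."""

    def __init__(self, enrolled: dict, code_ttl: int = 300):
        # enrolled maps (model, serial) metadata -> (terminal identifier, secondary-auth secret).
        # The secret is an assumption: the patent does not say what the secondary authentication
        # information is; here it is an HMAC over a server challenge.
        self.enrolled = enrolled
        self.code_ttl = code_ttl
        self.codes = {}        # terminal identifier -> (authorization code, issue time)
        self.challenges = {}   # terminal identifier -> challenge issued with the activatable state code

    def authorize(self, metadata: dict, now: int):
        """Secure channel authorization application: return the first authorization code, or None."""
        entry = self.enrolled.get((metadata.get("model"), metadata.get("serial")))
        if entry is None:
            return None                       # terminal not identified from its metadata
        terminal_id, _ = entry
        code = secrets.token_hex(16)          # the copy the server keeps is the "second" code
        self.codes[terminal_id] = (code, now)
        return code

    def establish(self, terminal_id: str, presented_code: str, now: int):
        """Channel establishment application: look up by identifier, compare codes, return the policy."""
        stored = self.codes.get(terminal_id)
        if stored is None:
            return None                       # no code was ever issued under this identifier
        code, issued_at = stored
        if now - issued_at > self.code_ttl:
            return None                       # expired: the terminal must go through re-authorization
        if not hmac.compare_digest(code, presented_code):
            return None                       # constant-time comparison of first vs second code
        return {"cipher": "AES-256-GCM", "rekey_seconds": 3600}   # constructed policy

    def secondary_authorize(self, terminal_id: str):
        """Secondary authorization application: return an activatable state code with a challenge."""
        if terminal_id not in self.codes:
            return None                       # nothing registered under this identifier
        challenge = secrets.token_hex(8)
        self.challenges[terminal_id] = challenge
        return {"state": "ACTIVATABLE", "challenge": challenge}

    def verify_secondary(self, terminal_id: str, secondary_info: str, now: int):
        """Check the secondary authentication information and, if valid, issue a new code."""
        challenge = self.challenges.pop(terminal_id, None)
        secret = next((s for tid, s in self.enrolled.values() if tid == terminal_id), None)
        if challenge is None or secret is None:
            return None
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, secondary_info):
            return None
        new_code = secrets.token_hex(16)
        self.codes[terminal_id] = (new_code, now)
        return new_code


def secondary_info(secret: bytes, challenge: str) -> str:
    """Terminal side: prove possession of the enrolment secret over the server's challenge."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Walk the flow with constructed values and return the outcome of each step."""
    secret = b"enrolment-secret-for-POS-0001"   # constructed, provisioned out of band
    server = AuthorizationServer({("POS-X1", "SN123456"): ("POS-0001", secret)}, code_ttl=300)
    code = server.authorize({"model": "POS-X1", "serial": "SN123456"}, now=1000)
    policy = server.establish("POS-0001", code, now=1010)
    wrong_code = server.establish("POS-0001", "0" * 32, now=1010)
    unknown = server.authorize({"model": "POS-X1", "serial": "SN000000"}, now=1000)
    expired = server.establish("POS-0001", code, now=1301)
    # After expiry the old code alone is not enough: the terminal must answer the challenge.
    state = server.secondary_authorize("POS-0001")
    new_code = server.verify_secondary("POS-0001", secondary_info(secret, state["challenge"]), now=1400)
    reactivated = server.establish("POS-0001", new_code, now=1410)
    # Without the enrolment secret the secondary check fails, which is what limits a stolen code.
    state2 = server.secondary_authorize("POS-0001")
    bad_secret = server.verify_secondary("POS-0001", secondary_info(b"guess", state2["challenge"]), now=1420)
    return {"policy": policy, "wrong_code": wrong_code, "unknown": unknown, "expired": expired,
            "reactivated": reactivated, "bad_secret": bad_secret, "code_changed": new_code != code}
```

The order of checks in `establish` matters: the lookup by terminal identifier and the expiry test run before the code comparison, so an expired or unregistered code is rejected without the comparison result leaking anything, and `hmac.compare_digest` keeps the comparison itself constant-time.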
Based on the same inventive concept, the embodiment of the present application further provides a data transmission apparatus 900, which can be applied to a terminal. The data transmission apparatus provided in the embodiment of the present application is described in detail below with reference to Fig. 9.
Fig. 9 is a schematic structural diagram of an embodiment of the data transmission apparatus provided in the present application.
As shown in fig. 9, the data transmission apparatus 900 applied to the terminal may include:
a first encryption module 901, configured to encrypt the data to be sent with the second private key to obtain a request data ciphertext;
a fourth sending module 902, configured to send the request data ciphertext and the terminal identifier of the terminal to the server, so that the server verifies the secure channel according to the terminal identifier, decrypts the request data ciphertext after the verification passes to obtain a plaintext, performs service processing on the plaintext, and generates response data;
a fourth receiving module 903, configured to receive the response data ciphertext returned by the server, decrypt it with the second private key to obtain the response data of the server, and thereby complete the communication with the server.
Therefore, the terminal encrypts the data to be sent with the second private key and sends the resulting ciphertext together with the terminal identifier of the terminal to the server. After receiving the ciphertext and the terminal identifier, the server verifies the terminal according to the terminal identifier, decrypts the ciphertext to obtain the plaintext if the verification passes, performs service processing on the plaintext, and generates the corresponding response data. The server then sends the response data to the terminal, completing the communication between the terminal and the server. Because the terminal encrypts the data with the second private key before sending it and the server encrypts the response data before returning it, the transmitted data can be prevented from being stolen or intercepted, and the security of the transmitted data is improved.
Based on the same inventive concept, the embodiments of the present application further provide another data transmission apparatus 1000, which can be applied to a server. The data transmission apparatus provided in the embodiments of the present application is described in detail below with reference to Fig. 10.
Fig. 10 is a schematic structural diagram of another embodiment of the data transmission apparatus provided in the present application.
As shown in fig. 10, the data transmission apparatus 1000 applied to the server may include:
a fifth receiving module 1001, configured to receive a data ciphertext sent by a terminal and a terminal identifier corresponding to the terminal;
a first verification module 1002, configured to verify the secure channel based on the terminal identifier and, after the verification passes, decrypt the data ciphertext to obtain a plaintext;
a second generating module 1003, configured to perform service processing according to the plaintext and generate response data;
a second encryption module 1004, configured to encrypt the response data with the second public key to generate a response data ciphertext;
a fifth sending module 1005, configured to return the response data ciphertext to the terminal, so that the terminal decrypts the response data ciphertext with the second private key to obtain the response data and thereby completes the communication with the server.
Therefore, the terminal encrypts the data to be sent with the second private key and sends the resulting ciphertext together with the terminal identifier of the terminal to the server. After receiving the ciphertext and the terminal identifier, the server verifies the terminal according to the terminal identifier, decrypts the ciphertext to obtain the plaintext if the verification passes, performs service processing on the plaintext, and generates the corresponding response data. The server then sends the response data to the terminal, completing the communication between the terminal and the server. Because the terminal encrypts the data with the second private key before sending it and the server encrypts the response data before returning it, the transmitted data can be prevented from being stolen or intercepted, and the security of the transmitted data is improved.
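The key-based steps of the scheme, as an added example that is not code from the patent: the first public key under which the terminal encrypts its metadata (apparatus 700 and 800 above), the second key pair the terminal generates so that the server can return the secure communication policy encrypted with the second public key, and the data transmission phase of apparatus 900 and 1000, in which the terminal encrypts the request data with the second private key and the server, after verifying the channel by terminal identifier, returns the response encrypted with the second public key. It uses a toy textbook RSA over fixed, publicly known Mersenne primes so that it runs offline; the primes, the 10-byte chunking, the terminal identifiers, the metadata string, the policy string and the PAY request format are all constructed assumptions, and a real deployment would use a vetted library with padding. One caveat the code makes visible: a value transformed with the second private key is recovered with the second public key, so with plain RSA the request ciphertext shows that it came from the holder of the second private key but is readable by anyone who holds the second public key; confidentiality in the terminal-to-server direction has to come from a separate mechanism, such as the cipher named in the secure communication policy.

```python
# Added example, not code from the patent: a toy textbook RSA over fixed Mersenne primes simulates
# the key-based steps of the scheme. Constructed and insecure; it exists to make the data flow visible.
SERVER_PRIMES = (2**89 - 1, 2**107 - 1)    # first key pair (server side), assumption
TERMINAL_PRIMES = (2**31 - 1, 2**61 - 1)   # second key pair (terminal side), assumption
E = 65537
CHUNK = 10   # 10 data bytes plus one marker byte = 88 bits, below both moduli


def make_keypair(primes):
    """Return ((e, n), (d, n)) for a fixed prime pair."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(data: bytes, key) -> list:
    """Raise each chunk to the key's exponent; a leading 0x01 marker keeps leading zero bytes intact."""
    exp, n = key
    return [pow(int.from_bytes(b"\x01" + data[i:i + CHUNK], "big"), exp, n)
            for i in range(0, len(data), CHUNK)]


def rsa_unapply(blocks: list, key) -> bytes:
    """Inverse of rsa_apply under the matching key: strip the zero padding and the 0x01 marker."""
    exp, n = key
    return b"".join(pow(c, exp, n).to_bytes(CHUNK + 1, "big").lstrip(b"\x00")[1:] for c in blocks)


def process_request(plaintext: bytes) -> bytes:
    """Stand-in for the server's service processing (constructed): accept 'PAY:<amount>' requests."""
    return b"ACCEPTED:" + plaintext[4:] if plaintext.startswith(b"PAY:") else b"REJECTED"


class Server:
    def __init__(self):
        self.first_public, self.first_private = make_keypair(SERVER_PRIMES)
        self.channels = {}   # terminal identifier -> second public key registered at channel setup
        self.policy = b"cipher=AES-256-GCM;rekey=3600"   # constructed secure communication policy

    def read_metadata(self, encrypted_metadata: list) -> bytes:
        """Secure channel authorization application: recover the metadata sent under the first public key."""
        return rsa_unapply(encrypted_metadata, self.first_private)

    def establish(self, terminal_id: str, second_public) -> list:
        """Channel establishment: record the second public key, return the policy encrypted under it."""
        self.channels[terminal_id] = second_public
        return rsa_apply(self.policy, second_public)

    def handle(self, terminal_id: str, request: list):
        """Data transmission: verify the channel by identifier, decrypt, process, encrypt the response."""
        second_public = self.channels.get(terminal_id)
        if second_public is None:
            return None   # no established channel for this identifier: reject before decrypting anything
        plaintext = rsa_unapply(request, second_public)   # undoes the terminal's private-key operation
        return rsa_apply(process_request(plaintext), second_public)


class Terminal:
    def __init__(self, terminal_id: str, metadata: bytes):
        self.id, self.metadata = terminal_id, metadata
        self.second_public, self.second_private = make_keypair(TERMINAL_PRIMES)

    def encrypted_metadata(self, first_public) -> list:
        return rsa_apply(self.metadata, first_public)

    def receive_policy(self, encrypted_policy: list) -> bytes:
        return rsa_unapply(encrypted_policy, self.second_private)

    def transact(self, server: Server, data: bytes):
        request = rsa_apply(data, self.second_private)   # "encrypt according to the second private key"
        response = server.handle(self.id, request)
        return None if response is None else rsa_unapply(response, self.second_private)


def demo() -> dict:
    """Run the exchange end to end with constructed values and return what each side observed."""
    server = Server()
    terminal = Terminal("POS-0001", b"model=POS-X1;serial=SN123456")
    metadata_seen = server.read_metadata(terminal.encrypted_metadata(server.first_public))
    policy = terminal.receive_policy(server.establish(terminal.id, terminal.second_public))
    response = terminal.transact(server, b"PAY:10.00")
    # Caveat: whoever holds the second public key can undo the private-key operation, so this
    # step ties the request to the key holder but does not keep the request confidential.
    request_readable = rsa_unapply(rsa_apply(b"PAY:10.00", terminal.second_private), terminal.second_public)
    stranger = Terminal("POS-9999", b"")   # never went through channel establishment
    return {"metadata": metadata_seen, "policy": policy, "response": response,
            "request_readable_with_public_key": request_readable,
            "unregistered": stranger.transact(server, b"PAY:1.00")}
```

The server's `handle` looks up the channel by terminal identifier before touching the ciphertext, which mirrors the order the apparatus description gives: verification of the channel first, decryption only after it passes. The response direction is the sound one in this construction, since only the holder of the second private key can read what was encrypted with the second public key.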
Fig. 11 shows a hardware structure diagram of an embodiment of the electronic device provided in the present application.
The electronic device 1100 may include a processor 1101 and a memory 1102 in which computer program instructions are stored.
Specifically, the processor 1101 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
The memory 1102 may include Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, or electrical, optical or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software comprising computer-executable instructions which, when executed (e.g., by one or more processors), are operable to perform the operations described with reference to the methods according to an aspect of the application.
The processor 1101 implements any one of the data transmission channel establishing methods and data transmission methods of the above embodiments by reading and executing the computer program instructions stored in the memory 1102.
In some examples, electronic device 1100 may also include a communication interface 1103 and a bus 1110. As shown in fig. 11, the processor 1101, the memory 1102, and the communication interface 1103 are connected via a bus 1110 to complete communication therebetween.
The communication interface 1103 can be mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present application.
Illustratively, as the payment terminal, the electronic device 1100 may be a mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic device, an ultra-mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like. As a code scanning terminal, the electronic device 1100 may be a Point of sale (POS), a code scanner, or the like.
The electronic device may execute the data transmission channel method and the data transmission method in the embodiment of the present application, so as to implement the data transmission channel method and the data transmission method and apparatus described in conjunction with fig. 2 to 6.
In addition, in combination with the data transmission channel establishing method and the data transmission method in the foregoing embodiments, the embodiments of the present application may be implemented by providing a computer-readable storage medium. The computer-readable storage medium has computer program instructions stored thereon; when executed by a processor, the computer program instructions implement any of the data transmission channel establishing methods and data transmission methods of the above embodiments. Examples of computer-readable storage media include non-transitory computer-readable storage media such as portable disks, hard disks, Random Access Memories (RAMs), Read Only Memories (ROMs), erasable programmable read only memories (EPROMs or flash memories), portable compact disk read only memories (CD-ROMs), optical storage devices, magnetic storage devices, and so forth.
It is to be understood that the present application is not limited to the particular arrangements and instrumentality described above and shown in the attached drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions or change the order between the steps after comprehending the spirit of the present application.
The functional blocks shown in the above structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the present application are programs or code segments that may be used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware for performing the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As will be apparent to those skilled in the art, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions should be covered within the scope of the present application.
Claims (17)
1. A method for establishing a data transmission channel is applied to a terminal, and the method comprises the following steps:
sending a secure channel authorization application to a server, wherein the secure channel authorization application comprises metadata information of the terminal, so that the server identifies the terminal according to the metadata information and generates a corresponding first secure channel authorization code;
receiving the first security channel authorization code returned by the server;
sending a secure transmission channel establishment application request to the server, wherein the application request comprises the first secure channel authorization code and a terminal identifier, so that the server searches for a corresponding second secure channel authorization code according to the terminal identifier and returns a secure communication policy to the terminal under the condition that the first secure channel authorization code is consistent with the second secure channel authorization code;
and receiving the security communication strategy returned by the server to establish a data transmission channel between the terminal and the server.
2. The method of claim 1, wherein prior to said sending a secure channel authorization application to a server, the method further comprises:
sending a public key request to a server;
receiving a first public key returned by the server;
encrypting the metadata information by using the first public key to obtain encrypted metadata information;
and the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
3. The method according to claim 1, wherein after the receiving the first secure channel authorization code returned by the server, the method further comprises:
generating a second private key and a second public key to encrypt and decrypt the transmission data;
wherein the secure transmission channel establishment application request further comprises the second public key; and the secure communication policy comprises a secure communication policy encrypted by the second public key.
4. The method according to claim 1, wherein after the establishing of the data transmission channel between the terminal and the server, the method further comprises:
under the condition that the first secure channel authorization code is determined to have expired, sending a secure channel secondary authorization application to the server, wherein the secure channel secondary authorization application comprises the terminal identifier;
receiving an activatable state code returned by the server, wherein the activatable state code is sent by the server under the condition that the second public key is determined to be valid according to the terminal identification;
sending secondary authentication information to the server so that the server verifies the validity of the secondary authentication information, and returning a new security channel authorization code to the terminal under the condition that the verification is passed;
receiving a new secure channel authorization code and activating the secure transmission channel according to the new secure channel authorization code.
5. A data transmission channel establishing method is applied to a server, and the method comprises the following steps:
receiving a security channel authorization application sent by a terminal, wherein the security channel authorization application comprises metadata information of the terminal;
identifying the terminal according to the metadata information, and generating a first security channel authorization code corresponding to the terminal under the condition that the identification is passed;
sending the first security channel authorization code to the terminal, so that the terminal generates a security channel establishment application request according to the first security channel authorization code and a client identifier;
searching for a second secure channel authorization code corresponding to the terminal identifier according to the terminal identifier; and returning a secure communication policy to the terminal under the condition that the second secure channel authorization code is consistent with the first secure channel authorization code, so as to establish a transmission channel between the terminal and the server.
6. The method according to claim 5, wherein before the receiving of the secure channel authorization application sent by the terminal, the method further comprises:
receiving a public key request sent by the terminal;
sending a first public key to the terminal so that the terminal encrypts the metadata information by using the first public key to obtain encrypted metadata information;
and the metadata information of the terminal included in the secure channel authorization application is the metadata information encrypted by the first public key.
7. The method according to claim 5, wherein the secure transmission channel establishment request further includes a second public key;
before the returning of the secure communication policy to the terminal, the method further comprises:
and encrypting the secure communication strategy according to the second public key.
8. The method of claim 5, wherein after the returning of the secure communication policy to the terminal, the method further comprises:
receiving a secure channel secondary authorization application sent by the terminal, wherein the secure channel secondary authorization application comprises the terminal identifier;
sending an activatable state code to the terminal under the condition that the second public key is determined to be valid according to the terminal identifier;
acquiring secondary authentication information sent by the terminal, and verifying the validity of the secondary authentication information;
and returning a new security channel authorization code to the terminal under the condition of passing the verification so that the terminal activates the security transmission channel according to the new security channel authorization code.
9. A data transmission method, applied to a terminal, the method comprising:
encrypting the data to be sent according to a second private key to obtain a request data ciphertext;
sending the request data ciphertext and a terminal identifier of the terminal to a server, so that the server verifies a secure channel according to the terminal identifier, decrypts the request data ciphertext after the verification passes to obtain a plaintext, and performs service processing according to the plaintext to generate response data;
and receiving a response data ciphertext returned by the server, and decrypting the response data ciphertext by using the second private key to obtain the response data of the server, thereby completing communication with the server.
10. A data transmission method, applied to a server, the method comprising:
receiving a data ciphertext sent by a terminal and a terminal identifier corresponding to the terminal;
verifying the secure channel based on the terminal identification, and decrypting the data ciphertext after the verification is passed to obtain a plaintext;
performing service processing according to the plaintext to generate response data;
encrypting the response data according to the second public key to generate a response data ciphertext;
and returning the response data ciphertext to the terminal, so that the terminal decrypts the response data ciphertext based on a second private key to obtain the response data, thereby completing communication with the server.
11. A data transmission channel establishing apparatus, applied to a terminal, the apparatus comprising:
a first sending module, configured to send a secure channel authorization application to a server, wherein the secure channel authorization application comprises metadata information of the terminal, so that the server identifies the terminal according to the metadata information and generates a corresponding first secure channel authorization code;
a first receiving module, configured to receive the first secure channel authorization code returned by the server;
a second sending module, configured to send an application request for establishing a secure transmission channel to the server, wherein the application request comprises the first secure channel authorization code and a terminal identifier, so that the server looks up a corresponding second secure channel authorization code according to the terminal identifier and returns a secure communication policy to the terminal if the first secure channel authorization code is consistent with the second secure channel authorization code;
and a second receiving module, configured to receive the secure communication policy returned by the server, so as to establish a data transmission channel between the terminal and the server.
12. A data transmission channel establishing apparatus, applied to a server, the apparatus comprising:
a third receiving module, configured to receive a secure channel authorization application sent by a terminal, wherein the secure channel authorization application comprises metadata information of the terminal;
a first generation module, configured to identify the terminal according to the metadata information and, if the identification passes, generate a first secure channel authorization code corresponding to the terminal;
a third sending module, configured to send the first secure channel authorization code to the terminal, so that the terminal generates a secure channel establishment application request according to the first secure channel authorization code and a terminal identifier;
and a first lookup module, configured to look up a second secure channel authorization code corresponding to the terminal identifier according to the terminal identifier, and to return a secure communication policy to the terminal if the second secure channel authorization code is consistent with the first secure channel authorization code, so as to establish a transmission channel between the terminal and the server.
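The authorization-code handshake of claims 11 and 12, followed by the channel check that claim 10 performs before decrypting a request, as an added simulation that is not code from the patent. The metadata format, the registry of known terminals, the single-use treatment of codes and the code lifetime are assumptions added from a defender's point of view, not elements of the claims.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of an unused authorization code


class Server:
    """Server side of claim 12: issues a first authorization code, later looks up
    the stored (second) code by terminal identifier and compares the two."""

    def __init__(self, known_terminals, policy):
        self.known = known_terminals   # metadata -> terminal id (assumed registry)
        self.policy = policy           # secure communication policy to return
        self.pending = {}              # terminal id -> (auth code, issue time)
        self.channels = set()          # terminal ids with an established channel

    def authorize(self, metadata):
        """Identify the terminal from its metadata; on success generate a random
        authorization code, store it under the terminal id and return both."""
        terminal_id = self.known.get(metadata)
        if terminal_id is None:
            return None                # unidentified terminal: no code issued
        code = secrets.token_hex(16)   # 128 random bits, not guessable
        self.pending[terminal_id] = (code, time.monotonic())
        return terminal_id, code

    def establish(self, terminal_id, presented_code):
        """Compare the presented (first) code with the stored (second) code for
        this terminal id; return the policy only on an exact match."""
        entry = self.pending.pop(terminal_id, None)  # single use: consumed either way
        if entry is None:
            return None                # unknown id or no outstanding code
        stored_code, issued_at = entry
        if time.monotonic() - issued_at > CODE_TTL_SECONDS:
            return None                # stale code (assumed hardening)
        if not hmac.compare_digest(stored_code, presented_code):
            return None                # mismatch, compared in constant time
        self.channels.add(terminal_id)
        return self.policy

    def channel_is_valid(self, terminal_id):
        """The check of claim 10: only established channels may submit ciphertext."""
        return terminal_id in self.channels


def terminal_handshake(server, metadata):
    """Claim 11 from the terminal side: apply, receive the code, present it back."""
    issued = server.authorize(metadata)
    if issued is None:
        return None
    terminal_id, first_code = issued
    return server.establish(terminal_id, first_code)
```

Because a failed comparison consumes the outstanding code, a terminal identifier cannot be used to try codes repeatedly against one issued value.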
13. A data transmission apparatus, applied to a terminal, the apparatus comprising:
a first encryption module, configured to encrypt data to be sent using a second private key to obtain a request data ciphertext;
a fourth sending module, configured to send the request data ciphertext and a terminal identifier of the terminal to a server, so that the server verifies the secure channel according to the terminal identifier, decrypts the request data ciphertext after the verification passes to obtain a plaintext, and performs service processing according to the plaintext to generate response data;
and a fourth receiving module, configured to receive a response data ciphertext returned by the server, decrypt the response data ciphertext using the second private key to obtain the response data of the server, and complete the communication with the server.
14. A data transmission apparatus, applied to a server, the apparatus comprising:
a fifth receiving module, configured to receive a data ciphertext sent by a terminal and a terminal identifier corresponding to the terminal;
a first verification module, configured to verify the secure channel based on the terminal identifier and, after the verification passes, decrypt the data ciphertext to obtain a plaintext;
a second generation module, configured to perform service processing according to the plaintext to generate response data;
a second encryption module, configured to encrypt the response data using a second public key to generate a response data ciphertext;
and a fifth sending module, configured to return the response data ciphertext to the terminal, so that the terminal decrypts the response data ciphertext using a second private key to obtain the response data and completes the communication with the server.
15. An electronic device, characterized in that the device comprises a processor and a memory storing computer program instructions, the processor reading and executing the computer program instructions to implement the data transmission channel establishing method and the data transmission method according to any one of claims 1 to 10.
16. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the data transmission channel establishing method and the data transmission method according to any one of claims 1 to 10.
17. A computer program product, characterized in that the instructions in the computer program product, when executed by a processor of an electronic device, cause the electronic device to perform the data transmission channel establishing method and the data transmission method according to any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210043108.3A CN114386075B (en) | 2022-01-14 | 2022-01-14 | Data transmission channel establishment, data transmission method, device, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114386075A true CN114386075A (en) | 2022-04-22 |
CN114386075B CN114386075B (en) | 2024-08-20 |
Family
ID=81202334
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210043108.3A Active CN114386075B (en) | 2022-01-14 | 2022-01-14 | Data transmission channel establishment, data transmission method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114386075B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116192529A (en) * | 2023-03-10 | 2023-05-30 | 广东堡塔安全技术有限公司 | Third party server safety management system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108810894A (en) * | 2018-05-31 | 2018-11-13 | 康键信息技术(深圳)有限公司 | Authorization terminal method, apparatus, computer equipment and storage medium |
CN109587164A (en) * | 2018-12-27 | 2019-04-05 | 深圳市元征科技股份有限公司 | A kind of information encrypting transmission method, device, equipment and storage medium |
CN110162936A (en) * | 2019-05-31 | 2019-08-23 | 北京比特安索信息技术有限公司 | A kind of use authorization method of software content |
CN111770088A (en) * | 2020-06-29 | 2020-10-13 | 南方电网科学研究院有限责任公司 | Data authentication method, device, electronic equipment and computer readable storage medium |
Application events: 2022-01-14, CN202210043108.3A filed (granted as CN114386075B), status Active.
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116192529A (en) * | 2023-03-10 | 2023-05-30 | 广东堡塔安全技术有限公司 | Third party server safety management system |
CN116192529B (en) * | 2023-03-10 | 2023-09-29 | 广东堡塔安全技术有限公司 | Third party server safety management system |
Also Published As
Publication number | Publication date |
---|---|
CN114386075B (en) | 2024-08-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||