CN114650173A - Encryption communication method and system - Google Patents

Publication number: CN114650173A
Application number: CN202210260520.0A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 吴泽鑫, 彭宏飞, 戴惠鸿, 王连民
Original and current assignee: Shenzhen Miracle Intelligent Network Co Ltd
Legal status: Pending
Prior art keywords: client, server, information, identity, ciphertext

Classifications

    • H04L63/0823 Network security: authentication of entities using certificates
    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network security: confidential data exchange wherein the sending and receiving entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L67/141 Session management: setup of application sessions
    • H04L9/0861 Key distribution or management: generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements


Abstract

The application relates to an encryption communication method and system. The communication method comprises the following steps: the client establishes a connection with the server and the two exchange digital certificates; the client encrypts and signs the negotiation information to obtain first ciphertext information; the server decrypts the first ciphertext information and verifies its signature to check the validity of the client's identity; after the client's identity is verified, the server generates a shared key, encrypts and signs the combination of the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client; the client decrypts the second ciphertext information and verifies its signature to check the validity of the server's identity; and after the server's identity is verified, the client and the server use the shared key for encrypted communication of data. The encryption communication method and system can improve the efficiency and security of data transmission and ensure the authenticity of the transmitted data.

Description

Encryption communication method and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to an encryption communication method and system.
Background
With the rapid development of internet technology, more and more intelligent devices are connected to the internet. On the one hand these devices help people in their daily life, work and study; on the other hand, the security of data communication receives more and more attention. Encryption algorithms are widely used in communication technology and fall mainly into symmetric encryption algorithms, asymmetric encryption algorithms and hash algorithms.
A symmetric encryption algorithm is also called a shared-key encryption algorithm: only one key is used, and both the sender and the receiver use that key to encrypt and decrypt data. This mode encrypts and decrypts quickly, but its security depends on the complexity of the key, on the security of the algorithm used, and on whether the key itself is kept secure. During data transmission the security is low: if the key is stolen, the encryption becomes meaningless.
Asymmetric encryption is also known as public-key encryption. It requires two keys, a public key and a private key; the pair is generated on a corresponding elliptic curve, and data encrypted with the public key can only be decrypted with the corresponding private key. Asymmetric encryption is more secure than symmetric encryption, but encryption and decryption are comparatively slow.
A hash algorithm hashes data to guarantee its authenticity during network transmission, and data processed by a hash algorithm cannot be reversed. However, a hash algorithm cannot encrypt or decrypt data; it can only provide assurance that the data has not been tampered with during network transmission.
When a single algorithm is used to encrypt or hash network data, each algorithm has its own limitation. How to combine the three algorithms to encrypt the transmitted data so that the efficiency and security of data transmission are improved and the authenticity of the transmitted data is guaranteed is therefore the problem that urgently needs to be solved.
Disclosure of Invention
In view of the above technical problems, the present application provides an encryption communication method and system to improve the efficiency and security of data transmission and ensure the authenticity of the transmitted data.
The application provides an encryption communication method, which comprises the following steps: the client establishes connection with the server and exchanges digital certificates; the client encrypts and signs the negotiation information to obtain first ciphertext information, and sends the first ciphertext information to the server; the server decrypts and verifies the signature of the first ciphertext information to verify the validity of the identity of the client; after the identity validity of the client passes verification, the server generates a shared key, encrypts and signs the combined information of the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client; the client decrypts and verifies the signature of the second ciphertext information to verify the validity of the identity of the server; and after the identity validity of the server passes the verification, the client and the server use the shared secret key to carry out encryption communication on data.
In one embodiment, before exchanging the digital certificate, the client generates a first key pair through an asymmetric encryption algorithm, wherein the first key pair comprises a first public key and a first private key; the digital certificate of the client comprises the first public key; the server side generates a second key pair through the asymmetric encryption algorithm, wherein the second key pair comprises a second public key and a second private key; the digital certificate of the server comprises the second public key.
In one embodiment, the encrypting and signing, by the client, of the negotiation information to obtain the first ciphertext information includes: the client encrypts the negotiation information with the second public key and signs the encrypted negotiation information with the first private key to obtain the first ciphertext information. The server's decrypting and verifying of the first ciphertext information to check the validity of the client's identity includes: the server verifies the signature on the first ciphertext information with the first public key and, after the signature verifies, decrypts the first ciphertext information with the second private key to obtain the negotiation information.
In an embodiment, the step of decrypting and verifying the first ciphertext information by the server to verify the validity of the client identity includes: if the negotiation information is consistent with the preset information, the identity validity of the client passes the verification; and if the negotiation information is inconsistent with the preset information, the identity validity verification of the client fails.
In one embodiment, the encrypting and signing, by the server, of the combined information of the negotiation information and the shared key to obtain the second ciphertext information includes: the server encrypts the combined information with the first public key and signs the encrypted combined information with the second private key to obtain the second ciphertext information. The client's decrypting and verifying of the second ciphertext information to check the validity of the server's identity includes: the client verifies the signature on the second ciphertext information with the second public key and, after the signature verifies, decrypts the second ciphertext information with the first private key to obtain the negotiation information and the shared key.
In an embodiment, the step of decrypting and verifying the second ciphertext message by the client to verify the validity of the identity of the server includes: if the negotiation information is consistent with the preset information, the identity validity of the server side is verified to be passed; and if the negotiation information is inconsistent with the preset information, the identity validity verification of the server side fails.
In one embodiment, the server generates a shared key, including: and the server generates the shared secret key through a symmetric encryption algorithm.
In one embodiment, the communication method further includes: the client and the server monitor how long their digital certificates have been in use; and when the usage time of the client's digital certificate exceeds a first preset duration, and/or the usage time of the server's digital certificate exceeds a second preset duration, the connection is disconnected.
The application also provides a data encryption communication system, which comprises a server and at least one client; the client is used for establishing connection with the server and exchanging digital certificates; the client is also used for encrypting and signing negotiation information to obtain first ciphertext information and sending the first ciphertext information to the server; the server is used for decrypting and checking the first ciphertext information so as to verify the validity of the identity of the client; after the identity validity of the client passes the verification, the server is used for generating a shared key, encrypting and signing the combined information of the negotiation information and the shared key to obtain second ciphertext information, and sending the second ciphertext information to the client; the client is also used for decrypting and checking the second ciphertext information so as to verify the validity of the identity of the server; and after the identity validity of the server passes the verification, the client and the server are used for carrying out encryption communication on data by using the shared secret key.
In one embodiment, the server includes a first authentication unit and a first secure channel unit; the client comprises a second authentication unit and a second secure channel unit; the first authentication unit is used for authenticating the identity validity of the client; the second authentication unit is used for authenticating the identity validity of the server; and after the identity legitimacy of the client and the identity legitimacy of the server are authenticated, the first secure channel unit and the second secure channel unit use the shared secret key to carry out encryption communication on data.
According to the encryption communication method and system, the high efficiency of the symmetric encryption algorithm, the safety of the asymmetric encryption algorithm and the irreversibility of the hash algorithm are combined, the efficiency and the safety of data transmission can be improved, and the authenticity of transmitted data is guaranteed.
Drawings
Fig. 1 is a schematic flowchart of an encrypted communication method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an encrypted communication system according to a second embodiment of the present application;
Fig. 3 is a schematic structural diagram of a server according to the second embodiment of the present application;
Fig. 4 is a schematic structural diagram of a client according to the second embodiment of the present application.
Detailed Description
The technical solution of the present application is further described in detail with reference to the drawings and specific embodiments of the specification. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used herein, "and/or" includes any and all combinations of one or more of the associated listed items.
Fig. 1 is a schematic flowchart of an encrypted communication method according to an embodiment of the present application. As shown in fig. 1, the encryption communication method of the present application may include the following steps:
step S101: the client establishes connection with the server and exchanges digital certificates;
In one embodiment, before the digital certificates are exchanged:
the client generates a first key pair through an asymmetric encryption algorithm, wherein the first key pair comprises a first public key and a first private key; the digital certificate of the client comprises a first public key;
the server generates a second key pair through an asymmetric encryption algorithm, wherein the second key pair comprises a second public key and a second private key; the digital certificate of the server includes the second public key.
Optionally, the content of the client's digital certificate further includes the available duration of the certificate, that is, the period during which the first public key remains valid; the content of the server's digital certificate likewise includes the available duration of that certificate, i.e. the period during which the second public key remains valid.
Step S102: the client encrypts and signs the negotiation information to obtain first ciphertext information, and sends the first ciphertext information to the server;
in one embodiment, the client encrypts and signs the negotiation information to obtain a first ciphertext message, including:
the client encrypts the negotiation information by using the second public key, and signs the encrypted negotiation information by using the first private key to obtain first ciphertext information;
Optionally, the client signs the encrypted negotiation information with the first private key after applying a hash algorithm to it (hash, then sign); the negotiation information is a value agreed in advance between the client and the server and used for identity authentication.
Step S103: the server decrypts and verifies the first ciphertext information to verify the validity of the client identity;
in one embodiment, step S103 includes:
the server side uses the first public key to check the first ciphertext information, and after the first ciphertext information passes the check, the server side uses the second private key to decrypt the first ciphertext information to obtain the negotiation information.
If the negotiation information is consistent with the preset information, the identity validity verification of the client side is passed;
and if the negotiation information is inconsistent with the preset information, the identity validity verification of the client fails.
Step S104: after the identity validity of the client passes verification, the server generates a shared key, encrypts and signs the combined information of the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client;
in one embodiment, the step of encrypting and signing the combined information of the negotiation information and the shared key by the server to obtain the second ciphertext information includes:
the server side encrypts the combined information by using the first public key and signs the encrypted combined information by using the second private key to obtain second ciphertext information;
Optionally, the server signs the encrypted combined information with the second private key after applying a hash algorithm to it (hash, then sign).
Step S105: the client decrypts and verifies the second ciphertext information to verify the validity of the identity of the server;
in one embodiment, step S105 includes:
and the client checks the second ciphertext information by using the second public key, and decrypts the second ciphertext information by using the first private key after the second ciphertext information passes the check, so as to obtain the negotiation information and the shared key.
If the negotiation information is consistent with the preset information, the identity validity verification of the server side is passed;
and if the negotiation information is inconsistent with the preset information, the identity validity verification of the server side fails.
Step S106: and after the identity validity of the server passes the verification, the client and the server use the shared key to carry out encryption communication on the data.
In one embodiment, the method for performing encrypted communication between a client and a server by using a shared key includes:
the client encrypts the first data by using the shared key to obtain first encrypted data, and sends the first encrypted data to the server;
the server decrypts the first encrypted data by using the shared key to obtain first data; and/or
The server encrypts the second data by using the shared key to obtain second encrypted data, and sends the second encrypted data to the client;
and the client decrypts the second encrypted data by using the shared secret key to obtain the second data.
Optionally, the shared secret is generated by a symmetric encryption algorithm.
It should be noted that the communication method of the present application further includes: the client and the server monitor how long their digital certificates have been in use; when the usage time of the client's digital certificate exceeds a first preset duration and/or the usage time of the server's digital certificate exceeds a second preset duration, the connection is disconnected, and steps S101 to S106 are executed again when communication resumes. Optionally, the first preset duration is the available duration of the client's digital certificate, and the second preset duration is the available duration of the server's digital certificate.
Alternatively, take a 7G smart box (server) and a large-screen media processing card (client) as an example. After the large-screen media processing card has connected successfully to the 7G smart box, it generates a digital certificate whose content comprises a public key PK1 generated with the asymmetric encryption algorithm SM2 and the available duration of the certificate, and sends the certificate to the 7G smart box. After receiving it, the 7G smart box likewise generates a digital certificate whose content comprises a public key PK2 generated with SM2 and the available duration of the certificate, and sends it to the large-screen media processing card. The large-screen media processing card encrypts the negotiation information, for example the character string "7G", with the public key PK2 from the 7G smart box's certificate, signs the encrypted negotiation information with its private key SK1 (the key generated together with PK1), and sends the signed and encrypted negotiation information to the 7G smart box. On receipt, the 7G smart box first verifies the signature with the public key PK1; if the signature verifies, it decrypts with its private key SK2 (the key generated together with PK2) to obtain the negotiation information and checks the identity validity of the large-screen media processing card. If the negotiation information matches the preset information, the card's identity is verified and the 7G smart box enters security mode: it generates a random number with the symmetric encryption algorithm SM4 to serve as the shared key, encrypts the negotiation information and the shared key with the public key PK1, signs the encrypted information with the private key SK2, and sends it to the large-screen media processing card. After receiving this information, the large-screen media processing card verifies the signature with the public key PK2; if the signature verifies, it decrypts with the private key SK1 to obtain the negotiation information and the shared key, and checks the identity validity of the 7G smart box. If the negotiation information matches the preset information, the 7G smart box's identity is verified and the large-screen media processing card enters security mode. Once both the 7G smart box and the large-screen media processing card are in security mode, the data sender encrypts the data into ciphertext with the shared key using an encryption mode of the symmetric algorithm, such as cipher block chaining (CBC mode), and transmits the ciphertext; the data receiver decrypts the ciphertext with the shared key to recover the plaintext. Throughout, the 7G smart box and the large-screen media processing card monitor the usage time of both parties' digital certificates, and if either exceeds its available duration the connection is actively disconnected.
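The handshake of steps S101 to S106 as a runnable Go model, written for this page and not the applicant's code. Because the Go standard library has no SM2/SM4, it assumes P-256 ECDSA for signatures, an ECIES-style construction (ephemeral ECDH plus AES-GCM) in place of SM2 encryption, and AES-256-GCM in place of SM4 in CBC mode; the preset negotiation string is the page's "7G", and all type and function names are this example's own. It also exercises the two rejection paths the text describes: a failed signature check and a negotiation mismatch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// preset is the negotiation string both endpoints are configured with (the page's example uses "7G").
const preset = "7G"
// Msg is one handshake message: a ciphertext plus a signature over that ciphertext (the page's order).
type Msg struct{ CT, Sig []byte }
// Party is one endpoint: its own key pair, the peer's key from the exchanged certificate (S101), the shared key.
type Party struct {
	Priv   *ecdsa.PrivateKey
	Peer   *ecdsa.PublicKey
	Shared []byte
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func NewParty() *Party { return &Party{Priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }
// ExchangeCerts models S101: each side learns the other's public key.
func ExchangeCerts(a, b *Party) { a.Peer, b.Peer = &b.Priv.PublicKey, &a.Priv.PublicKey }
// seal and open are AES-256-GCM, assumed here in place of the page's SM4 in CBC mode; nonce || ciphertext || tag.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// encryptTo/decryptWith: ECIES-style encryption assumed in place of SM2 (ephemeral P-256 ECDH, SHA-256 as KDF,
// then seal); layout is the 65-byte ephemeral public key followed by the seal output.
func encryptTo(pub *ecdsa.PublicKey, pt []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(must(pub.ECDH()))))
	return append(eph.PublicKey().Bytes(), seal(k[:], pt)...)
}
func decryptWith(priv *ecdsa.PrivateKey, ct []byte) ([]byte, error) {
	if len(ct) < 65 {
		return nil, errors.New("ciphertext too short")
	}
	eph := must(ecdh.P256().NewPublicKey(ct[:65])) // malformed point panics; the signature was checked first
	k := sha256.Sum256(must(must(priv.ECDH()).ECDH(eph)))
	return open(k[:], ct[65:])
}
// EncryptAndSign follows the page's order: encrypt to the peer, then sign the ciphertext with the own private key.
func (p *Party) EncryptAndSign(pt []byte) Msg {
	ct := encryptTo(p.Peer, pt)
	h := sha256.Sum256(ct)
	return Msg{CT: ct, Sig: must(ecdsa.SignASN1(rand.Reader, p.Priv, h[:]))}
}
// VerifyAndDecrypt checks the signature with the peer's public key first and only then decrypts (S103, S105).
func (p *Party) VerifyAndDecrypt(m Msg) ([]byte, error) {
	h := sha256.Sum256(m.CT)
	if !ecdsa.VerifyASN1(p.Peer, h[:], m.Sig) {
		return nil, errors.New("signature check failed")
	}
	return decryptWith(p.Priv, m.CT)
}
// ClientHello is S102, ServerReply is S103 and S104, ClientFinish is S105, Send and Recv are S106.
func (c *Party) ClientHello() Msg { return c.EncryptAndSign([]byte(preset)) }
func (s *Party) ServerReply(m Msg) (Msg, error) {
	neg, err := s.VerifyAndDecrypt(m)
	if err != nil {
		return Msg{}, err
	}
	if string(neg) != preset {
		return Msg{}, errors.New("client identity check failed: negotiation mismatch")
	}
	s.Shared = make([]byte, 32) // the page generates this via SM4; 32 random bytes stand in here
	must(rand.Read(s.Shared))
	return s.EncryptAndSign(append([]byte(preset), s.Shared...)), nil
}
func (c *Party) ClientFinish(m Msg) error {
	combined, err := c.VerifyAndDecrypt(m)
	if err != nil {
		return err
	}
	if len(combined) != len(preset)+32 || string(combined[:len(preset)]) != preset {
		return errors.New("server identity check failed: negotiation mismatch")
	}
	c.Shared = combined[len(preset):]
	return nil
}
func (p *Party) Send(data []byte) []byte        { return seal(p.Shared, data) }
func (p *Party) Recv(ct []byte) ([]byte, error) { return open(p.Shared, ct) }
```

Note that, as on the page, the signature covers the ciphertext rather than the plaintext, so the only binding between the negotiation string and the signer is the equality check after decryption.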
According to the communication method provided by the embodiment of the application, the high efficiency of the symmetric encryption algorithm, the safety of the asymmetric encryption algorithm and the irreversibility of the hash algorithm are combined, the efficiency and the safety of data transmission are effectively improved, and the authenticity of transmitted data is guaranteed.
Fig. 2 is a schematic structural diagram of an encrypted communication system according to the second embodiment of the present application. As shown in fig. 2, the encryption communication system of the present application includes a server 11 and at least one client 12;
the client 12 is used for establishing connection with the server 11 and exchanging digital certificates;
the client 12 is further configured to encrypt and sign the negotiation information to obtain first ciphertext information, and send the first ciphertext information to the server 11;
the server 11 is configured to decrypt and verify the first ciphertext information to verify the validity of the identity of the client 12;
after the identity validity of the client 12 passes the verification, the server 11 is configured to generate a shared key, encrypt and sign the combined information of the negotiation information and the shared key to obtain second ciphertext information, and send the second ciphertext information to the client 12;
the client 12 is further configured to decrypt and check the second ciphertext information to verify the validity of the identity of the server 11;
after the identity validity of the server 11 is verified, the client 12 is configured to perform encrypted communication with the server 11 by using the shared key.
In one embodiment, the server 11 includes a first authentication unit 111 and a first secure channel unit 112, as shown in fig. 3; the client 12 includes a second authentication unit 121 and a second secure channel unit 122, as shown in fig. 4;
the first authentication unit 111 is configured to authenticate the identity validity of the client 12;
the second authentication unit 121 is configured to authenticate the identity validity of the server 11;
after the identity validity of the client 12 and the identity validity of the server 11 are authenticated, the first secure channel unit 112 and the second secure channel unit 122 perform encrypted communication on data by using the shared key.
For the specific implementation of this embodiment, refer to the first embodiment; it is not repeated here.
In the communication system provided by the second embodiment of the present application, after the bidirectional authentication between the client and the server is passed, the two parties start the security mode, and perform encryption communication on data by using the shared key through the first secure channel unit and the second secure channel unit, so as to combine the high efficiency of the symmetric encryption algorithm, the security of the asymmetric encryption algorithm, and the irreversibility of the hash algorithm, thereby effectively improving the efficiency and security of data transmission, and ensuring the authenticity of transmitted data.
All possible combinations of the technical features of the above embodiments may not be described for the sake of brevity, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
As used herein, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, including not only those elements listed, but also other elements not expressly listed.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An encrypted communication method, comprising:
the client establishes a connection with the server and exchanges digital certificates with it;
the client encrypts and signs negotiation information to obtain first ciphertext information, and sends the first ciphertext information to the server;
the server decrypts the first ciphertext information and verifies its signature, so as to verify the identity validity of the client;
after the identity validity of the client has been verified, the server generates a shared key, encrypts and signs the combined information formed from the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client;
the client decrypts the second ciphertext information and verifies its signature, so as to verify the identity validity of the server;
and after the identity validity of the server has been verified, the client and the server perform encrypted communication of data using the shared key.
2. The communication method of claim 1, further comprising, before the digital certificates are exchanged:
the client generates a first key pair by means of an asymmetric encryption algorithm, the first key pair comprising a first public key and a first private key, and the digital certificate of the client comprises the first public key;
the server generates a second key pair by means of the asymmetric encryption algorithm, the second key pair comprising a second public key and a second private key, and the digital certificate of the server comprises the second public key.
3. The communication method of claim 2, wherein the client encrypting and signing the negotiation information to obtain the first ciphertext information comprises:
the client encrypts the negotiation information with the second public key, and signs the encrypted negotiation information with the first private key to obtain the first ciphertext information;
and the server decrypting the first ciphertext information and verifying its signature to verify the identity validity of the client comprises:
the server verifies the signature of the first ciphertext information with the first public key, and after the signature has been verified, decrypts the first ciphertext information with the second private key to obtain the negotiation information.
4. The communication method of claim 3, wherein the server decrypting the first ciphertext information and verifying its signature to verify the identity validity of the client further comprises:
if the negotiation information matches the preset information, the identity validity of the client is verified;
and if the negotiation information does not match the preset information, verification of the identity validity of the client fails.
5. The communication method of claim 2, wherein the server encrypting and signing the combined information formed from the negotiation information and the shared key to obtain the second ciphertext information comprises:
the server encrypts the combined information with the first public key, and signs the encrypted combined information with the second private key to obtain the second ciphertext information;
and the client decrypting the second ciphertext information and verifying its signature to verify the identity validity of the server comprises:
the client verifies the signature of the second ciphertext information with the second public key, and after the signature has been verified, decrypts the second ciphertext information with the first private key to obtain the negotiation information and the shared key.
6. The communication method of claim 5, wherein the client decrypting the second ciphertext information and verifying its signature to verify the identity validity of the server further comprises:
if the negotiation information matches the preset information, the identity validity of the server is verified;
and if the negotiation information does not match the preset information, verification of the identity validity of the server fails.
7. The communication method of claim 1, wherein the server generating a shared key comprises:
the server generates the shared key by means of a symmetric encryption algorithm.
8. The communication method of any one of claims 1 to 7, further comprising:
the client and the server monitor the usage duration of the digital certificates;
and when the usage duration of the digital certificate of the client exceeds a first preset duration, and/or the usage duration of the digital certificate of the server exceeds a second preset duration, the connection is disconnected.
9. An encrypted data communication system, characterized in that the communication system comprises a server and at least one client;
the client is configured to establish a connection with the server and to exchange digital certificates with it;
the client is further configured to encrypt and sign negotiation information to obtain first ciphertext information and to send the first ciphertext information to the server;
the server is configured to decrypt the first ciphertext information and verify its signature, so as to verify the identity validity of the client;
after the identity validity of the client has been verified, the server is configured to generate a shared key, to encrypt and sign the combined information formed from the negotiation information and the shared key to obtain second ciphertext information, and to send the second ciphertext information to the client;
the client is further configured to decrypt the second ciphertext information and verify its signature, so as to verify the identity validity of the server;
and after the identity validity of the server has been verified, the client and the server are configured to perform encrypted communication of data using the shared key.
10. The communication system of claim 9, wherein the server comprises a first authentication unit and a first secure channel unit, and the client comprises a second authentication unit and a second secure channel unit;
the first authentication unit is configured to authenticate the identity validity of the client;
the second authentication unit is configured to authenticate the identity validity of the server;
and after the identity validity of the client and the identity validity of the server have been authenticated, the first secure channel unit and the second secure channel unit perform encrypted communication of data using the shared key.
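The handshake of claims 1 to 7 and the secure mode of claims 1 and 9, worked through as an added example in Go; this is not code from the patent or from its applicant. The claims name no concrete algorithms, so RSA-OAEP for the two encryption steps, RSA-PSS for the two signatures, a 256-bit shared key and AES-256-GCM for the secure channel units are assumptions of this example; the digital certificates are reduced to the bare public keys, and the preset negotiation information is a constructed literal:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PresetInfo is the "preset information" of claims 4 and 6; the literal is constructed for this example.
var PresetInfo = []byte("negotiation-v1")

// Party is one endpoint; the claims carry its public key in a digital certificate, reduced here to the bare key.
type Party struct {
	priv *rsa.PrivateKey
	peer *rsa.PublicKey // learned in the certificate exchange (step 1)
}

// Seal builds "ciphertext information": RSA-OAEP to the peer's key, then an RSA-PSS signature over that ciphertext (claims 3 and 5).
func (p *Party) Seal(plaintext []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.peer, plaintext, nil); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// Open verifies the signature with the peer's key before decrypting, so tampered input never reaches decryption.
func (p *Party) Open(ct, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(p.peer, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Handshake runs the exchange of claims 1 to 7 and returns the shared key as held by each side.
func Handshake(client, server *Party) (clientKey, serverKey []byte, err error) {
	client.peer, server.peer = &server.priv.PublicKey, &client.priv.PublicKey // step 1: exchange certificates
	ct1, sig1, err := client.Seal(PresetInfo) // step 2: first ciphertext information
	if err != nil {
		return nil, nil, err
	}
	neg, err := server.Open(ct1, sig1) // step 3: verify signature, decrypt, compare (claim 4)
	if err != nil || string(neg) != string(PresetInfo) {
		return nil, nil, fmt.Errorf("client authentication failed: err=%v info=%q", err, neg)
	}
	serverKey = make([]byte, 32) // step 4: fresh 256-bit key for the symmetric algorithm
	rand.Read(serverKey)         // crypto/rand.Read cannot fail since Go 1.24
	ct2, sig2, err := server.Seal(append(append([]byte{}, neg...), serverKey...)) // negotiation info || key
	if err != nil {
		return nil, nil, err
	}
	combined, err := client.Open(ct2, sig2) // step 5: verify signature, decrypt, compare (claim 6)
	n := len(PresetInfo)
	if err != nil || len(combined) != n+32 || string(combined[:n]) != string(PresetInfo) {
		return nil, nil, fmt.Errorf("server authentication failed: err=%v", err)
	}
	return combined[n:], serverKey, nil // step 6: both sides now hold the shared key
}

// NewChannel is the secure channel unit: AES-256-GCM under the shared key.
func NewChannel(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt prepends a random nonce; Decrypt strips it and authenticates the rest.
func Encrypt(ch cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, ch.NonceSize())
	rand.Read(nonce)
	return ch.Seal(nonce, nonce, plaintext, nil)
}
func Decrypt(ch cipher.AEAD, data []byte) ([]byte, error) {
	if len(data) < ch.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return ch.Open(nil, data[:ch.NonceSize()], data[ch.NonceSize():], nil)
}

func main() {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	ck, sk, err := Handshake(&Party{priv: k1}, &Party{priv: k2})
	if err != nil {
		panic(err)
	}
	ch, _ := NewChannel(ck)
	pt, _ := Decrypt(ch, Encrypt(ch, []byte("hello over the secure channel")))
	fmt.Printf("keys agree: %v, round trip: %q\n", string(ck) == string(sk), pt)
}
```

Two points the claims leave open decide the security of a real deployment. First, the certificate exchange of step 1 is the only place where a peer identity is bound: the receiving side has to validate the presented certificate (issuer chain, validity period, expected subject) before its key is used in the signature check, since the signature check alone only proves that whoever holds the key in the presented certificate signed the message. Second, with fixed preset information the first ciphertext information is the same on every run and can be replayed; a deployment should put a fresh client nonce into the negotiation information and verify that the server echoes it in the combined information of step 4, which the structure of claim 5 already accommodates.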

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210260520.0A CN114650173A (en) 2022-03-16 2022-03-16 Encryption communication method and system

Publications (1)

Publication Number Publication Date
CN114650173A true CN114650173A (en) 2022-06-21

Family

ID=81993829

Country Status (1)

Country Link
CN (1) CN114650173A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826659A (en) * 2022-03-16 2022-07-29 深圳奇迹智慧网络有限公司 Encryption communication method and system
CN115457687A (en) * 2022-09-15 2022-12-09 深圳奇迹智慧网络有限公司 Safety configuration method and system for intelligent pole
CN115457687B (en) * 2022-09-15 2024-05-03 深圳奇迹智慧网络有限公司 Security configuration method and system for intelligent pole

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991650A (en) * 2016-01-21 2016-10-05 李明 Secret key acquisition method and identity card information transmission method and system
CN110535868A (en) * 2019-09-05 2019-12-03 山东浪潮商用系统有限公司 Data transmission method and system based on Hybrid Encryption algorithm
CN111030814A (en) * 2019-12-25 2020-04-17 杭州迪普科技股份有限公司 Key negotiation method and device
CN114826659A (en) * 2022-03-16 2022-07-29 深圳奇迹智慧网络有限公司 Encryption communication method and system

Similar Documents

Publication Title
CN110380852B (en) Bidirectional authentication method and communication system
CN107947913B (en) Anonymous authentication method and system based on identity
CN110535868A (en) Data transmission method and system based on Hybrid Encryption algorithm
CN102572817B (en) Method and intelligent memory card for realizing mobile communication confidentiality
CN105162599B (en) A kind of data transmission system and its transmission method
CN110048849B (en) Multi-layer protection session key negotiation method
CN110020524B (en) Bidirectional authentication method based on smart card
CN102394749B (en) Line protection method, system, information safety equipment and application equipment for data transmission
CN103763356A (en) Establishment method, device and system for connection of secure sockets layers
CN107679847B (en) Mobile transaction privacy protection method based on near field communication bidirectional identity authentication
CN101931536B (en) Method for encrypting and authenticating efficient data without authentication center
CN101286849A (en) Authentication system and method of a third party based on engagement arithmetic
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN112637136A (en) Encrypted communication method and system
CN107682152B (en) Group key negotiation method based on symmetric cipher
CN113204760B (en) Method and system for establishing secure channel for software cryptographic module
CN114650173A (en) Encryption communication method and system
CN114826656A (en) Trusted data link transmission method and system
CN103905388A (en) Authentication method, authentication device, smart card, and server
CN111147257A (en) Identity authentication and information confidentiality method, monitoring center and remote terminal unit
CN114826659A (en) Encryption communication method and system
CN114553441B (en) Electronic contract signing method and system
CN113507372A (en) Bidirectional authentication method for interface request
CN113676448B (en) Offline equipment bidirectional authentication method and system based on symmetric key
CN114331456A (en) Communication method, device, system and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination