CN115632863B - Data transmission method and system - Google Patents

Data transmission method and system Download PDF

Info

Publication number
CN115632863B
CN115632863B CN202211304050.XA CN202211304050A CN115632863B CN 115632863 B CN115632863 B CN 115632863B CN 202211304050 A CN202211304050 A CN 202211304050A CN 115632863 B CN115632863 B CN 115632863B
Authority
CN
China
Prior art keywords
data
sender
receiver
ciphertext
segmented
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211304050.XA
Other languages
Chinese (zh)
Other versions
CN115632863A (en
Inventor
侯庆
翟亚雷
李刚毅
陈忠义
吴毅
曾鹏
蓝善根
吴丽娟
邹杰
吴招弟
贺凤琴
李渊波
罗盘君
彭仕宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou Communication Industry Service Co ltd
Original Assignee
Guizhou Communication Industry Service Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou Communication Industry Service Co ltd filed Critical Guizhou Communication Industry Service Co ltd
Priority to CN202211304050.XA priority Critical patent/CN115632863B/en
Publication of CN115632863A publication Critical patent/CN115632863A/en
Application granted granted Critical
Publication of CN115632863B publication Critical patent/CN115632863B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0464Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72Signcrypting, i.e. digital signing and encrypting simultaneously

Abstract

The invention discloses a data transmission method and a system, comprising the following steps: the data sender sends an identity authentication request comprising the digital signature and the identity identifier to the data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request; the data sender receives token information and public key information which are sent after the data is received and the identity authentication is confirmed to pass; the data sender segments the plaintext data to be transmitted and determines a segmented data sequence; the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver; the data receiver determines the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and performs segmented data recombination based on the segmented data sequence to acquire the plaintext data.

Description

Data transmission method and system
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a data transmission method and system.
Background
In recent years, security of network data has become more and more interesting. In general, a data packet transmitted on the internet is not encrypted or signed, so that problems such as interception, tampering, forging, repudiation of a sender and the like easily occur, and information is easily revealed in the process of data packet transmission, so that unnecessary loss is caused. Even if encryption processing is carried out on specific data packets, the system exchanges more redundant data packets in the data exchange process, and the data exchange is burdened.
The data transmission terminal, namely a data transmission unit (DTU, data Transfer unit), is a wireless or wired terminal which is specially used for converting serial data into network data or converting network data into serial data and transmitting the serial data through a communication network, is mainly applied to the fact that sensor data of an Internet of things sensing layer are transmitted to a core network or a platform through the communication network, is more in market product types at present and mainly relates to conversion among different communication modes, and the main circuit structure is a serial module, a power module and a network communication module, and mainly transmits the data including RS485/RS232 to 4G, RS/RS 232 to Ethernet, RS485/RS232 to LoRa, RS485/RS232 to NB, RS485/RS232 to WiFi and the like. The existing data transmission terminal functions are used for data transparent transmission, namely, serial port data and network data are 100% identical, and because the transmission data are not encrypted, the security risk of network information exists, the data are easy to be attacked by illegal invasion, and the core network or the production system is seriously paralyzed.
Disclosure of Invention
The invention provides a data transmission method and a data transmission system, which aim to solve the problem of how to efficiently perform data transmission between different devices.
In order to solve the above-mentioned problems, according to an aspect of the present invention, there is provided a data transmission method including:
a data sender sends an identity authentication request comprising a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request;
the data sender receives token information and public key information which are sent after the data is received and the identity authentication is confirmed to pass;
the data sender segments the plaintext data to be transmitted and determines a segmented data sequence; wherein the sequence of segmented data comprises at least one segmented data;
the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver;
the data receiver determines the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and performs segmented data recombination based on the segmented data sequence to acquire the plaintext data.
Preferably, the data sender sends an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request, and the method includes:
the data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
and when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
Preferably, the data sender segments the plaintext data to be transmitted, and determines a segmented data sequence, which includes:
The data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
the data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
the data sender performs segmentation based on the segmentation number to determine the segmented data sequence.
Preferably, the determining, by the data sender, the number of fragments based on the data importance level coefficient and the number of times the data receiver is attacked within a past predetermined period of time returned by the data receiver includes:
Figure BDA0003905070010000031
wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset ratio; s is a data importance level coefficient of plaintext data to be transmitted; p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure BDA0003905070010000032
representing an upward rounding.
Preferably, the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver, including:
The data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
the data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the ciphertext data and token information to a data receiver based on a first link;
the data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
Preferably, the determining, by the data receiving party, the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and the private key information corresponding to the public key information, and the reorganizing the segmented data based on the segmented data sequence to obtain the plaintext data includes:
The data receiver checks the token information and determines a check result;
when the verification result indicates that the token information passes the verification, a data receiver decrypts the first ciphertext data and the second ciphertext data respectively by utilizing a built-in second trusted cryptography module TCM2 based on private key information corresponding to the public key information, and acquires the mixed data and the position mapping relation;
the data receiver sorts the spliced data in the mixed data based on the position mapping relation so as to determine the spliced data sequence;
traversing the spliced data sequence by a data receiver, and splitting any spliced data according to a preset splicing rule to determine the segmented data sequence;
and traversing the segmented data in the segmented data sequence by a data receiver and carrying out data recombination to obtain the plaintext data.
According to another aspect of the present invention, there is provided a data transmission system, the system comprising:
an identity authentication unit, configured to enable a data sender to send an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request;
An information receiving unit for enabling a data sender to receive token information and public key information which are sent after the data is received after the identity authentication is confirmed to pass;
the data segmentation unit is used for enabling the data sender to segment the plaintext data to be transmitted and determining a segmented data sequence; wherein the sequence of segmented data comprises at least one segmented data;
the ciphertext data determining unit is used for enabling the data sender to determine first ciphertext data and second ciphertext data based on the segmented data sequence and sending the token information, the first ciphertext data and the second ciphertext data to the data receiver;
and the plaintext data determining unit is used for enabling a data receiver to determine the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and recombining the segmented data based on the segmented data sequence so as to acquire the plaintext data.
Preferably, the identity authentication unit causes the data sender to send an identity authentication request including a digital signature and an identity identifier to the data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request, and includes:
The data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
and when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
Preferably, the data segmentation unit causes a data sender to segment the plaintext data to be transmitted, and determines a segmented data sequence, including:
the data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
The data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
the data sender performs segmentation based on the segmentation number to determine the segmented data sequence.
Preferably, the data segmentation unit, the data sender determines the segmentation number based on the data importance level coefficient and the number of times that the data receiver is attacked within the past preset time period returned by the data receiver, and the method comprises the following steps:
Figure BDA0003905070010000061
wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset ratio; s is a data importance level coefficient of plaintext data to be transmitted; p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure BDA0003905070010000062
representing an upward rounding.
Preferably, the ciphertext data determining unit causes a data transmitter to determine first ciphertext data and second ciphertext data based on the segmented data sequence, and transmit the token information, the first ciphertext data, and the second ciphertext data to the data receiver, including:
the data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
The data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the ciphertext data and token information to a data receiver based on a first link;
the data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
Preferably, the plaintext data determining unit causes a data receiver to determine the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data, and private key information corresponding to the public key information, and performs reassembly of segmented data based on the segmented data sequence to obtain the plaintext data, and includes:
The data receiver checks the token information and determines a check result;
when the verification result indicates that the token information passes the verification, a data receiver decrypts the first ciphertext data and the second ciphertext data respectively by utilizing a built-in second trusted cryptography module TCM2 based on private key information corresponding to the public key information, and acquires the mixed data and the position mapping relation;
the data receiver sorts the spliced data in the mixed data based on the position mapping relation so as to determine the spliced data sequence;
traversing the spliced data sequence by a data receiver, and splitting any spliced data according to a preset splicing rule to determine the segmented data sequence;
and traversing the segmented data in the segmented data sequence by a data receiver and carrying out data recombination to obtain the plaintext data.
The invention provides a data transmission method and a system, comprising the following steps: a data sender sends an identity authentication request comprising a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request; the data sender receives token information and public key information which are sent after the data is received and the identity authentication is confirmed to pass; the data sender segments the plaintext data to be transmitted and determines a segmented data sequence; the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver; the data receiver determines the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and performs segmented data recombination based on the segmented data sequence to acquire the plaintext data. The method provided by the invention needs to carry out identity authentication before carrying out data transmission, and carries out data transmission in a ciphertext data mode after carrying out the identity authentication, so that the safety of data transmission can be ensured, the intrusion prevention capability and the active defense capability of the sensing network of the Internet of things can be improved, and the method can be applied to the application scene of the Internet of things powered by a battery.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
fig. 1 is a flow chart of a data transmission method 100 according to an embodiment of the present invention;
FIG. 2 is an interactive schematic diagram of identity authentication according to an embodiment of the present invention;
fig. 3 is a schematic structural view of a data transmission terminal according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a data transmission system 400 according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention mainly solves the information security problem of data transmission of the sensors of the Internet of things and control instruction transmission of the equipment of the Internet of things, transfers the domestic trusted computing technology to the sensing layer of the Internet of things, sends data to the TCM (trusted platform management) for encryption through a communication network and then transmits the data to the core network, decrypts the data transmitted by the core network through the TCM and then transmits the data to the sensors through a serial port, thereby realizing complex, safe and trusted data transmission in the sensing layer of the Internet of things with low power consumption, low cost and low computing power.
Fig. 1 is a flowchart of a data transmission method 100 according to an embodiment of the present invention. As shown in fig. 1, the data transmission method provided by the embodiment of the invention needs to perform identity authentication before performing data transmission, performs data transmission in a ciphertext data manner after performing the identity authentication, can ensure the safety of data transmission, can improve the intrusion prevention capability and the active defense capability of the sensing network of the internet of things, and can be applied to the application scene of the internet of things powered by a battery. The data transmission method 100 provided in the embodiment of the present invention starts from step 101, and in step 101, a data sender sends an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request.
Preferably, the data sender sends an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request, and the method includes:
the data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
and when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
In step 102, the data sender receives the token information and the public key information sent after the data is received and the identity authentication is determined to pass.
In the invention, the realization of data transmission needs to depend on a data transmission terminal, the credible security of the data is realized on the data transmission terminal, and the data transmission terminal is used as a data security transmission controller of a sensing node, the core network needs to carry out bidirectional identity authentication to ensure the credibility of the equipment when being accessed to the core network, and the second step is based on the data transmission terminal to realize the encryption transmission of the data.
In the present invention, identity authentication is required before data transmission. The node identity authentication of the awareness layer aims at verifying whether the node belongs to a node authorized by the designer or whether the node visitor is authorized by the designer through encryption authentication. Node authentication is initiated when a node requests to connect to a server or a server requests to access a node, and identity authentication is bidirectional. In this authentication process, the requester must complete authentication of its own device (or module) to further request authentication from the responder. The requester is the data sender, and the responder is the data receiver.
As shown in connection with fig. 2, the combination pattern of the Requester (Requester) -Responder (Responder) may be one of two cases:
(1) Data transmission terminal→server;
(2) Server→data transmission terminal.
The process ASK is a request packet including a verification report to the peripheral device; id is the digital signature of the requester itself. The Controller is a core processor that controls devices that participate in authentication. The identity authentication process comprises the following steps:
(1) The requester packages the digital signature of the 72bit and the identity identifier, and initiates a request to the responder;
(2) After the responder recognizes that Id exists, sending a nonce instruction to the TCM2 to generate and return a 32-byte random number as a challenge, and the responder sends the challenge to the requester;
(3) The requestor sends a challenge to the TCM1 to perform a calculation to get a response (reply) and returns the response to the responder, wherein:
response=sm3 (challenge)// means that challenge is calculated by SM3 to give response.
(4) The responder sends a response to the TCM2, the TCM2 carries out decryption calculation on the reply response to obtain a decryption value R, whether the decryption value R is consistent with the response or not is verified internally, if so, result=1, otherwise, result=0, and finally, the value of a verification result is returned.
(5) If the result returned in the step 4 is true, the identity authentication is completed, the responder sends an authentication token to the requester, and simultaneously, a pair of public and private keys are generated and sent to the requester, so that the requester encrypts transmission data based on the public key. Otherwise, if result is false, the device Id is added to a blacklist or data communication is refused, and if the responder is a server, the node device is stopped.
Through the process, identity authentication between devices is completed, and a trust chain can be established so as to communicate or control each other. If errors such as overtime and data mismatch occur in the process, identity authentication will fail.
In step 103, the data sender segments the plaintext data to be transmitted and determines a segmented data sequence; wherein the sequence of segment data comprises at least one segment data.
Preferably, the data sender segments the plaintext data to be transmitted, and determines a segmented data sequence, which includes:
the data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
the data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
the data sender performs segmentation based on the segmentation number to determine the segmented data sequence.
Preferably, the determining, by the data sender, the number of fragments based on the data importance level coefficient and the number of times the data receiver is attacked within a past predetermined period of time returned by the data receiver includes:
Figure BDA0003905070010000111
Wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset ratio; s is a data importance level coefficient of plaintext data to be transmitted; p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure BDA0003905070010000112
representing an upward rounding.
In the present invention, a data sender determines the data type and data content detail information of plaintext data to be transmitted, so that a data receiver returns a data importance level coefficient based on the data type and data content detail information. The data types may be: text, forms, video, recordings, etc.; the data content detail information may be different data identifications, the data content detail information being determined based on the different data identifications. For example, the data identification "aaa" represents asset information, the data representation "bbb" represents business information, and the like. For the data importance level coefficient, it may be determined according to a plurality of importance levels set, and for more important data, the higher the importance level, the greater the importance level coefficient.
In addition, the data sender may count the time period (e.g., one day, one month) that has elapsedOr one year) the number of times the data receiver is attacked is M1, and the number of times the data receiver is attacked and the data importance level coefficient in the past predetermined period of time are simultaneously transmitted to the data sender. The data sender then uses the formula
Figure BDA0003905070010000113
The number of segments is calculated and the plaintext data is segmented based on the determined segment data, thereby determining a sequence of segment data.
In the invention, the value range of the importance level coefficient can be set to be 1-2 so as to restrict the value of N. In addition, when the number of segments is calculated, if the number of times of attack is greater than a first preset number of times of attack threshold, calculating P according to the first preset number of times of attack threshold, if the number of times of attack is less than a second preset number of times of attack threshold, calculating P according to the second preset number of times of attack threshold to control the value range of N, so that the situation that when P is too large or too small, N is too large or too small is avoided, the data transmission safety can be ensured, and the data transmission speed can be ensured. In step 104, the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data, and the second ciphertext data to the data receiver.
Preferably, the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver, including:
The data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
the data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the ciphertext data and token information to a data receiver based on a first link;
the data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
In the invention, the data Sender traverses the segmented data sequence and acquires the spliced data corresponding to each segmented data in a mode of 'preset spliced characters and segmented data'. Then, all the spliced data are mixed randomly, mixed data are determined, and a position mapping relation is established. For example, assuming that the segment data sequence is < a, B, C, D >, and the preset concatenation character is #, the concatenation data sequence is < #a, #b, #c, #d >. If the mixed data after random mixing is "#b#c#a#d", the positional mapping relationship can be determined as: 1- >2,2- >3,3- >1,4- >4, wherein the numbers following "- >" represent the position of the splice data in the mixed data and the numbers preceding "- >" represent the position of the splice data in the splice data sequence. Based on the position mapping relationship, the spliced data sequence can be reversely deduced based on the mixed data.
Then, encrypting the mixed data and the position mapping relation based on the public key information by using a built-in first trusted cryptography module TCM1 to obtain first ciphertext data and second ciphertext data; and finally, the ciphertext data is sent to a data receiver based on the first link, and the second ciphertext data is sent to the data receiver based on the second link.
In step 105, the data receiving party determines the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and the private key information corresponding to the public key information, and performs the reconstruction of the segmented data based on the segmented data sequence to obtain the plaintext data.
Preferably, the determining, by the data receiving party, the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and the private key information corresponding to the public key information, and the reorganizing the segmented data based on the segmented data sequence to obtain the plaintext data includes:
the data receiver checks the token information and determines a check result;
when the verification result indicates that the token information passes the verification, a data receiver decrypts the first ciphertext data and the second ciphertext data respectively by utilizing a built-in second trusted cryptography module TCM2 based on private key information corresponding to the public key information, and acquires the mixed data and the position mapping relation;
The data receiver sorts the spliced data in the mixed data based on the position mapping relation so as to determine the spliced data sequence;
traversing the spliced data sequence by a data receiver, and splitting any spliced data according to a preset splicing rule to determine the segmented data sequence;
and traversing the segmented data in the segmented data sequence by a data receiver and carrying out data recombination to obtain the plaintext data.
In the present invention, first, the data receiving side acquires the token information and the first ciphertext data based on the first link, and acquires the second ciphertext data based on the second link. And then, the data receiver checks the token information, and if the token information passes the check, the built-in second trusted cryptography module TCM2 is utilized to decrypt the first ciphertext data and the second ciphertext data based on private key information corresponding to the public key information respectively, so as to obtain the mixed data and the position mapping relation. Then, based on the position mapping relation and the mixed data, a spliced data sequence is determined. And then splitting each spliced data in the spliced data sequence in turn according to a mode of 'preset spliced characters and segmented data', so as to obtain the segmented data sequence. And finally, traversing all the segment data in the segment data sequence to carry out data recombination so as to obtain the plaintext data.
In the invention, data transmission can be realized based on a data transmission terminal containing a TCM (trusted platform module), a trusted security chip conventionally used in a computer is abandoned, and aiming at the characteristics of low power consumption, low computational power and the like of a sensing layer of the Internet of things, an encryption algorithm chip based on a domestic SM1/SM2/SM3/SM4/SM7 cryptographic algorithm and a key storage area is selected to be used as a core component of a cryptographic module, a hardware circuit module is innovatively designed, a new security mechanism algorithm is written through a C language in a control unit of the data transmission terminal, encryption and decryption transmission in the data transmission process is realized, and therefore, the TCM is taken as a core to be transplanted into the terminal through a trusted security mechanism, and the data transmission terminal equipment based on the domestic TCM is invented.
As shown in fig. 3, the data transmission terminal includes: (1) a power supply module, (2) a Trusted Cryptography Module (TCM), (3) an Ethernet-to-serial module, (4) an embedded processor module, and (5) an RS485 module. The power supply module is composed of a DC-DC direct current voltage converter chip and peripheral circuits, the input voltage of the power supply module is 9-36 VDC, and the output voltage DC3.3V supplies power to other modules. The embedded processor module is composed of a GD32F1 series ARM chip and a peripheral circuit, and is used as a central processing unit for controlling the encryption and decryption processes of data and the management of an upper-level data communication mechanism and a lower-level data communication mechanism. Trusted Cryptography Module (TCM): the domestic hardware encryption chip and peripheral circuit for trusted computing is formed by communicating with the embedded processor through IIC or SPI, encrypting and decrypting the data through the key pair burned in the chip at one time and the public key transmitted by the processor, and returning the result to the processor, wherein the module adopts a national encryption algorithm encryption product with high performance and high security based on a 32-bit security processor. The chip meets the second level of security level of the commercial security detection standard GM/T0008-2012 security chip password detection standard, has a high-speed communication interface IIC and SPI, and has a 32K RAM and a 64K byte file key area. The method supports the SM1/SM2/SM3/SM4/SM7 algorithm of the national cipher, supports the higher security level encryption algorithm of RSA, SHA, AES and 3DES, and has the characteristics of high performance and low power consumption. The Ethernet-to-serial port module converts TCP/IP protocol data transmitted by an RJ45 network port into TTL signal data and carries out serial port data interaction with the embedded processor; the embedded processor module is used as a control unit for controlling the encryption and decryption processes of data and the management of an upper-level data communication mechanism and a lower-level data communication mechanism; the RS485 module is used for data interaction between the sensor and the embedded processor.
The encryption algorithm is completed by the trusted cryptography module, the data protocol transmitted by the data transmission terminal is a modbus protocol, when the serial port 1 of the control unit receives the encrypted data REQ from the Ethernet-to-serial port module, the control unit sends the data REQ to the TCM through the IIC or SPI bus and waits for execution, after the TCM executes decryption calculation, the decrypted data REQER is returned to the control unit through the IIC or SPI, the control unit completes sorting, disassembly and recombination of the data, and then the control unit sends the REQER to the RS485 module through the serial port 2. And after the sensor connected to the RS485 module receives REQER data, responding, and returning corresponding data RES to the RS485 module according to the instruction. And then, when the serial port 2 of the control unit receives data RES returned by the sensor through the RS485 module, the control unit sends the data RES to the TCM through an IIC or SPI bus and waits for execution, after the TCM executes encryption calculation, the encrypted data RESCR is returned to the control unit through the IIC or SPI, the control unit completes encryption operation, then, the control unit sends the RESCR to the Ethernet serial port module through the serial port 1, finally, the encrypted data returned by the sensor is sent to the core network through the Ethernet, and a data interaction process of a complete modbus protocol is completed. The invention adds data encryption and decryption functions in the aspect of data communication, and adds a trusted encryption module on a hardware circuit.
In order to achieve the aim of safe transmission of data of the sensing layer of the Internet of things, the special hardware encryption chip is adopted, the control unit only needs to send the data to the hardware encryption chip through the IIC or SPI interface, the encrypted and decrypted data can be returned in millisecond level, the special hardware encryption chip has a designated secret key safe storage area, the safety of secret keys is guaranteed, and the safety performance is greatly improved, so that the aim is achieved.
In terms of alternative schemes, the number of domestic hardware encryption chips of the currently replaceable algorithms with the same function in the trusted cryptomodule is small, and the cryptographic chips can be replaced by 1 to 2 encryption algorithms, but the cryptographic chips have larger deviation from the patent; the power supply module can be replaced by a DCDC chip with similar function, the output voltage is required to be ensured to be 3.3V, and the output current is more than 0.5A; the embedded processor module can be replaced by other 8-32 processors supporting double serial ports, the IO number is greater than 8, and the Ethernet-to-serial port TTL module can be replaced by an SOC chip and peripheral circuits with similar functions.
Fig. 4 is a schematic diagram of a data transmission system 400 according to an embodiment of the present invention. As shown in fig. 4, a data transmission system 400 according to an embodiment of the present invention includes: an identity authentication unit 401, an information receiving unit 402, a data segmentation unit 403, a ciphertext data determination unit 404, and a plaintext data determination unit 405.
Preferably, the identity authentication unit 401 is configured to enable a data sender to send an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request.
Preferably, the identity authentication unit 401 causes the data sender to send an identity authentication request including a digital signature and an identity identifier to the data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request, including:
the data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
And when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
Preferably, the information receiving unit 402 is configured to enable the data sender to receive the token information and the public key information sent by the data sender after the data receiver determines that the identity authentication is passed.
Preferably, the data segmentation unit 403 is configured to enable a data sender to segment the plaintext data to be transmitted, and determine a segmented data sequence; wherein the sequence of segment data comprises at least one segment data.
Preferably, the data segmentation unit 403 causes a data sender to segment the plaintext data to be transmitted, and determines a segmented data sequence, including:
the data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
the data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
the data sender performs segmentation based on the segmentation number to determine the segmented data sequence.
Preferably, the data segmentation unit, the data sender determines the segmentation number based on the data importance level coefficient and the number of times that the data receiver is attacked within the past preset time period returned by the data receiver, and the method comprises the following steps:
Figure BDA0003905070010000171
wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset ratio; s is plaintext data to be transmittedData importance level coefficients of (2); p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure BDA0003905070010000172
representing an upward rounding.
Preferably, the ciphertext data determining unit 404 is configured to enable the data sender to determine the first ciphertext data and the second ciphertext data based on the segmented data sequence, and send the token information, the first ciphertext data, and the second ciphertext data to the data receiver.
Preferably, the ciphertext data determining unit 404 causes a data sender to determine first ciphertext data and second ciphertext data based on the segmented data sequence, and send the token information, the first ciphertext data, and the second ciphertext data to the data receiver, including:
the data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
The data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the ciphertext data and token information to a data receiver based on a first link;
the data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
Preferably, the plaintext data determining unit 405 is configured to enable a data receiver to determine the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data, and private key information corresponding to the public key information, and perform segmentation data reassembly based on the segmented data sequence, so as to obtain the plaintext data.
Preferably, the plaintext data determining unit 405 causes a data receiver to determine the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data, and private key information corresponding to the public key information, and perform segmentation data reassembly based on the segmented data sequence to obtain the plaintext data, and includes:
the data receiver checks the token information and determines a check result;
when the verification result indicates that the token information passes the verification, a data receiver decrypts the first ciphertext data and the second ciphertext data respectively by utilizing a built-in second trusted cryptography module TCM2 based on private key information corresponding to the public key information, and acquires the mixed data and the position mapping relation;
the data receiver sorts the spliced data in the mixed data based on the position mapping relation so as to determine the spliced data sequence;
traversing the spliced data sequence by a data receiver, and splitting any spliced data according to a preset splicing rule to determine the segmented data sequence;
and traversing the segmented data in the segmented data sequence by a data receiver and carrying out data recombination to obtain the plaintext data.
The data transmission system 400 according to the embodiment of the present invention corresponds to the data transmission method 100 according to another embodiment of the present invention, and is not described herein.
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [ means, component, etc. ]" are to be interpreted openly as referring to at least one instance of said means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (7)

1. A method of data transmission, the method comprising:
a data sender sends an identity authentication request comprising a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request;
The data sender receives token information and public key information sent by the data receiver after the identity authentication is confirmed to pass;
the data sender segments plaintext data to be transmitted and determines a segmented data sequence; wherein the sequence of segmented data comprises at least one segmented data;
the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver;
the data receiver determines the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and performs segmented data recombination based on the segmented data sequence to acquire the plaintext data;
the data sender segments the plaintext data to be transmitted, and determines a segmented data sequence, which includes:
the data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
The data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
the data sender performs segmentation based on the segmentation quantity to determine the segmentation data sequence;
the data sender determines first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver, and the method comprises the following steps:
the data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
the data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the first ciphertext data and token information to a data receiver based on a first link;
The data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
2. The method of claim 1, wherein the data sender sending an authentication request including a digital signature and an identity identifier to a data receiver, such that the data receiver authenticates the data sender based on the authentication request, comprising:
the data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
And when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
3. The method of claim 1, wherein the data sender determining the number of segments based on the data importance level coefficient and the number of times the data receiver has been attacked within a predetermined period of time returned by the data receiver, comprises:
Figure FDA0004206743880000031
wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset proportionThe method comprises the steps of carrying out a first treatment on the surface of the S is a data importance level coefficient of plaintext data to be transmitted; p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure FDA0004206743880000032
representing an upward rounding.
4. The method of claim 1, wherein the data receiver determining the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data, and private key information corresponding to the public key information, and performing reassembly of the segmented data based on the segmented data sequence to obtain the plaintext data, comprises:
the data receiver checks the token information and determines a check result;
when the verification result indicates that the token information passes the verification, a data receiver decrypts the first ciphertext data and the second ciphertext data respectively by utilizing a built-in second trusted cryptography module TCM2 based on private key information corresponding to the public key information, and acquires the mixed data and the position mapping relation;
The data receiver sorts the spliced data in the mixed data based on the position mapping relation so as to determine the spliced data sequence;
traversing the spliced data sequence by a data receiver, and splitting any spliced data according to a preset splicing rule to determine the segmented data sequence;
and traversing the segmented data in the segmented data sequence by a data receiver and carrying out data recombination to obtain the plaintext data.
5. A data transmission system, the system comprising:
an identity authentication unit, configured to enable a data sender to send an identity authentication request including a digital signature and an identity identifier to a data receiver, so that the data receiver performs identity authentication on the data sender based on the identity authentication request;
the information receiving unit is used for enabling the data sender to receive the token information and the public key information which are sent by the data receiver after the identity authentication is confirmed to pass;
the data segmentation unit is used for enabling the data sender to segment the plaintext data to be transmitted and determining a segmented data sequence; wherein the sequence of segmented data comprises at least one segmented data;
The ciphertext data determining unit is used for enabling the data sender to determine first ciphertext data and second ciphertext data based on the segmented data sequence and sending the token information, the first ciphertext data and the second ciphertext data to the data receiver;
a plaintext data determining unit, configured to enable a data receiving party to determine the segmented data sequence based on the token information, the first ciphertext data, the second ciphertext data and private key information corresponding to the public key information, and to reconstruct the segmented data based on the segmented data sequence, so as to obtain the plaintext data;
the data segmentation unit enables a data sender to segment the plaintext data to be transmitted, and determines a segmented data sequence, and the data segmentation unit comprises:
the data sender sends the data type and the data content detail information of the plaintext data to be transmitted to the data receiver so as to receive the data importance level coefficient returned by the data receiver based on the data type and the data content detail information;
the data sender determines the number of segments based on the data importance level coefficient and the number of times the data receiver is attacked within the past preset time period returned by the data receiver;
The data sender performs segmentation based on the segmentation quantity to determine the segmentation data sequence;
the ciphertext data determining unit causes a data sender to determine first ciphertext data and second ciphertext data based on the segmented data sequence, and sends the token information, the first ciphertext data and the second ciphertext data to the data receiver, and the ciphertext data determining unit includes:
the data sender traverses the segmented data sequence, and performs splicing of preset splicing characters and segmented data on any segmented data according to preset splicing rules so as to acquire splicing data corresponding to any segmented data and determine a spliced data sequence;
the data sender randomly mixes all spliced data in the spliced data sequence to obtain mixed data, and establishes a position mapping relation based on first position information of any spliced data in the spliced data sequence and second position information of any spliced data in the mixed data; the data sender encrypts the mixed data based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain first ciphertext data, and sends the ciphertext data and token information to a data receiver based on a first link;
The data sender encrypts the position mapping relation based on the public key information by utilizing a built-in first trusted cryptography module TCM1 to obtain second ciphertext data, and sends the second ciphertext data to the data receiver based on a second link.
6. The system of claim 5, wherein the authentication unit for causing the data sender to send an authentication request including a digital signature and an identity identifier to the data receiver to cause the data receiver to authenticate the data sender based on the authentication request comprises:
the data sender sends the digital signature and the identity identifier to the data receiver;
the data receiver generates a random number password challenge based on the digital signature and the identity identifier by using a built-in second trusted cryptography module TCM2, and sends the random number password challenge to the data sender;
the data sender performs encryption calculation based on the random number password challenge by utilizing a built-in first trusted cryptography module TCM1, acquires a reply response, and sends the reply response to the data receiver;
the data receiver uses a built-in second trusted cryptography module TCM2 to decrypt the reply response to obtain a decrypted value R, verifies whether the decrypted value R is consistent with the response, and obtains a verification result;
And when the verification result indicates consistency, determining that the identity authentication is passed, and sending token information token to the data sender.
7. The system of claim 5, wherein the data segmentation unit, the data sender determining the number of segments based on the data importance level coefficient and the number of times the data receiver has been attacked within a predetermined period of time returned by the data receiver, comprises:
Figure FDA0004206743880000051
wherein N is the number of segments; m is the number of preset segments; a is a first preset proportion; b is a second preset ratio; s is a data importance level coefficient of plaintext data to be transmitted; p is the number of times the data receiver is attacked in the past predetermined period of time;
Figure FDA0004206743880000052
representing an upward rounding. />
CN202211304050.XA 2022-10-24 2022-10-24 Data transmission method and system Active CN115632863B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211304050.XA CN115632863B (en) 2022-10-24 2022-10-24 Data transmission method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211304050.XA CN115632863B (en) 2022-10-24 2022-10-24 Data transmission method and system

Publications (2)

Publication Number Publication Date
CN115632863A CN115632863A (en) 2023-01-20
CN115632863B true CN115632863B (en) 2023-06-06

Family

ID=84906357

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211304050.XA Active CN115632863B (en) 2022-10-24 2022-10-24 Data transmission method and system

Country Status (1)

Country Link
CN (1) CN115632863B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567427A (en) * 2022-01-05 2022-05-31 北京理工大学 Block chain concealed data segmented transmission method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035253B (en) * 2006-11-14 2010-05-26 北京中星微电子有限公司 Encryption or decryption implementing method, device and system
EP3476078B1 (en) * 2016-06-28 2020-05-27 Verimatrix GmbH Systems and methods for authenticating communications using a single message exchange and symmetric key
CN109309565B (en) * 2017-07-28 2021-08-10 中国移动通信有限公司研究院 Security authentication method and device
EP4138335A4 (en) * 2020-05-15 2023-05-24 Huawei Technologies Co., Ltd. Communication method and communication apparatus
EP4236137A4 (en) * 2020-11-16 2023-11-22 Huawei Cloud Computing Technologies Co., Ltd. Data transmission method and apparatus, device, system, and storage medium
CN115065522A (en) * 2022-06-09 2022-09-16 北谷电子有限公司 Security authentication method, vehicle-mounted controller, remote communication terminal, and storage medium
CN115150098A (en) * 2022-06-30 2022-10-04 中国电信股份有限公司 Identity authentication method based on challenge response mechanism and related equipment

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567427A (en) * 2022-01-05 2022-05-31 北京理工大学 Block chain concealed data segmented transmission method

Also Published As

Publication number Publication date
CN115632863A (en) 2023-01-20

Similar Documents

Publication Publication Date Title
CN101005361B (en) Server and software protection method and system
CN108432205A (en) Use the system and method for the multi-party communication of the safety of agency
US11736304B2 (en) Secure authentication of remote equipment
KR101753859B1 (en) Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device
Wang et al. NOTSA: Novel OBU with three-level security architecture for internet of vehicles
CN107172056A (en) A kind of channel safety determines method, device, system, client and server
CN1659821A (en) Method for secure data exchange between two devices
CN111756529B (en) Quantum session key distribution method and system
CN113079132B (en) Mass Internet of things equipment authentication method, storage medium and information data processing terminal
CN112417494A (en) Power block chain system based on trusted computing
CN110233826B (en) Privacy protection method based on data confusion among users and terminal data aggregation system
CN107135070A (en) Method for implanting, framework and the system of RSA key pair and certificate
CN110944301A (en) Intelligent cell equipment monitoring system based on block chain and key management method
CN113595744B (en) Network access method, device, electronic equipment and storage medium
CN100579009C (en) Method for upgrading function of creditable calculation modules
KR20200099873A (en) HMAC-based source authentication and secret key sharing method and system for Unnamed Aerial vehicle systems
CN105516210A (en) System and method for terminal security access authentication
CN115632863B (en) Data transmission method and system
CN116866333A (en) Method and device for transmitting encrypted file, electronic equipment and storage medium
CN112468983B (en) Low-power-consumption access authentication method for intelligent equipment of power internet of things and auxiliary device thereof
CN115396149A (en) Efficient authentication key exchange method based on privacy protection
CN114362998A (en) Network security protection method based on edge cloud system
CN113051548A (en) Industrial safety control system of light-weight undisturbed formula
Yan et al. Power blockchain guarantee mechanism based on trusted computing
Lai et al. Blockchain-based Multi-Factor Group Authentication in Metaverse

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant