CN115766066A - Data transmission method, device, safety communication system and storage medium - Google Patents

Data transmission method, device, safety communication system and storage medium Download PDF

Info

Publication number
CN115766066A
CN115766066A CN202211174096.4A CN202211174096A CN115766066A CN 115766066 A CN115766066 A CN 115766066A CN 202211174096 A CN202211174096 A CN 202211174096A CN 115766066 A CN115766066 A CN 115766066A
Authority
CN
China
Prior art keywords
key
client
message
session key
proxy server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211174096.4A
Other languages
Chinese (zh)
Inventor
郭旻
马东娟
刘泽辉
景卫哲
郑惠萍
刘晓捷
杨华
杨大哲
琚贇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Electric Power Research Institute Of Sepc
North China Electric Power University
Original Assignee
State Grid Electric Power Research Institute Of Sepc
North China Electric Power University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Electric Power Research Institute Of Sepc, North China Electric Power University filed Critical State Grid Electric Power Research Institute Of Sepc
Priority to CN202211174096.4A priority Critical patent/CN115766066A/en
Publication of CN115766066A publication Critical patent/CN115766066A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a data transmission method, a data transmission device, a secure communication system and a storage medium, and relates to the technical field of communication security. The method comprises the following steps: the first client generates a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme; the first client encrypts the first session key by using the first exclusive public key to obtain a second session key; the authentication center generates a process key according to the session key of the client; the authentication center encrypts a third session key of the second client by using the exclusive private key to obtain a fourth session key; the proxy server encrypts the first message ciphertext by using the process key to obtain a second message ciphertext; the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme; and the second client decrypts the second message ciphertext by using the second exclusive public key, the fourth session key and the process key to obtain the target message. The data transmission safety is improved.

Description

Data transmission method, device, safety communication system and storage medium
Technical Field
The present application relates to the field of communications security technologies, and in particular, to a data transmission method, an apparatus, a secure communication system, and a storage medium.
Background
The MQTT (Message Queuing Transport protocol) protocol is a lightweight communication protocol, and has the characteristics of low communication overhead, unreliable network adaptability and the like, so that the MQTT protocol has wide application in the field of the internet of things nowadays. However, the MQTT protocol does not provide a measure for guaranteeing data security, and messages are in a plaintext state by default during pushing, forwarding and cloud storage processing, so that an attacker is provided with an opportunity.
In the related art, an SSL/TLS Protocol scheme is embedded between an MQTT Protocol and a TCP (Transmission Control Protocol) Protocol to encrypt data Transmission.
In carrying out the present application, the applicant has found that the related art has at least the following problems:
firstly, security problems possibly existing when messages are stored and processed at an agent end are not solved, for example, as more and more message agents are deployed to a cloud end, if the message agents are invaded, as the messages are stored in a plain text at the agent end, a large number of plain text messages are likely to be leaked and tampered; second, the SSL (Secure Socket Layer)/TLS (Transport Layer Security protocol) protocol additionally adds a handshake procedure for negotiating a subsequent symmetric key, that is, adds two extra round trips of information, which may cause a burden on a client in pursuit of lightweight and fast internet of things communication, especially communication.
Disclosure of Invention
In view of this, the present application provides a data transmission method, an apparatus, a secure communication system, and a storage medium, and mainly aims to solve the problems that security of a key for encrypting a message by using an SSL/TLS protocol scheme cannot be guaranteed, and the key cannot be effectively managed and controlled when a large number of clients exist.
According to a first aspect of the present application, there is provided a data transmission method applied to a secure communication system, where the secure communication system includes a first client, a second client, a proxy server, and an authentication center, the method includes:
the first client generates a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme;
the first client encrypts the first session key by using the first exclusive public key to obtain a second session key;
the first client sends the second session key and the first message ciphertext to the proxy server;
the authentication center responds to a process key request sent by the proxy server, generates a process key according to a session key of the client and sends the process key to the proxy server;
the authentication center encrypts a third session key of the second client by using the exclusive private key to obtain a fourth session key, and sends the fourth session key to the proxy server;
the proxy server encrypts the first message ciphertext by using the process key to obtain a second message ciphertext;
the proxy server sends the second message ciphertext, the fourth session key and the process key to the second client;
the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
and the second client decrypts the second message ciphertext by using the second exclusive public key, the fourth session key and the process key to obtain the target message.
Optionally, before the first client generates the first exclusive public key according to the private key of the first client and the public key corresponding to the preset theme, the method further includes:
the authentication center responds to the equipment registration request, and obtains the equipment identification, the equipment attribute and the equipment theme of the target equipment in the equipment registration request;
the authentication center registers the target equipment according to the equipment identification, the equipment attribute and the equipment theme;
the authentication center generates a public and private key pair and a signature key pair corresponding to the target equipment by using a preset key generation algorithm according to the equipment theme;
the authentication center determines an equipment identification code corresponding to the target client according to the signature key pair;
and loading the device identification, the device attribute, the device theme, the device identification code, the signature key pair and the public and private key pair to the target device.
Optionally, before the first client generates the first exclusive public key according to the private key of the first client and the public key corresponding to the preset theme, the method further includes:
the first client responds to the data transmission request, and acquires data content, a preset theme and transmission time which are included in the data transmission request;
a first client acquires a signature key corresponding to the first client;
the first client generates a target message according to the data content, the preset theme, the transmission time and the signature key pair;
the first client generates a first session key by using a preset key derivation function;
the first client encrypts the target message by using the first session key to obtain a first message ciphertext.
Optionally, the step of the authentication center responding to the process key request sent by the proxy server, generating the process key according to the session key of the client, and sending the process key to the proxy server specifically includes:
the authentication center responds to a process key request sent by the proxy server and acquires a preset theme included in the request;
the authentication center generates an exclusive private key corresponding to a first exclusive public key of the first client according to the public key of the first client and a private key corresponding to a preset theme;
the authentication center decrypts the second session key sent by the proxy server by using the exclusive private key to obtain a first session key;
the authentication center generates a third session key corresponding to the second client according to a preset theme;
and the authentication center generates a process key according to the first session key and the third session key and sends the process key to the proxy server.
Optionally, the step of decrypting, by the second client, the second message ciphertext by using the second exclusive public key, the fourth session key, and the process key to obtain the target message includes:
the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
the second client decrypts the fourth session key by using the second exclusive public key to obtain a third session key;
the second client decrypts the second message ciphertext by using the process key to obtain a first message ciphertext;
and the second client decrypts the first message ciphertext by using the third session key to obtain the target message.
Optionally, after the second client decrypts the second message ciphertext by using the second exclusive public key, the fourth session key, and the process key to obtain the target message, the method further includes:
the second client verifies the transmission time and the signature key pair in the target message respectively;
when the transmission time and the signature key pair pass the verification, the second client receives the data content in the target message;
and when any one of the transmission time or the signature key pair is not verified, the second client refuses to receive the data content in the target message.
According to a second aspect of the present application, there is provided a data transmission apparatus applied to a secure communication system, wherein the secure communication system includes a first client, a second client, a proxy server and an authentication center, the apparatus includes:
the first generation module is used for the first client to generate a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme;
the second generation module is used for the first client to encrypt the first session key by using the first exclusive public key to obtain a second session key;
the sending module is used for sending the second session key and the first message ciphertext to the proxy server by the first client;
the third generation module is used for responding to the process key request sent by the proxy server by the authentication center and generating a process key according to the session key of the client;
the sending module is also used for sending the process key to the proxy server by the authentication center;
the fourth generation module is used for encrypting the third session key of the second client by the authentication center by using the exclusive private key to obtain a fourth session key;
the sending module is also used for sending the fourth session key to the proxy server by the authentication center;
the fifth generation module is used for encrypting the first message ciphertext by using the process key by the proxy server to obtain a second message ciphertext;
the sending module is further used for sending the second message ciphertext, the fourth session key and the process key to the second client by the proxy server;
the sixth generating module is used for the second client to generate a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
and the seventh generation module is used for decrypting the second message ciphertext by the second client by using the second exclusive public key, the fourth session key and the process key to obtain the target message.
Optionally, the apparatus further comprises:
the first acquisition module is used for responding to the equipment registration request by the authentication center, and acquiring the equipment identification, the equipment attribute and the equipment theme of the target equipment in the equipment registration request;
the registration module is used for registering the target equipment by the authentication center according to the equipment identification, the equipment attribute and the equipment theme;
the eighth generation module is used for generating a public and private key pair and a signature key pair corresponding to the target equipment by the authentication center according to the equipment theme by using a preset key generation algorithm;
the determining module is used for determining the equipment identification code corresponding to the target client by the authentication center according to the signature key pair;
and the loading module is used for loading the equipment identifier, the equipment attribute, the equipment theme, the equipment identification code, the signature key pair and the public and private key pair to the target equipment.
Optionally, the apparatus further comprises:
the second acquisition module is used for responding to the data transmission request by the first client, and acquiring data content, preset theme and transmission time included in the data transmission request;
the third acquisition module is used for the first client to acquire the signature key corresponding to the first client;
a ninth generating module, configured to generate, by the first client, a target message according to the data content, the preset topic, the transmission time, and the signature key pair;
a tenth generating module, configured to generate, by the first client, the first session key using the preset key derivation function;
and the eleventh generating module is used for encrypting the target message by the first client by using the first session key to obtain a first message ciphertext.
Optionally, the third generating module is specifically configured to:
the authentication center responds to a process key request sent by the proxy server and acquires a preset theme included in the request;
the authentication center generates an exclusive private key corresponding to a first exclusive public key of the first client according to the public key of the first client and a private key corresponding to a preset theme;
the authentication center decrypts the second session key sent by the proxy server by using the exclusive private key to obtain a first session key;
the authentication center generates a third session key corresponding to the second client according to a preset theme;
the authentication center generates a process key according to the first session key and the third session key, and sends the process key to the proxy server
Optionally, the seventh generating module is specifically configured to:
the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
the second client decrypts the fourth session key by using the second exclusive public key to obtain a third session key;
the second client decrypts the second message ciphertext by using the process key to obtain a first message ciphertext;
and the second client decrypts the first message ciphertext by using the third session key to obtain the target message.
Optionally, the apparatus further comprises:
the verification module is used for verifying the transmission time and the signature key pair in the target message by the second client side respectively;
the receiving module is used for receiving the data content in the target message by the second client when the transmission time and the signature key pair are verified;
and the rejection module is used for rejecting and receiving the data content in the target message by the second client when any one of the transmission time or the signature key pair is not verified.
According to a third aspect of the present application, there is provided a secure communication system including the data transmission method of the first aspect.
Optionally, the secure communication system further comprises:
the first client is used for issuing messages, the first client is in communication connection with the authentication center, and the first client is in communication connection with the proxy server;
the second client is used for receiving the subscribed message of the theme, and the second client is in communication connection with the proxy server;
a proxy server;
and (4) an authentication center.
According to a fourth aspect of the present application, there is provided a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to implement the steps of the data transmission method according to any one of the first aspect when executed.
By means of the technical scheme, the data transmission method, the data transmission device, the secure communication system and the storage medium provided by the application encrypt the original message by using the own session key at the issuer side, and encrypt the session key by using the own exclusive public key at the same time. The method comprises the steps that a process key is generated at an authentication center according to session keys of a publisher end and a subscriber end, after a proxy server obtains the process key from the authentication center, a message ciphertext is encrypted for the second time by the process key, so that the proxy server cannot push out the session key when only knowing the process key, and the session key is encrypted and decrypted by using an exclusive public and private key on the basis of an application process key, so that on one hand, in the data transmission process, the key and the message are encrypted, an attacker can only obtain the encrypted message and the session key and cannot obtain the plaintext of the message, and the corresponding message cannot be subjected to operations such as eavesdropping, leakage and the like, thereby solving the safety problem when the message is stored and processed in a plaintext form at the proxy end and improving the safety of data transmission; on the other hand, an extra handshake process is not needed to be added to negotiate a key as in the SSL/TLS scheme, so that the problem of overhead possibly caused by extra network round trip in the SSL/TLS scheme is solved, the burden on a client in communication is avoided, the portability of Internet of things communication is improved, and a better compromise effect of the MQTT protocol between a performance index and data security is achieved.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flowchart illustrating a data transmission method provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram illustrating a data transmission apparatus according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating an authentication center provided in an embodiment of the present application;
fig. 4 shows a schematic structural diagram of a secure communication system provided in an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present application provides a data transmission method, as shown in fig. 1, the method includes:
101. the first client generates a first exclusive public key according to the private key of the first client and the public key corresponding to the preset theme.
In this step, each client itself has a pair of public and private keys, and the authentication center manages the pair of public and private keys with the granularity of subject. Before forwarding the message to the subscriber end each time, the first client, that is, the publisher end generates a first exclusive public key of the first client according to the public key of the first client and a private key corresponding to a preset theme, and the first exclusive public key is used for encrypting the session key.
102. And the first client encrypts the first session key by using the first exclusive public key to obtain a second session key.
In this step, the issuer side encrypts the first session key using the first exclusive public key to obtain the second session key. The first session key is a session key used by the first client to encrypt the original message before issuing the message.
Through the method, the first client generates the exclusive public key to encrypt the session key, and the security of the client for controlling the session key is improved.
103. And the first client sends the second session key and the first message ciphertext to the proxy server.
In this step, the first client sends the encrypted second session key and the encrypted first message ciphertext to the proxy server, where it is to be noted that the encrypted first message ciphertext refers to a message that is transmitted by the publisher to the subscriber.
Through the mode, on one hand, the data is in an encrypted state before transmission, so that an attacker is difficult to obtain the original text of the message, and the data transmission safety is improved; on the other hand, additional handshake flow similar to the SSL/TLS scheme is not needed to negotiate the subsequent symmetric key, and burden on the client in the data transmission process is avoided.
104. The authentication center responds to the process key request sent by the proxy server, generates a process key according to the session key of the client and sends the process key to the proxy server.
In this step, after the first client message is processed, the generated message cipher text and the encrypted session key are sent to the proxy server. And after receiving the message, the proxy server sends a process key request to the authentication center. And then, the authentication center responds to the request sent by the proxy server, generates a process key through the session key of the client, and sends the generated process key to the proxy server. It should be noted that the session key of the client refers to the session key of the first client and the session key of the second client.
Optionally, before generating the process key, the authentication center needs to decrypt the encrypted second session key transmitted by the proxy server by using the exclusive private key to obtain the first session key of the publisher, and then randomly generate the third session key of the subscriber. And finally, generating a process key according to the first session key and the third session key, and sending the process key to the proxy server.
In a specific embodiment, taking exclusive-or encryption as an example, if the first session key of the publisher is known to be "11010", and the third session key of the subscriber side randomly generated by the authentication center is "00100", then the generated process key is "11110" which is the result of exclusive-or of the two session keys.
105. And the authentication center encrypts the third session key of the second client by using the exclusive private key to obtain a fourth session key, and sends the fourth session key to the proxy server.
In the step, the authentication center adds the third session key of the second client by using the exclusive private key to generate a fourth session key, and sends the fourth session key to the proxy server to prevent the proxy server from obtaining the unencrypted session key.
It should be noted that the exclusive private key is an exclusive private key generated by the authentication center according to the public and private keys with the topic as the granularity to encrypt and decrypt the encrypted session key.
106. And the proxy server encrypts the first message ciphertext by using the process key to obtain a second message ciphertext.
107. And the proxy server sends the second message ciphertext, the fourth session key and the process key to the second client.
In step 106 and step 107, the proxy server uses the acquired process key to perform secondary encryption on the first message ciphertext transmitted by both the first client and the second client, so as to obtain a new second message ciphertext. And then, the proxy server forwards the processed second message ciphertext, the fourth session key and the process key to the second client.
By the method, the proxy server cannot release the session key of the publisher or the subscriber under the condition that only the process key is known, so that the problem that the message is stored and processed in a plaintext form in the proxy server is solved, and the safety of data transmission is improved.
108. And the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme.
109. And the second client decrypts the second message ciphertext by using the second exclusive public key and the fourth session key to obtain the target message.
In this step, after receiving the second message ciphertext secondarily encrypted by the proxy server, the second client generates a corresponding second exclusive public key by using its own private key and the public key of the corresponding topic. And then, the subscriber end decrypts the fourth session key by using the second exclusive public key to obtain a third session key. And then, decrypting the second message ciphertext through the decryption of the third session key to obtain the original target message.
By the above mode, the subscriber can decrypt the secondarily encrypted information after receiving the secondarily encrypted information to obtain the original information, and the integrity of the whole issuing and forwarding process is ensured. Further, before the subscriber decrypts the message, the message and the key are always in an encrypted state, and on the premise that the session key of the subscriber is not leaked, an attacker is difficult to acquire the original text of the message, so that the security of data transmission is ensured.
The data transmission method provided by the embodiment of the application, specifically, the MQTT protocol is used as a lightweight communication protocol, and has the characteristics of low communication overhead, unreliable network adaptability and the like, so that the MQTT protocol is widely applied to the field of the internet of things at present. However, since the MQTT protocol was originally designed in a private network environment, the focus is more on the lightweight of distribution of messages, rather than the security during some message processing or transmission processes, and there is no other security guarantee measure except for authentication by means of user name and password. In the rapid development of the field of the internet of things, corresponding potential safety hazards and problems are gradually highlighted along with the increase of the number of users. At present, the common methods for ensuring the security of data transmission are SSL/TLS protocol schemes and the emerging AugPAKE protocol scheme. The SSL/TLS protocol negotiates a symmetric key for encrypting data subsequently through an additional handshake process to ensure security of data transmission. However, as more and more message brokers are deployed to the server, given that a message broker is hacked, since messages are stored in the clear at the broker server, a large number of clear messages are likely to be revealed and tampered with. In addition, the SSL/TLS protocol adds a handshake procedure for negotiating a subsequent symmetric key, that is, adds two additional round trips of information, which may cause a burden on a client in communication, especially a client in communication, when network conditions are congested. Further, the AugPAKE protocol scheme is a simplified version of the SSL/TLS scheme, and it is actually to put the authentication steps of the SSL/TLS scheme offline, and this is not suitable for the scenario where a large number of clients exist, in order to ensure that the secure client and the proxy server need to perform authentication online. Based on the above problem, the present application proposes to encrypt the original message by using its own session key at the issuer side, and to encrypt the session key by using its own exclusive public key at the same time. The method comprises the steps that a process key is generated at an authentication center according to session keys of a publisher end and a subscriber end, after a proxy server acquires the process key from the authentication center, a message ciphertext is encrypted for the second time by the process key, so that the proxy server cannot push out the session key when only knowing the process key, and the session key is encrypted and decrypted by using an exclusive public and private key on the basis of an application process key, so that on one hand, in the data transmission process, the key and the message are encrypted, an attacker can only acquire the encrypted message and the session key and cannot obtain the plaintext of the message, and the corresponding message cannot be eavesdropped, leaked and the like, so that the safety problem when the message is stored and processed in a plaintext form at the proxy end is solved, and the security of the key is improved; on the other hand, an extra handshake process is not needed to be added to negotiate a key as in the SSL/TLS scheme, so that the problem of overhead possibly caused by extra network round trip in the SSL/TLS scheme is solved, the burden on a client in communication is avoided, the portability of Internet of things communication is improved, and a better compromise effect of the MQTT protocol between a performance index and data security is achieved.
Further, as a refinement and an extension of the specific implementation of the foregoing embodiment, in order to fully describe the specific implementation process of the embodiment, an embodiment of the present application provides another data transmission method, which includes:
201. the authentication center responds to the equipment registration request, and obtains the equipment identification, the equipment attribute and the equipment theme of the target equipment in the equipment registration request.
202. And the authentication center registers the equipment according to the equipment identification, the equipment attribute and the equipment theme.
In step 201 and step 202, the user registers the device with the authentication center through the client, and the authentication center responds to the device registration request and obtains the device identifier, the device attribute and the device theme included in the registration request. Wherein, the device identification refers to a physical address of the device; a device attribute means that the device is a publisher or subscriber; the device topic refers to a topic published or subscribed by the device in the MQTT communication. And then, the authentication center registers the equipment according to the acquired equipment identification, equipment attribute and equipment theme.
203. And the authentication center generates a public and private key pair and a signature key pair corresponding to the target equipment by using a preset key generation algorithm according to the equipment theme.
204. And the authentication center determines the equipment identification code corresponding to the target client according to the signature key pair.
After the registration is successful in step 203 and step 204, the authentication center uses a preset key generation algorithm to generate a public-private key pair and a signature key pair for verifying device signature information for the device. Further, a universally unique identification code corresponding to the target device is uniformly generated by the authentication center, and the device identification code is set to serve as a signature public key for verifying device signature information.
205. And loading the device identification, the device attribute, the device theme, the device identification code, the signature key pair and the public and private key pair to the target device.
In this step, the parameter information of the device identifier, the device attribute, and the device theme generated by the authentication center, and the device identification code, the device signature key pair, and the device public and private key pair are loaded into the target device through the secure channel.
Through the steps, the target equipment is registered, so that the publisher side and the subscriber side respectively obtain a public and private key pair and a signature key pair. When each client needs to release or decrypt the message on a certain theme, the used key is generated and managed by the authentication center, so that the client does not need to manage and control a large number of keys.
206. The first client responds to the data transmission request, and obtains data content, preset theme and transmission time included in the data transmission request.
207. The first client side obtains a signature key corresponding to the first client side.
208. And the first client generates a target message according to the data content, the preset theme, the transmission time and the signature key.
209. The first client generates a first session key by using a preset key derivation function.
210. The first client encrypts the target message by using the first session key to obtain a first message ciphertext.
In steps 206 to 210, the first client obtains the data content to be transmitted, the preset device theme and the transmission time of the transmission data in response to the data transmission request, and takes the transmission time as the timestamp. When each client side is registered, a corresponding signature key is generated, the signature key corresponding to the publisher side is obtained, and then the target message is generated according to the data content, the preset theme, the timestamp and the signature key as a message main body. Further, the publisher sends out a function by using a preset key to generate a first session key, and encrypts the target message by using the first session key to obtain an encrypted first message ciphertext.
Through the method, the publisher terminal encrypts the original message by using the first session key before publishing the message to the proxy server, so that the message is in an encrypted state before transmission, and an attacker is difficult to acquire the original text of the message. Further, if the issuer requests the session key, the authentication center generates and returns the session key, the security of the session key in transmission cannot be guaranteed, and an attacker can easily acquire or tamper with the information that the issuer wants to issue after intercepting the session key, which can have a serious impact on data transmission.
In a specific embodiment, the issuer side generates the first session Key using a KDF (Key derivation function). Specifically, the function may be triggered by using a timer or a counter, and in a timer triggering mode, the function is periodically generated according to a preset session key generation period; in the counter trigger mode, key generation is performed according to the number of times of encryption of the restricted session key. Further, the original message to be issued is encrypted by using the first session key, and a first message ciphertext is generated. The message theme of the original message is { T, UUID, M, T, sig }, wherein T is a preset theme corresponding to the published message, UUID is a uniform identifier obtained by a publisher end after registration, M is main body information which can be used for bearing the published message resource, namely data content, T is a transmission timestamp, and sig is a signature key. Further, the issuer end generates an exclusive public key, encrypts the first session key, and then encrypts the target message by using the first session key pre-generated by the issuer in an AES symmetric encryption mode to obtain a first message ciphertext.
211. The first client generates a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme.
212. And the first client encrypts the first session key by using the first exclusive public key to obtain a second session key.
213. And the first client sends the second session key and the first message ciphertext to the proxy server.
In steps 211 to 213, each client has a pair of public and private keys, and the authentication center manages the pair of public and private keys with the granularity of theme. Before forwarding a message to a subscriber end each time, a first client end, namely a publisher end generates a first exclusive public key of the first client end according to a public key of the first client end and a private key corresponding to a preset theme, and the publisher end encrypts a first session key by using the first exclusive public key to obtain a second session key. Further, the publisher side sends the encrypted second session key and the encrypted first message ciphertext to the proxy server.
Through the mode, on one hand, the data is in an encrypted state before transmission, so that an attacker is difficult to obtain the original text of the message, and the data transmission safety is improved; on the other hand, additional handshake flow similar to the SSL/TLS scheme is not needed to negotiate the subsequent symmetric key, and burden on the client in the data transmission process is avoided.
214. The authentication center responds to a process key request sent by the proxy server, and obtains a preset theme included in the request.
215. The authentication center generates an exclusive private key corresponding to the first exclusive public key of the first client according to the public key of the first client and the private key corresponding to the preset theme.
216. And the authentication center decrypts the second session key sent by the proxy server by using the exclusive private key to obtain the first session key.
217. And the authentication center generates a third session key corresponding to the second client according to the preset theme.
218. And the authentication center generates a process key according to the first session key and the third session key and sends the process key to the proxy server.
219. And the authentication center encrypts a third session key of the second client by using the exclusive private key to obtain a fourth session key and sends the fourth session key to the proxy server.
In steps 214 through 218, the proxy server requests a process key from the authentication center, which determines the preset topic for publication in response to the request. The authentication center generates an exclusive private key corresponding to the first exclusive public key of the issuer according to the public key of the issuer and the private key corresponding to the preset theme, and then decrypts the second session key of the issuer transmitted from the proxy server by using the exclusive private key to obtain the first session key of the issuer. Further, the authentication center randomly generates a third session key of the subscriber end about the preset topic, and then generates a process key according to the newly generated third session key of the subscriber end and the first session key of the publisher end. Further, the authentication center encrypts the third session key of the subscriber end by using the generated exclusive private key, so as to obtain an encrypted fourth session key. Thereafter, the procedure key and the fourth session key are sent to the proxy server.
Through the method, the authentication center uses the session keys of the related publisher end and the subscriber end to generate the process key according to the request of the proxy server, so that the subsequent proxy server uses the process key to perform secondary encryption processing on the first message ciphertext. Furthermore, the session key of the subscriber end is encrypted by using the related exclusive private key, so that the proxy server is prevented from obtaining the unencrypted session key, and the security of data transmission is ensured.
220. And the proxy server encrypts the first message ciphertext by using the process key to obtain a second message ciphertext.
221. And the proxy server sends the second message ciphertext, the fourth session key and the process key to the second client.
In step 220 and step 221, when forwarding a message to the subscriber end each time, the proxy server performs secondary encryption on the first message ciphertext transmitted by the publisher end by using the obtained process key to obtain a new second message ciphertext, and then forwards the processed second message ciphertext, the fourth session key, and the process key to the subscriber end.
By the above mode, on the premise that the proxy server only knows the process key, the session key of the publisher side or the subscriber side cannot be reversely pushed out, so that the original message cannot be obtained through decryption, the problems that a large amount of plaintext messages are leaked and tampered under the condition that the proxy server is not trusted are solved, and the safety of the message in the aspect of storage is ensured.
222. And the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme.
223. And the second client decrypts the fourth session key by using the second exclusive public key to obtain a third session key.
In step 222 and step 223, the second client, that is, the subscriber generates a second exclusive public key according to its own private key and the public key corresponding to the preset theme, and decrypts the received fourth session key by using the generated second exclusive public key to obtain a third session key.
224. And the second client decrypts the second message ciphertext by using the process key to obtain the first message ciphertext.
225. And the second client decrypts the first message ciphertext by using the third session key to obtain the target message.
In this step, after receiving the second message ciphertext encrypted twice sent by the proxy server, the subscriber side decrypts the encrypted second message ciphertext by using the process key to obtain the first message ciphertext, and then decrypts the first message ciphertext by using the third session key of the subscriber side to obtain the message original text.
226. And the second client verifies the transmission time and the signature key pair in the target message respectively.
227. And when the transmission time and the signature key pair are verified, the second client receives the data content in the target message.
228. And when either the transmission time or the signature key pair is not verified, the second client refuses to receive the data content in the target message.
In steps 224 to 228, after the subscriber decrypts the target message, the transmission time in the target message is checked first, if the transmission time is checked to be passed, the signature key in the target message is verified continuously, and if the transmission time and the signature key are both verified to be passed, the subscriber receives the data resource in the message body, otherwise, the target message is rejected.
Through the mode, the target message is verified, and the data is received only when the transmission time and the signature key pass the verification, so that the accuracy of receiving the message by the subscriber is improved.
In a specific embodiment, an embodiment of the present application provides a data transmission method, and specifically, a user registers a device with an authentication center through a client, where registering content includes: device identification, e.g. physical address, device attributes, i.e. publish/subscribe, device topic, i.e. the device publishes/subscribes to the topic in MQTT communications.
Further, after the successful registration, the authentication center uses a preset key generation algorithm to generate a public and private key pair and a signature key pair for the target device. The device universal unique identification code is uniformly generated by the authentication center and serves as a signature public key for verifying device signature information. After the process, the publisher end can obtain the public and private key pair and the signature key pair, and the subscriber end can obtain the public and private key pair and the signature key pair.
Further, after successful registration, the user must load the target device with the system parameters, device identification code, device signing key pair and device public-private key pair generated by the certificate authority through a secure channel, such as manual embedding, device security firmware or secure storage using a device trusted platform module.
Further, the publisher generates the first session key using a preset key derivation function. Wherein the algorithm function may be triggered using a timer or counter. Specifically, in a timer triggering mode, the first session key is periodically generated according to a set life cycle of the first session key; in the counter triggering mode, key generation is performed according to the limited encryption times of the first session key.
Further, the issuer generates a first exclusive public key, and encrypts the first session key by using the first exclusive public key.
Further, the original message is encrypted by using the first session key generated by the publisher side, and the published message is sent to the proxy server.
Further, the proxy server requests the process key from the certificate authority, and the certificate authority generates the process key in response to the proxy. Specifically, the second session key transmitted from the proxy server needs to be decrypted by using the exclusive private key to obtain the first session key of the issuer. Then, a third session key of the subscriber side about the specific topic is randomly generated. And then, generating a process key according to the newly generated third session key of the subscriber end and the first session key of the publisher end.
Further, the third session key of the subscriber side is encrypted by using an exclusive private key of the related subject, so as to prevent the proxy server from obtaining the unencrypted third session key. And finally, returning the generated process key and the encrypted fourth session key of the subscriber to the proxy server.
Further, the proxy server encrypts the first message ciphertext for the second time through the process key. And the proxy server forwards the message to the subscriber end so as to forward the message ciphertext subjected to the secondary encryption and the encrypted fourth session key to the subscriber end.
Further, the session key used by the subscriber end to decrypt the message cipher text is included in the data forwarded by the proxy server. And the subscriber end firstly decrypts the fourth session key by using the second exclusive public key of the subscriber end, simultaneously decrypts by using the process key to obtain a ciphertext main body, and finally decrypts the ciphertext main body by using the session key to obtain the message main body.
Further, after the main message is decrypted, the subscriber end first checks the timestamp. If the timestamp passes the verification, the subscriber side continuously verifies the signature key of the message body, and if the verification passes, the subscriber side accepts the data resource in the message body, otherwise, the message is rejected.
Specifically, the following three keys are mainly used in the embodiment of the present application:
first, session key: the symmetric key is used by the client and used for encrypting and decrypting the message. The publisher side encrypts the original message using its session key before publishing the message, and the subscriber side eventually decrypts the encrypted message using its session key. The session key of the publisher side is generated by the publisher side, and the session key of the subscriber side is generated by the authentication center. It can be seen that, since the message is encrypted before being transmitted and forwarded, an additional handshake process is not required to be performed to negotiate a subsequent symmetric key, as in the SSL/TLS scheme, which also solves the overhead problem that the SSL/TLS scheme requires additional network round-trip.
Second, process key: the authentication center uses the session keys of the related publisher end and the subscriber end to generate a process key so that the proxy server uses the process key to perform secondary encryption processing on a message ciphertext. The encrypted data is still the ciphertext message, and finally the subscriber end can directly decrypt the ciphertext message by using the session key of the subscriber end to obtain the original message. So that the proxy server cannot back-derive only the publisher-side or subscriber-side session keys from the process keys. The problem that messages which cannot be solved by an SSL/TLS scheme are stored and processed in a plaintext mode at the proxy end is solved.
Third, monopolizing public and private keys: the key belongs to an asymmetric key, is generated by a publisher end, a subscriber end and an authentication center, and is used for encrypting and decrypting a session key used by the publisher end and the subscriber end. The exclusive public and private keys are mainly used for solving the problem of session key management and control and the problem of security of the session key when a large number of clients exist in a scheme without security authentication.
According to the data transmission method provided by the embodiment of the application, the process key is set, so that the proxy server can directly use the process key to perform secondary encryption on the message ciphertext transmitted by the publisher side on the premise that the plaintext message cannot be known. The proxy server can not deduce the content of the original message only from the existing process key and message ciphertext calculation, so that an attacker has no way to do so, and the security of data transmission is ensured. Further, in order to solve the problem of key management and control and the security problem of the key, which may exist in a large number, the client no longer requests the session key from the authentication center, the authentication center only generates and manages a public and private key pair with a theme as granularity, and a final exclusive public and private key pair is generated by the public and private key of the client and the public and private key of the authentication center on the theme for encrypting and decrypting the session key of the client.
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present application provides a data transmission apparatus 200, which is applied to a secure communication system, where the secure communication system includes a first client, a second client, a proxy server, and an authentication center, and as shown in fig. 2, the apparatus includes:
a generating module 201, configured to generate, by a first client, a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme;
the generating module 201 is further configured to encrypt the first session key by the first client using the first exclusive public key to obtain a second session key;
a sending module 202, configured to send the second session key and the first message ciphertext to the proxy server by the first client;
the generating module 201 is further configured to, in response to the process key request sent by the proxy server, the authentication center generates a process key according to the session key of the client;
the sending module 202 is further configured to send the process key to the proxy server by the authentication center;
the generating module 201 is further configured to encrypt, by the authentication center, the third session key of the second client by using the exclusive private key, so as to obtain a fourth session key;
the sending module 202 is further configured to send the fourth session key to the proxy server by the authentication center;
the generating module 201 is further configured to encrypt the first message ciphertext by using the process key by the proxy server to obtain a second message ciphertext;
the sending module 202 is further configured to send the second message ciphertext, the fourth session key, and the process key to the second client by the proxy server;
the generating module 201 is further configured to generate, by the second client, a second exclusive public key according to a private key of the second client and a public key corresponding to the preset theme;
the generating module 201 is further configured to decrypt the second message ciphertext by using the second exclusive public key, the fourth session key, and the process key by the second client, so as to obtain the target message.
Optionally, the apparatus further comprises:
the obtaining module 203, configured to, in response to the device registration request, the authentication center obtain a device identifier, a device attribute, and a device theme of the target device included in the device registration request;
the registration module 204 is used for registering the target equipment by the authentication center according to the equipment identifier, the equipment attribute and the equipment theme;
the generating module 201 is further configured to generate, by the authentication center, a public and private key pair and a signature key pair corresponding to the target device by using a preset key generating algorithm according to the device theme;
a determining module 205, configured to determine, by the authentication center, an equipment identifier corresponding to the target client according to the signature key pair;
a loading module 206, configured to load the device identifier, the device attribute, the device theme, the device identifier, the signature key pair, and the public-private key pair to the target device.
Optionally, the apparatus further comprises:
the obtaining module 203 is further configured to, in response to the data transmission request, the first client obtain data content, a preset theme, and transmission time included in the data transmission request;
the obtaining module 203 is further configured to obtain, by the first client, a signature key corresponding to the first client;
the generating module 201 is further configured to generate, by the first client, a target message according to the data content, the preset topic, the transmission time, and the signature key pair;
the generating module 201 is further configured to generate a first session key by the first client using a preset key derivation function;
the generating module 201 is further configured to encrypt the target message by the first client using the first session key to obtain a first message ciphertext.
Optionally, the generating module 201 is specifically configured to:
the authentication center responds to a process key request sent by the proxy server and acquires a preset theme included in the request;
the authentication center generates an exclusive private key corresponding to a first exclusive public key of the first client according to the public key of the first client and a private key corresponding to a preset theme;
the authentication center decrypts the second session key sent by the proxy server by using the exclusive private key to obtain a first session key;
the authentication center generates a third session key corresponding to the second client according to a preset theme;
the authentication center generates a process key according to the first session key and the third session key, and sends the process key to the proxy server
Optionally, the generating module 201 is specifically configured to:
the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
the second client decrypts the fourth session key by using the second exclusive public key to obtain a third session key;
the second client decrypts the second message ciphertext by using the process key to obtain a first message ciphertext;
and the second client decrypts the first message ciphertext by using the third session key to obtain the target message.
Optionally, the apparatus further comprises:
the verification module 207 is configured to verify the transmission time and the signature key pair in the target message by the second client, respectively;
a receiving module 208, configured to receive, by the second client, the data content in the target message when both the transmission time and the signature key pair pass verification;
a rejecting module 209, configured to reject to receive the data content in the target message when any one of the transmission time or the signature key pair is not verified.
The data transmission apparatus 200 according to the embodiment of the present application encrypts the original message by using its own session key at the issuer side, and encrypts the session key by using its own exclusive public key. The method comprises the steps that a process key is generated at an authentication center according to session keys of a publisher end and a subscriber end, after a proxy server acquires the process key from the authentication center, a message ciphertext is encrypted for the second time by the process key, so that the proxy server cannot push out the session key when only knowing the process key, and the session key is encrypted and decrypted by using an exclusive public and private key on the basis of an application process key, so that on one hand, in the data transmission process, the key and the message are encrypted, an attacker can only acquire the encrypted message and the session key and cannot obtain the plaintext of the message, and the corresponding message cannot be eavesdropped, leaked and the like, so that the safety problem when the message is stored and processed in a plaintext form at the proxy end is solved, and the security of the key is improved; on the other hand, an extra handshake process is not needed to be added to negotiate a key as in the SSL/TLS scheme, so that the problem of overhead possibly caused by extra network round trip in the SSL/TLS scheme is solved, the burden on a client in communication is avoided, the portability of Internet of things communication is improved, and a better compromise effect of the MQTT protocol between a performance index and data security is achieved.
According to an embodiment of the present invention, a secure communication system is provided, which includes the above data transmission method.
In this embodiment of the application, optionally, the secure communication system further includes: the first client is used for issuing messages, the first client is in communication connection with the authentication center, and the first client is in communication connection with the proxy server; the second client is used for receiving the subscribed message of the theme, and the second client is in communication connection with the proxy server; a proxy server; and (4) an authentication center.
In this embodiment, a secure communication system includes a first client, a second client, a proxy server, and an authentication center. It should be noted that the first client is a client that issues a message; the second client is a client for receiving the subscribed messages on the theme; the proxy server is a server with a message storage and processing function; the authentication center is a trusted third-party organization with a message security authentication function.
Specifically, the first client is a client that issues a message, and generates an exclusive public key by itself, and generates a session key by itself. The data sent to the proxy server is divided into two parts: a message encrypted by a session key, and a session key encrypted by an exclusive public key. Because the message is in an encrypted state before transmission, an attacker is difficult to acquire the original text of the message on the premise that the session key is not leaked.
Further, the second client is a client that receives messages on the subscribed topic. The second client decrypts the session key by using the exclusive public key forwarded by the proxy server, and then decrypts the ciphertext by using the session key obtained by decryption to obtain the original message. Similar to the first client, before the proxy server forwards the data, the message is still in an encrypted state, and on the premise that the session key is not leaked, an attacker is difficult to obtain the original text of the message.
Further, when the message is forwarded to the second client, the proxy server uses the acquired process key to encrypt the message ciphertext transmitted by the first client for the second time to obtain a new ciphertext, and forwards the new ciphertext to the second client, and then carries the session key which belongs to the second client and is encrypted by the exclusive public and private key. The proxy server cannot derive the session key of the first client or the second client, which improves the problem of storing and processing the message in plaintext form at the proxy.
Further, as shown in fig. 3, the certificate authority mainly includes a registration management center, a key generation center, and a database. The publish/subscribe device registers with the authentication center through the client, and after the registration is successful, a key generation center of the authentication center generates a public and private key pair and a signature key pair for each device. The authentication center matches according to the registered attribute and theme of the device, generates process keys for each pair of publisher-subscriber peers, and sends the process keys to the proxy server, and at the same time, encrypts and decrypts the session key of the client by using the generated exclusive public and private key.
Alternatively, as shown in fig. 4, the communication flow between the first client and the proxy server is one-way, i.e. from the first client to the proxy server, since the session key is randomly generated by the first client, an attacker cannot steal the encryption key. In the transmission process, the key and the message are encrypted, an attacker can only obtain the encrypted message and the encrypted message key and cannot obtain the plaintext of the message, and the corresponding message cannot be intercepted, leaked and the like. This also ensures the security of the data during transmission.
Further, as shown in fig. 4, the communication between the proxy server and the authentication center is bidirectional, and the request and response process of the process key is mainly performed between the proxy server and the authentication center, and because the proxy server and the authentication center do not have the problems of hardware limitations of the client under the environment of the internet of things, such as memory and computing capability limitations, the communication between the proxy server and the authentication center can be completely solved by the existing scheme, i.e., the SSL/TLS protocol scheme. Due to the use of the SSL/TLS protocol scheme, the corresponding attack means can not be effective. In addition, even if the proxy server is invaded, because the data transmitted in the whole communication process is encrypted, an attacker can only obtain the process key returned by the authentication center and the encrypted session key of the subscriber end, and as for the process key, the encryption key of the publisher end or the subscriber end cannot be independently pushed out through the process key, so the attacker cannot decrypt the original message through the process key. For the encrypted session key of the subscriber side, the encrypted session key needs to be decrypted by first obtaining the exclusive public key generated by the subscriber side, and the process needs to use the private key of the subscriber side, but the private key of the subscriber side is unique, so that the security of data in the aspect of storage and processing is ensured.
Further, as shown in fig. 4, the communication between the proxy server and the second client is also unidirectional, and the proxy server forwards and pushes the message cipher text and the encrypted session key to the corresponding second client. In the transmission process, the session key and the corresponding message ciphertext are in an encrypted state, an attacker cannot independently deduce the corresponding plaintext according to the ciphertext, and can only indirectly obtain the plaintext content by cracking the encryption key. And the session key is encrypted through a related exclusive private key, and only the second client can calculate and derive the corresponding exclusive public key. Therefore, an attacker cannot acquire the original plaintext message content, and the safety of data transmission is guaranteed.
According to an embodiment of the present invention, a storage medium is provided, where the storage medium stores at least one executable instruction, and the computer executable instruction can execute the data transmission method in any method embodiment.
Through the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by hardware, and can also be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, or the like), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, or the like) to execute the method described in the implementation scenarios of the present application.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application.
Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial number is merely for description and does not represent the superiority and inferiority of the implementation scenario.
The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A data transmission method is applied to a secure communication system, wherein the secure communication system comprises a first client, a second client, a proxy server and an authentication center, and the method comprises the following steps:
the first client generates a first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme;
the first client encrypts a first session key by using the first exclusive public key to obtain a second session key;
the first client sends the second session key and a first message ciphertext to the proxy server;
the authentication center responds to a process key request sent by the proxy server, generates a process key according to a session key of a client and sends the process key to the proxy server;
the authentication center encrypts a third session key of the second client by using an exclusive private key to obtain a fourth session key, and sends the fourth session key to the proxy server;
the proxy server encrypts the first message ciphertext by using the process key to obtain a second message ciphertext;
the proxy server sends the second message ciphertext, the fourth session key and the process key to the second client;
the second client generates a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
and the second client decrypts the second message ciphertext by using the second exclusive public key, the fourth session key and the process key to obtain a target message.
2. The data transmission method according to claim 1, wherein before the first client generates the first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme, the method further comprises:
the authentication center responds to the equipment registration request, and obtains the equipment identification, the equipment attribute and the equipment theme of the target equipment in the equipment registration request;
the authentication center registers the target equipment according to the equipment identification, the equipment attribute and the equipment theme;
the authentication center generates a public and private key pair and a signature key pair corresponding to the target equipment by using a preset key generation algorithm according to the equipment theme;
the authentication center determines an equipment identification code corresponding to the target client according to the signature key pair;
loading the device identification, the device attributes, the device theme, the device identification code, the signature key pair, and the public-private key pair to the target device.
3. The data transmission method according to claim 1, wherein before the first client generates the first exclusive public key according to a private key of the first client and a public key corresponding to a preset theme, the method further comprises:
the first client responds to a data transmission request, and acquires data content, a preset theme and transmission time which are included in the data transmission request;
the first client acquires a signature key corresponding to the first client;
the first client generates the target message according to data content, a preset theme, transmission time and a signature key pair;
the first client generates the first session key by using a preset key derivation function;
and the first client encrypts the target message by using the first session key to obtain the first message ciphertext.
4. The data transmission method according to claim 1, wherein the step of the authentication center generating a process key according to a session key of a client in response to a process key request sent by the proxy server, and sending the process key to the proxy server specifically includes:
the authentication center responds to a process key request sent by the proxy server and acquires a preset theme included in the request;
the authentication center generates an exclusive private key corresponding to the first exclusive public key of the first client according to a public key of the first client and a private key corresponding to a preset theme;
the authentication center decrypts the second session key sent by the proxy server by using the exclusive private key to obtain the first session key;
the authentication center generates the third session key corresponding to the second client according to the preset theme;
and the authentication center generates the process key according to the first session key and the third session key and sends the process key to the proxy server.
5. The data transmission method according to claim 1, wherein the step of decrypting, by the second client, the second message ciphertext by using the second exclusive public key, the fourth session key, and the process key to obtain the target message specifically includes:
the second client generates a second exclusive public key according to a private key of the second client and a public key corresponding to a preset theme;
the second client decrypts the fourth session key by using the second exclusive public key to obtain the third session key;
the second client decrypts the second message ciphertext by using the process key to obtain the first message ciphertext;
and the second client decrypts the first message ciphertext by using the third session key to obtain the target message.
6. The data transmission method according to claim 1, wherein after the second client decrypts the second message ciphertext using the second exclusive public key, the fourth session key, and the process key to obtain a target message, the method further includes:
the second client side verifies the transmission time and the signature key pair in the target message respectively;
when the transmission time and the signature key pair are verified, the second client receives the data content in the target message;
and when any one of the transmission time or the signature key pair is not verified, the second client refuses to receive the data content in the target message.
7. A data transmission apparatus, applied to a secure communication system, wherein the secure communication system includes a first client, a second client, a proxy server and an authentication center, the apparatus comprising:
the first generation module is used for generating a first exclusive public key by the first client according to a private key of the first client and a public key corresponding to a preset theme;
a second generation module, configured to encrypt the first session key by using the first exclusive public key by the first client, to obtain a second session key;
a sending module, configured to send, by the first client, the second session key and the first message ciphertext to the proxy server;
a third generation module, configured to, in response to the process key request sent by the proxy server, the authentication center generates a process key according to a session key of the client;
the sending module is further configured to send the process key to the proxy server by the authentication center;
the fourth generation module is used for encrypting the third session key of the second client by the authentication center by using the exclusive private key to obtain a fourth session key;
the sending module is further configured to send, by the authentication center, the fourth session key to the proxy server;
a fifth generation module, configured to encrypt the first message ciphertext by using the process key by the proxy server to obtain a second message ciphertext;
the sending module is further configured to send, by the proxy server, the second message ciphertext, the fourth session key, and the process key to the second client;
the sixth generation module is used for the second client to generate a second exclusive public key according to the private key of the second client and the public key corresponding to the preset theme;
and a seventh generating module, configured to decrypt, by the second client, the second message ciphertext using the second exclusive public key, the fourth session key, and the process key, to obtain a target message.
8. A secure communication system, comprising:
the data transmission method according to any one of claims 1-6.
9. The secure communications system of claim 8, further comprising:
the first client is used for issuing messages, the first client is in communication connection with the authentication center, and the first client is in communication connection with the proxy server;
the second client is used for receiving the subscribed message of the theme, and the second client is in communication connection with the proxy server;
the proxy server;
the authentication center.
10. A storage medium having stored therein at least one executable instruction that causes a processor to perform operations corresponding to the data transfer method of any one of claims 1-6.
CN202211174096.4A 2022-09-26 2022-09-26 Data transmission method, device, safety communication system and storage medium Pending CN115766066A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211174096.4A CN115766066A (en) 2022-09-26 2022-09-26 Data transmission method, device, safety communication system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211174096.4A CN115766066A (en) 2022-09-26 2022-09-26 Data transmission method, device, safety communication system and storage medium

Publications (1)

Publication Number Publication Date
CN115766066A true CN115766066A (en) 2023-03-07

Family

ID=85351972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211174096.4A Pending CN115766066A (en) 2022-09-26 2022-09-26 Data transmission method, device, safety communication system and storage medium

Country Status (1)

Country Link
CN (1) CN115766066A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116112152A (en) * 2023-04-11 2023-05-12 广东徐工汉云工业互联网有限公司 Data sharing security encryption method and device across enterprise network
CN116405327A (en) * 2023-06-08 2023-07-07 天津市津能工程管理有限公司 Data processing method and device, electronic equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116112152A (en) * 2023-04-11 2023-05-12 广东徐工汉云工业互联网有限公司 Data sharing security encryption method and device across enterprise network
CN116112152B (en) * 2023-04-11 2023-06-02 广东徐工汉云工业互联网有限公司 Data sharing security encryption method and device across enterprise network
CN116405327A (en) * 2023-06-08 2023-07-07 天津市津能工程管理有限公司 Data processing method and device, electronic equipment and storage medium
CN116405327B (en) * 2023-06-08 2023-08-22 天津市津能工程管理有限公司 Data processing method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
JP7011646B2 (en) Methods and systems for data security based on quantum communication and trusted computing
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
US11799656B2 (en) Security authentication method and device
CN110380852B (en) Bidirectional authentication method and communication system
CN107040369B (en) Data transmission method, device and system
CN111756529B (en) Quantum session key distribution method and system
EP3170282B1 (en) Data distributing over network to user devices
CN106941404B (en) Key protection method and device
CN115766066A (en) Data transmission method, device, safety communication system and storage medium
EP3673610B1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN112532580B (en) Data transmission method and system based on block chain and proxy re-encryption
CN110493272B (en) Communication method and communication system using multiple keys
US11528127B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN109547413B (en) Access control method of convertible data cloud storage with data source authentication
US8006249B2 (en) Method of implementing a state tracking mechanism in a communications session between a server and a client system
CN114499837B (en) Message leakage prevention method, device, system and equipment
CN110581829A (en) Communication method and device
CN115766119A (en) Communication method, communication apparatus, communication system, and storage medium
CN113918971A (en) Block chain based message transmission method, device, equipment and readable storage medium
KR101595056B1 (en) System and method for data sharing of intercloud enviroment
Singh et al. Handshake Comparison Between TLS V 1.2 and TLS V 1.3 Protocol
US12010216B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
WO2023103099A1 (en) Control method and system for message storage processing and security authentication, and medium
US20230041783A1 (en) Provision of digital content via a communication network
US11743293B2 (en) Remote attestation transport layer security and split trust encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination