CN115801388B - Message transmission method, device and storage medium - Google Patents


Info

Publication number
CN115801388B
Authority
CN
China
Prior art keywords
message
master key
module
security
access gateway
Prior art date
Legal status
Active
Application number
CN202211415448.0A
Other languages
Chinese (zh)
Other versions
CN115801388A (en)
Inventor
彭成智
陈浩然
符刚
Current Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Priority date
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN202211415448.0A
Publication of CN115801388A
Application granted
Publication of CN115801388B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a message transmission method, a message transmission device and a storage medium, which relate to the technical field of communication and are used for ensuring the safety of data between a safety system and a special server. The method comprises the following steps: establishing a transmission channel between a secure access terminal module and a secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through the secure chip and the second system; negotiating a key with a security access gateway through a transmission channel to determine a session master key; encrypting a data message to be transmitted according to a session master key, and determining a first encrypted message; and sending the first encrypted message to the security access gateway through the transmission channel. The embodiment of the application is applied to the message transmission process.

Description

Message transmission method, device and storage medium

Technical Field

The present application relates to the field of communications, and in particular to a message transmission method, device and storage medium.

Background

A dual-system terminal includes a secure system and a non-secure system. The secure system is used to connect to a dedicated enterprise server, improving the security of the transmitted information; the non-secure system is an open system that serves the user's everyday needs for life and entertainment on the terminal. A security chip is placed between the secure system and the non-secure system of the dual-system terminal, which prevents the non-secure system from illegitimately obtaining information held in the secure system.

However, when the secure system communicates with the dedicated enterprise server, the messages it sends have to pass through the non-secure system and the public network, so there is a risk that the non-secure system or the public network illegitimately intercepts them, which creates a security risk for the communication between the secure system and the dedicated enterprise server. How to ensure the security of data between the secure system and the dedicated server is therefore a problem still to be solved.

Summary of the Invention

The present application provides a message transmission method, device and storage medium, used to ensure the security of data between a secure system and a dedicated server.

To achieve the above objective, the present application adopts the following technical solutions:

In a first aspect, the present application provides a message transmission method applied to a secure access terminal module. The secure access terminal module is a module in a first system of a user terminal; the user terminal includes the first system and a second system; the first system is a system encrypted according to the secure access terminal module, the second system is an unencrypted system, and the first system and the second system are connected through a security chip. The method includes: the secure access terminal module establishes a transmission channel between the secure access terminal module and a secure access gateway, where the secure access gateway is an access gateway in the enterprise intranet accessed by the user terminal, and the transmission channel connects the secure access terminal module and the secure access gateway through the security chip and the second system; the secure access terminal module negotiates a key with the secure access gateway through the transmission channel to determine a session master key; the secure access terminal module encrypts a data message to be transmitted according to the session master key to determine a first encrypted message; and the secure access terminal module sends the first encrypted message to the secure access gateway through the transmission channel.

With reference to the first aspect, in one possible implementation the method further includes: obtaining the data message to be transmitted; sending first indication information to an external encryption module, the first indication information being used to instruct the external encryption module to report the session master key; and receiving the session master key from the external encryption module.

With reference to the first aspect, in one possible implementation, the external encryption module is an encryption module externally connected to the user terminal, and the external encryption module communicates with the user terminal through national-cryptography (国密) OpenVPN.

With reference to the first aspect, in one possible implementation the method further includes: sending second indication information to the external encryption module, the second indication information being used to instruct the external encryption module to generate the session master key from a pre-made certificate and a pre-master key, where the pre-master key is generated by the external encryption module and the external encryption module stores the pre-made certificate.

With reference to the first aspect, in one possible implementation the method further includes: in the handshake phase, determining the security parameters selected by the secure access gateway, the security parameters including at least one of a session identifier, a pre-made certificate, a compression algorithm, a cipher specification, a session master key and a reuse identifier; and encrypting the data message to be transmitted according to the security parameters to determine the first encrypted message.

In a second aspect, an embodiment of the present application provides a message transmission device that includes a communication unit and a processing unit. The processing unit is used to establish a transmission channel between a secure access terminal module and a secure access gateway, where the secure access gateway is an access gateway in the enterprise intranet accessed by the user terminal, and the transmission channel connects the secure access terminal module and the secure access gateway through a security chip and a second system; the processing unit is further used to negotiate a key with the secure access gateway through the transmission channel to determine a session master key; the processing unit is further used to encrypt a data message to be transmitted according to the session master key to determine a first encrypted message; and the communication unit is used to send the first encrypted message to the secure access gateway through the transmission channel.

With reference to the second aspect, in one possible implementation, the processing unit is further used to obtain the data message to be transmitted; the communication unit is further used to send first indication information to an external encryption module, the first indication information being used to instruct the external encryption module to report the session master key; and the communication unit is further used to receive the session master key from the external encryption module.

With reference to the second aspect, in one possible implementation, the external encryption module is an encryption module externally connected to the user terminal, and the external encryption module communicates with the user terminal through national-cryptography (国密) OpenVPN.

With reference to the second aspect, in one possible implementation, the communication unit is further used to send second indication information to the external encryption module, the second indication information being used to instruct the external encryption module to generate the session master key from a pre-made certificate and a pre-master key, where the pre-master key is generated by the external encryption module and the external encryption module stores the pre-made certificate.

With reference to the second aspect, in one possible implementation, the processing unit is further used to determine, in the handshake phase, the security parameters selected by the secure access gateway, the security parameters including at least one of a session identifier, a pre-made certificate, a compression algorithm, a cipher specification, a session master key and a reuse identifier; and the processing unit is further used to encrypt the data message to be transmitted according to the security parameters to determine the first encrypted message.

In a third aspect, an embodiment of the present application provides a message transmission device that includes a processor and a memory. The memory is used to store computer-executable instructions, and when the message transmission device runs, the processor executes the computer-executable instructions stored in the memory so that the message transmission device performs the message transmission method described in any possible implementation of the first aspect.

In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium that stores instructions. When the instructions in the computer-readable storage medium are executed by a processor of a message transmission device, the message transmission device is enabled to perform the message transmission method described in any possible implementation of the first aspect.

These and other aspects of the present application will become clearer and easier to understand in the following description.

The above solution brings at least the following beneficial effects. In the embodiments of the present application, while the secure access terminal module communicates with the secure access gateway, the secure access terminal module negotiates a key with the secure access gateway through the transmission channel to determine a session master key. The secure access terminal can then encrypt a message with the session master key to obtain a first encrypted message. Because the session master key is obtained by negotiation between the secure access terminal module and the secure access gateway, the two use the same session master key, so the secure access gateway can decrypt the first encrypted message it receives. Even if the second system (the non-secure system) or the public network obtains the first encrypted message, they cannot obtain the session master key and therefore cannot obtain the information in the first encrypted message. The present application can thus ensure the security of data between the first system (the secure system) and the dedicated server.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

FIG. 1 is a schematic structural diagram of a message transmission device provided in an embodiment of the present application;

FIG. 2 is a schematic structural diagram of a message transmission device provided in an embodiment of the present application;

FIG. 3 is a flow chart of a message transmission method provided in an embodiment of the present application;

FIG. 4 is a flow chart of yet another message transmission method provided in an embodiment of the present application;

FIG. 5 is a schematic diagram comparing a dedicated virtual network card with a physical network card, provided in an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a message transmission device provided in an embodiment of the present application;

FIG. 7 is a flow chart of a message transmission method provided in an embodiment of the present application;

FIG. 8 is a flow chart of another message transmission method provided in an embodiment of the present application;

FIG. 9 is a schematic structural diagram of yet another message transmission device provided in an embodiment of the present application.

Detailed Description

The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" can mean that A exists alone, that A and B exist together, or that B exists alone.

The terms "first", "second" and the like in the specification and drawings of the present application are used to distinguish different objects, or different processing of the same object, and not to describe a particular order of objects.

In addition, the terms "including" and "having" and any variations thereof in the description of the present application are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or other steps or units inherent to such processes, methods, products or devices.

It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of such words is intended to present the relevant concepts in a concrete way.

In the description of the present application, unless otherwise stated, "a plurality" means two or more.

The technical solutions of the embodiments of the present application can be used in various communication systems, which may be a third generation partnership project (3GPP) communication system, such as a long term evolution (LTE) system, a 5G mobile communication system, an NR system or a new-radio vehicle-to-everything (NR V2X) system; may be applied in a hybrid LTE and 5G network; may be a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, the Internet of Things (IoT) or other next-generation communication systems; or may be a non-3GPP communication system, without limitation.

The technical solutions of the embodiments of the present application can be applied to various communication scenarios, for example one or more of the following: enhanced mobile broadband (eMBB), ultra-reliable low-latency communication (URLLC), machine-type communication (MTC), massive machine-type communications (mMTC), SA, D2D, V2X, IoT and other communication scenarios.

The communication systems and scenarios listed above as applicable to the present application are examples only; the applicable communication systems and scenarios are not limited to them. This is stated here once and not repeated below.

In some embodiments, the terminal device involved in the present application may be a device for implementing communication functions. A terminal device may also be called user equipment (UE), a terminal, an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a remote station, a remote terminal, a mobile terminal (MT), a user terminal, a wireless communication device, a user agent or a user apparatus. The terminal device may be, for example, a wireless or wired terminal in IoT, V2X, D2D, M2M, a 5G network or a future evolved public land mobile network (PLMN). A wireless terminal is a device with wireless transceiver functions; it may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on ships) or in the air (for example on aircraft, balloons and satellites).

By way of example, the terminal device may be a drone, an IoT device (for example a sensor, an electricity meter or a water meter), a V2X device, a station (ST) in a wireless local area network (WLAN), a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device (also called a wearable smart device), a tablet computer or a computer with wireless transceiver capability, a virtual reality (VR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a vehicle-mounted terminal, a vehicle with vehicle-to-vehicle (V2V) communication capability, an intelligent connected vehicle, a drone with UAV-to-UAV (U2U) communication capability, and so on. The terminal may be mobile or fixed; the present application does not specifically limit this.

In order to implement the message transmission method provided in the embodiments of the present application, the embodiments provide a message transmission device for executing that method; FIG. 1 is a schematic structural diagram of such a device. As shown in FIG. 1, the message transmission device 100 includes at least one processor 101, a communication line 102 and at least one communication interface 104, and may further include a memory 103. The processor 101, the memory 103 and the communication interface 104 can be connected through the communication line 102.

The processor 101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).

The communication line 102 may include a path for transferring information between the above components.

The communication interface 104 is used to communicate with other devices or communication networks and may be any transceiver-type device, such as Ethernet, a radio access network (RAN) or WLAN.

The memory 103 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.

In one possible design, the memory 103 may exist independently of the processor 101, that is, the memory 103 may be external to the processor 101; in that case the memory 103 can be connected to the processor 101 through the communication line 102 and is used to store execution instructions or application program code, whose execution is controlled by the processor 101 to implement the message transmission method provided in the following embodiments of the present application. In another possible design, the memory 103 may be integrated with the processor 101, that is, the memory 103 may be internal memory of the processor 101, for example a cache used to temporarily hold some data and instruction information.

As one possible implementation, the processor 101 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 1. As another possible implementation, the message transmission device 100 may include multiple processors, such as the processor 101 and the processor 107 in FIG. 1. As yet another possible implementation, the message transmission device 100 may further include an output device 105 and an input device 106.

In the prior art, when the secure system in a dual-system terminal communicates with the dedicated enterprise server, the messages sent by the secure system have to pass through the non-secure system of the dual-system terminal and the public network, so there is a risk that the non-secure system or the public network illegitimately intercepts them, which creates a security risk for the communication between the secure system and the dedicated enterprise server.

To solve the technical problem in the related art, in the embodiments of the present application the secure access terminal module, while communicating with the secure access gateway, negotiates a key with the secure access gateway through the transmission channel to determine a session master key. The secure access terminal can then encrypt a message with the session master key to obtain a first encrypted message. Because the session master key is obtained by negotiation between the secure access terminal module and the secure access gateway, the two use the same session master key, so the secure access gateway can decrypt the first encrypted message it receives. Even if the non-secure system or the public network obtains the first encrypted message, they cannot obtain the session master key and therefore cannot obtain the information in it. The present application thus ensures the security of data between the secure system and the dedicated server.
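The negotiate-then-encrypt flow stated in the first aspect and restated in the paragraph above can be modelled end to end. The Go program below is an added example written for this page, not code from the patent or its assignees. It assumes ephemeral ECDH on P-256 as the pre-master key agreement, HKDF-SHA256 for deriving the session master key, and AES-256-GCM as the record cipher; the patent itself leaves the cipher specification to the handshake and routes the channel through a 国密 OpenVPN link with an external encryption module holding a pre-made certificate, none of which is reproduced here. `Party`, `Negotiate`, `Seal`, `Open` and `RunSession` are names chosen for the example, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Party is one endpoint (secure access terminal module or secure access gateway);
// its ECDH private key is fresh per session and never leaves the Party.
type Party struct {
	priv      *ecdh.PrivateKey
	masterKey []byte      // the negotiated session master key
	rec       cipher.AEAD // record cipher keyed from masterKey
}

func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Hello is the only handshake material that crosses the transmission channel.
func (p *Party) Hello() []byte { return p.priv.PublicKey().Bytes() }

// hkdf32 is HKDF-SHA256 (RFC 5869) extract+expand for one 32-byte output block.
func hkdf32(salt, ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// Negotiate turns the peer's Hello into the session master key and keys the
// record cipher from it. The ECDH shared secret plays the pre-master key; AES-GCM
// is a constructed stand-in for whatever cipher spec the gateway selects.
func (p *Party) Negotiate(peerHello []byte) error {
	peerPub, err := ecdh.P256().NewPublicKey(peerHello)
	if err != nil {
		return err
	}
	premaster, err := p.priv.ECDH(peerPub)
	if err != nil {
		return err
	}
	p.masterKey = hkdf32(nil, premaster, []byte("session master key"))
	block, err := aes.NewCipher(hkdf32(nil, p.masterKey, []byte("record key")))
	if err != nil {
		return err
	}
	p.rec, err = cipher.NewGCM(block)
	return err
}

// seqAAD encodes the sequence number; it is the variable part of the GCM nonce and
// is also authenticated, so a record cannot be replayed under another number.
func seqAAD(seq uint64) []byte { return binary.BigEndian.AppendUint64(nil, seq) }

// Seal produces the "first encrypted message" for one data message.
func (p *Party) Seal(seq uint64, msg []byte) []byte {
	aad := seqAAD(seq)
	return p.rec.Seal(nil, append(make([]byte, 4), aad...), msg, aad)
}

// Open is the gateway side; any modification in transit makes it fail.
func (p *Party) Open(seq uint64, ct []byte) ([]byte, error) {
	aad := seqAAD(seq)
	return p.rec.Open(nil, append(make([]byte, 4), aad...), ct, aad)
}

// RunSession runs the handshake and sends one data message, returning the gateway's
// decryption plus every byte string that crossed the channel.
func RunSession(msg []byte) ([]byte, [][]byte, error) {
	term, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	gw, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	if err := term.Negotiate(gw.Hello()); err != nil {
		return nil, nil, err
	}
	if err := gw.Negotiate(term.Hello()); err != nil {
		return nil, nil, err
	}
	ct := term.Seal(1, msg) // sample message flows terminal -> gateway
	decrypted, err := gw.Open(1, ct)
	return decrypted, [][]byte{term.Hello(), gw.Hello(), ct}, err
}
```

`RunSession` hands back every byte string that crossed the channel together with the gateway's decryption, so a caller can confirm that the plaintext of the data message is never among them, which is the property the paragraph above claims against the second system and the public network. Two points follow from the stand-in: because the sequence number is authenticated, a record altered in transit or replayed under a different sequence number is rejected by `Open`; and because no certificate is checked, the example gives confidentiality against a passive observer only. The pre-made certificate the patent places in the external encryption module is what would be needed to authenticate the gateway against an active intermediary on the channel.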

A message transmission system provided in an embodiment of the present application is described in detail below with reference to FIG. 2. As shown in FIG. 2, the message transmission system includes a first system 201, a second system 202, a security chip 203 and an enterprise intranet 204.

The first system 201 is a system encrypted by means of the secure access terminal module and is used to establish an encrypted connection with the enterprise intranet 204; the second system 202 is an unencrypted system and serves the user's everyday needs for the user terminal, such as daily life and entertainment; the enterprise intranet 204 is used to secure communication between enterprise employees.

The first system 201 includes an application module 2011, a dedicated virtual network card module 2012, a secure access terminal module 2013, a cryptographic daemon module 2014, an external encryption module 2015 and a transmission service module 2016.

The application module 2011 is configured to receive a user's operation instruction and generate third indication information according to it; the third indication information instructs the dedicated virtual network card module 2012 to generate a data message to be transmitted. The application module 2011 includes World Wide Web (WEB) applications and industry applications; the third indication information includes a Packet Internet Groper (PING) instruction.

The dedicated virtual network card module 2012 is configured to receive the third indication information from the application module 2011 and generate the data message to be transmitted according to it. The dedicated virtual network card module 2012 provides a seamless connection between the first system 201 and the application module 2011 without any modification of the application module 2011, the kernel of the first system 201 or the network protocol stack, which reduces the work of the staff.

The secure access terminal module 2013 is configured to encrypt the data message to be transmitted with the received session master key to determine a first encrypted message, and to send the first encrypted message to the transmission service module 2016.

The cryptographic daemon module 2014 is configured to connect the secure access terminal module 2013 and the external encryption module 2015.

The external encryption module 2015 is configured to receive second indication information sent by the secure access terminal module 2013; the second indication information instructs the external encryption module to generate the session master key from a preset certificate and a pre-master key. The external encryption module 2015 includes an SM (Chinese national cryptographic algorithm) SD card.

The second system 202 includes a transmission service module 2021.

The transmission service module 2021 is configured to receive, through the security chip 203, the first encrypted message sent by the transmission service module 2016 of the first system 201, and to forward the first encrypted message to the enterprise intranet 204.

The security chip 203 is disposed between the first system 201 and the second system 202 and isolates the communication data of the two systems from each other.

The enterprise intranet 204 includes a secure access gateway 2041.

The secure access gateway 2041 is configured to establish a transmission channel with the secure access terminal module 2013, to negotiate and compute the session master key, and to receive and decrypt the first encrypted message.

The enterprise intranet 204 further includes an enterprise address book module 2042, an enterprise internal video and conference module 2043, a remote mobile office application 2044 and other network applications 2045. The enterprise address book module 2042 stores the contact details of each enterprise employee; the enterprise internal video and conference module 2043 lets employees transmit internal video and hold network conferences within the intranet; the remote mobile office application 2044 lets employees establish a remote wireless connection to the secure access gateway 2041 from a terminal; the other network applications 2045 serve employees' other network needs.

An embodiment of the present application provides a message transmission method that can be applied to the message transmission system shown in FIG. 2. As shown in FIG. 3, the message transmission method includes the following steps.

S301: The secure access terminal module establishes a transmission channel between itself and the secure access gateway.

The secure access terminal module is a module in the first system of the user terminal, and the user terminal includes the first system and the second system; the first system is a system encrypted by means of the secure access terminal module, the second system is an unencrypted system, and the two systems are connected through a security chip.

Optionally, the second system is an open system.

For example, the second system is an Android system.

S302: The secure access terminal module negotiates a key with the secure access gateway through the transmission channel to determine a session master key.

Optionally, before S302, the secure access terminal module and the secure access gateway may first authenticate each other, and negotiate the session master key only after the authentication has succeeded.

The mutual authentication between the secure access terminal module and the secure access gateway proceeds as follows: the secure access terminal module sends its certificate to the secure access gateway, which verifies the identity of the secure access terminal module; the secure access gateway sends its certificate to the secure access terminal module, which verifies the identity of the secure access gateway.

S303: The secure access terminal module encrypts the data message to be transmitted with the session master key to determine a first encrypted message.

In a possible implementation, the secure access terminal module encrypts the data message to be transmitted according to the session master key and the cipher specification (cipher algorithm) negotiated with the secure access gateway to determine the first encrypted message.

S304: The secure access terminal module sends the first encrypted message to the secure access gateway through the transmission channel.

In a possible implementation, the secure access terminal module sends the first encrypted message to the secure access gateway through the transmission channel so that the secure access gateway can decrypt it with the session master key.

The above scheme brings at least the following beneficial effects. In the embodiment, during communication between the secure access terminal module and the secure access gateway, the secure access terminal module negotiates a key with the secure access gateway through the transmission channel to determine the session master key. The secure access terminal can then encrypt a message with the session master key to obtain the first encrypted message. Since the session master key is obtained by negotiation between the secure access terminal module and the secure access gateway, both sides hold the same session master key, and the secure access gateway can therefore decrypt the first encrypted message it receives. Even if the second system or the public network obtains the first encrypted message, it cannot recover the information in it, because it cannot obtain the session master key. The present application can therefore ensure the security of data exchanged between the first system and the dedicated server.

In a possible implementation, before S303 the secure access terminal module obtains the data message to be transmitted and the session master key. That process is described below.

With reference to FIG. 3, and as shown in FIG. 4, the process by which the secure access terminal module obtains the data message to be transmitted and the session master key can be implemented through the following S401 to S403.

S401: The secure access terminal module obtains the data message to be transmitted.

In a possible implementation, the secure access terminal module obtains the data message to be transmitted from the dedicated virtual network card.

Optionally, the dedicated virtual network card is a kernel-mode program in the first system that connects the applications (APPs) on the terminal with the secure access terminal module in the first system, so that the user sends the data message to be transmitted to the secure access terminal module through an APP. Because the first system includes the virtual network card, an APP on the terminal can communicate directly with the secure access gateway through the virtual network card in the first system, with no adaptation of the APP on the user terminal or of the underlying communication module of the first system, which saves resources.

It should be noted that, with reference to FIG. 4 and as shown in FIG. 5, a kernel-mode physical network card receives the third indication information from a user-mode APP through the network protocol stack, generates the data message to be transmitted according to it, and forwards that message to the physical network. A kernel-mode virtual network card likewise receives the third indication information from the user-mode APP through the network protocol stack, generates the data message to be transmitted according to it, and forwards that message to an application program. Since the first system has no physical network card, a virtual network card is provided in the first system to take over the function of the physical network card. For example, the virtual network card driver program communicates with the network protocol stack.

S402: The secure access terminal module sends first indication information to the external encryption module.

The first indication information instructs the external encryption module to report the session master key. The external encryption module is an encryption module attached externally to the user terminal and communicates with the user terminal through an SM-based virtual private channel (OpenVPN, OPN).

Optionally, the external encryption module is an SM secure digital memory card (SD card), and it can provide cryptographic capabilities to the secure access terminal module.

In a possible implementation, the secure access terminal module sends the first indication information to the external encryption module through the cryptographic daemon module, so that the external encryption module computes the session master key from the relevant information.

Optionally, the cryptographic daemon module is an interface for connecting to the external encryption module.

S403: The secure access terminal module receives the session master key from the external encryption module.

In a possible implementation, the secure access terminal module stores the session master key so that subsequent data messages to be transmitted can be encrypted with it.

In another possible implementation, with reference to FIG. 4 and as shown in FIG. 6, the secure access module includes an SM SSL protocol module and a communication module. The SM SSL protocol is used to establish the transmission channel and to negotiate the session master key. The secure access module receives the data message to be transmitted from the virtual network card, and receives the session master key of the SM SD card through the cryptographic daemon module. The secure access module then encrypts the data message with the session master key to determine the first encrypted message, and sends it to the transmission service module through the communication module. The transmission service module carries the information exchanged between the secure access module and the secure access gateway.

The above scheme brings at least the following beneficial effects. In the embodiment, the secure access terminal module retrieves the session master key from the external encryption module, avoiding the resources that would be spent if the secure access terminal module had to compute the session master key itself. Moreover, in the embodiment only the external encryption module is modified; the modification is simple, the module is easy to detach, and no change to the interior of the terminal is needed.

With reference to FIG. 3, and as shown in FIG. 7, the process in which the secure access terminal module negotiates a key with the secure access gateway through the transmission channel to determine the session master key can be implemented through the following S701.

S701: The secure access terminal module sends second indication information to the external encryption module.

The second indication information instructs the external encryption module to generate the session master key from the preset certificate and the pre-master key.

The pre-master key is generated by the external encryption module, and the external encryption module stores the preset certificate.

It should be noted that after the secure access terminal module receives the Server Key Exchange message from the secure access gateway, it sends a request message to the external encryption module. The request message requests the pre-master key and the preset certificate; the Server Key Exchange message requests the pre-master key. The secure access terminal module sends the pre-master key and the preset certificate to the secure access gateway so that the gateway can generate a decryption session master key from them. Since the secure access gateway and the external encryption module use the same parameters (the preset certificate and the pre-master key), the session master key generated by the external encryption module is identical to the decryption session master key generated by the secure access gateway, so the gateway can decrypt the first encrypted message with it. Optionally, the preset certificate includes a certificate authority (CA) certificate, which the external encryption module downloads from the CA system.

It should be pointed out that after the external encryption module has generated the session master key according to the second indication information, it can report the session master key to the secure access terminal module in response to the first indication information, or it can report the session master key to the secure access terminal module on its own initiative.

The above scheme brings at least the following beneficial effects. In the embodiment, because the secure access terminal module sends the second indication information to the external encryption module, the external encryption module can generate the session master key according to it, which avoids the computing resources the secure access terminal module would otherwise spend computing the session master key itself.

With reference to FIG. 3, and as shown in FIG. 8, the process of encrypting the data message to be transmitted with the session master key to determine the first encrypted message can be implemented through the following S801 to S802.

S801: In the handshake phase, the secure access terminal module determines the security parameters selected by the secure access gateway.

The security parameters include at least one of the following: a session identifier, a preset certificate, a compression algorithm, a cipher specification, a session master key and a reuse identifier.

It should be noted that the session identifier is an arbitrary byte sequence chosen by the secure access gateway to identify an active or resumable session; the reuse identifier indicates whether a new connection may be initiated using this session.

Optionally, in the handshake phase, the secure access terminal module sends a Client Hello message to the secure access gateway. The Client Hello message includes a session identifier, compression algorithms and cipher specifications. The secure access gateway replies to the secure access terminal module with a Server Hello message, which includes the session identifier, the compression algorithm and the cipher specification.

In a possible implementation, the secure access terminal module sends at least one compression algorithm and/or at least one cipher specification to the secure access gateway; the secure access gateway selects a first target compression algorithm and/or a first target cipher specification from them according to the selection algorithm it supports, and sends a first response message to the secure access terminal module containing the first target compression algorithm and/or the first target cipher specification.

For example, the first target compression algorithm is the compression algorithm in the Server Hello message, and the first target cipher specification is the cipher specification in the Server Hello message.

In another possible implementation, the secure access terminal module sends at least one compression algorithm and/or at least one cipher specification to the secure access gateway, arranged in order of priority; the secure access gateway selects, according to the selection algorithm it supports, the highest-priority second target compression algorithm from the at least one compression algorithm and the highest-priority second target cipher specification from the at least one cipher specification, and sends a second response message to the secure access terminal module containing the second target compression algorithm and/or the second target cipher specification.

For example, the second target compression algorithm is the compression algorithm in the Server Hello message, and the second target cipher specification is the cipher specification in the Server Hello message.
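The two selection rules described above (gateway preference in the first implementation, terminal priority order in the second), worked through as an added example. This is not the patent's code: the algorithm names, the 16-byte session identifier and the dictionary layout of the Client Hello and Server Hello are constructed assumptions.

```python
"""Handshake parameter selection (Client Hello -> Server Hello), added as an
illustration rather than code from the patent. Two selection rules from the
text are implemented: the gateway chooses from the offered lists by its own
preference, or it honours the terminal's priority order. The session
identifier is an arbitrary byte sequence chosen by the gateway. Algorithm
names and message layout are constructed placeholders."""
import os
from typing import Dict, List, Sequence


class HandshakeFailure(Exception):
    """No compression algorithm or cipher specification in common."""


def select_server_preference(offered: Sequence[str], supported: Sequence[str]) -> str:
    """First implementation: the gateway's own order decides."""
    for candidate in supported:
        if candidate in offered:
            return candidate
    raise HandshakeFailure(f"nothing in common: offered={list(offered)}")


def select_client_priority(offered: Sequence[str], supported: Sequence[str]) -> str:
    """Second implementation: the terminal's list is ordered by priority and the
    gateway takes the highest-priority entry it supports."""
    for candidate in offered:
        if candidate in supported:
            return candidate
    raise HandshakeFailure(f"nothing in common: offered={list(offered)}")


def server_hello(client_hello: Dict[str, List[str]], gateway: Dict[str, List[str]],
                 policy: str = "client_priority") -> Dict[str, object]:
    """Build the gateway's Server Hello: a fresh session identifier plus the single
    compression algorithm and cipher specification it selected."""
    pick = select_client_priority if policy == "client_priority" else select_server_preference
    return {
        "session_id": os.urandom(16),  # arbitrary byte sequence selected by the gateway
        "compression": pick(client_hello["compression"], gateway["compression"]),
        "cipher_spec": pick(client_hello["cipher_specs"], gateway["cipher_specs"]),
    }


def negotiation_fails(client_hello: Dict[str, List[str]], gateway: Dict[str, List[str]],
                      policy: str = "client_priority") -> bool:
    """True when the handshake is aborted for lack of a common parameter."""
    try:
        server_hello(client_hello, gateway, policy)
    except HandshakeFailure:
        return True
    return False


# Constructed sample: the terminal lists its offers in priority order; the
# gateway's lists are what it is willing to accept, in its own order.
CLIENT_HELLO = {
    "compression": ["null", "deflate"],
    "cipher_specs": ["SM4-GCM-SM3", "SM4-CBC-SM3", "RC4-MD5"],
}
GATEWAY = {
    "compression": ["null"],
    "cipher_specs": ["SM4-CBC-SM3", "SM4-GCM-SM3"],  # gateway itself prefers CBC
}
```

The gateway's supported list is the effective allow-list: anything the terminal offers that the gateway does not list (the constructed `RC4-MD5` entry above) can never be selected, and an empty intersection aborts the handshake rather than silently falling back. Whichever policy is used, the values chosen here are the security parameters that S802 later feeds into record protection.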

Optionally, the secure access terminal module sends the security parameters to the external encryption module.

S802: The secure access terminal module encrypts the data message to be transmitted according to the security parameters to determine the first encrypted message.

In a possible implementation, the secure access terminal module segments the data message to be transmitted into several sub-messages; compresses each sub-message separately with the compression algorithm to obtain compressed sub-messages; and encrypts each compressed sub-message according to the cipher specification and the session master key to obtain the first encrypted message.
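The key derivation of S701 (the external encryption module and the gateway computing the same session master key from the preset certificate and the pre-master key) and the segment, compress, encrypt pipeline of S802, worked through as one added example. This is not the patent's code: the HMAC-SHA256 PRF and the HMAC counter-mode stream cipher stand in for the negotiated cipher specification (an SM SSL deployment would use SM3/SM4), and the record layout, labels, fragment size and sample inputs are constructed assumptions.

```python
"""Session master key derivation and record protection, added as an example;
this is not code from the patent. The HMAC-SHA256 PRF and the HMAC-based
counter-mode stream cipher are stand-ins for the negotiated cipher
specification, chosen so the example runs on a bare Python install.
Field layout, labels and sizes are constructed assumptions."""
import hashlib
import hmac
import struct
import zlib

FRAGMENT_SIZE = 64   # constructed: small, so a short message yields several sub-messages
TAG_LEN = 32         # HMAC-SHA256 tag length


class IntegrityError(Exception):
    """A received record failed its tag or sequence-number check."""


def _prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_hash expansion using HMAC-SHA256."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def derive_session_master_key(pre_master_key: bytes, preset_certificate: bytes,
                              client_random: bytes, server_random: bytes) -> bytes:
    """The external encryption module and the gateway both run this over the same
    inputs, so they obtain the same 32-byte session master key. The preset
    certificate is bound in through its SHA-256 fingerprint."""
    fingerprint = hashlib.sha256(preset_certificate).digest()
    return _prf(pre_master_key, b"session master key",
                fingerprint + client_random + server_random, 32)


def _record_keys(master: bytes):
    """Separate encryption and MAC keys expanded from the session master key."""
    return _prf(master, b"enc key", b"", 32), _prf(master, b"mac key", b"", 32)


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream HMAC(enc_key, seq || block index); the per-record
    sequence number keeps it from being reused across records."""
    blocks = [hmac.new(enc_key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def fragment(data: bytes, size: int = FRAGMENT_SIZE) -> list:
    """Data segmentation: split the data message into sub-messages."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def protect_record(master: bytes, seq: int, sub_message: bytes) -> bytes:
    """Terminal side: compress, encrypt, then MAC one sub-message.
    Record layout: seq (8 bytes) || ciphertext || tag (32 bytes)."""
    enc_key, mac_key = _record_keys(master)
    compressed = zlib.compress(sub_message)
    ciphertext = bytes(x ^ k for x, k in zip(compressed, _keystream(enc_key, seq, len(compressed))))
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unprotect_record(master: bytes, expected_seq: int, record: bytes) -> bytes:
    """Gateway side: check the tag before touching the ciphertext, then decrypt
    and decompress; records must arrive in sequence order."""
    enc_key, mac_key = _record_keys(master)
    header, ciphertext, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
    expected_tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise IntegrityError("record tag mismatch")
    seq = struct.unpack(">Q", header)[0]
    if seq != expected_seq:
        raise IntegrityError(f"unexpected sequence number {seq}")
    compressed = bytes(x ^ k for x, k in zip(ciphertext, _keystream(enc_key, seq, len(ciphertext))))
    return zlib.decompress(compressed)


def encrypt_message(master: bytes, data: bytes) -> list:
    """The first encrypted message: one protected record per sub-message."""
    return [protect_record(master, seq, piece) for seq, piece in enumerate(fragment(data))]


def decrypt_message(master: bytes, records: list) -> bytes:
    return b"".join(unprotect_record(master, seq, rec) for seq, rec in enumerate(records))


def tamper_detected(master: bytes, records: list) -> bool:
    """Flip one ciphertext bit of the first record; the gateway must reject it."""
    damaged = bytearray(records[0])
    damaged[8] ^= 0x01
    try:
        unprotect_record(master, 0, bytes(damaged))
    except IntegrityError:
        return True
    return False


# Constructed demo inputs (not values from the patent).
PRE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 3)
PRESET_CERTIFICATE = b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
CLIENT_RANDOM, SERVER_RANDOM = bytes(range(32)), bytes(range(32, 64))
DATA_MESSAGE = b"PING request from the industry application on the first system. " * 4


def demo() -> bytes:
    """Terminal derives the key, protects the message; gateway derives the same key and recovers it."""
    terminal_key = derive_session_master_key(PRE_MASTER_KEY, PRESET_CERTIFICATE, CLIENT_RANDOM, SERVER_RANDOM)
    gateway_key = derive_session_master_key(PRE_MASTER_KEY, PRESET_CERTIFICATE, CLIENT_RANDOM, SERVER_RANDOM)
    assert terminal_key == gateway_key  # same parameters on both sides, same key
    return decrypt_message(gateway_key, encrypt_message(terminal_key, DATA_MESSAGE))
```

The gateway verifies the tag before decrypting or decompressing, so a modified record is rejected without ever reaching zlib, and a record decrypted under any other session master key fails in the same way. One caveat about the S802 order of operations: compressing before encrypting makes the ciphertext length depend on the plaintext content, which is why TLS 1.3 dropped record-layer compression; a deployment that keeps the compression step should at least not apply it to records that mix secrets with data the other party can influence.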

The above scheme brings at least the following beneficial effects. In the embodiment, the secure access terminal module performs key negotiation with the secure access gateway and obtains the security parameters. The secure access terminal can encrypt a message with the security parameters to obtain the first encrypted message. Since the session master key is obtained by negotiation between the secure access terminal module and the secure access gateway, both sides hold the same security parameters, and the secure access gateway can therefore decrypt the first encrypted message it receives. Even if the second system (the non-secure system) or the public network obtains the first encrypted message, it cannot recover the information in it, because it cannot obtain the security parameters. The present application can therefore ensure the security of data exchanged between the first system (the secure system) and the dedicated server.

It can be seen that the technical solution provided by the embodiments of the present application has been described above mainly from the perspective of the method. To realize the above functions, it includes hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the modules and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is executed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.

The embodiments of the present application can divide the message transmission apparatus into functional modules according to the above method examples; for example, each function may be assigned its own functional module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Optionally, the division of modules in the embodiments is illustrative and represents only a logical division of functions; other divisions are possible in actual implementation.

FIG. 9 is a schematic structural diagram of a message transmission apparatus 90 provided in an embodiment of the present application. The message transmission apparatus 90 includes a processing unit 901 and a communication unit 902.

The processing unit 901 is used to establish a transmission channel between the secure access terminal module and the secure access gateway, where the secure access gateway is an access gateway of the enterprise intranet accessed by the user terminal, and the transmission channel connects the secure access terminal module and the secure access gateway through the security chip and the second system; the processing unit 901 is further used to negotiate a key with the secure access gateway through the transmission channel to determine a session master key, and to encrypt the data message to be transmitted with the session master key to determine a first encrypted message; the communication unit 902 is used to send the first encrypted message to the secure access gateway through the transmission channel.

可选的,处理单元901,还用于获取待传输数据报文;通信单元902,还用于向外部加密模块发送第一指示信息;第一指示信息用于指示外部加密模块上报会话主密钥;通信单元902,还用于接收来自外部加密模块的会话主密钥。Optionally, the processing unit 901 is also used to obtain a data message to be transmitted; the communication unit 902 is also used to send a first indication message to an external encryption module; the first indication message is used to instruct the external encryption module to report a session master key; the communication unit 902 is also used to receive a session master key from an external encryption module.

可选的,外部加密模块为外接于用户终端的加密模块,外部加密模块通过国密OpenVPN与用户终端通信。Optionally, the external encryption module is an encryption module externally connected to the user terminal, and the external encryption module communicates with the user terminal through the national encryption OpenVPN.

可选的,通信单元902,还用于向外部加密模块发送第二指示信息,第二指示信息用于指示外部加密模块根据预制证书、预主密钥,生成会话主密钥;其中,预主密钥由外部加密模块生成,外部加密模块存储有预制证书。Optionally, the communication unit 902 is also used to send a second indication message to the external encryption module, and the second indication message is used to instruct the external encryption module to generate a session master key based on a premade certificate and a premaster key; wherein the premaster key is generated by the external encryption module, and the external encryption module stores the premade certificate.

可选的,处理单元901,还用于在握手阶段,确定安全接入网关选择的安全参数;安全参数包括以下至少之一:会话标识、预制证书、压缩算法、密码规格、会话主密钥、重用标识;处理单元901,还用于根据安全参数加密待传输数据报文,确定第一加密报文。Optionally, processing unit 901 is also used to determine the security parameters selected by the secure access gateway during the handshake phase; the security parameters include at least one of the following: session identifier, pre-made certificate, compression algorithm, cipher specification, session master key, reuse identifier; processing unit 901 is also used to encrypt the data message to be transmitted according to the security parameters to determine the first encrypted message.

其中,处理单元901可以是处理器或控制器。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。处理器也可以是实现计算功能的组合,例如包括一个或多个微处理器组合,DSP和微处理器的组合等等。通信单元902可以是收发电路或通信接口等。存储模块可以是存储器。当处理单元901为处理器,通信单元902为通信接口,存储模块为存储器时,本申请实施例所涉及的报文传输装置可以为图1所示报文传输装置。Among them, the processing unit 901 can be a processor or a controller. It can implement or execute various exemplary logic blocks, modules and circuits described in conjunction with the disclosure of this application. The processor can also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of DSP and microprocessors, etc. The communication unit 902 can be a transceiver circuit or a communication interface, etc. The storage module can be a memory. When the processing unit 901 is a processor, the communication unit 902 is a communication interface, and the storage module is a memory, the message transmission device involved in the embodiment of the present application can be the message transmission device shown in Figure 1.

From the description of the above embodiments, those skilled in the art will understand that, for convenience and brevity, the division into the functional modules above is only an example; in practice the functions may be assigned to different functional modules as needed, that is, the internal structure of the network node may be divided into different functional modules to perform all or part of the functions described above. For the specific operation of the systems, modules and network nodes described above, refer to the corresponding process in the method embodiments; it is not repeated here.

An embodiment of this application further provides a computer-readable storage medium storing instructions which, when executed by a computer, cause the computer to perform each step of the method flow shown in the method embodiments above.

An embodiment of this application further provides a chip comprising a processor and a communication interface coupled to the processor; the processor runs a computer program or instructions to implement the message transmission method of the method embodiments above.

An embodiment of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the message transmission method of the method embodiments above.

The computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), registers, optical fibre, portable compact disc read-only memory (CD-ROM), optical storage devices, magnetic storage devices, any suitable combination of the above, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium; the storage medium may also be a component of the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). In the embodiments of the invention, the computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.

Since the apparatus, device, computer-readable storage medium and computer program product of the embodiments of the invention can be applied to the method above, the technical effects they achieve can likewise be found in the method embodiments above and are not repeated here.

The above are only specific embodiments of this application; its scope of protection is not limited to them, and any variation or substitution within the technical scope disclosed in this application falls within that scope. The scope of protection of this application is therefore defined by the claims.

Claims (6)

1. A message transmission method, characterized in that it is applied to a secure access terminal module, the secure access terminal module being a module in a first system of a user terminal, the user terminal comprising the first system and a second system; the first system is a system encrypted by means of the secure access terminal module, the second system is an unencrypted system, and the first system and the second system are connected through a secure chip; the method comprises:
establishing a transmission channel between the secure access terminal module and a secure access gateway, the secure access gateway being an access gateway of an enterprise intranet accessed by the user terminal, and the transmission channel connecting the secure access terminal module and the secure access gateway through the secure chip and the second system;
negotiating a key with the secure access gateway through the transmission channel to determine a session master key;
encrypting a data message to be transmitted according to the session master key to determine a first encrypted message;
sending the first encrypted message to the secure access gateway through the transmission channel;
wherein, before encrypting the data message according to the session master key and determining the first encrypted message, the method further comprises:
acquiring the data message to be transmitted;
sending first indication information to an external encryption module, the first indication information instructing the external encryption module to report the session master key;
receiving the session master key from the external encryption module;
the external encryption module being an encryption module externally connected to the user terminal that communicates with the user terminal through a national cryptographic algorithm (国密) OpenVPN virtual private channel;
and wherein negotiating a key with the secure access gateway through the transmission channel to determine the session master key comprises:
sending second indication information to the external encryption module, the second indication information instructing the external encryption module to generate the session master key according to a premade certificate and a premaster key, wherein the premaster key is generated by the external encryption module and the external encryption module stores the premade certificate.
2. The method of claim 1, characterized in that encrypting the data message to be transmitted according to the session master key and determining the first encrypted message comprises:
in a handshake phase, determining security parameters selected by the secure access gateway, the security parameters including at least one of: a session identifier, the premade certificate, a compression algorithm, a cipher specification, the session master key and a reuse flag;
and encrypting the data message to be transmitted according to the security parameters to determine the first encrypted message.
3. A message transmission device, characterized in that the device comprises a communication unit and a processing unit:
the processing unit is configured to establish a transmission channel between a secure access terminal module and a secure access gateway, the secure access gateway being an access gateway of an enterprise intranet accessed by a user terminal, and the transmission channel connecting the secure access terminal module and the secure access gateway through a secure chip and a second system;
the processing unit is further configured to negotiate a key with the secure access gateway through the transmission channel to determine a session master key;
the processing unit is further configured to encrypt a data message to be transmitted according to the session master key to determine a first encrypted message;
the communication unit is configured to send the first encrypted message to the secure access gateway through the transmission channel;
the processing unit is further configured to acquire the data message to be transmitted;
the communication unit is further configured to send first indication information to an external encryption module, the first indication information instructing the external encryption module to report the session master key;
the communication unit is further configured to receive the session master key from the external encryption module;
the external encryption module being an encryption module externally connected to the user terminal that communicates with the user terminal through a national cryptographic algorithm (国密) OpenVPN virtual private channel;
the communication unit is further configured to send second indication information to the external encryption module, the second indication information instructing the external encryption module to generate the session master key according to a premade certificate and a premaster key, wherein the premaster key is generated by the external encryption module and the external encryption module stores the premade certificate.
4. The device of claim 3, characterized in that:
the processing unit is further configured to determine, in a handshake phase, security parameters selected by the secure access gateway, the security parameters including at least one of: a session identifier, the premade certificate, a compression algorithm, a cipher specification, the session master key and a reuse flag;
and the processing unit is further configured to encrypt the data message to be transmitted according to the security parameters to determine the first encrypted message.
5. A message transmission apparatus, comprising a processor and a memory, wherein the memory is configured to store computer-executable instructions which, when executed by the message transmission apparatus, cause the message transmission apparatus to perform the message transmission method of any one of claims 1 to 2.
6. A computer-readable storage medium comprising instructions which, when executed by a message transmission apparatus, cause the message transmission apparatus to perform the message transmission method of any one of claims 1 to 2.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211415448.0A CN115801388B (en) 2022-11-11 2022-11-11 Message transmission method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211415448.0A CN115801388B (en) 2022-11-11 2022-11-11 Message transmission method, device and storage medium

Publications (2)

Publication Number Publication Date
CN115801388A CN115801388A (en) 2023-03-14
CN115801388B true CN115801388B (en) 2024-04-09

Family

ID=85437118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211415448.0A Active CN115801388B (en) 2022-11-11 2022-11-11 Message transmission method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115801388B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101790160A (en) * 2009-01-23 2010-07-28 中兴通讯股份有限公司 Method and device for safely consulting session key
CN206003101U (en) * 2016-07-06 2017-03-08 山东同智伟业软件股份有限公司 Safety mobile terminal based on double hard disk dual system patterns
CN107317925A (en) * 2017-06-20 2017-11-03 北京壹人壹本信息科技有限公司 Mobile terminal
CN107360154A (en) * 2017-07-10 2017-11-17 中国科学院沈阳计算技术研究所有限公司 A kind of intranet security cut-in method and system
CN108810023A (en) * 2018-07-19 2018-11-13 北京智芯微电子科技有限公司 Safe encryption method, key sharing method and safety encryption isolation gateway
CN111934879A (en) * 2020-07-08 2020-11-13 福建亿能达信息技术股份有限公司 Data transmission encryption method, device, equipment and medium for internal and external network system
WO2022123068A2 (en) * 2020-12-10 2022-06-16 Abn Amro Bank N.V. Orchestrated quantum key distribution

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104216777B (en) * 2014-08-29 2017-09-08 宇龙计算机通信科技(深圳)有限公司 Dual system electronic installation and terminal
CN104468611B (en) * 2014-12-24 2017-09-08 宇龙计算机通信科技(深圳)有限公司 The data safety processing method and device switched based on dual system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A brief analysis of key technologies of the mobile office security assurance system; Fu Gang (符刚); Secrecy Science and Technology (《保密科学技术》); 2022-09-20; full text *

Also Published As

Publication number Publication date
CN115801388A (en) 2023-03-14

Similar Documents

Publication Publication Date Title
EP3308519B1 (en) System, apparatus and method for transferring ownership of a device from manufacturer to user using an embedded resource
TWI388180B (en) Key generation in a communication system
EP3982590B1 (en) Security authentication method, configuration method, and related device
WO2019029471A1 (en) Bluetooth network and network configuration method
KR20160078475A (en) Key configuration method, system and apparatus
KR101688118B1 (en) Security communication apparatus of internet of things environment and method thereof
CN112602290B (en) Identity authentication method and device and readable storage medium
US10542570B2 (en) System and method for relaying data over a communication network
US20240244681A1 (en) Communication method, apparatus, and system
WO2014127751A1 (en) Wireless terminal configuration method, apparatus and wireless terminal
WO2022028538A1 (en) Method, system and apparatus for determining user plane security algorithm
CN112449323B (en) Communication method, device and system
CN104012130B (en) Communication security processing method and processing device
WO2023083170A1 (en) Key generation method and apparatus, terminal device, and server
US11652910B2 (en) Data transmission method, device, and system
CN115801388B (en) Message transmission method, device and storage medium
CN103974245B (en) Equipment configuration method, equipment and system
CN115714681B (en) Data verification method, device and storage medium
EP4250641A1 (en) Method, devices and system for performing key management
TWI656771B (en) Bluetooth communication method, device and device thereof
CN120238860A (en) Communication method and device
CN117857065A (en) Secure communication processing method, first terminal, second terminal and storage medium
KR20240114494A (en) Secure communication device in IoT environment
CN117014838A (en) Communication connection establishment method, device, equipment and storage medium
WO2018201429A1 (en) Bluetooth communication method and apparatus, application system and device therefor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant