CN116232639A - Data transmission method, device, computer equipment and storage medium - Google Patents

Data transmission method, device, computer equipment and storage medium Download PDF

Info

Publication number
CN116232639A
CN116232639A CN202211563695.5A CN202211563695A CN116232639A CN 116232639 A CN116232639 A CN 116232639A CN 202211563695 A CN202211563695 A CN 202211563695A CN 116232639 A CN116232639 A CN 116232639A
Authority
CN
China
Prior art keywords
data
key
terminal
random number
transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211563695.5A
Other languages
Chinese (zh)
Other versions
CN116232639B (en
Inventor
陈旭
李红飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Kedun Quantum Information Technology Co ltd
Original Assignee
Shenzhen Kedun Quantum Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Kedun Quantum Information Technology Co ltd filed Critical Shenzhen Kedun Quantum Information Technology Co ltd
Priority to CN202211563695.5A priority Critical patent/CN116232639B/en
Priority claimed from CN202211563695.5A external-priority patent/CN116232639B/en
Publication of CN116232639A publication Critical patent/CN116232639A/en
Application granted granted Critical
Publication of CN116232639B publication Critical patent/CN116232639B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The present application relates to a data transmission method, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: when receiving a data transmission request sent by a terminal, carrying out identity authentication on the terminal to obtain an identity authentication result; when the identity authentication result is that the authentication passes, generating a random number, and sending the random number to the terminal; acquiring first ciphertext data corresponding to the data transmission request, and decrypting the first ciphertext data according to a first key to obtain first plaintext data; encrypting the first plaintext data according to a second secret key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal; and sending the second ciphertext data to the terminal. The method can ensure the safety of data transmission and prevent data from being intercepted illegally in the transmission process by transmitting the encrypted data.

Description

Data transmission method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular, to a data transmission method, apparatus, computer device, storage medium, and computer program product.
Background
With the development of internet technology, the use of digital services becomes more convenient and faster, and a necessary condition is provided for data sharing of various digital applications, but a plurality of challenges are also provided for data security protection. The data security protection comprises data security storage and data security transmission.
At present, in the conventional data transmission process, data is generally encrypted by a key formed by a public key and a private key, and data is transmitted through ciphertext obtained by encryption. However, the key pair formed by the public key and the private key still has the risk of being cracked, resulting in lower security in the data transmission process.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data transmission method, apparatus, computer device, computer-readable storage medium, and computer program product that can improve transmission security.
In a first aspect, the present application provides a data transmission method. The method comprises the following steps:
when receiving a data transmission request sent by a terminal, carrying out identity authentication on the terminal to obtain an identity authentication result;
when the identity authentication result is that the authentication passes, generating a random number, and sending the random number to the terminal;
Acquiring first ciphertext data corresponding to the data transmission request, and decrypting the first ciphertext data according to a first key to obtain first plaintext data;
encrypting the first plaintext data according to a second secret key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal;
and sending the second ciphertext data to the terminal.
In one embodiment, before receiving the data transmission request sent by the terminal, the method further includes:
receiving initial data sent by the terminal;
and when the initial data meets a preset encryption condition, encrypting the initial data according to the first key to obtain the first ciphertext data.
In one embodiment, after decrypting the first ciphertext data according to the first key to obtain the first plaintext data, the method further comprises:
verifying the integrity of the first plaintext data according to the first hash value of the initial data and the second hash value of the first plaintext data to obtain an integrity verification result of the first plaintext data;
and when the integrity verification result of the first plaintext data is verification passing, executing the step of encrypting the first plaintext data according to a second secret key to obtain second ciphertext data.
In one embodiment, the method further comprises:
and sending the second hash value of the first plaintext data to a terminal to instruct the terminal to verify the integrity of target data according to the second hash value, wherein the target data is obtained by decrypting the second ciphertext data according to a second key by the terminal.
In one embodiment, the seed key is issued and updated by the cryptographic management platform according to the transmission protection key; the method for acquiring the transmission protection key comprises the following steps:
after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number;
the secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key;
and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
In a second aspect, the present application further provides a data transmission device. The device comprises:
The identity authentication module is used for carrying out identity authentication on the terminal when receiving a data transmission request sent by the terminal, so as to obtain an identity authentication result;
the random number generation module is used for generating a random number when the identity authentication result is that the authentication is passed, and sending the random number to the terminal;
the first key module is used for acquiring first ciphertext data corresponding to the data transmission request, decrypting the first ciphertext data according to a first key and obtaining first plaintext data;
the second key module is used for encrypting the first plaintext data according to a second key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal;
and the data transmitting module is used for transmitting the second ciphertext data to the terminal.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the data transmission method described above when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the data transmission method described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when being executed by a processor, implements the steps of the data transmission method described above.
The data transmission method, the data transmission device, the computer equipment, the storage medium and the computer program product are used for carrying out identity authentication on the terminal when receiving a data transmission request sent by the terminal, so as to obtain an identity authentication result; when the identity authentication result is that authentication passes, generating a random number, sending the random number to a terminal, acquiring first ciphertext data corresponding to a data transmission request, and decrypting the first ciphertext data according to a first key to obtain first plaintext data; and encrypting the first plaintext data according to a second secret key to obtain second ciphertext data, wherein the second secret key is determined according to the random number and a seed secret key corresponding to the terminal, and then the second ciphertext data is sent to the terminal. According to the method and the device, different second secret keys can be generated aiming at different terminals or different data transmission requests, so that the safety of the second secret keys is enhanced to a great extent, meanwhile, the second ciphertext data is sent to the terminal which initiates the data transmission request, namely the server directly sends the data with higher encryption to the terminal, the safety of data transmission can be guaranteed, and the data is prevented from being leaked in the transmission process.
In a sixth aspect, the present application provides a data transmission method, applied to a terminal, where the method includes:
sending a data transmission request to a server;
receiving a random number sent by the server; the random number is generated when the server receives a data transmission request sent by a terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing;
receiving second ciphertext data sent by a server; the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, wherein the first ciphertext data corresponds to the data transmission request; and the second key is determined according to the random number and the seed key corresponding to the terminal.
In one embodiment, the seed key is issued and updated by the cryptographic management platform according to the transmission protection key; the method for acquiring the transmission protection key comprises the following steps:
after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number;
The secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key;
and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
In a seventh aspect, the present application further provides a data transmission device, which is applied to a terminal. The device comprises:
the transmission request module is used for sending a data transmission request to the server;
the first receiving module is used for receiving the random number sent by the server; the random number is generated when the server receives a data transmission request sent by a terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing;
the second receiving module is used for receiving second ciphertext data sent by the server; the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, wherein the first ciphertext data corresponds to the data transmission request; and the second key is determined according to the random number and the seed key corresponding to the terminal.
In an eighth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the data transmission method described above when the processor executes the computer program.
In a ninth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the data transmission method described above.
In a tenth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when being executed by a processor, implements the steps of the data transmission method described above.
The data transmission method, the data transmission device, the computer equipment, the storage medium and the computer program product are characterized in that the terminal sends a data transmission request to the server, and receives a random number sent by the server, wherein the random number is generated when the server receives the data transmission request sent by the terminal and performs identity authentication on the terminal, and the identity authentication result is generated when the authentication result is authentication passing; receiving second ciphertext data sent by a server, wherein the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, and the first ciphertext data corresponds to a data transmission request; the second key is determined according to the random number and the seed key corresponding to the terminal. In the method, the terminal can determine the second secret key according to the received random number and the seed secret key of the terminal, the security of the second secret key is higher, corresponding plaintext data can be obtained by decrypting the received second ciphertext data through the second secret key, secret key transmission is avoided, and therefore the risk of secret key leakage is reduced to a greater extent. In addition, the terminal receives the second ciphertext data according to the data transmission request, so that the risk of data leakage caused by the transmission of plaintext data is avoided.
Drawings
FIG. 1 is a diagram of an application environment for a data transmission method in one embodiment;
FIG. 2 is a flow chart of a data transmission method in one embodiment;
FIG. 3 is a flow diagram of the determination of a protection key for transmission in one embodiment;
FIG. 4 is a flow chart of a data transmission method in another embodiment;
FIG. 5 is a diagram of an application environment of a data transmission method in another embodiment;
FIG. 6 is a flow chart of a data transmission method in another embodiment;
FIG. 7 is a block diagram of a data transmission device in one embodiment;
fig. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The data transmission method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. The terminal 102 sends a data transmission request to the server 104, when the server 104 receives the data transmission request sent by the terminal 102, the server 102 performs identity authentication on the terminal 102 to obtain an identity authentication result, and when the identity authentication result is passed, a random number is generated and sent to the terminal 102; the server 104 obtains first ciphertext data corresponding to the data transmission request, and decrypts the first ciphertext data according to the first key to obtain first plaintext data; encrypting the first plaintext data according to a second secret key to obtain second ciphertext data, wherein the second secret key is determined according to the random number and a seed secret key corresponding to the terminal; the server 104 transmits the second ciphertext data to the terminal 102, and the terminal 102 receives the second ciphertext data transmitted by the server.
The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a data transmission method is provided, and the method is applied to the server in fig. 1 for illustration, and includes the following steps 202 to 210.
Step 202, when receiving a data transmission request sent by a terminal, performing identity authentication on the terminal to obtain an identity authentication result.
When the server receives a data transmission request sent by the terminal, identity authentication is performed on the terminal, and an identity authentication result is obtained. The data transmission request is initiated by the terminal for requesting corresponding data from the server, e.g. for requesting acquisition of transaction data or communication data from the server, etc.
Optionally, when the server receives the data transmission request sent by the terminal, the server may perform identity authentication on the terminal by using at least one identity authentication mode of password authentication, digital certificate authentication, random number authentication or quantum key authentication, and so on, to obtain an identity authentication result. The identity authentication result may include authentication pass and authentication fail.
And 204, when the identity authentication result is that the authentication passes, generating a random number and sending the random number to the terminal.
The random number may be any number, quantum random number, random identification, or the like. For example, the random number is a random number or a random identification generated by a random algorithm, or a quantum random number generated by a quantum random number generator.
Alternatively, when the authentication result of the terminal is authentication pass, the server may generate a random number through a random number generator and transmit the generated random number to the terminal. The generated random numbers are different for different data transmission requests sent by different terminals.
Conventional random number generators rely primarily on computer software simulation to generate pseudo-random numbers, or to extract random numbers from some classical physical noise (e.g., thermal noise, electrical noise, etc.). However, classical physical processes can be modeled with all variables in mind, with only some quantum physical processes producing completely truly random randomness, such as a collapse process of quantum states. The quantum random number generated by the quantum random number generator is a random number generated based on a quantum physical process, and has higher randomness, unpredictability and irreproducibility. The randomness source of the quantum random number is clearer, and the randomness can be strictly proved by adopting a physical entropy theory, so that the quantum random number has higher safety.
Step 206, obtaining the first ciphertext data corresponding to the data transmission request, and decrypting the first ciphertext data according to the first key to obtain the first plaintext data.
The server acquires first ciphertext data corresponding to the data transmission request, and decrypts the first ciphertext data according to the first key through the crypto-engine to obtain first plaintext data. The first key may be a quantum key, and the first cipher text data may be obtained by encrypting the initial data by the first key. Optionally, some information systems currently adopt a software encryption mode, the adopted encryption algorithm is also an international general cryptographic algorithm, and there is a safety risk, in this embodiment, cryptographic operations such as encryption and decryption can be implemented by using a matched hardware cryptographic card or a cryptographic chip, other processes except for updating the corresponding key are stored in the cryptographic card or the cryptographic chip, and the cryptographic machine also has an electromagnetic radiation protection function.
Quantum keys exploit the properties of quantum mechanics to perform encryption tasks. Traditional public key encryption is generally referred to as conditional security, whereas quantum key encryption can do unconditional security. The quantum key is reliable and is mainly determined by the basic characteristics of quantum mechanics, and most importantly, the principle of the Hassenberg measurement inaccuracy, namely, the process of carrying out identical replication on any unknown quantum in the quantum mechanics, is not realized, because the premise of replication is measurement, and the state of the quantum is generally changed by the measurement.
Step 208, encrypting the first plaintext data according to the second secret key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal.
Optionally, the server encrypts the first plaintext data according to a second key through a crypto machine to obtain second ciphertext data, wherein the second key is determined according to the random number and a seed key corresponding to the terminal. Alternatively, the encryption algorithm may use a cryptographic algorithm such as SM3 or SM 4.
The server performs identity authentication on the terminal when receiving a data transmission request sent by the terminal, generates a random number and stores the random number when the identity authentication result is that the authentication is passed, further determines a second key according to the random number and a seed key of the terminal, and encrypts the first plaintext data according to the second key to obtain second ciphertext data. The seed key of the terminal is issued to the terminal by the secret management platform and is updated periodically, and meanwhile, the corresponding relation between the terminal passing the identity authentication and the corresponding seed key is also stored in the server, for example, the seed key can be stored in a database or a storage medium of the server, and the seed keys corresponding to different terminals are different.
Optionally, the second key can be obtained after performing exclusive-or calculation on the random number and the seed key corresponding to the terminal; alternatively, the random number and the seed key corresponding to the terminal may be spliced to be used as the second key, or a hash value of the splicing result may be used as the second key, or the like.
And step 210, transmitting the second ciphertext data to the terminal.
And the server sends the second ciphertext data to the terminal. Optionally, the server may send the second ciphertext data to the terminal directly through the network, or may send the second ciphertext data to the terminal through a transmission protection key, where the transmission protection key is used to protect the sent data in a transmission process, so as to avoid interception or theft after cracking of the transmitted data.
In the data transmission method, when receiving a data transmission request sent by a terminal, identity authentication is performed on the terminal to obtain an identity authentication result; when the identity authentication result is that authentication passes, generating a random number, sending the random number to a terminal, acquiring first ciphertext data corresponding to a data transmission request, and decrypting the first ciphertext data according to a first key to obtain first plaintext data; and encrypting the first plaintext data according to a second secret key to obtain second ciphertext data, wherein the second secret key is determined according to the random number and a seed secret key corresponding to the terminal, and then the second ciphertext data is sent to the terminal. The method can generate different second secret keys aiming at different terminals or different data transmission requests, so that the security of the second secret keys is enhanced to a great extent, and meanwhile, second ciphertext data obtained by encrypting the second secret keys is sent to the terminal which initiates the data transmission request, namely, the server sends encrypted data to the terminal, thereby ensuring the security of data transmission and preventing the data from being leaked in the transmission process.
In one embodiment, before receiving the data transmission request sent by the terminal, the method further includes:
receiving initial data sent by a terminal; and when the initial data meets the preset encryption condition, encrypting the initial data according to the first key to obtain first ciphertext data.
Optionally, when the initial data needs to be encrypted for storage, the initial data is input from the terminal, the terminal sends the initial data to the server, the server identifies the type of the initial data and the corresponding security level when receiving the initial data sent by the terminal, and when a preset encryption condition is met, for example, the type of the initial data meets the preset encryption type in the preset encryption condition and the security level reaches the preset encryption level in the preset encryption condition, the initial data is encrypted according to the first key by the cipher machine to obtain first ciphertext data, and the first ciphertext data is stored.
In this embodiment, when the initial data meets the preset encryption condition, the initial data is encrypted according to the first key to obtain the first ciphertext data, that is, the data meeting the preset encryption condition is screened to be encrypted and stored, so that the occupancy rate of the server resource can be reduced, and meanwhile, the security of the stored data can be ensured.
In one embodiment, after decrypting the first ciphertext data based on the first key to obtain the first plaintext data, the method further comprises:
verifying the integrity of the first plaintext data according to the first hash value of the initial data and the second hash value of the first plaintext data to obtain an integrity verification result of the first plaintext data; and when the integrity verification result of the first plaintext data is verification passing, executing the step of encrypting the first plaintext data according to the second secret key to obtain second ciphertext data.
In this embodiment, the first ciphertext data is decrypted according to the first key to obtain first plaintext data, a first hash value of the initial data is obtained, a second hash value of the first plaintext data is calculated, when the first hash value is identical to the second hash value, it is indicated that the first plaintext data is identical to the initial data, that is, the first plaintext data is complete, and an integrity verification result of the first plaintext data is verification passing; otherwise, when the first hash value is different from the second hash value, it is indicated that the first plaintext data is different from the initial data, i.e. the first plaintext data is incomplete and may be damaged, and the integrity verification result of the first plaintext data is that the verification is failed. And when the integrity verification result of the first plaintext data is verification passing, encrypting the first plaintext data according to the second secret key to obtain second ciphertext data. Alternatively, when the server acquires the initial data, calculating a first hash value of the initial data, and storing the first hash value; the initial data may be copied and saved, and the first hash value of the saved initial data may be directly calculated, thereby obtaining the first hash value.
In this embodiment, after the first plaintext data is obtained, the integrity of the first plaintext data is verified according to the first hash value of the initial data and the second hash value of the first plaintext data, so that the first plaintext data is ensured to be complete, and then the step of encrypting the first plaintext data according to the second key to obtain the second ciphertext data is performed, thereby improving the transmission quality of the second ciphertext data.
In one embodiment, the data transmission method further comprises: and sending the second hash value of the first plaintext data to the terminal to instruct the terminal to verify the integrity of the target data according to the second hash value, wherein the target data is obtained by decrypting the second ciphertext data according to the second key by the terminal.
The server sends the second hash value of the first plaintext data to the terminal, and the terminal can calculate the hash value of the target data, and verify whether the target data is complete by comparing whether the hash value of the target data is identical to the second hash value. And when the hash value of the target data is the same as the second hash value, indicating that the target data is complete, otherwise, when the hash value of the target data is different from the second hash value, indicating that the target data is incomplete.
In this embodiment, after obtaining the first plaintext data, the server calculates a second hash value of the first plaintext data, and sends the second hash value to the terminal, so that the terminal can verify the integrity of the target data according to the second hash value. On the premise that the first plaintext data is complete, after receiving the second ciphertext data, the terminal decrypts the second ciphertext data according to the second key to obtain target data, so that the integrity of the target data is verified according to the first plaintext data, and the target data acquired by the terminal is ensured to be consistent with a data transmission request, namely the accuracy of the target data is ensured.
In one embodiment, as shown in fig. 3, the seed key is issued and updated by the cryptographic platform according to the transmission protection key; the method for obtaining the transmission protection key includes the following steps 302 to 306.
Step 302, after the authentication between the password management platform and the password device is passed, the password management platform sends a first random number to the password device, receives a second random number sent by the password device, and determines a first transmission key according to the first random number and the second random number.
In this embodiment, the cryptographic device is a special device that performs encryption and decryption processing and authentication on information by using a password, and may be, for example, a cryptographic machine, ukey, or the like. The password management platform is a platform for controlling and managing password equipment. The cryptographic platform may be communicatively coupled to a plurality of cryptographic devices. The seed key may be issued to the cryptographic device by the cryptographic platform according to the transmission protection key and updated according to a preset condition, for example, periodically, or when an update request is received. The transmission protection key is used for carrying out encryption protection on a key and the like transmitted between the password management platform and the password equipment.
Optionally, two-way authentication is performed between the password management platform and the password device, for example, authentication is performed by means of mutually exchanging certificates, after authentication is passed, the password management platform may send a first random number to the password device according to the technical specification of GM/T0050-2016 password device management, and the password device sends a second random number to the password management platform, so that the first transmission key is determined according to the first random number and the second random number, for example, after the first random number and the second random number are subjected to exclusive-or operation, the obtained exclusive-or result is used as the first transmission key.
Step 304, the cryptographic management platform determines a second transmission key according to the negotiation result of the cryptographic device on the target quantum key.
The quantum key table can be distributed to the password equipment in an online or offline mode through the password management platform before identity authentication is carried out between the password equipment and the password platform, and the quantum key table comprises a plurality of groups of quantum keys. Optionally, the cryptographic platform and the cryptographic device co-determine, in an online or offline negotiation manner, one quantum key from the quantum key table as a target quantum key, and use the target quantum key as a second transmission key.
In step 306, the cryptographic management platform determines a transmission protection key according to the first transmission key and the second transmission key.
Optionally, the cryptographic management platform uses an exclusive-or operation result of the first transmission key and the second transmission key as a transmission protection key. Alternatively, the cryptographic management platform may use the concatenation result of the first transmission key and the second transmission key as the transmission protection key. The cryptographic platform may issue the seed key to the cryptographic device by transmitting the protection key. Illustratively, the cryptographic device includes a Ukey and a cryptographic engine of the terminal, and the cryptographic platform may send the seed key to the Ukey and the cryptographic engine of the terminal by transmitting the protection key, so that the terminal may obtain the seed key from the Ukey, and the server may obtain the seed key from the cryptographic engine.
In this embodiment, on the basis of the first transmission key, a second transmission key is determined according to a negotiation result of the target quantum key between the cryptographic device and the cryptographic platform, and then a final transmission protection key is determined according to the first transmission key and the second transmission key; the negotiation results between different cipher devices and the cipher device are different, and the determined second transmission key is different, so that the security of the transmission protection key is greatly enhanced, and the security of the transmission channel between the cipher device and the cipher device is also enhanced.
In one embodiment, as shown in fig. 4, a data transmission method is provided and applied to a terminal, and the method includes the following steps 402 to 406.
Step 402, a data transmission request is sent to a server.
The terminal sends a data transmission request to the server. The data transmission request is used for acquiring corresponding target data.
Step 404, receiving a random number sent by a server; the random number is generated when the server receives a data transmission request sent by the terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing.
The terminal receives a random number sent by the server, wherein the random number is generated when the server receives a data transmission request sent by the terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing. Specifically, the server may generate the random number by a random number generator.
Step 406, receiving second ciphertext data sent by the server; the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to the first key to obtain first plaintext data, encrypting the first plaintext data according to the second key, and the first ciphertext data corresponds to the data transmission request; the second key is determined according to the random number and the seed key corresponding to the terminal.
Optionally, the terminal receives the second ciphertext data sent by the server. The second ciphertext data is obtained by decrypting the first ciphertext data corresponding to the data transmission request according to the first key by the server to obtain first plaintext data and encrypting the first plaintext data according to the second key by the crypto; the second key is determined according to the random number and the seed key corresponding to the terminal.
Optionally, the terminal obtains a second key according to the received random number and the seed key, and decrypts the second ciphertext data according to the second key to obtain the target data, wherein the target data is plaintext data.
Optionally, the terminal receives a second hash value corresponding to the first plaintext data sent by the server, and verifies the integrity of the target data according to the second hash value. Specifically, calculating the hash value of the target data, if the hash value of the target data is the same as the second hash value, indicating that the target data is complete; otherwise, the target data is incomplete.
According to the data transmission method, the terminal sends the data transmission request to the server, the random number sent by the server is received, the server performs identity authentication on the terminal when receiving the data transmission request sent by the terminal, and the identity authentication result is generated when authentication is passed; receiving second ciphertext data sent by a server, wherein the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, and the first ciphertext data corresponds to a data transmission request; the second key is determined according to the random number and the seed key corresponding to the terminal. In the method, the terminal can determine the second secret key according to the received random number and the seed secret key of the terminal, the second secret key is high in safety, corresponding plaintext data can be obtained by decrypting the received second ciphertext data through the second secret key, secret key transmission is avoided, and therefore the risk of secret key leakage is reduced to a large extent. In addition, the terminal receives the second ciphertext data according to the data transmission request, so that the risk of data leakage caused by the transmission of plaintext data is avoided.
In one embodiment, the seed key is issued and updated by the cryptographic platform according to the transmission protection key; the method for acquiring the transmission protection key comprises the following steps:
after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number; the secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key; and the cryptographic management platform determines a transmission protection key according to the first transmission key and the second transmission key.
The explanation of the terms in this embodiment and the corresponding descriptions can be referred to the explanation in the embodiment shown in fig. 3, and will not be repeated here.
In one example, as shown in fig. 5, an application scenario of archive data transmission is provided, where the application scenario applies the above data transmission method. The archive management server and the terminal may communicate, and the archive management server may transmit regional archive data to the terminal. The archive management server can comprise a secret management platform, a cipher machine module, a quantum key filling module, a quantum random number generation module and the like; the terminal comprises a Ukey module. The cryptographic engine module can provide cryptographic services for the archive management server to realize encryption of stored archive data by the server. The cryptographic management platform comprises a certificate issuing service supporting the cryptographic equipment, a cryptographic equipment online management service, a quantum key production service, a quantum key management service and other functional services. The secret management platform is connected with the cryptographic machine module, and can provide cryptographic equipment management and quantum key updating for the cryptographic machine module; the secret management platform is also connected with a key charging module for providing Ukey quantum key update; the dense tube platform is also connected with a quantum random number generation module to obtain a quantum random number; the cryptographic management platform is also connected with a quantum key management tool set, and provides quantum key management, equipment management initialization and the like.
In one embodiment, as shown in fig. 6, the data transmission method includes the following steps 602 to 622.
In step 602, the terminal initiates a data transmission request to the server.
Step 604, the server receives the data transmission request, and performs identity authentication on the terminal to obtain an identity authentication result.
Step 606, when the identity authentication result is that the authentication is passed, the server generates a random number and sends the random number to the terminal.
In step 608, the terminal receives the random number sent by the server.
Step 610, the server obtains first ciphertext data corresponding to the data transmission request, and decrypts the first ciphertext data according to the first key to obtain first plaintext data; the first key encrypts the initial data to obtain first ciphertext data.
In step 612, the server verifies the integrity of the first plaintext data according to the first hash value of the initial data and the second hash value of the first plaintext data, and obtains an integrity verification result of the first plaintext data.
Step 614, when the integrity verification result of the first plaintext data is that the verification is passed, the server encrypts the first plaintext data according to the second key to obtain second ciphertext data; the second key is determined from the random number and a seed key of the terminal.
In step 616, the server sends the second ciphertext data and the second hash value of the first plaintext data to the terminal.
In step 618, the terminal receives the second ciphertext data and the second hash value that are sent by the server.
And 620, the terminal decrypts the second ciphertext data according to the second key to obtain the target data, wherein the second key is determined by the terminal according to the random number and the seed key sent by the server.
In step 622, the terminal verifies the integrity of the target data according to the hash value of the target data and the hash value of the first plaintext data.
According to the data transmission method, the second secret key is determined through the random number and the quantum secret key, the first plaintext data is encrypted by using the second secret key according to different terminals or different second secret keys corresponding to different data transmission requests, so that second ciphertext data is obtained, the second ciphertext data is sent to the terminals, encryption safety of the second ciphertext data is enhanced, the problem of data leakage caused by plaintext transmission is avoided, and the capability of an encryption system for resisting replay attack is improved; after the data are decrypted into the plaintext, the integrity of the data is checked, so that the data are prevented from being tampered, the integrity of the acquired data can be ensured, and the data transmission quality is improved.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a data transmission device for realizing the above related data method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in one or more embodiments of the data transmission device provided below may refer to the limitation of the data transmission method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 7, there is provided a data transmission apparatus including: an identity authentication module 702, a random number generation module 704, a first key module 706, a second key module 708, and a data transmission module 710, wherein:
the identity authentication module 702 is configured to perform identity authentication on a terminal when receiving a data transmission request sent by the terminal, so as to obtain an identity authentication result;
a random number generation module 704, configured to generate a random number when the identity authentication result is that the authentication is passed, and send the random number to the terminal;
a first key module 706, configured to obtain first ciphertext data corresponding to the data transmission request, and decrypt the first ciphertext data according to a first key, to obtain first plaintext data;
a second key module 708, configured to encrypt the first plaintext data according to a second key, to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal;
and the data sending module 710 is configured to send the second ciphertext data to a terminal.
In one embodiment, the apparatus further comprises an initial encryption module for:
Receiving initial data sent by the terminal; and when the initial data meets a preset encryption condition, encrypting the initial data according to the first key to obtain the first ciphertext data.
In one embodiment, the apparatus further comprises an integrity checking module for:
verifying the integrity of the first plaintext data according to the first hash value of the initial data and the second hash value of the first plaintext data to obtain an integrity verification result of the first plaintext data; and when the integrity verification result of the first plaintext data is verification passing, executing the step of encrypting the first plaintext data according to a second secret key to obtain second ciphertext data.
In one embodiment, the apparatus further comprises a hash sending module configured to:
and sending the second hash value of the first plaintext data to a terminal to instruct the terminal to verify the integrity of target data according to the second hash value, wherein the target data is obtained by decrypting the second ciphertext data according to a second key by the terminal.
In one embodiment, the seed key is issued and updated by a cryptographic platform according to a transmission protection key; the device further comprises a transmission protection module, which is used for obtaining a transmission protection key, wherein the determination mode of the transmission protection key comprises the following steps: after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number; the secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key; and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
In one embodiment, there is provided a data transmission apparatus applied to a terminal, including: the device comprises a transmission request module, a first receiving module and a second receiving module, wherein:
the transmission request module is used for sending a data transmission request to the server;
the first receiving module is used for receiving the random number sent by the server; the random number is generated when the server receives a data transmission request sent by a terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing;
the second receiving module is used for receiving second ciphertext data sent by the server; the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, wherein the first ciphertext data corresponds to the data transmission request; and the second key is determined according to the random number and the seed key corresponding to the terminal.
In one embodiment, the seed key is issued and updated by a cryptographic platform according to a transmission protection key; the device further comprises a transmission protection module, which is used for obtaining a transmission protection key, wherein the determination mode of the transmission protection key comprises the following steps: after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number; the secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key; and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
The respective modules in the above-described data transmission apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing seed key data corresponding to the terminal. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data transmission method.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the data transmission method described above when the computer program is executed.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the data transmission method described above.
In an embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, implements the steps of the data transmission method described above.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A method of data transmission, the method comprising:
when receiving a data transmission request sent by a terminal, carrying out identity authentication on the terminal to obtain an identity authentication result;
when the identity authentication result is that the authentication passes, generating a random number, and sending the random number to the terminal;
acquiring first ciphertext data corresponding to the data transmission request, and decrypting the first ciphertext data according to a first key to obtain first plaintext data;
Encrypting the first plaintext data according to a second secret key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal;
and sending the second ciphertext data to the terminal.
2. The method of claim 1, wherein prior to receiving the data transmission request sent by the terminal, the method further comprises:
receiving initial data sent by the terminal;
and when the initial data meets a preset encryption condition, encrypting the initial data according to the first key to obtain the first ciphertext data.
3. The method of claim 2, wherein after decrypting the first ciphertext data based on the first key to obtain the first plaintext data, the method further comprises:
verifying the integrity of the first plaintext data according to the first hash value of the initial data and the second hash value of the first plaintext data to obtain an integrity verification result of the first plaintext data;
and when the integrity verification result of the first plaintext data is verification passing, executing the step of encrypting the first plaintext data according to a second secret key to obtain second ciphertext data.
4. The method according to claim 1, wherein the method further comprises:
and sending the second hash value of the first plaintext data to a terminal to instruct the terminal to verify the integrity of target data according to the second hash value, wherein the target data is obtained by decrypting the second ciphertext data according to a second key by the terminal.
5. The method according to any of claims 1-4, wherein the seed key is issued and updated by a secure management platform based on a transport protection key; the method for acquiring the transmission protection key comprises the following steps:
after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number;
the secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key;
and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
6. A data transmission method, applied to a terminal, the method comprising:
Sending a data transmission request to a server;
receiving a random number sent by the server; the random number is generated when the server receives a data transmission request sent by a terminal and performs identity authentication on the terminal and the identity authentication result is authentication passing;
receiving second ciphertext data sent by a server; the second ciphertext data is obtained by decrypting the first ciphertext data by the server according to a first key to obtain first plaintext data and encrypting the first plaintext data according to a second key, wherein the first ciphertext data corresponds to the data transmission request; and the second key is determined according to the random number and the seed key corresponding to the terminal.
7. The method of claim 6, wherein the seed key is issued and updated by a cryptographic platform based on a transmission protection key; the method for acquiring the transmission protection key comprises the following steps:
after passing the authentication between the password management platform and the password equipment, the password management platform sends a first random number to the password equipment, receives a second random number sent by the password equipment, and determines a first transmission key according to the first random number and the second random number;
The secret management platform determines a second transmission key according to a negotiation result of the secret management platform and the password equipment on the target quantum key;
and the secret management platform determines the transmission protection key according to the first transmission key and the second transmission key.
8. A data transmission apparatus, the apparatus comprising:
the identity authentication module is used for carrying out identity authentication on the terminal when receiving a data transmission request sent by the terminal, so as to obtain an identity authentication result;
the random number generation module is used for generating a random number when the identity authentication result is that the authentication is passed, and sending the random number to the terminal;
the first key module is used for acquiring first ciphertext data corresponding to the data transmission request, decrypting the first ciphertext data according to a first key and obtaining first plaintext data;
the second key module is used for encrypting the first plaintext data according to a second key to obtain second ciphertext data; the second key is determined according to the random number and the seed key corresponding to the terminal;
and the data transmitting module is used for transmitting the second ciphertext data to the terminal.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202211563695.5A 2022-12-07 Data transmission method, device, computer equipment and storage medium Active CN116232639B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211563695.5A CN116232639B (en) 2022-12-07 Data transmission method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211563695.5A CN116232639B (en) 2022-12-07 Data transmission method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116232639A true CN116232639A (en) 2023-06-06
CN116232639B CN116232639B (en) 2024-05-03

Family

ID=

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719826A (en) * 2009-05-13 2010-06-02 北京宏基恒信科技有限责任公司 Dynamic token having function of updating seed key and updating method for seed key thereof
CN103001771A (en) * 2012-11-14 2013-03-27 广东电网公司电力科学研究院 Data transmission security encryption method for metering automation system
KR20200024426A (en) * 2018-08-28 2020-03-09 주식회사 이와이엘 User authentication system and method using combination of user pattern authentication and quantum random number
CN112910644A (en) * 2021-03-29 2021-06-04 安徽华典大数据科技有限公司 Security authentication system based on quantum secret data
CN113067699A (en) * 2021-03-04 2021-07-02 深圳科盾量子信息科技有限公司 Data sharing method and device based on quantum key and computer equipment
CN113079022A (en) * 2021-03-31 2021-07-06 郑州信大捷安信息技术股份有限公司 Secure transmission method and system based on SM2 key negotiation mechanism

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719826A (en) * 2009-05-13 2010-06-02 北京宏基恒信科技有限责任公司 Dynamic token having function of updating seed key and updating method for seed key thereof
CN103001771A (en) * 2012-11-14 2013-03-27 广东电网公司电力科学研究院 Data transmission security encryption method for metering automation system
KR20200024426A (en) * 2018-08-28 2020-03-09 주식회사 이와이엘 User authentication system and method using combination of user pattern authentication and quantum random number
CN113067699A (en) * 2021-03-04 2021-07-02 深圳科盾量子信息科技有限公司 Data sharing method and device based on quantum key and computer equipment
CN112910644A (en) * 2021-03-29 2021-06-04 安徽华典大数据科技有限公司 Security authentication system based on quantum secret data
CN113079022A (en) * 2021-03-31 2021-07-06 郑州信大捷安信息技术股份有限公司 Secure transmission method and system based on SM2 key negotiation mechanism

Similar Documents

Publication Publication Date Title
US11449641B2 (en) Integrity of communications between blockchain networks and external data sources
CN110855671B (en) Trusted computing method and system
JP6547079B1 (en) Registration / authorization method, device and system
CN110519260B (en) Information processing method and information processing device
TWI709314B (en) Data processing method and device
CN106534092B (en) The privacy data encryption method of key is depended on based on message
US8660266B2 (en) Method of delivering direct proof private keys to devices using an on-line service
CN111130757A (en) Multi-cloud CP-ABE access control method based on block chain
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US9178881B2 (en) Proof of device genuineness
WO2019129459A1 (en) Secure provisioning of keys
CN108132977A (en) Ciphertext database querying method and system based on vertical division
CN111740995B (en) Authorization authentication method and related device
CN116049802B (en) Application single sign-on method, system, computer equipment and storage medium
CN117155549A (en) Key distribution method, key distribution device, computer equipment and storage medium
CN116232639B (en) Data transmission method, device, computer equipment and storage medium
Kamboj et al. DEDUP: Deduplication system for encrypted data in cloud
CN116232639A (en) Data transmission method, device, computer equipment and storage medium
CN116318784B (en) Identity authentication method, identity authentication device, computer equipment and storage medium
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN116599771B (en) Data hierarchical protection transmission method and device, storage medium and terminal
CN116318784A (en) Identity authentication method, identity authentication device, computer equipment and storage medium
CN105262743A (en) Data storage method, safety device and network storage system
CN114553557A (en) Key calling method, key calling device, computer equipment and storage medium
CN114244502A (en) Signature key generation method and device based on SM9 algorithm and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination