CN116566723A - Local area network information safety transmission method - Google Patents

Local area network information safety transmission method

Info

Publication number: CN116566723A
Application number: CN202310679166.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 黄伟东
Current assignee: Jiangsu Beidou Xinchuang Technology Development Co ltd
Original assignee: Jiangsu Beidou Xinchuang Technology Development Co ltd
Priority date: 2023-06-09
Filing date: 2023-06-09
Publication date: 2023-08-08

Classifications (all under H04L, transmission of digital information)

    • H04L63/0272 Virtual private networks (under H04L63/02, network security architectures for separating internal from external traffic, e.g. firewalls)
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using an additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage, involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/40 Network security protocols
    • H04L2209/127 Trusted platform modules [TPM]

Abstract

The invention discloses a local area network information security transmission method in the technical field of data processing. The method comprises the steps of constructing a data sharing private network, encrypting data with a TPM security chip, having staff register and log in through VPN private network software to connect to the data sharing private network, selecting the required encrypted file through the data sharing private network, verifying the staff member in a virtual space to obtain a private key, and decrypting the encrypted file with the obtained private key to obtain the data in it.

Description

Local area network information safety transmission method
Technical Field
The invention relates to the technical field of data processing, in particular to a local area network information security transmission method.
Background
With the rapid development of science and technology, and of internet technology in particular, many potential security hazards have arisen alongside the convenience brought to people; for enterprises and for departments at various levels, leakage of enterprise or department information can cause huge economic losses.
In common information encryption processes, however, brute-force approaches such as exhaustive search can be used to crack the encryption, so the security of the encrypted target data is low and the target data leaks; in addition, staff mobile devices are easily lost and tampered with.
Disclosure of Invention
The invention aims to provide a local area network information security transmission method.
The aim of the invention is achieved by the following technical scheme. A local area network information security transmission method comprises the following steps:
s1: constructing a data sharing private network using VPN technology, uploading the data to be encrypted into the data sharing private network, and encrypting the data with a TPM security chip;
s2: the staff member registers and logs in to the data sharing private network through VPN private network software, selects the required encrypted file, and transmits the selected encrypted file into the virtual space;
s3: the staff member is verified in the virtual space; on successful verification the secret key in the TPM security chip is obtained and used to decrypt the encrypted file and obtain the data in it.
Further, the construction process of the data sharing private network comprises the following steps:
constructing a data sharing private network using VPN technology, in which a plurality of data of different grades are placed; performing hardware key encryption on the data of different grades with a TPM security chip to obtain encrypted files of different grades, namely primary encrypted files and secondary encrypted files; and storing the hardware key in the TPM security chip.
Further, the process of encrypting the data with the TPM security chip comprises the following steps:
creating a hardware key through the TPM security chip, the hardware key being calculated from a random number inside the TPM security chip, and determining the key length according to formula I: n = q × p;
where q is a first preset prime number, p is a second preset prime number and n is the key length;
determining, from the key length and formula II, a first quantity φ compatible with the key length;
randomly generating a first target number e coprime with φ, e being a positive number smaller than φ, and determining a second target number d from φ, e and formula III: e · d mod φ = 1;
where e is the first target number and d is the second target number;
determining the hardware key from the first target number, the second target number and the key length, the hardware key comprising a private key (n, d) and a public key (n, e).
Further, the process by which staff register and log in through the VPN private network software comprises the following steps:
setting a registration port and a login port in the VPN private network software, and entering personal basic information at the registration port, the personal basic information comprising name, gender, age, position and a real-name authenticated mobile phone number;
entering the data sharing private network through the login port; without the VPN private network software the data sharing private network cannot be logged in to through a web link.
Further, the process by which the staff member selects the encrypted file in the data sharing private network comprises the following steps:
a popup window is shown on the staff member's mobile device and a preset electronic signature is set through the popup window; the camera permission of the staff member's mobile device is requested and the staff member's preset facial features are captured; a database is established, and the preset facial features and the preset electronic signature are stored in the database and bound to the staff member's personal basic information; the staff member then selects the required encrypted files in the data sharing private network, and the data sharing private network sends the selected encrypted files into a virtual space, the virtual space being an independent space established between the data sharing private network and the staff member's mobile device.
Further, the process of decrypting and verifying the encrypted file in the virtual space comprises the following steps:
the staff member reads the held public key of the TPM security chip, verifies the encrypted file in the virtual space with that public key, and obtains the private key in the TPM security chip after verification;
if the encrypted file is a secondary encrypted file, periodic mobile phone SMS verification is performed on the staff member; if the verification passes, the staff member is allowed to obtain the private key in the TPM security chip for the secondary encrypted file for a single period; if the staff member fails the SMS verification, the virtual space is closed;
if the encrypted file is a primary encrypted file, electronic signature verification is performed on the staff member: the preset electronic signature is retrieved from the database and split in half, the split half is sent to the staff member's mobile terminal, and the staff member completes the other half of the electronic signature;
if the completed electronic signature is consistent with the preset electronic signature, the private key in the TPM security chip is obtained, the encrypted file is decrypted successfully to obtain the data, and the virtual space sends the decrypted data to the staff member's mobile device;
if the completed electronic signature is inconsistent with the preset electronic signature, facial verification is required: the staff member's current facial features are captured and compared with the preset facial features retrieved from the database; if the similarity is greater than or equal to 99%, facial verification is judged to pass and the staff member obtains the private key in the TPM security chip;
if the similarity is smaller than 99%, facial verification is judged to fail, the staff member's mobile device is marked, alarm information is sent to the data sharing private network, the encrypted file is returned along its original path, and the current virtual space is closed.
Compared with the prior art, the invention has the following beneficial effects. A hardware key is created and bound to the encrypting party's device, and the file is encrypted with that hardware key. Because the hardware key is bound to the encrypting party's device, even if a software key is cracked by brute force such as exhaustive search, the cracked software key cannot decrypt the target data, so the security of the encrypted target data is improved; the use of VPN technology prevents personnel outside the company from connecting a private network to the company's data private network; and setting an electronic signature reliably confirms whether the mobile device is being operated by the staff member.
Drawings
Fig. 1 is a schematic diagram of the present invention.
Description of the embodiments
As shown in fig. 1, a local area network information security transmission method comprises the following steps:
s1: constructing a data sharing private network using VPN technology, uploading the data to be encrypted into the data sharing private network, and encrypting the data with a TPM security chip;
s2: the staff member registers and logs in to the data sharing private network through VPN private network software, selects the required encrypted file, and transmits the selected encrypted file into the virtual space;
s3: the staff member is verified in the virtual space; on successful verification the secret key in the TPM security chip is obtained and used to decrypt the encrypted file and obtain the data in it.
It should be further noted that, in the implementation process, the construction of the data sharing platform comprises:
constructing a data sharing private network using VPN technology; the administrator divides the data to be uploaded into different grades to obtain a plurality of data of different grades, and the divided data are uploaded to the data sharing private network;
performing hardware key encryption on the plurality of data of different grades with a TPM security chip to obtain encrypted files of different grades, namely first-level (primary) encrypted files and second-level (secondary) encrypted files, which are stored by the TPM security chip.
It should be further noted that a TPM security chip is a security chip that meets the TPM standard and can effectively protect a PC from access by illegitimate users. In this embodiment the hardware key is created by the TPM security chip and calculated from a random number inside the TPM security chip, so the hardware key cannot be exported from the TPM security chip; a key generated by the TPM security chip can therefore only be used by that TPM security chip.
Because the TPM security chip is bound to the encrypting party's device, no physical device other than the encrypting party's device can obtain the hardware key, which improves the security of the hardware key and, in turn, the security of both the encrypted target data and the hardware key.
In one embodiment of the invention, to ensure the security of the hardware key, the process of creating the hardware key comprises: determining the key length according to a first formula, formula I: n = q × p;
where q represents a first preset prime number, p represents a second preset prime number and n represents the key length;
determining, from the key length and formula II, a first quantity φ compatible with the key length;
randomly generating a first target number e coprime with φ, e being a positive number smaller than φ, and determining a second target number d from φ, e and formula III: e · d mod φ = 1;
where e is the first target number and d is the second target number;
determining the hardware key from the first target number, the second target number and the key length, the hardware key comprising a private key (n, d) and a public key (n, e);
encrypting the subkey with the hardware key to generate a first file, which comprises encrypting the subkey with the public key according to formula IV: C ≡ M^e mod n;
where C is the first file and M is the subkey.
It is worth noting that the bit length of n characterizes the key length. For example, if in a key n = 3233, written in binary as 110010100001, there are 12 bits in total, so the key is 12 bits long; in practice the key length can be 1024 bits, or 2048 bits in important cases. The Euler function φ is the number of integers not greater than n that are coprime with n; e must be coprime with φ, and formula III states that the remainder of the product of e and d divided by φ is 1.
The method can also be used to create the subkeys of the hardware key, making the subkeys more secure. For example: with p = 61 and q = 53, n = 61 × 53 = 3233; e is any number smaller than φ and coprime with φ, here e = 17, and then d = 2753.
Thus a pair of asymmetric keys (3233, 17) and (3233, 2753) is obtained, where the public key is (3233, 17) and the private key is (3233, 2753).
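Formulas I to IV carried through with the page's own numbers (p = 61, q = 53, e = 17), as an added Python example that is not code from the patent. It assumes that the unnamed formula II is the standard Euler totient for two primes, (p − 1)(q − 1), which is the only choice consistent with the page's value d = 2753, and that the "subkey" M is an integer smaller than n.

```python
"""RSA-style hardware key derivation as described in CN116566723A.
Added example, not the patent's code.  Assumption: formula II is the
Euler totient of n = p*q for two primes, phi = (p-1)*(q-1)."""
from math import gcd


def is_prime(x: int) -> bool:
    """Trial-division primality check; adequate for the toy sizes used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def key_length_bits(n: int) -> int:
    """The page measures key length as the bit length of n
    (n = 3233 -> 110010100001 -> 12 bits)."""
    return n.bit_length()


def make_hardware_key(p: int, q: int, e: int) -> dict:
    """Return the public key (n, e) and private key (n, d).

    Formula I:   n = q * p
    Formula II:  phi, assumed here to be (p-1)*(q-1) (the page only names it
                 as the Euler function of n)
    Formula III: e * d mod phi = 1, with 0 < e < phi and gcd(e, phi) == 1
    """
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = q * p
    phi = (p - 1) * (q - 1)
    if not 0 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be a positive number below phi and coprime with phi")
    d = pow(e, -1, phi)  # modular inverse, so e*d mod phi == 1 (Python 3.8+)
    return {"n": n, "phi": phi, "bits": key_length_bits(n),
            "public": (n, e), "private": (n, d)}


def encrypt_subkey(m: int, public: tuple) -> int:
    """Formula IV: C = M^e mod n, the 'first file' that carries the subkey."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("subkey must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt_first_file(c: int, private: tuple) -> int:
    """Inverse of formula IV with the private exponent: M = C^d mod n."""
    n, d = private
    return pow(c, d, n)


if __name__ == "__main__":
    key = make_hardware_key(61, 53, 17)       # the page's worked numbers
    print(key)                                # private key (3233, 2753)
    first_file = encrypt_subkey(65, key["public"])   # constructed subkey M = 65
    print(first_file, decrypt_first_file(first_file, key["private"]))
```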
It should be further noted that, in the implementation process, the VPN private network software is sent to the employee's mobile terminal, and the employee registers and logs in with personal information through the VPN private network software. The specific process comprises:
setting a registration port and a login port, with the staff member entering personal basic information at the registration port; in the specific implementation the personal basic information comprises name, gender, age, position and a real-name authenticated mobile phone number;
verifying the personal basic information entered by the staff member, and generating a login account and a login password after the verification passes;
the staff member connecting to the data sharing private network through the login port of the VPN private network software with the generated login account and password; without the VPN private network software the data sharing private network cannot be logged in to through a web link.
It should be further noted that, in the implementation process, the operations performed by the staff member in the data sharing private network comprise:
a popup window is shown on the staff member's mobile device and a preset electronic signature is set through it; after the preset electronic signature has been set, the staff member is asked to grant the camera permission of the mobile device and prompted to capture preset facial features through the mobile device; a database is built, and the staff member's preset facial features and preset electronic signature are stored in the database and bound to the staff member's personal basic information; the staff member then selects the required encrypted files in the data sharing private network, after which the data sharing private network sends the required encrypted files into a virtual space, the virtual space being an independent space built between the data sharing private network and the staff member's mobile device.
It should be further noted that, in the implementation process, the encrypted file is decrypted in the virtual space, and the specific verification process comprises:
the staff member reads the public key they hold, verifies the encrypted file in the virtual space with that public key, and obtains the private key in the TPM security chip after verification;
if the encrypted file is a secondary encrypted file, periodic mobile phone SMS verification is performed on the staff member; if the staff member passes the SMS verification, they are allowed to obtain the private key inside the TPM security chip for the secondary encrypted file for a single period; if the staff member fails the SMS verification, the virtual space is closed;
if the encrypted file is a primary encrypted file, electronic signature verification is performed on the staff member: the preset electronic signature corresponding to the staff member is retrieved from the database and split in half, the split half is sent to the staff member's mobile terminal, and the staff member completes the other half of the electronic signature;
if the electronic signature completed by the staff member is consistent with the preset electronic signature, the staff member obtains the private key in the TPM security chip and enters it, the encrypted file is then decrypted successfully to obtain the data, and the data in the virtual space is sent to the staff member's mobile device;
if the electronic signature completed by the staff member is inconsistent with the preset electronic signature, the staff member must undergo face verification: the virtual space captures the staff member's current facial features and compares them with the preset facial features retrieved from the database; if the similarity between the current and preset facial features is greater than or equal to 99%, the staff member is judged to pass face verification and obtains the private key in the TPM security chip;
if the similarity between the current and preset facial features is smaller than 99%, face verification is judged to fail, the staff member's mobile device is marked, alarm information is sent to the data sharing private network, the encrypted files in the virtual space are returned along their original path, and the current virtual space is closed, cleaning up all residues and traces of the encrypted files.
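The virtual-space decision procedure above, modelled as an added Python example that is not the patent's code: the file grade, SMS result, signature halves and face-similarity scores are constructed inputs, and only the 99% threshold and the pass/fail outcomes come from the text. The signature-half comparison uses a constant-time compare, which the page does not specify.

```python
"""Decision logic of the 'virtual space' verification step in CN116566723A.
Added example with constructed inputs; not the patent's code."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

FACE_THRESHOLD = 0.99  # the page: similarity >= 99 % passes, < 99 % fails


@dataclass
class VirtualSpace:
    """The independent space between the private network and the staff device."""
    file_grade: str                 # "primary" or "secondary"
    encrypted_file: bytes
    is_open: bool = True
    device_flagged: bool = False
    key_released: bool = False
    events: List[str] = field(default_factory=list)

    def close(self, reason: str) -> None:
        # Return the file along its original path and leave no trace of it here.
        self.encrypted_file = b""
        self.is_open = False
        self.events.append(f"closed: {reason}")


def verify_secondary(space: VirtualSpace, sms_passed: bool) -> bool:
    """Secondary file: periodic SMS verification.  A pass releases the private
    key for one period only; a failure closes the virtual space."""
    if space.file_grade != "secondary" or not space.is_open:
        return False
    if sms_passed:
        space.key_released = True
        space.events.append("sms passed: key released for one period")
        return True
    space.close("sms verification failed")
    return False


def verify_primary(space: VirtualSpace, preset_signature: bytes,
                   completed_half: bytes,
                   face_similarity: Optional[float] = None) -> bool:
    """Primary file: the stored signature is split in half, one half is sent
    to the device and the staff member must complete the other half.  On a
    mismatch the page requires a face check against the preset features;
    below the 99 % threshold the device is flagged, an alarm is raised and
    the space is closed."""
    if space.file_grade != "primary" or not space.is_open:
        return False
    half = len(preset_signature) // 2
    sent_half, expected_half = preset_signature[:half], preset_signature[half:]
    space.events.append(f"signature half sent: {sent_half!r}")
    # constant-time comparison so timing does not leak how much of it matched
    if hmac.compare_digest(completed_half, expected_half):
        space.key_released = True
        space.events.append("signature verified: key released")
        return True
    space.events.append("signature mismatch: face verification required")
    if face_similarity is not None and face_similarity >= FACE_THRESHOLD:
        space.key_released = True
        space.events.append(f"face verified ({face_similarity:.1%}): key released")
        return True
    space.device_flagged = True
    space.events.append("alarm sent to data sharing private network")
    space.close("face verification failed")
    return False


if __name__ == "__main__":
    # constructed run: wrong signature half, then a 98 % face match -> denied
    space = VirtualSpace("primary", b"<constructed ciphertext>")
    print(verify_primary(space, b"ABCDEFGH", b"XXXX", 0.98), space.events)
```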
The above embodiments are only for illustrating the technical method of the present invention and not for limiting the same, and it should be understood by those skilled in the art that the technical method of the present invention may be modified or substituted without departing from the spirit and scope of the technical method of the present invention.

Claims (6)

1. A local area network information security transmission method, characterized by comprising the following steps:
s1: constructing a data sharing private network using VPN technology, uploading the data to be encrypted into the data sharing private network, and encrypting the data with a TPM security chip;
s2: the staff member registers and logs in to the data sharing private network through VPN private network software, selects the required encrypted file, and transmits the selected encrypted file into the virtual space;
s3: the staff member is verified in the virtual space; on successful verification the secret key in the TPM security chip is obtained and used to decrypt the encrypted file and obtain the data in it.
2. The local area network information security transmission method according to claim 1, wherein the process of constructing the data sharing private network comprises:
constructing a data sharing private network using VPN technology, in which a plurality of data of different grades are placed; performing hardware key encryption on the data of different grades with a TPM security chip to obtain encrypted files of different grades, namely primary encrypted files and secondary encrypted files; and storing the hardware key in the TPM security chip.
3. The local area network information security transmission method according to claim 2, wherein the process of encrypting the data with the TPM security chip comprises:
creating a hardware key through the TPM security chip, the hardware key being calculated from a random number inside the TPM security chip, and determining the key length according to formula I: n = q × p;
where q is a first preset prime number, p is a second preset prime number and n is the key length;
determining, from the key length and formula II, a first quantity φ compatible with the key length;
randomly generating a first target number e coprime with φ, e being a positive number smaller than φ, and determining a second target number d from φ, e and formula III: e · d mod φ = 1;
where e is the first target number and d is the second target number;
determining the hardware key from the first target number, the second target number and the key length, the hardware key comprising a private key (n, d) and a public key (n, e).
4. The local area network information security transmission method according to claim 3, wherein the process by which staff register and log in with personal information through the VPN private network software comprises:
setting a registration port and a login port in the VPN private network software, and entering personal basic information at the registration port, the personal basic information comprising name, gender, age, position and a real-name authenticated mobile phone number;
entering the data sharing private network through the login port; without the VPN private network software the data sharing private network cannot be logged in to through a web link.
5. The local area network information security transmission method according to claim 4, wherein the process by which the staff member selects the encrypted file in the data sharing private network comprises:
a popup window is shown on the staff member's mobile device and a preset electronic signature is set through the popup window; the camera permission of the staff member's mobile device is requested and the staff member's preset facial features are captured; a database is established, and the preset facial features and the preset electronic signature are stored in the database and bound to the staff member's personal basic information; the staff member then selects the required encrypted files in the data sharing private network, and the data sharing private network sends the selected encrypted files into a virtual space, the virtual space being an independent space established between the data sharing private network and the staff member's mobile device.
6. The local area network information security transmission method according to claim 5, wherein the process of decrypting the encrypted file in the virtual space comprises:
the staff member reads the held public key of the TPM security chip, verifies the encrypted file in the virtual space with that public key, and obtains the private key in the TPM security chip after verification;
if the encrypted file is a secondary encrypted file, periodic mobile phone SMS verification is performed on the staff member; if the verification passes, the staff member is allowed to obtain the private key in the TPM security chip for the secondary encrypted file for a single period; if the staff member fails the SMS verification, the virtual space is closed;
if the encrypted file is a primary encrypted file, electronic signature verification is performed on the staff member: the preset electronic signature is retrieved from the database and split in half, the split half is sent to the staff member's mobile terminal, and the staff member completes the other half of the electronic signature;
if the completed electronic signature is consistent with the preset electronic signature, the private key in the TPM security chip is obtained, the encrypted file is decrypted successfully to obtain the data, and the virtual space sends the decrypted data to the staff member's mobile device;
if the completed electronic signature is inconsistent with the preset electronic signature, facial verification is required: the staff member's current facial features are captured and compared with the preset facial features retrieved from the database; if the similarity is greater than or equal to 99%, facial verification is judged to pass and the staff member obtains the private key in the TPM security chip;
if the similarity is smaller than 99%, facial verification is judged to fail, the staff member's mobile device is marked, alarm information is sent to the data sharing private network, the encrypted file is returned along its original path, and the current virtual space is closed.
Application CN202310679166.XA, priority date 2023-06-09, filing date 2023-06-09, "Local area network information safety transmission method", status pending, published as CN116566723A (en) on 2023-08-08.


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination