CN116915388A

CN116915388A - Information transmission method, related equipment and storage medium

Info

Publication number: CN116915388A
Application number: CN202211490615.8A
Authority: CN
Inventors: 沈斌斌; 池庆国; 汤敏彦; 潘梦圆
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Priority date: 2022-11-25
Filing date: 2022-11-25
Publication date: 2023-10-20

Abstract

The application discloses an information transmission method, related equipment and a storage medium. The method comprises the following steps: the first device determines a first key and first information, and obtains second information and a time stamp by using the first key, a second key in the first information and a first encryption algorithm; encrypting the second information, the third information and the time stamp by using a second encryption algorithm to obtain fourth information; encrypting the first data, the third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information; encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information; and transmitting the sixth information and the identification to the second device. According to the scheme provided by the application, in the authentication process, the first equipment adopts the encryption algorithm to encrypt the authentication related information layer by layer, and the second equipment adopts the repeated encryption mode to authenticate, so that the risk of information leakage in the transmission process can be reduced, and the safety is ensured.

Description

Information transmission method, related equipment and storage medium

Technical Field

The present application relates to the field of network security technologies, and in particular, to an information transmission method, a related device, and a storage medium.

Background

With the rapid development of computer technology, the bottom capability of the internet cloud is gradually valued, and can provide assistance for enterprise development application programs. To invoke the underlying capabilities of the cloud, the application typically communicates with the cloud based on hypertext transfer protocol (HTTP, hyper Text Transfer Protocol) or hypertext transfer security protocol (HTTPs, hyper Text Transfer Protocol Secure). However, with the capability of the bottom layer of the cloud end open, there may be a security risk caused by a malicious attack, thereby affecting the stability of the cloud end.

In order to ensure stability of the cloud, in the process of calling the bottom layer capability of the cloud through a network transmission protocol (such as HTTP or HTTPS), an application party can send authentication information so as to authenticate the cloud and provide the bottom layer capability for the application party after the authentication is passed. Therefore, the safety risk can be reduced, and the stability of the cloud end is guaranteed. However, in the related art, there is a risk of information leakage, i.e., security is low, in the authentication process.

Disclosure of Invention

In order to solve the related technical problems, the embodiment of the application provides an information transmission method, related equipment and a storage medium.

The technical scheme of the embodiment of the application is realized as follows:

The embodiment of the application provides an information transmission method, which is applied to first equipment and comprises the following steps:

determining a first key and first information, and obtaining second information and a time stamp by using the first key, a second key in the first information and a first encryption algorithm, wherein the first information comprises information obtained by negotiation with second equipment;

encrypting the second information, the third information and the timestamp by using a second encryption algorithm to obtain fourth information, wherein the third information represents the resource of the second equipment to be accessed;

encrypting first data, a third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information, wherein the first data comprises an identifier of the first device, and the third key is associated with the first data;

encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information;

and sending the sixth information and an identifier to the second device, wherein the sixth information is used for authenticating the first device, and the identifier is associated with the second key and the first data.

In the above solution, the encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information includes:

generating a first parameter in a random manner;

determining the fourth encryption algorithm using the first parameter;

splicing the first key, the timestamp, the fourth information and the fifth information to obtain seventh information;

and obtaining the sixth information by using the fourth encryption algorithm, the seventh information and the first parameter.

In the above solution, encrypting the first data, the third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information includes:

splicing the third key and the timestamp to obtain eighth information;

encrypting the eighth information by using a fifth encryption algorithm to obtain the encrypted eighth information;

and obtaining the fifth information by using the third encryption algorithm, the first data and the encrypted eighth information.

In the above scheme, the determining the first key includes:

obtaining a second parameter and a third parameter in a random manner;

Determining the first key using the second parameter and the third parameter.

The embodiment of the application also provides an information transmission method which is applied to the second equipment and comprises the following steps:

receiving sixth information and an identifier sent by first equipment, wherein the sixth information is used for authenticating the first equipment, the identifier is associated with a second key and first data in the first information, and the first information comprises information obtained by negotiation with the first equipment;

obtaining a first key, a time stamp, fourth information and fifth information by using a first decryption algorithm and the sixth information;

determining the second key and the first data by using the identifier, and obtaining ninth information by using the first key, the second key and a first encryption algorithm, wherein the first data comprises the identifier of the first device;

determining third information, and encrypting the ninth information, the third information and the timestamp by using a second encryption algorithm to obtain tenth information, wherein the third information represents resources of the second equipment to be accessed;

determining a third key, and encrypting the first data, the third key and the timestamp by using a third encryption algorithm to obtain eleventh information, wherein the third key is associated with the first data;

And determining that the first device is authenticated when the fourth information matches the tenth information and the fifth information matches the eleventh information.

In the above solution, the obtaining the first key, the timestamp, the fourth information and the fifth information by using the first decryption algorithm and the sixth information includes:

acquiring a first parameter, and determining the first decryption algorithm by using the first parameter;

obtaining twelfth information by using the first decryption algorithm and the sixth information;

dividing the twelfth information to obtain the first key, the timestamp, the fourth information and the fifth information.

In the above solution, encrypting the first data, the third key, and the timestamp by using a third encryption algorithm to obtain eleventh information includes:

splicing the third key and the timestamp to obtain thirteenth information;

encrypting the thirteenth information by using a fifth encryption algorithm to obtain the encrypted thirteenth information;

and obtaining the eleventh information by using the third encryption algorithm, the first data and the encrypted thirteenth information.

The embodiment of the application also provides first equipment, which comprises: a first processor and a first memory for storing a computer program capable of running on the processor,

the first processor is configured to execute any one of the steps of the method on the first device side when running the computer program.

The embodiment of the application also provides a second device, which comprises: a second processor and a second memory for storing a computer program capable of running on the processor,

and the second processor is used for executing any step of the method at the second equipment side when the computer program is run.

The embodiment of the application also provides a storage medium, on which a computer program is stored, the computer program implementing the steps of any method on the first equipment side or implementing the steps of any method on the second equipment side when being executed by a processor.

The first device determines a first key and first information, and obtains second information and a timestamp by using the first key, a second key in the first information and a first encryption algorithm, wherein the first information comprises information obtained by negotiation with the second device; encrypting the second information, the third information and the timestamp by using a second encryption algorithm to obtain fourth information, wherein the third information represents the resource of the second equipment to be accessed; encrypting first data, a third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information, wherein the first data comprises an identifier of the first device, and the third key is associated with the first data; encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information; transmitting the sixth information and an identification to the second device, the sixth information being used for authenticating the first device, the identification being associated with the second key and the first data; the second device obtains a first key, a time stamp, fourth information and fifth information by using a first decryption algorithm and the sixth information; determining the second key and the first data by using the identifier, and obtaining ninth information by using the first key, the second key and a first encryption algorithm; determining third information, and encrypting the ninth information, the third information and the timestamp by using a second encryption algorithm to obtain tenth information; determining a third key, and encrypting the first data, the third key and the timestamp by using a third encryption algorithm to obtain eleventh information; and determining that the first device is authenticated when the fourth information matches the tenth information and the fifth information matches the eleventh information. In the scheme provided by the embodiment of the application, in the authentication process of the application side (namely the first device) and the service side (namely the second device), the application side encrypts the authentication related information layer by adopting a plurality of encryption algorithms, and the service side authenticates the authentication related information encrypted at the application side by adopting a repeated encryption mode. Therefore, the encrypted information is difficult to crack, the risk of information leakage in the transmission process can be reduced, and the safety is ensured.

Drawings

Fig. 1 is a schematic flow chart of a first method for information transmission according to an embodiment of the present application;

fig. 2 is a flow chart of a second method for information transmission according to an embodiment of the present application;

FIG. 3 is a flow chart of a method of encrypting by using an authentication algorithm according to an application example of the present application;

FIG. 4 is a flow chart of a method for decrypting by using an authentication algorithm according to an application example of the present application;

fig. 5 is a schematic structural diagram of a first information transmission device according to an embodiment of the present application;

fig. 6 is a schematic structural diagram of a second information transmission device according to an embodiment of the present application;

FIG. 7 is a schematic diagram of a first device according to an embodiment of the present application;

FIG. 8 is a schematic diagram of a second apparatus according to an embodiment of the present application;

fig. 9 is a schematic diagram of an information transmission system according to an embodiment of the application.

Detailed Description

The present application will be described in further detail with reference to the accompanying drawings and examples.

In the related art, common authentication schemes include a static authentication scheme and a dynamic authentication scheme. In the static authentication scheme, an application party and a service party (namely a cloud) providing bottom layer capability can obtain an inherent value through negotiation; when the application sends a request to the service side, the intrinsic value of negotiation can be added into the request head; after receiving the request, the server judges whether the request is a target user or not by checking whether the request header contains the negotiated intrinsic value, so as to realize authentication of the application party, and if the request is contained, the server provides corresponding bottom layer capacity for the application party; if not, the service side refuses to provide the application side with the corresponding underlying capability.

However, there is a certain safety risk in the above manner of transmitting the static parameters (i.e., the eigenvalues). Once the intrinsic value is leaked in the transmission process, for example, the intrinsic value is stolen by a third party, the stability of the cloud is affected. That is, the static authentication scheme has a risk of leakage of an intrinsic value, i.e., security is low.

Aiming at the dynamic authentication scheme, an application party encrypts authentication parameters by utilizing a related encryption algorithm and sends the encrypted authentication parameters to a service party through a request; the server decrypts the encrypted authentication parameters in the request by using a corresponding decryption algorithm to judge whether the application party is a target user, thereby realizing authentication of the application party. The encryption algorithms include symmetric encryption algorithms (such as data encryption standard (DES, data Encryption Standard), advanced encryption standard (AES, advanced Encryption Standard)) and asymmetric encryption algorithms (such as Message Digest Algorithm (MD 5), secure hash Algorithm (SHA, secure Hash Algorithm), and RSA (Rivest Shamir Adleman) Algorithm), among others. However, with the development of technologies such as network intrusion, corresponding cracking methods exist for some types of encryption algorithms, so that a single encryption algorithm is easily found and reversely cracked by a third party, and important privacy information in authentication parameters is revealed.

In summary, in the related art, the information may be cracked in the authentication process, which may lead to disclosure of important privacy information, i.e. there is a problem of low security.

Based on this, in various embodiments of the present application, in the process of communication based on a network transmission protocol (such as HTTP or HTTPs), an application side encrypts authentication related information layer by using an encryption algorithm, and a service side authenticates authentication related encrypted on the application side by using a repeated encryption manner, so as to reduce risk of information leakage in the authentication process, and improve security.

The embodiment of the application provides an information transmission method, which is applied to first equipment, as shown in fig. 1, and comprises the following steps:

step 101: determining a first key and first information, and obtaining second information and a time stamp by using the first key, a second key in the first information and a first encryption algorithm, wherein the first information comprises information obtained by negotiation with second equipment;

step 102: encrypting the second information, the third information and the timestamp by using a second encryption algorithm to obtain fourth information, wherein the third information represents the resource of the second equipment to be accessed;

Step 103: encrypting first data, a third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information, wherein the first data comprises an identifier of the first device, and the third key is associated with the first data;

step 104: encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information;

step 105: and sending the sixth information and an identifier to the second device, wherein the sixth information is used for authenticating the first device, and the identifier is associated with the second key and the first data.

In practical application, the first device may be referred to as a requester, an application party, a client, etc., which is not limited in the embodiment of the present application, so long as the function thereof is implemented.

In addition, the second device may be called a server, a cloud, etc., which is not limited in the embodiment of the present application, so long as the function thereof is implemented.

In practical application, before step 101, the first device needs to negotiate relevant parameters in the authentication process with the second device, which may specifically include an identifier, a second key and first data in the first information; that is, the first device side and the second device side may establish an association relationship of the identifier, the second key, and the first data. In this way, during the authentication process, the second device may determine the corresponding second key and the first data according to the identifier, so as to implement authentication of the first device.

Illustratively, in the negotiation process, the first device and the second device may interact based on protocols such as HTTP, HTTPs, and the like, which is not limited by the embodiment of the present application.

After the negotiation is completed, the first device may generate the first key in a random manner, so as to reduce the risk of cracking information due to encryption by using the fixed key.

Specifically, in an embodiment, the determining the first key includes:

obtaining a second parameter and a third parameter in a random manner;

determining the first key using the second parameter and the third parameter.

The value ranges of the second parameter and the third parameter may be set according to needs, for example, 0 to 1000, which is not limited in the embodiment of the present application; that is, the first device may randomly select two natural numbers from the set value range, and use the selected two natural numbers as the second parameter and the third parameter, respectively.

In practical application, the first device may obtain the first key through the second parameter and the third parameter, where the first key may also be referred to as a dynamic private key, which is not limited by the embodiment of the present application.

Illustratively, the first device may sum the second parameter and the third parameter to obtain a sum result; the first key can be obtained by converting the result of the summation into hexadecimal form. The embodiment of the application does not limit the way of obtaining the first key.

Then, the first device encrypts the first key and the second key through a first encryption algorithm to obtain second information; the first encryption algorithm may include md5, and the type of the first encryption algorithm is not limited in the embodiment of the present application, so long as the function thereof is implemented.

In addition, the first device may further obtain the current time in real time, so that the timestamp is obtained according to the obtained current time. Illustratively, the first device obtains the timestamp by converting the current time into hexadecimal form; under the scene that letters exist in the current time, the first device needs to carry out capitalization processing on the letters in the current time, and then converts the processed current time into hexadecimal form to obtain a time stamp.

In practice, in order to access the resources of the second device (which may also be understood as obtaining the underlying capabilities of the second device), the first device may generate a request to enable the second device to provide the resources to the first device after the authentication is passed. In this case, the first device is further capable of determining the requested third information; wherein the third information may comprise a uniform resource locator (URL, uniform Resource Locator) of the request. The embodiment of the application does not limit the manner of determining the third information.

Then, by encrypting the second information, the third information, and the timestamp using the second encryption algorithm, the first device may obtain the fourth information, the second encryption algorithm may include md5, and the types of the second encryption algorithm and the first encryption algorithm may be the same or different, and the embodiment of the present application does not limit the type of the second encryption algorithm as long as the function thereof is implemented.

Illustratively, the first device is capable of generating a first result by concatenating the third information and the timestamp; next, the first result and the second information are encrypted using md5 to obtain the fourth information.

In practical application, the identifiers of the plurality of devices and the corresponding keys are stored in the database in advance, so that the first device can search the keys corresponding to the identifiers from the database by utilizing the identifiers, thereby obtaining the third key.

Here, after determining the third key, the first device may obtain the fifth information by using the third encryption algorithm, the first data in the first information, the third key, and the timestamp, where the third encryption algorithm may include a DES algorithm, and the embodiment of the present application does not limit a type of the third encryption algorithm as long as a function thereof is implemented.

Specifically, in an embodiment, the encrypting, by using a third encryption algorithm, the first data, the third key, and the timestamp in the first information to obtain fifth information includes:

splicing the third key and the timestamp to obtain eighth information;

The fifth encryption algorithm includes a Hash message authentication code (HMAC, hash-based Message Authentication Code), and the embodiment of the present application does not limit the type of the fifth encryption algorithm, so long as the function thereof is implemented.

Here, the first device may obtain the eighth information based on the manner of the request. For example, in the case that the request mode is POST, the incoming parameters of the request are not null, and the incoming parameters of different requests are different, at this time, the first device may splice the incoming parameters of the request, the third key, and the timestamp, to obtain the eighth information. And under the condition that the request mode is GET, the incoming parameter of the request is null, and at the moment, the first device can splice the third key and the timestamp to obtain the eighth information. In this way, the eighth information corresponding to the different request can be obtained.

In the actual application process, in the process of generating the fifth information, the first device may splice the first data and the encrypted eighth information to obtain a second result; and encrypting the second result using the third encryption algorithm to obtain the fifth information.

Here, since the eighth information is associated with the request and dynamically changed, the encrypted information obtained based on the eighth information is difficult to crack, and the security is ensured.

In practical applications, in order to reduce the possibility of cracking the information due to the fixed encryption, the first device may encrypt by using a random encryption method to obtain the sixth information.

Specifically, in an embodiment, the encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information includes:

generating a first parameter in a random manner;

determining the fourth encryption algorithm using the first parameter;

The value range of the first parameter may be set according to requirements, for example, 0 to 1999, which is not limited in the embodiment of the present application.

In practical application, the first device may determine the fourth encryption algorithm according to the parity of the first parameter, and the embodiment of the present application does not limit a manner of determining the fourth encryption algorithm, so long as a function thereof is implemented.

Illustratively, if the first parameter is odd, the first device takes an RSA encryption algorithm as the fourth encryption algorithm; if the first parameter is even, the first device uses elliptic curve cryptography (ECC, ellipse Curve Ctyptography) encryption algorithm as the fourth encryption algorithm.

Here, after determining the fourth encryption algorithm, the first device may obtain the seventh information by concatenating the first key, the timestamp, the fourth information, and the fifth information. Then, the first device encrypts the seventh information by using the fourth encryption algorithm, and splices the encrypted seventh information and the first parameter, so that the sixth information can be generated.

It should be noted that, in the process of splicing, the first device needs to add a splice identifier between different pieces of information, so that the second device can determine how to accurately divide the sixth information and the seventh information based on the splice identifier.

In practical application, after the sixth information is generated, the first device may send a request to the second device, where the request at least carries the sixth information and the identifier, so that the second device authenticates the first device, and provides resources corresponding to the request for the first device after the authentication is passed.

Correspondingly, the embodiment of the application also provides an information transmission method which is applied to the second equipment, as shown in fig. 2, and comprises the following steps:

step 201: receiving sixth information and an identifier sent by first equipment, wherein the sixth information is used for authenticating the first equipment, the identifier is associated with a second key and first data in the first information, and the first information comprises information obtained by negotiation with the first equipment;

step 202: obtaining a first key, a time stamp, fourth information and fifth information by using a first decryption algorithm and the sixth information;

step 203: determining the second key and the first data by using the identifier, and obtaining ninth information by using the first key, the second key and a first encryption algorithm, wherein the first data comprises the identifier of the first device;

step 204: determining third information, and encrypting the ninth information, the third information and the timestamp by using a second encryption algorithm to obtain tenth information, wherein the third information represents resources of the second equipment to be accessed;

step 205: determining a third key, and encrypting the first data, the third key and the timestamp by using a third encryption algorithm to obtain eleventh information, wherein the third key is associated with the first data;

Step 206: and determining that the first device is authenticated when the fourth information matches the tenth information and the fifth information matches the eleventh information.

In practical application, if the second device generates a key pair (including a public key and a private key) for a first device of a different manufacturer to authenticate the first device through the key pair (i.e., the first device encrypts authentication information by using the public key and the second device decrypts the authentication information by using the private key), it is necessary to generate a specific key pair for the different manufacturer and provide the public key to the manufacturer, so that the authentication step is complicated. In order to simplify the authentication step, the second device may perform authentication by repeating the encryption process; specifically, the second device encrypts the related parameters by adopting the same encryption flow as the first device, then compares the encrypted result of the second device side with the encrypted result of the first device side, and realizes the authentication of the first device according to the comparison result. In this way, the second device does not need to generate different key pairs for the first device of different vendors, and only needs to negotiate the encryption flow with the first device.

Therefore, before step 201, in the process of negotiating between the first device and the second device, an encryption process needs to be determined, so that the second device can determine how to encrypt the relevant parameters, and then authenticate the first device.

In actual application, after receiving the request sent by the first device, the second device determines that the second key and the first data in the first information can be obtained by using the identifier, and executes step 202; the above process may also be understood as performing static authentication on the first device, that is, performing authentication on the first device through a static parameter (i.e., the identifier) obtained through negotiation.

Here, if it is determined that the second key and the first data in the first information cannot be obtained using the identification, it is interpreted that authentication has failed, at which time the second device may send a response to the first device to notify the first device of the authentication result.

Next, in order to decrypt the sixth information carried in the request, the second device needs to determine a first decryption algorithm to decrypt, so as to obtain related information such as the first key, the timestamp, and the like.

Based on this, in an embodiment, the obtaining the first key, the timestamp, the fourth information, and the fifth information using the first decryption algorithm and the sixth information includes:

Here, in the encryption process, since the sixth information is obtained by splicing the first device based on the two parts of content (including the first parameter and the encrypted seventh information), the second device can divide the sixth information based on the splicing identifier, thereby obtaining the first parameter. In addition, since the second device negotiates the flow of encryption with the first device, the second device may determine a corresponding first decryption algorithm according to the parity of the first parameter. The embodiment of the application does not limit the manner of determining the first decryption algorithm.

Illustratively, if the first parameter is odd, the second device takes an RSA decryption algorithm as the first decryption algorithm; if the first parameter is even, the second device takes an ECC decryption algorithm as the first decryption algorithm.

In actual application, the first decryption algorithm is used for decrypting, and the second device can obtain the twelfth information; based on the splice identification, the second device may accurately divide the twelfth information, thereby obtaining the first key, the timestamp, the fourth information, and the fifth information.

Here, for the time stamp, the second device can implement verification of the time stamp by converting the time stamp into a decimal form. Specifically, if the timestamp can be successfully converted into a decimal form, the second device can continue to verify the fourth information and the fifth information by verifying the timestamp, so as to finish authentication of the first device; otherwise, the time stamp is not checked, that is, the first device is not authenticated, and at this time, the second device may send a response to the first device to notify the result of authentication failure.

In addition, based on the request sent by the first device, the second device can determine the third information, and at the same time, by using the first data found, the second device can also determine a third key corresponding to the first data from the database.

In practical application, after determining relevant parameters required in the authentication process, the second device may encrypt the relevant parameters by using the same encryption process as the first device; specifically, the second device obtains the ninth information by using the first encryption algorithm to the first key and the second key; further, encrypting the ninth information, the third information, and the timestamp using the second encryption algorithm, the second device may generate the tenth information. In addition, the second device encrypts the first data, the third key, and the timestamp using the third encryption algorithm to obtain the eleventh information.

Specifically, in an embodiment, the encrypting the first data, the third key, and the timestamp with a third encryption algorithm to obtain eleventh information includes:

splicing the third key and the timestamp to obtain thirteenth information;

Here, in actual application, the second device may splice the first data and the encrypted thirteenth information to obtain a third result; and encrypting the third result using the third encryption algorithm to obtain the eleventh information.

In the actual application, in step 206, the second device may obtain a first matching result by matching the fourth information with the tenth information; by matching the fifth information and the eleventh information, a second comparison result can be obtained. In the case that the first matching result indicates that the fourth information and the tenth information match (which may be understood as the same), and the second matching result indicates that the fifth information and the eleventh information match, the second device can determine that the first device is authenticated, and provide a resource corresponding to the request for the first device; otherwise, indicating authentication failure, the second device may send a response to the first device to notify the authentication result.

According to the information transmission method provided by the embodiment of the application, a first device determines a first key and first information, and obtains second information and a time stamp by using the first key, a second key in the first information and a first encryption algorithm, wherein the first information comprises information obtained by negotiation with a second device; encrypting the second information, the third information and the timestamp by using a second encryption algorithm to obtain fourth information, wherein the third information represents the resource of the second equipment to be accessed; encrypting first data, a third key and the timestamp in the first information by using a third encryption algorithm to obtain fifth information, wherein the first data comprises an identifier of the first device, and the third key is associated with the first data; encrypting the first key, the timestamp, the fourth information and the fifth information by using a fourth encryption algorithm to obtain sixth information; transmitting the sixth information and an identification to the second device, the sixth information being used for authenticating the first device, the identification being associated with the second key and the first data; the second device obtains a first key, a time stamp, fourth information and fifth information by using a first decryption algorithm and the sixth information; determining the second key and the first data by using the identifier, and obtaining ninth information by using the first key, the second key and a first encryption algorithm; determining third information, and encrypting the ninth information, the third information and the timestamp by using a second encryption algorithm to obtain tenth information; determining a third key, and encrypting the first data, the third key and the timestamp by using a third encryption algorithm to obtain eleventh information; and determining that the first device is authenticated when the fourth information matches the tenth information and the fifth information matches the eleventh information. According to the scheme provided by the embodiment of the application, in the authentication process of the application side and the service side, the application side encrypts the authentication related information layer by adopting a plurality of encryption algorithms, and the service side authenticates the authentication related information encrypted on the application side by adopting a repeated encryption mode. Therefore, the encrypted information is difficult to crack, the risk of information leakage in the transmission process can be reduced, and the safety is ensured.

The application is described in further detail below in connection with application examples.

In order to solve the problem that information in an authentication encryption scheme is easy to leak, in this application example, an authentication scheme is provided, which is composed of a plurality of different encryption algorithms; the application side (namely the first equipment) adopts a plurality of different encryption algorithms, can realize the layer-by-layer encryption of the authentication related information, and then sends the encrypted authentication related information to the service side; after receiving the encrypted authentication related information, the service side (namely the second device) verifies the authentication related information in a repeated encryption mode, so that authentication of the application side is realized.

Specifically, the encryption process of the application party by adopting the authentication algorithm, as shown in fig. 3, comprises the following steps:

step 301: the application side determines parameters required by encryption;

in practical application, before step 301, the application side negotiates with the service side to obtain a negotiated field value (Accesskey) (i.e. the identifier), a first key (key) (i.e. the second key) and enterprise information (cpid) (i.e. the first data). The Accesskey may be understood as a static parameter (may also be referred to as a field value) negotiated by the application and the service party, and the cpid may be understood as an identity of the application party.

Here, in actual application, in order to obtain the underlying capability of the server (which may also be understood as a need to access the resource of the server), the application side generates a request, where the request includes at least a request header and a request body (english may be expressed as body); in this case, the application may determine the URL of the request.

In this way, the application can determine URL, key, cpid and Accesskey required for encryption, and then, step 302 is performed.

Step 302: the application side generates a dynamic private key n1 (namely the first key);

here, the application randomly selects two parameters (i.e., the second parameter and the third parameter described above) from the value range of 0-99999, adds the two parameters, and converts the added result into a 16-ary form to obtain the dynamic private key n1, and then, performs step 303.

Step 303: the application side determines k2 (namely the second information) according to the key, and simultaneously, determines time;

in practical application, the application party encrypts n1 and the key by using md5 (i.e. the first encryption algorithm), so as to obtain k2.

In addition, the application side can acquire the current time to obtain a time stamp (timestamp) according to the time. Specifically, by converting the time into a 16-ary form, the application can obtain a timestamp; in the specific time format, if letters exist in time, an application party needs to capitalize the letters, and then the processed time is converted into a 16-system form to obtain the timestamp. Then, step 304 is performed.

Step 304: the application side generates information (message) according to the URL and the timestamp (i.e., the eighth information described above), and performs step 305;

in practical application, the application party can obtain the message by splicing the URL and the timestamp. Then, the application side needs to judge whether the incoming parameter (i.e. the request body) is empty; if not, a new message is obtained by using the incoming parameters.

For example, if the request is GET, the application side can determine that the incoming parameter is empty, and keep the original message; if the request mode is POST, the application side determines that the incoming parameter is not null, and at the moment, the application side combines the incoming parameter with the message to obtain a new message.

Step 305: using md5 (i.e., the second encryption algorithm described above), the application generates token1 (i.e., the fourth information described above);

specifically, the application party encrypts k2 and the message by using md5, and can generate token1.

Step 306: using cpid, the application side queries from the database to obtain the corresponding n2;

in actual application, since a plurality of enterprise information and corresponding keys are stored in the database in advance, the application party can query the database for the corresponding n2 according to the cpid, and then step 307 is performed.

Step 307: the application side generates a token2 (namely fifth information) according to n2, timestamp and cpid;

here, the application party encrypts n2 and timestamp by using the HmacSHA256 algorithm (i.e., the fifth encryption algorithm) to obtain an encrypted ciphertext; the encrypted ciphertext and the cpid are spliced to obtain signature information (sign); the token2 can be obtained by encrypting sign by DES (i.e., the third encryption algorithm described above). Then, step 308 is performed.

It should be noted that the execution sequence of steps 304 to 305 and steps 306 to 307 is not sequential.

Step 308: the application side generates a token3 (namely the seventh information) according to the n1, the timestamp, token1 and the token 2; then, step 309 is performed;

the application party generates a token3 by splicing n1, timestamp, token1 and token2.

Step 309: the application party randomly generates a selection code x and executes step 310;

where x is a randomly generated natural number.

Step 310: the application side judges whether x is an odd number or not;

here, if x is an odd number, step 311 is performed; otherwise, step 312 is performed.

Step 311: the application party encrypts the token3 by adopting an RSA encryption algorithm (namely the fourth encryption algorithm) to obtain an encrypted token3, and then, step 313 is executed;

Step 312: the application party encrypts the token3 by using an ECC encryption algorithm (i.e., the fourth encryption algorithm described above) to obtain an encrypted token3, and then, step 313 is executed;

step 313; based on the encrypted token3 and x, the application party generates authentication information (i.e., the sixth information described above).

In practical application, the authority can be obtained by splicing the encrypted token3 and the encrypted token x. Then, the application side adds the Access key to the request header of the request, and simultaneously adds the authentications to the body of the request, and sends the request to the server side based on HTTP/HTTPS to request for obtaining the underlying capabilities of the server side.

Specifically, the process of decrypting by the service side using the authentication algorithm, as shown in fig. 4, includes the following steps:

step 401: the server receives a request sent by the application;

in actual application, before step 401, the server negotiates an encryption mode with the application party in the negotiation process, so that the server can determine the encryption flow of the application party side, so as to authenticate the application party subsequently.

Then, the server acquires an Access key from the request header of the request to perform static authentication. Specifically, the server searches the parameters matched with the Access key from the database, if the matched parameters can be found, the static authentication is passed, and step 402 is executed; otherwise, the service side can send a response to the requester to inform the result of authentication failure.

Step 402: based on the request, the service side acquires a selection code x;

in actual application, a service side acquires an Authorization from a requested body and obtains x based on the Authorization; because the authentications are obtained by splicing encrypted token3 and x, the server can divide the authentications according to the identifiers added in the splicing process to obtain x and encrypted token3, and can determine the requested URL. Then, step 403 is performed.

Step 403: the server judges whether x is an odd number;

if x is an odd number, step 404 is executed; otherwise, step 405 is performed.

Here, since the service side and the application side negotiate the encryption scheme in advance, the service side may select a decryption algorithm corresponding to the encryption algorithm according to the parity of x to decrypt to obtain token3.

Step 404: the server decrypts the encrypted token3 by adopting an RSA decryption algorithm (namely the first decryption algorithm), and executes step 406;

step 405: the server decrypts the encrypted token3 by using an ECC decryption algorithm (i.e., the first decryption algorithm described above), and executes step 406;

step 406: the server obtains the encrypted token3 (i.e., the twelfth information), and then, step 407 is performed;

Step 407: the server divides the encrypted token3 to obtain a0 (also called n 1), a1 (also called timestamp), a2 (also called token 2) and a3 (also called token 3);

specifically, the server may accurately divide the token3 according to the identifier added in the splicing process, so as to obtain a0, a1, a2 and a3. Then, step 408 is performed.

Step 408: the server side judges whether the a1 can be reversely converted to obtain time;

here, if the service side can convert a1 into decimal form, resulting in time, step 413 is performed; otherwise, it is indicated that the authentication is not passed, at which time the server may send a response to the application, the response being used to inform the application of the authentication result.

Step 409: based on a0 and key, the server generates a2' (i.e., tenth information described above);

similar to the description of steps 303 to 305, the server encrypts a0 and the key with md5 to obtain k2' (i.e. the ninth information described above); generating message1 according to the URL and a 1; using md5, messages 2 and k2 'are encrypted to yield a2', and then step 410 is performed.

Step 410: the server judges whether a2 is equal to a2';

Here, if it is determined that a2 is equal to a2', step 413 is performed; otherwise, the server side can send a response to the application side to inform the application side of the authentication result.

Step 411: the server generates a3' (namely the eleventh information) according to the Access key and the a 1;

in actual application, firstly, the server side can determine the cpid and key negotiated with the application side according to the Access key. Next, similar to the description of steps 306 to 307, according to the cpid, the server can query the database for the corresponding n2; encrypting n2 and a1 by adopting an HmacSHA256 algorithm to obtain encrypted ciphertext (namely thirteenth information); encrypting the encrypted ciphertext and the cpid by using the DES, and generating a3'; step 412 is then performed.

Step 412: the server judges whether a3 is equal to a3';

here, if it is determined that a3 is equal to a3', step 413 is performed; otherwise, the server side can send a response to the application side to inform the application side of the authentication result.

It should be noted that the execution sequence of steps 409 to 410 and steps 411 to 412 is not separate.

Step 413: in case the timestamp is satisfied, it can be converted into time, a2 equals a2 'and a3 equals a3', the server determines that the authentication passes and provides the application with the underlying capability corresponding to the request.

In this application example, a random multiple dynamic encryption algorithm is provided and applied to an application party, wherein different types of encryption modes such as md5 and HMAC are utilized for multiple times in the algorithm, and a token3 is generated by combining dynamically obtained parameters (such as n1 and timestamp); in addition, in order to prevent a third party from stealing the encryption algorithm, the outermost layer encrypts the token3 in a random encryption mode to generate encrypted authentication information, so that the security of information transmission is ensured. In the above process, since the encryption step is complex and a large number of dynamic parameters are used, the encrypted authentication information is difficult to crack, so that the stability of the cloud (which can be understood as the robustness of the cloud) is ensured. In addition, in the encryption process, important privacy information (such as enterprise information) is added into the information, so that the risk of information leakage in the transmission process can be reduced.

In order to implement the method at the first device side in the embodiment of the present application, the embodiment of the present application further provides an information transmission device, which is disposed on the first device, as shown in fig. 5, and the device includes:

a first determining unit 501, configured to determine a first key and first information, and obtain second information and a timestamp by using the first key, a second key in the first information, and a first encryption algorithm, where the first information includes information obtained by negotiating with a second device;

The first processing unit 502 is configured to encrypt the second information, the third information, and the timestamp by using a second encryption algorithm to obtain fourth information, where the third information characterizes a resource of the second device that needs to be accessed;

a second processing unit 503, configured to encrypt, with a third encryption algorithm, first data in the first information, a third key, and the timestamp to obtain fifth information, where the first data includes an identifier of the first device, and the third key is associated with the first data;

a third processing unit 504, configured to encrypt the first key, the timestamp, the fourth information, and the fifth information by using a fourth encryption algorithm, so as to obtain sixth information;

a sending unit 505, configured to send the sixth information and an identifier to the second device, where the sixth information is used to authenticate the first device, and the identifier is associated with the second key and the first data.

Wherein, in an embodiment, the third processing unit 504 is configured to:

generating a first parameter in a random manner;

determining the fourth encryption algorithm using the first parameter;

In an embodiment, the second processing unit 503 is configured to:

splicing the third key and the timestamp to obtain eighth information;

In an embodiment, the first determining unit 501 is configured to:

obtaining a second parameter and a third parameter in a random manner;

determining the first key using the second parameter and the third parameter.

In practical applications, the first determining unit 501, the first processing unit 502, the second processing unit 503, and the third processing unit 504 may be implemented by a processor in an information transmission device, and the sending unit 505 may be implemented by a communication interface in the information transmission device.

In order to implement the method at the second device side in the embodiment of the present application, the embodiment of the present application further provides an information transmission device, which is disposed on the second device, as shown in fig. 6, and the device includes:

A receiving unit 601, configured to receive sixth information and an identifier, where the sixth information is used to authenticate a first device, the identifier is associated with a second key and first data in first information, and the first information includes information obtained by negotiating with the first device;

a fourth processing unit 602, configured to obtain a first key, a timestamp, fourth information, and fifth information by using a first decryption algorithm and the sixth information;

a fifth processing unit 603, configured to determine the second key and the first data by using the identifier, and obtain ninth information by using the first key, the second key, and a first encryption algorithm, where the first data includes the identifier of the first device;

a sixth processing unit 604, configured to determine third information, and encrypt the ninth information, the third information, and the timestamp with a second encryption algorithm to obtain tenth information, where the third information characterizes a resource of the second device that needs to be accessed;

a seventh processing unit 605, configured to determine a third key, and encrypt the first data, the third key, and the timestamp with a third encryption algorithm to obtain eleventh information, where the third key is associated with the first data;

A second determining unit 606, configured to determine that the first device passes authentication when the fourth information matches the tenth information and the fifth information matches the eleventh information.

Wherein, in an embodiment, the fourth processing unit 602 is configured to:

In an embodiment, the seventh processing unit 605 is configured to:

splicing the third key and the timestamp to obtain thirteenth information;

In practical application, the receiving unit 601 may be implemented by a communication interface in the information transmission device; the fourth processing unit 602, the fifth processing unit 603, the sixth processing unit 604, the seventh processing unit 605 and the second determining unit 606 may be implemented by a processor in an information transmission device.

It should be noted that: the information transmission device provided in the above embodiment is only exemplified by the division of the above program modules when communication is performed, and in practical application, the above processing allocation may be performed by different program modules according to needs, i.e., the internal structure of the device is divided into different program modules to complete all or part of the above processing. In addition, the information transmission device and the information transmission method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.

Based on the hardware implementation of the program modules, and in order to implement the method on the first device side in the embodiment of the present application, the embodiment of the present application further provides a first device, as shown in fig. 7, where the first device 700 includes:

a first communication interface 701 capable of interacting with a second device;

a first processor 702, connected to the first communication interface 701, for interacting with a second device, and configured to execute, when executing a computer program, a method provided by one or more technical solutions on the first device side;

a first memory 703, the computer program being stored on the first memory 703.

Specifically, the first processor 702 is configured to:

and sending the sixth information and an identifier to the second device through the first communication interface 701, where the sixth information is used to authenticate the first device, and the identifier is associated with the second key and the first data in the first information.

Wherein, in an embodiment, the first processor 702 is configured to:

generating a first parameter in a random manner;

determining the fourth encryption algorithm using the first parameter;

In one embodiment, the first processor 702 is configured to:

splicing the third key and the timestamp to obtain eighth information;

In one embodiment, the first processor 702 is configured to:

obtaining a second parameter and a third parameter in a random manner;

determining the first key using the second parameter and the third parameter.

It should be noted that: the specific processing of the first processor 702 and the first communication interface 701 may be understood by reference to the methods described above.

Of course, in actual practice, the various components of the first device 700 would be coupled together via the bus system 704. It is appreciated that bus system 704 is used to enable connected communications between these components. The bus system 704 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration, the various buses are labeled as bus system 704 in fig. 7.

The first memory 703 in the embodiment of the present application is used to store various types of data to support the operation of the first device 700. Examples of such data include: any computer program for operating on the first device 700.

The method disclosed in the above embodiment of the present application may be applied to the first processor 702, or implemented by the first processor 702. The first processor 702 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method may be implemented by integrated logic of hardware in the first processor 702 or instructions in software form. The first processor 702 described above may be a general purpose processor, a digital signal processor (DSP, digital Signal Processor), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The first processor 702 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the first memory 703, and the first processor 702 reads information in the first memory 703, and in combination with its hardware, performs the steps of the method described above.

In an exemplary embodiment, the first device 700 can be implemented by one or more application specific integrated circuits (ASIC, application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, programmable Logic Device), complex programmable logic devices (CPLD, complex Programmable Logic Device), field-programmable gate arrays (FPGA, field-Programmable Gate Array), general purpose processors, controllers, microcontrollers (MCU, micro Controller Unit), microprocessors (Microprocessor), or other electronic components for performing the aforementioned methods.

Based on the hardware implementation of the program modules, and in order to implement the method on the second device side in the embodiment of the present application, the embodiment of the present application further provides a second device, as shown in fig. 8, where the second device 800 includes:

a second communication interface 801 capable of information interaction with the first device;

a second processor 802, connected to the second communication interface 801, for implementing interaction with the first device, and configured to execute, when running a computer program, a method provided by one or more technical solutions on the second device side;

a second memory 803, the computer program being stored on the second memory 803.

Specifically, the second communication interface 801 is configured to receive sixth information and an identifier, where the sixth information is used to authenticate the first device, the identifier is associated with a second key and first data in first information, and the first information includes information obtained by negotiation with the first device;

the second processor 802 is configured to:

Wherein, in an embodiment, the second processor 802 is configured to:

In an embodiment, the third key and the timestamp are spliced to obtain thirteenth information;

It should be noted that: the specific processing procedure of the second processor 802 and the second communication interface 801 can be understood by referring to the above method.

Of course, in actual practice, the various components in the second device 800 are coupled together by a bus system 804. It is to be appreciated that the bus system 804 is employed to enable connected communications between these components. The bus system 804 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration the various buses are labeled as bus system 804 in fig. 8.

The second memory 803 in the embodiment of the present application is used to store various types of data to support the operation of the second device 800. Examples of such data include: any computer program for operating on the second device 800.

The method disclosed in the above embodiment of the present application may be applied to the second processor 802 or implemented by the second processor 802. The second processor 802 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the method described above may be performed by integrated logic circuits of hardware or instructions in software form in the second processor 802. The second processor 802 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The second processor 802 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the second memory 803, said second processor 802 reading the information in the second memory 803, in combination with its hardware performing the steps of the method as described above.

In an exemplary embodiment, the second device 800 can be implemented by one or more ASIC, DSP, PLD, CPLD, FPGA, general purpose processors, controllers, MCU, microprocessor, or other electronic elements for performing the foregoing methods.

It is to be understood that the memories (the first memory 703 and the second memory 803) of the embodiments of the present application may be volatile memories or nonvolatile memories, and may include both volatile and nonvolatile memories. Wherein the nonvolatile Memory may be Read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read-Only Memory), erasable programmable Read Only Memory (EPROM, erasable Programmable Read-Only Memory), electrically erasable programmable Read Only Memory (EEPROM, electrically Erasable Programmable Read-Only Memory), magnetic random access Memory (FRAM, ferromagnetic random access Memory), flash Memory (Flash Memory), magnetic surface Memory, optical disk, or compact disk Read Only Memory (CD-ROM, compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, random Access Memory), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, static Random Access Memory), synchronous static random access memory (SSRAM, synchronous Static Random Access Memory), dynamic random access memory (DRAM, dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (ddr SDRAM, double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, syncLink Dynamic Random Access Memory), direct memory bus random access memory (DRRAM, direct Rambus Random Access Memory). The memory described by embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.

In order to implement the method provided by the embodiment of the present application, the embodiment of the present application further provides an information transmission system, as shown in fig. 9, where the system includes: a first device 901 and a second device 902.

Here, it should be noted that: specific processing procedures of the first device 901 and the second device 902 are described in detail above, and will not be described herein.

In an exemplary embodiment, a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, is provided, for example, including a first memory 703 storing a computer program, where the computer program may be executed by the first processor 702 of the first device 700 to perform the steps of the first device side method, and further, for example, including a second memory 803 storing a computer program, where the computer program may be executed by the second processor 802 of the second device 800 to perform the steps of the second device side method. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.

It should be noted that: "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.

The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the present application.

Claims

1. An information transmission method, applied to a first device, comprising:

encrypting the second information, the third information and the timestamp by using a second encryption algorithm to obtain fourth information, wherein the first data represents the resource of the second equipment to be accessed;

2. The method of claim 1, wherein encrypting the first key, the timestamp, the fourth information, and the fifth information using a fourth encryption algorithm to obtain sixth information comprises:

generating a first parameter in a random manner;

determining the fourth encryption algorithm using the first parameter;

3. The method of claim 1, wherein encrypting the first data, the third key, and the timestamp in the first information using a third encryption algorithm to obtain fifth information comprises:

splicing the third key and the timestamp to obtain eighth information;

4. A method according to any one of claims 1 to 3, wherein said determining a first key comprises:

obtaining a second parameter and a third parameter in a random manner;

determining the first key using the second parameter and the third parameter.

5. An information transmission method, applied to a second device, comprising:

6. The method of claim 5, wherein using the first decryption algorithm and the sixth information to obtain the first key, the timestamp, the fourth information, and the fifth information comprises:

7. The method of claim 5, wherein encrypting the first data, the third key, and the timestamp using a third encryption algorithm results in eleventh information, comprising:

Splicing the third key and the timestamp to obtain thirteenth information;

8. A first device, comprising: a first processor and a first memory for storing a computer program capable of running on the processor,

wherein the first processor is adapted to perform the steps of the method of any of claims 1 to 4 when the computer program is run.

9. A second device, comprising: a second processor and a second memory for storing a computer program capable of running on the processor,

wherein the second processor is adapted to perform the steps of the method of any of claims 5 to 7 when the computer program is run.

10. A storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the method of any of claims 1 to 4 or performs the steps of the method of any of claims 5 to 7.