CN117375863A - Data encryption method, data decryption method and device - Google Patents

Data encryption method, data decryption method and device

Info

Publication number
CN117375863A
Authority
CN
China
Prior art keywords
key
data
encryption component
encryption
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210767577.XA
Other languages
Chinese (zh)
Inventor
陈昌根
利惠光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Guangdong Co Ltd
Priority to CN202210767577.XA
Publication of CN117375863A
Legal status: Pending

Classifications

    • H04L 63/0435: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 > 63/04 > 63/0428 > 63/0435)
    • H04L 63/06: Network architectures or network communication protocols for network security, for supporting key management in a packet data network (H04L 63/00 > 63/06)
    • H04L 63/166: Implementing security features at a particular protocol layer, at the transport layer (H04L 63/00 > 63/16 > 63/166)
    • H04L 9/0822: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties; key transport or distribution, i.e. one party creates or otherwise obtains a secret value and securely transfers it to the other(s), using a key encryption key (H04L 9/00 > 9/08 > 9/0816 > 9/0819 > 9/0822)
    • H04L 9/0838: Key agreement, i.e. a key establishment technique in which a shared key is derived by the parties as a function of information contributed by, or associated with, each of them (H04L 9/00 > 9/08 > 9/0816 > 9/0838)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data encryption method, a data decryption method and corresponding devices in the field of computer technology. The data encryption method runs in a first encryption component that is embedded in the transmission channel between a client and a server, and comprises: negotiating a first key with a second encryption component, the second encryption component being embedded in the transmission channel between the server and a target service system; exchanging an encrypted second key with the second encryption component, the encrypted second key being the second key encrypted under the first key, and the second key coming from an encryptor (cipher machine); and, when first data uploaded by the client is obtained, decrypting the second key with the first key and encrypting the first data with the second key to obtain an encrypted data packet. The invention encrypts the transmission channel from the client to the server and decrypts on the transmission channel from the server to the electronic signature system, so that the intermediate server only relays ciphertext, improving the security of the data protection service.

Description

Data encryption method, data decryption method and device
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a data encryption method, a data decryption method and a data decryption device.
Background
In a real network environment there is a risk of data leakage whenever data crosses the network. In the related art, the data protection measure on the channel transmission side of an electronic signature system is HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer, today TLS), whose basic principle is:
the client initiates an HTTPS connection to the server's port 443 (the HTTPS default port), the server holds the certificate's public and private keys and returns the certificate with its public key to the client;
after the client validates the certificate, it sends a secret key encrypted with the server's public key to the server;
the server decrypts the encrypted secret key with its private key, obtains the key, and encrypts the transmission content with that key;
finally, the server sends the encrypted content to the client.
This HTTPS protection may nevertheless be defeated: an attacker who obtains the key can decrypt the traffic and read the plaintext messages, so the data security of the electronic signature system is low. A practitioner should also note what HTTPS does not cover: it terminates at the server, so the server itself and the hop from the server to the electronic signature system handle plaintext unless a separate mechanism protects them.
Disclosure of Invention
The invention aims to provide a data encryption method, a data decryption method and corresponding devices, which can solve the problem of low data security of the electronic signature system in the related art.
In order to solve the technical problems, the invention is realized as follows:
In a first aspect, the present invention provides a data encryption method for a first encryption component, where the first encryption component is embedded in a transmission channel between a client and a server, and the method includes:
negotiating a first key with a second encryption component, where the second encryption component is embedded in a transmission channel between the server and a target service system;
exchanging an encrypted second key with the second encryption component, where the encrypted second key is the second key encrypted under the first key and the second key is obtained from an encryptor;
and, when first data uploaded by the client is obtained, decrypting with the first key to obtain the second key and encrypting the first data with the second key to obtain an encrypted data packet, where the encrypted data packet is transmitted to the second encryption component via the client and the server.
In a second aspect, the present invention further provides a data encryption device for a first encryption component, where the first encryption component is embedded in a transmission channel between a client and a server, and the device includes:
a first negotiation module for negotiating a first key with a second encryption component, where the second encryption component is embedded in a transmission channel between the server and a target service system;
a first interaction module for exchanging an encrypted second key with the second encryption component, where the encrypted second key is the second key encrypted under the first key and the second key is obtained from an encryptor;
a first processing module for, when first data uploaded by the client is obtained, decrypting with the first key to obtain the second key and encrypting the first data with the second key to obtain an encrypted data packet, where the encrypted data packet is transmitted to the second encryption component via the client and the server.
In a third aspect, the present invention provides a data decryption method for a second encryption component, where the second encryption component is embedded in a transmission channel between a server and a target service system, and the method includes:
negotiating a first key with a first encryption component, where the first encryption component is embedded in a transmission channel between a client and the server;
exchanging an encrypted second key with the first encryption component, where the encrypted second key is the second key encrypted under the first key and the second key is obtained from an encryptor;
when an encrypted data packet is obtained through the server, decrypting with the first key to obtain the second key and decrypting the encrypted data packet with the second key to obtain first data;
and sending the first data to the target service system.
In a fourth aspect, the present invention provides a data decryption device for a second encryption component, where the second encryption component is embedded in a transmission channel between a server and a target service system, and the device includes:
a second negotiation module for negotiating a first key with a first encryption component, where the first encryption component is embedded in a transmission channel between a client and the server;
a second interaction module for exchanging an encrypted second key with the first encryption component, where the encrypted second key is the second key encrypted under the first key and the second key is obtained from an encryptor;
a second processing module for, when an encrypted data packet is obtained through the server, decrypting with the first key to obtain the second key and decrypting the encrypted data packet with the second key to obtain first data;
and a first sending module for sending the first data to the target service system.
In a fifth aspect, the present invention also provides an electronic device comprising a processor, a memory and a program or instruction stored on the memory and executable on the processor, the program or instruction when executed by the processor implementing the steps of the method according to the first or third aspect.
In a sixth aspect, the present invention also provides a computer readable storage medium having stored thereon a program or instructions which when executed by a processor implement the steps of the method according to the first or third aspect.
In the embodiment of the invention, a first encryption component is embedded in the transmission channel between a client and a server, and a second encryption component is embedded in the transmission channel between the server and a target service system (such as an electronic signature system). In operation, when the client initiates a data request, the first encryption component encrypts the data it sends; when the encrypted data packet reaches the second encryption component, that component recovers the second key using the session key (first key) agreed with the first encryption component, decrypts the received packet with the second key to recover the plaintext of the first data, and the plaintext is passed on to the target service system. In this way the encryption service is added on the channel side of the electronic signature system as an external component: the algorithm corresponding to the second key is packaged inside the channel encryption component, which provides external encryption and decryption capability for service data, encrypts the channel from the client to the server and decrypts on the channel from the server to the electronic signature system, automates the encryption of the target service system's data protection service, and improves its security.
Drawings
FIG. 1 is a schematic diagram of data interaction of an electronic signature system in the related art;
fig. 2 is a schematic diagram of a data encryption transmission system to which the data encryption and decryption method provided by the present invention can be applied;
FIG. 3 is a flow chart of a data encryption method provided by the invention;
FIG. 4 is a schematic diagram of the encryption and decryption process of the data encryption transmission system shown in FIG. 2;
FIG. 5 is a schematic diagram of the packaging principle of a first encryption component and a second encryption component in an embodiment of the present invention;
FIG. 6 is a schematic diagram of an encryption business process at a channel side of an electronic signature system in an embodiment of the present invention;
FIG. 7 is a flow chart of a data decryption method provided by the present invention;
fig. 8 is a schematic structural diagram of a data encryption device according to the present invention;
fig. 9 is a schematic structural diagram of a data decryption device according to the present invention;
fig. 10 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present invention may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more.
In the related art, the data protection measure on the transmission side of the electronic signature system channel is HTTPS, as shown in fig. 1; its basic principle is:
the client initiates an HTTPS connection to the server's port 443 (the HTTPS default port), the server provides the certificate's public and private keys and returns the certificate with its public key to the client; after the client validates the certificate, it sends an encrypted secret key to the server; the server processes the encrypted key, for example by decrypting it with its private key to obtain the secret key and then encrypting the transmission content with that key; finally, the server sends the encrypted content to the client.
This HTTPS protection may be defeated, or an attacker may use an obtained secret key to decrypt the traffic and read plaintext messages. For a business system such as an electronic signature system, which holds large volumes and many kinds of data including biometric information, such a weakness in data protection is very likely to cause large data security losses.
In addition, the HTTPS protection of the related art has the following shortcomings:
1) the scope of HTTPS encryption is limited: it does little against intrusion, denial of service attacks, server hijacking and the like;
2) HTTPS affects the electronic signature service system's caching, is less efficient than HTTP, increases data overhead and power consumption, and can even interfere with existing security measures;
3) HTTPS depends on trusted TLS (formerly Secure Sockets Layer, SSL) certificates and is incompatible with some plug-ins;
4) an HTTPS connection consumes far more server resources and its handshake phase is time-consuming, which hurts the response speed of the electronic signature service system.
In the embodiment of the invention, the encryption component is embedded in the transmission channel between the client and the server and the transmission channel between the server and the electronic signature system respectively, so that the encryption of the transmission channel from the client to the server and the decryption of the transmission channel from the server to the electronic signature system are realized, the encryption automation of the data protection service of the electronic signature system is further realized, and the safety performance of the data protection service of the electronic signature system is improved.
For example: as shown in fig. 2, a first encryption component 24 is embedded in a transmission channel between the client program 21 and the server program 22, and a second encryption component 25 is embedded in a transmission channel between the server program 22 and the electronic signature system 23. In operation, the first encryption component 24 is responsible for encrypting data output from the client program 21 to the server program 22, and the second encryption component 25 is responsible for decrypting the encrypted data output from the server program 22 and transmitting the decrypted data to the electronic signature system, so that the electronic signature system performs electronic signature related processing on the decrypted plaintext data. Wherein the first encryption component 24 is communicatively coupled to the second encryption component 25 to agree on a key to be used in the encryption and decryption process.
For convenience of explanation, the target service system is taken as an electronic signature system for illustration in the embodiment of the present invention, and in implementation, the target service system may be another service system that needs to perform secure transmission, which is not specifically limited herein.
For convenience of explanation, in the following embodiments, a data encryption method, a data decryption method, a data encryption device, a data decryption device, and the like provided in the embodiments of the present invention are illustrated with reference to the accompanying drawings.
Referring to fig. 3, a flowchart of a data encryption method provided by the present invention may be applied to a first encryption component, where the first encryption component is used for embedding a transmission channel between a client and a server.
As shown in fig. 3, the data encryption method may include the steps of:
step 301, negotiating with a second encryption component to obtain a first key, where the second encryption component is used to embed a transmission channel between the server and the target service system.
In implementation, the first encryption component may be deployed on the channel between the client and the server, in front of the server. For example, using a component-embedding technique for aspect-oriented encryption and decryption of interface data transmission (the "tangent plane" or "section" of the original text is the aspect of aspect-oriented programming, AOP), an aspect encryption component (the first encryption component) is embedded in the channel between the client and the server and can be configured to replace the client's original publishing port. Likewise, the second encryption component can be deployed on the channel in front of the server's back end: with the same technique, an aspect encryption component (the second encryption component) is embedded in the channel between the server and the electronic signature system, the server is connected to the application interface of the electronic signature service system, and the service programs exchange encrypted and decrypted data over that interface.
The principle of aspect encryption is that a pre-encryption program written in advance in Java performs the encryption on the data transmission channel side without changing the original data form; the configuration may be:
1) Write an encryption/decryption aspect and annotate the attributes to be encrypted or decrypted, so that, where sensitive data may not be stored in the clear, its encryption and decryption is completed through a simple annotation;
2) Declare the aspect on the channel: cut in from the transmission channel side and write the channel-side aspect declaration, which defines the aspect's encoding so as to implement aspect encryption;
3) Declare the pointcut, locating the method that returns user information (message) in the User Service class, where UserService is a service class declared with the @Service annotation and message is obtained from the user data access object (UserDAO) and returned; UserDAO is a repository class declared with the @Repository annotation, in which a data return is simulated. Together these implement aspect encryption over the Java Database Connectivity (JDBC) support provided by Spring MVC (a Java framework);
4) Add an encrypted member variable to the User Model; the added member is used to obtain or change the control's value and serves the exchange and verification of encrypted data;
5) Change the proxy approach: use a CGLIB (Code Generation Library) proxy instead of a JDK (Java Development Kit) dynamic proxy, since a JDK dynamic proxy can only proxy interfaces while CGLIB generates a subclass of the target class.
After this configuration, the encryption component, packaged with the secure transport protocol and the first encryption algorithm, can be embedded by the aspect-oriented component-embedding technique into the channel between the client and the server and into the channel between the server and the target service system. This reduces development and modification of the original electronic signature service system and its interfaces: the component can be deployed on the server with one click, publishes a new port through lightweight, portable configuration to replace the original service port, supports one server against many application clients (a one-to-many interface mode), and can apply national commercial cryptography (the SM algorithms, 国密) to the transmission channel.
In practical application, the encryption component is embedded and connected to the server side of the electronic signature system, the specified aspect encryption program is embedded in a login page (for example, the uniform resource locator, URL, of the electronic signature system), and submitted data is encrypted, decrypted and packaged with the SM4 symmetric encryption algorithm before transmission.
SM4 is a block cipher with a block length of 128 bits and a key length of 128 bits. Both the encryption algorithm and the key expansion algorithm use a 32-round non-linear iterative structure, operating on 32-bit words, each iteration being one round transformation. Encryption and decryption have the same structure and differ only in the round keys: the decryption round keys are the encryption round keys in reverse order. The S-box can be replaced, which the patent presents as a way to respond to sudden security threats; note that a component with a replaced S-box no longer interoperates with standard SM4, so both components must use the same S-box.
In practice, the first key can be understood as a session key between the first and second encryption components, used to protect a session between them. Different sessions may use different session keys, the session keys need not be stored inside either component, and the first encryption component may negotiate a fresh session key with the second encryption component each time session encryption is performed.
Step 302, exchange an encrypted second key with the second encryption component, where the encrypted second key is the second key encrypted under the first key, and the second key is obtained from an encryptor (cipher machine).
In an implementation, the second key may be a key issued by the encryptor for encrypting the data. The encryptor may update the second key periodically and send the latest second key to the first and second encryption components; one of the components encrypts the second key with the first key and exchanges it with the other, so that both components use the same second key for encrypting the current data.
In implementation, the first and second encryption components may encapsulate Transport Layer Security (TLS) and a first block cipher algorithm corresponding to the second key (for example, the national commercial cryptography SM4 symmetric algorithm). The components then transmit over TLS and use the block cipher to encrypt data to be sent or to decrypt received encrypted data.
In this embodiment, the first and second encryption components may communicate directly and exchange the second key within a session, the second key being encrypted under the first key so that it is protected during the exchange.
Step 303, when the first data uploaded by the client is obtained, decrypt the encrypted second key with the first key to obtain the second key, and encrypt the first data with the second key to obtain an encrypted data packet, which is transmitted to the second encryption component via the client and the server.
Because the first encryption component is embedded in the transmission channel between the client and the server, it can intercept data the client sends to the server, encrypt it under the second key and forward the ciphertext to the server, which relays it to the second encryption component. The second encryption component recovers the second key with the first key it negotiated with the first encryption component, decrypts the encrypted data with the second key, and passes the resulting plaintext to the electronic signature system.
Specifically, taking the data encryption transmission system shown in fig. 2 as an example, the encryption and decryption process may refer to fig. 4, and the encryption and decryption process may include the following steps:
Step 1, embedding a first encryption component 24 at channel sides of a client 21 and a server 22, and realizing data encryption after sending task directory configuration inspection to the first encryption component 24;
step 2, detecting an original system (the original system refers to a system uploading files through a client, and the system is responsible for uploading data and files sent by a user) through a first encryption component 24, discarding a response message when detecting that a data request exists, recombining the response message by using the first encryption component 24, and then sending the recombined response message to a server 22 end to end through the first encryption component 24, wherein the data in the transmission process are encrypted through a national encryption SM4 algorithm, and the whole service process does not need to be modified;
step 3, embedding a second encryption component 25 at the channel sides of the server 22 and the electronic signature system 23, decrypting the encrypted data when the second encryption component 25 receives the encrypted data from the server 22, and transmitting the plaintext data obtained after decryption to the electronic signature system for use;
step 4, the encryptor (which may be set at the server 22) performs a timing policy rotation (e.g. a periodic rotation), replaces the second key, and issues the second key to the first encryption component 24 and the second encryption component 25 for buffering.
In implementation, the encryption component may perform a correctness check on the received key (the second key), and perform the encryption operation or decryption operation on data when triggered by a data port of the client or the server. Since the second key is encrypted based on the first key, and the first key is jointly negotiated by the two encryption components, the second key can be decrypted using the negotiated first key, so that encryption or decryption of data is implemented based on the second key.
For example: as shown in fig. 5, the packaging principle of the first encryption component and the second encryption component includes:
1) The SM4 keys (namely the second keys) of the first encryption component and the second encryption component are generated and distributed by an encryptor (the encryptor can serve as an external hardware system that provides keys to the first encryption component and the second encryption component), and the SM4 keys are derived from a complex random number transformation;
2) The first encryption component and the second encryption component communicate to complete digital signature verification, the first encryption component requests the second encryption component to negotiate a distribution key protection session, the second encryption component distributes the latest SM4 key, and the SM4 key is encrypted using the session key (i.e., the first key) and then distributed.
Optionally, the data encryption method further includes:
performing digital signature verification with the second encryption component;
the negotiating with the second encryption component to obtain the first key includes:
and negotiating with the second encryption component to obtain a first key under the condition that the digital signature passes verification.
In this embodiment, digital signature verification may be used to mutually verify identity information of the first encryption component and the second encryption component, so that two encryption components having authority or matching each other can pass the digital signature verification, and only if the digital signature verification passes, the first encryption component negotiates with the second encryption component to obtain the first key.
3) The first encryption component receives the encrypted SM4 key and runs a correctness check on it (i.e., the SM4 key received from the encryptor must match the SM4 key received from the second encryption component; a match indicates that the verification succeeded), and decrypts the encrypted SM4 key using the session key only when data triggers the encryption logic.
In this process, the encryptor may periodically issue different SM4 keys, and the first encryption component and the second encryption component need to agree on the received SM4 keys.
Optionally, the data encryption method further includes:
receiving a second key from the encryptor in real time;
transmitting first information to the second encryption component, wherein the first information comprises a second key which is newly acquired by the first encryption component and is encrypted based on the first key;
the second key encrypted based on the first key is received from the second encryption component.
In this embodiment, the first encryption component may inform the second encryption component of the latest SM4 key received by the first encryption component from the encryptor, and/or the second encryption component may inform the first encryption component of the latest SM4 key received by the second encryption component from the encryptor, so that the first encryption component and the second encryption component may perform matching verification based on the latest SM4 key received by themselves from the encryptor and the SM4 key received from the other party, and if they match, it means that the first encryption component and the second encryption component agree on the SM4 key.
4) After the deployment of the first encryption component is completed, the original initiating terminal of the transmitted data is instrumented with an aspect (cross-cutting hook), so that when a request to the server port occurs, the data is routed to the first encryption component; the first encryption component decodes the SM4 key using the session key, encrypts the outgoing data packet with the decoded key (the encryption operation is based on the SM4 algorithm), and the data request is then initiated once encryption is complete;
5) After the second encryption component receives the encrypted data, it decodes the SM4 key using the session key, decrypts the received encrypted data with the decoded SM4 key, and returns the decrypted data to the original server (namely, the data plaintext is provided to the server of the electronic signature system).
As an alternative embodiment, the first data includes request server port data, and the data encryption method further includes:
under the condition that the request server port data is obtained, discarding the original response message corresponding to the request server port data, and recombining the response message to obtain a target response message, wherein the target response message is encrypted based on the first key;
and sending the target response message to the server.
In this embodiment, the first encryption component receives and encrypts the plaintext data routed to it through the aspect hook, and, when interacting with the server, discards the original message plaintext and instead obtains a message ciphertext encrypted based on the first key by recombining the response message, so that the message plaintext used in the related art can be replaced by a message ciphertext and the security of the message is improved. On the second encryption component side, the message ciphertext can be decrypted based on the first key, and the decrypted message plaintext is provided to the server.
Optionally, the step of recombining the response message to obtain a target response message includes:
receiving data response information transmitted by the second encryption component under the condition that the second encryption component decrypts the first data, wherein the data response information is encrypted based on the first key;
and determining the target response message based on the data response information.
In this embodiment, the second encryption component generates a corresponding data response when it decrypts the first data, and this data response may be transmitted from the second encryption component to the first encryption component, so that the first encryption component determines the target response message according to the data response information; throughout the encryption and decryption flow, the transmitted data is encrypted and decrypted using the session key. For example: the second encryption component encrypts the data response based on the first key and sends it to the first encryption component, and the first encryption component can directly take the data response received from the second encryption component, encrypted based on the first key, as the target response message.
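The steps 1) to 5) above, the key-agreement exchange between the two components, the periodic key rotation, and the data-response handling describe one protocol: a session key (first key) wraps an SM4 working key (second key) issued by the encryptor, each component checks that the key it got from the encryptor equals the key its peer forwarded, and only then is the working key used on data. The following is an added Python model of that flow written for this page; it is not code from the patent or its assignees. Because SM4 is not in the Python standard library, a labelled stand-in authenticated cipher (HMAC-SHA256 counter keystream with an encrypt-then-MAC tag) plays the role of the SM4 algorithm, the session key is a constructed shared secret rather than a real negotiation, and the digital-signature identity check that precedes negotiation is assumed to have already passed. The names `Encryptor`, `EncryptionComponent`, `seal` and `unseal` are this example's own.

```python
import hashlib
import hmac
import secrets

# Stand-in for the SM4 block cipher (assumption: SM4 is not in the Python
# standard library). Encrypt-then-MAC over an HMAC-SHA256 counter keystream;
# any authenticated cipher with a 16-byte key would play the same role.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Encryptor:
    """The external key source ("encryption machine"): issues and rotates the second key."""

    def __init__(self) -> None:
        self.current = secrets.token_bytes(16)

    def rotate(self) -> bytes:
        self.current = secrets.token_bytes(16)
        return self.current


class EncryptionComponent:
    """One side of the channel; the same class plays the first and the second component."""

    def __init__(self, session_key: bytes) -> None:
        self.session_key = session_key  # first key, assumed already negotiated
        self.wrapped = None             # cached second key, held only wrapped under the first key

    def receive_from_encryptor(self, second_key: bytes) -> None:
        # Step 1, and step 4 of the rotation: cache the issued key in wrapped form.
        self.wrapped = seal(self.session_key, second_key)

    def _second_key(self) -> bytes:
        # Decode the cached key only when data triggers an operation.
        return unseal(self.session_key, self.wrapped)

    def wrap_for_peer(self) -> bytes:
        # Step 2: distribute the second key to the peer, encrypted under the first key.
        return seal(self.session_key, self._second_key())

    def peer_key_matches(self, wrapped_from_peer: bytes) -> bool:
        # Step 3 correctness check: key from the encryptor must equal the key the peer sent.
        return hmac.compare_digest(unseal(self.session_key, wrapped_from_peer), self._second_key())

    def encrypt_request(self, first_data: bytes) -> bytes:
        # Step 4: client-side data is encrypted with the second key before it reaches the server.
        return seal(self._second_key(), first_data)

    def decrypt_request(self, packet: bytes) -> bytes:
        # Step 5: the server-side component recovers the plaintext for the signature system.
        return unseal(self._second_key(), packet)

    def data_response(self, info: bytes) -> bytes:
        # Data response information travels back encrypted under the first key.
        return seal(self.session_key, info)


def run_flow():
    """One request, one tamper attempt, and a rotation that reaches only one side."""
    session_key = hashlib.sha256(b"constructed shared secret").digest()  # constructed, not negotiated
    hsm = Encryptor()
    first, second = EncryptionComponent(session_key), EncryptionComponent(session_key)
    for comp in (first, second):
        comp.receive_from_encryptor(hsm.current)

    agreed = first.peer_key_matches(second.wrap_for_peer())
    packet = first.encrypt_request(b"contract.pdf bytes")           # constructed first data
    plaintext = second.decrypt_request(packet)
    response = unseal(session_key, second.data_response(b"OK"))     # target response content

    tampered = bytearray(packet)
    tampered[20] ^= 0x01                                            # flip one ciphertext bit
    try:
        second.decrypt_request(bytes(tampered))
        tamper_caught = False
    except ValueError:
        tamper_caught = True

    first.receive_from_encryptor(hsm.rotate())                      # new key reaches first only
    stale = first.peer_key_matches(second.wrap_for_peer())          # mismatch: keep the old key
    second.receive_from_encryptor(hsm.current)
    agreed_after = first.peer_key_matches(second.wrap_for_peer())
    return agreed, plaintext, response, tamper_caught, stale, agreed_after


if __name__ == "__main__":
    print(run_flow())
```

The rotation branch is the part worth studying: when the encryptor's new key has reached only one component, the correctness check fails, and a component that switched keys on its own would produce packets the peer cannot decrypt. Keeping the cached key wrapped under the session key, and comparing with `hmac.compare_digest`, mirrors the patent's description of caching the encrypted key and decoding it only when data triggers an operation.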
As shown in fig. 6, in the case where the data encryption method and the data decryption method provided by the present invention are applied to an electronic signature system, an electronic signature service may be implemented based on the following procedures:
Step one: by defining the user use rights in the first encryption component and the second encryption component, the legal use of the data encryption service by the user is ensured, for example: in the third step, the first encryption component and the second encryption component can perform digital signature verification based on the user use authority, and negotiate a first key under the condition that the digital signature verification passes;
step two: embedding the first encryption component into a transmission channel side of the client, embedding the second encryption component into a transmission channel side of the server, and respectively issuing task catalog configuration to the first encryption component and the second encryption component through the server so as to configure the behaviors of the first encryption component and the second encryption component in the process of executing the electronic signature service;
step three: performing identity verification and authority control on a user needing to use the first encryption component and the second encryption component, and ensuring that encryption and decryption services can be legally used only after being authorized;
step four: when a user accesses the electronic signature system, the checking of the plaintext data is automatically realized through the authentication services of the first encryption component and the second encryption component.
Therefore, the embedded service component approach provides basic support for SM4 national cryptographic encryption in the security protection of data on the transmission channel side, protecting the confidentiality and security of data in transit; through aspect-based encryption, the encryption and decryption capability is pushed down to the data transmission channel side and linked with the electronic signature service system, so that the encryption and decryption service and response flow are simplified, and a new embedded encryption service mode for the electronic signature system component is realized.
It is worth noting that, in the embodiment of the invention, channel-side data security protection is realized based on aspect-based encryption, and by embedding the aspect encryption component so that the encryption and decryption processes adapt to the electronic signature system, the problems of a narrow data security protection range, low efficiency, poor compatibility and low speed associated with applying the HTTPS protocol in the past are addressed. In addition, because the encryption and decryption service is provided to the electronic signature system by embedding an encryption component on the transmission channel side, neither the electronic signature system nor the server-side or client-side interfaces need to be modified, so the method has wide applicability.
Fig. 7 is a flowchart of a data decryption method according to the present invention, where the data decryption method is applied to a second encryption component, and the second encryption component is used for embedding a transmission channel between a server and a target service system.
In implementation, the steps of the data decryption method performed by the second encryption component correspond to the steps of the data encryption method performed by the first encryption component in the method embodiment shown in fig. 3, and the data on the transmission channel side of the client is encrypted by the first encryption component, and the data on the transmission channel side of the server is decrypted by the second encryption component, so that an embedded encrypted transmission service can be provided for the target service system, and the data in plaintext is provided for the target service system in a self-adaptive manner, which is not described herein.
As shown in fig. 7, the data decryption method performed by the second encryption component may include the steps of:
step 701, negotiating with a first encryption component to obtain a first key, where the first encryption component is used to embed a transmission channel between a client and the server.
Step 702, exchanging the encrypted second key with the first encryption component, where the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is from an encryptor.
Step 703, under the condition that the encrypted data packet is obtained through the server, decrypting the encrypted second key based on the first key to obtain the second key, and decrypting the encrypted data packet by using the second key to obtain the first data.
Step 704, sending the first data to the target service system.
Optionally, the target service system is an electronic signature system.
Optionally, the first encryption component and/or the second encryption component encapsulates a secure transport layer protocol TLS and a first block cipher algorithm, the first block cipher algorithm corresponding to the second key.
Optionally, the first encryption component is configured to be deployed on a server pre-channel side of the client, and/or the second encryption component is configured to be deployed on a server pre-channel side of the server.
Optionally, after the decrypting the encrypted data packet with the second key to obtain the first data, the data decrypting method further includes:
and sending data response information to the first encryption component, wherein the data response information is encrypted based on the first key, and the data response information is used for the first encryption component to carry out response message reorganization.
Optionally, the data decryption method further includes:
performing digital signature verification with the first encryption component;
the negotiating with the first encryption component to obtain a first key includes:
and negotiating with the first encryption component to obtain a first key under the condition that the digital signature passes verification.
Optionally, the data decryption method further includes:
receiving first information from the first encryption component, wherein the first information comprises a second key which is newly acquired by the first encryption component and is encrypted based on the first key;
decrypting the encrypted second key based on the first key to obtain a second key;
encrypting the second key based on the first key, and sending the second key encrypted based on the first key to the first encryption component.
In the embodiment of the invention, the second encryption component decrypts the data on the transmission channel side of the server, so that the embedded encrypted transmission service can be provided for the target service system, and the plaintext data can be provided for the target service system in a self-adaptive manner, which is not described herein.
In order to facilitate understanding of the data encryption method and the data decryption method provided by the embodiments of the present invention, taking the following data encryption system as an example, the data encryption method and the data decryption method provided by the embodiments of the present application are described in combination:
a data encryption system comprising: the system comprises a first encryption component, a second encryption component, a client, a server and an electronic signature subsystem, wherein the server is connected between the client and the electronic signature subsystem, the first encryption component is embedded into a transmission channel between the client and the server, the second encryption component is embedded into the transmission channel between the server and the electronic signature subsystem, and the first encryption component and the second encryption component are in communication connection.
In operation, a first encryption component negotiates with a second encryption component to obtain a first key, the second encryption component encrypts the second key by using the first key to obtain an encrypted second key, and the encrypted second key is sent to the first encryption component, wherein the second key is from an encryptor;
The first encryption component obtains the second key based on decryption of the first key under the condition that the first data uploaded by the client is obtained, and encrypts the first data by utilizing the second key to obtain an encrypted data packet, wherein the encrypted data packet is sent to the server through the client;
and under the condition that the server acquires the encrypted data packet, the second encryption component decrypts the encrypted second key based on the first key to obtain the second key, and decrypts the encrypted data packet by using the second key to obtain the first data, so that the server obtains the decrypted first data.
Optionally, the client sends first request information to the server under the condition that the first encryption component obtains the encrypted data packet, where the first request information includes the encrypted data packet;
the second encryption component obtains the second key based on decryption of the first key under the condition that the encrypted data packet is obtained through the server, decrypts the encrypted data packet by utilizing the second key to obtain the first data, and sends the first data to the electronic signature system;
The electronic signature system is used for carrying out electronic signature related processing on the first data.
Wherein the first data may be request server port data. In this way, the first encryption component discards the original response message corresponding to the request server port data and performs response message recombination to obtain a target response message under the condition that the request server port data is obtained, and sends the target response message to the client.
The process of the response message reorganization can be: and the second encryption component sends data response information to the first encryption component under the condition that the first data is obtained through decryption, and the first encryption component determines the target response message based on the received data response information, wherein the data response information is encrypted data after encryption processing based on the first key.
Optionally, the server is configured to perform policy rotation, and the encryptor is configured to update the second key according to the rotated policy, and send the updated second key to the first encrypting component and the second encrypting component.
Further, the first encryption component and the second encryption component are further used for performing digital signature verification, and under the condition that the digital signature verification is passed, the first encryption component negotiates a first key with the second encryption component, and interacts a second key according to the negotiated first key, so that the two encryption components agree on the second key.
Optionally, the server is further configured to send a task directory configuration to the first encryption component and the second encryption component, where the task directory configuration is configured to configure the first encryption component and the second encryption component to perform tasks related to encrypting and decrypting the first data.
The data encryption and decryption system provided by the invention has the following advantages:
1) The method provides a flow service for the encryption of the data transmission that requires it, and by using aspect-oriented programming the encryption function can be added to the original module and decoupled from it without changing the original module. Server resource usage is low, the channel is bridged directly to the service system, the time-consuming handshake stage is avoided, and the speed of service execution in the electronic signature system is not adversely affected.
2) The encryption component automatically encrypts the SM4 of the data input by the client, the encryption range is greatly widened, the high-performance requirement of data transmission transaction processing is met, and the service continuity is not affected;
3) The encryption component is configured on the service side; before the service system is used for the first time, it is checked and deployed using the configuration and installation package key downloaded from a page, and the original service client is embedded again, so that no modification is needed and the process is efficient and convenient;
4) The application of the encryption component does not affect the cache of the electronic signature system, does not increase or decrease data overhead and power consumption, and uses an end-to-end mode to carry out transparent non-perception encryption on the application side, so that the operation of other modules of the electronic signature system is not affected, the habit of a user is not changed, the encryption and decryption service efficiency is improved, and the service interruption event caused by hardware faults is reduced;
5) After the encryption component is applied, the system no longer needs to apply for SSL certificates for encryption; it can realize isolated storage of the data encryption keys, eliminate key information islands, stop the business system from storing keys itself, and remove the risk of key custody failures and theft.
Referring to fig. 8, a block diagram of a data encryption device according to an embodiment of the present invention may be a device in a first encryption component, where the first encryption component is used for embedding a transmission channel between a client and a server, as shown in fig. 8, the data encryption device 800 includes:
a first negotiation module 801, configured to negotiate with a second encryption component to obtain a first key, where the second encryption component is used to embed a transmission channel between the server and a target service system;
a first interaction module 802, configured to exchange an encrypted second key with the second encryption component, where the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is from an encryptor;
And the first processing module 803 is configured to decrypt, based on the first key, the second key and encrypt the first data with the second key to obtain an encrypted data packet when the first data uploaded by the client is obtained, where the encrypted data packet is transmitted to the second encryption component through the client and the server.
Optionally, the first encryption component and/or the second encryption component encapsulates a secure transport layer protocol TLS and a first block cipher algorithm, the first block cipher algorithm corresponding to the second key.
Optionally, the first encryption component is configured to be deployed on a server pre-channel side of the client, and/or the second encryption component is configured to be deployed on a server pre-channel side of the server.
Optionally, the first data includes request server port data, and the data encryption device 800 further includes:
the message processing module is used for discarding the original response message corresponding to the request server port data under the condition that the request server port data is acquired, and carrying out response message recombination to obtain a target response message, wherein the target response message is encrypted based on the first key;
And the second sending module is used for sending the target response message to the server.
Optionally, the message processing module includes:
the receiving unit is used for receiving data response information transmitted by the second encryption component under the condition that the second encryption component decrypts the first data, wherein the data response information is encrypted based on the first key;
and the determining unit is used for determining the target response message based on the data response information.
Optionally, the data encryption device 800 further includes:
the first verification module is used for carrying out digital signature verification with the second encryption component;
the first negotiation module 801 is specifically configured to:
and negotiating with the second encryption component to obtain a first key under the condition that the digital signature passes verification.
Optionally, the data encryption device 800 further includes:
the first receiving module is used for receiving the second secret key from the encryption machine in real time;
the third sending module is used for sending first information to the second encryption component, wherein the first information comprises a second key which is newly acquired by the first encryption component and is encrypted based on the first key;
And the second receiving module is used for receiving the second key encrypted based on the first key from the second encryption component.
The data encryption device 800 provided in the embodiment of the present invention can implement each process implemented by the method embodiment shown in fig. 3, and can achieve the same beneficial effects, so that repetition is avoided, and no further description is provided herein.
Referring to fig. 9, a block diagram of a data decryption device according to an embodiment of the present invention may be a device in a second encryption component, where the second encryption component is used for embedding a transmission channel between a server and a target service system, as shown in fig. 9, the data decryption device 900 includes:
the second negotiation module 901 is configured to negotiate with a first encryption component to obtain a first key, where the first encryption component is used to embed a transmission channel between a client and the server;
a second interaction module 902, configured to exchange an encrypted second key with the first encryption component, where the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is from an encryptor;
the second processing module 903 is configured to, when the encrypted data packet is obtained through the server, decrypt the encrypted second key based on the first key to obtain the second key, and decrypt the encrypted data packet with the second key to obtain first data;
A first sending module 904, configured to send the first data to the target service system.
Optionally, the target service system is an electronic signature system.
Optionally, the first encryption component and/or the second encryption component encapsulates a secure transport layer protocol TLS and a first block cipher algorithm, the first block cipher algorithm corresponding to the second key.
Optionally, the first encryption component is configured to be deployed on a server pre-channel side of the client, and/or the second encryption component is configured to be deployed on a server pre-channel side of the server.
Optionally, the data decryption device 900 further includes:
and the fourth sending module is used for sending data response information to the first encryption component, wherein the data response information is encrypted based on the first key, and the data response information is used for the first encryption component to carry out response message recombination.
Optionally, the data decryption device 900 further includes:
the second verification module is used for carrying out digital signature verification with the first encryption component;
the second negotiation module 901 is specifically configured to:
and negotiating with the first encryption component to obtain a first key under the condition that the digital signature passes verification.
Optionally, the data decryption device 900 further includes:
a third receiving module, configured to receive first information from the first encryption component, where the first information includes a second key that is newly acquired by the first encryption component and is encrypted based on the first key;
the decryption module is used for decrypting the encrypted second key based on the first key to obtain a second key;
an encryption module configured to encrypt the second key based on the first key;
and the fourth sending module is used for sending the second key encrypted based on the first key to the first encryption component.
The data decryption device 900 provided in the embodiment of the present invention can implement each process implemented by the method embodiment shown in fig. 7, and can achieve the same beneficial effects, so that repetition is avoided, and no further description is given here.
Optionally, as shown in fig. 10, an embodiment of the present invention further provides an electronic device 1000, including a processor 1001, a memory 1002, and a program or an instruction stored in the memory 1002 and capable of being executed on the processor 1001, where the program or the instruction implements each process of the method embodiment shown in fig. 3 and fig. 7 when executed by the processor 1001, and the process may achieve the same technical effect, and for avoiding repetition, a detailed description is omitted herein.
The embodiment of the present invention further provides a computer readable storage medium, where a program or an instruction is stored, where the program or the instruction implements each process of the method embodiment shown in fig. 3 and fig. 7 when executed by a processor, and the process can achieve the same technical effect, so that repetition is avoided, and no redundant description is provided herein.
Wherein the processor is a processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium such as a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, and the like.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present invention is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present invention and the scope of the claims, which are to be protected by the present invention.

Claims (18)

1. A data encryption method, characterized by being used for a first encryption component, wherein the first encryption component is embedded in a transmission channel between a client and a server, the method comprising:
negotiating with a second encryption component to obtain a first key, wherein the second encryption component is embedded in a transmission channel between the server and a target service system;
exchanging an encrypted second key with the second encryption component, wherein the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is obtained from an encryptor;
and under the condition that first data uploaded by the client is obtained, decrypting based on the first key to obtain the second key, and encrypting the first data using the second key to obtain an encrypted data packet, wherein the encrypted data packet is transmitted to the second encryption component through the client and the server.
2. The method according to claim 1, wherein the first encryption component and/or the second encryption component encapsulates the transport layer security protocol TLS and a first block cipher algorithm, the first block cipher algorithm corresponding to the second key.
3. The method according to claim 2, wherein the first encryption component is configured to be deployed on a server pre-channel side of the client and/or the second encryption component is configured to be deployed on a server pre-channel side of the server.
4. The method of claim 3, wherein the first data comprises request server port data, the method further comprising:
under the condition that the request server port data is obtained, discarding the original response message corresponding to the request server port data, and reassembling the response message to obtain a target response message, wherein the target response message is encrypted based on the first key;
and sending the target response message to the server.
5. The method of claim 4, wherein performing the response message reassembly to obtain the target response message comprises:
receiving data response information transmitted by the second encryption component under the condition that the second encryption component decrypts the first data, wherein the data response information is encrypted based on the first key;
and determining the target response message based on the data response information.
6. The method according to claim 1, wherein the method further comprises:
performing digital signature verification with the second encryption component;
the negotiating with the second encryption component to obtain the first key includes:
and negotiating with the second encryption component to obtain a first key under the condition that the digital signature passes verification.
7. The method of claim 6, wherein the method further comprises:
receiving a second key from the encryptor in real time;
transmitting first information to the second encryption component, wherein the first information comprises a second key which is newly acquired by the first encryption component and is encrypted based on the first key;
the second key encrypted based on the first key is received from the second encryption component.
8. A data decryption method, characterized by being used for a second encryption component, wherein the second encryption component is embedded in a transmission channel between a server and a target service system, the method comprising:
negotiating with a first encryption component to obtain a first key, wherein the first encryption component is embedded in a transmission channel between a client and the server;
exchanging an encrypted second key with the first encryption component, wherein the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is obtained from an encryptor;
under the condition that the encrypted data packet is obtained through the server side, the second key is obtained through decryption based on the first key, and the encrypted data packet is decrypted through the second key to obtain first data;
and sending the first data to the target service system.
9. The method of claim 8, wherein the target service system is an electronic signature system.
10. The method according to claim 8, wherein the first encryption component and/or the second encryption component encapsulates the transport layer security protocol TLS and a first block cipher algorithm, the first block cipher algorithm corresponding to the second key.
11. The method of claim 10, wherein the first encryption component is configured to be deployed on a server pre-channel side of the client and/or the second encryption component is configured to be deployed on a server pre-channel side of the server.
12. The method of claim 11, wherein after decrypting the encrypted data packet using the second key to obtain first data, the method further comprises:
and sending data response information to the first encryption component, wherein the data response information is encrypted based on the first key, and the data response information is used for the first encryption component to carry out response message reorganization.
13. The method of claim 8, wherein the method further comprises:
performing digital signature verification with the first encryption component;
the negotiating with the first encryption component to obtain a first key includes:
and negotiating with the first encryption component to obtain a first key under the condition that the digital signature passes verification.
14. The method of claim 13, wherein the method further comprises:
receiving first information from the first encryption component, wherein the first information comprises a second key which is newly acquired by the first encryption component and is encrypted based on the first key;
decrypting the encrypted second key based on the first key to obtain the second key;
and encrypting the second key based on the first key, and sending the second key encrypted based on the first key to the first encryption component.
15. A data encryption device, for a first encryption component, the first encryption component being configured to be embedded in a transmission channel between a client and a server, the device comprising:
the first negotiation module is used for negotiating with the second encryption component to obtain a first key, and the second encryption component is used for embedding a transmission channel between the server and the target service system;
the first interaction module is used for interacting an encrypted second key with the second encryption component, the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is from an encryptor;
the first processing module is used for obtaining the second key based on the first key under the condition that the first data uploaded by the client is obtained, and carrying out encryption processing on the first data by utilizing the second key to obtain an encrypted data packet, wherein the encrypted data packet is transmitted to the second encryption component through the client and the server.
16. A data decryption apparatus for a second encryption component, the second encryption component being configured to be embedded in a transmission channel between a server and a target service system, the apparatus comprising:
the second negotiation module is used for negotiating with the first encryption component to obtain a first key, and the first encryption component is used for embedding a transmission channel between the client and the server;
the second interaction module is used for interacting an encrypted second key with the first encryption component, the encrypted second key is obtained by encrypting the second key based on the first key, and the second key is from an encryptor;
the second processing module is used for obtaining the second key based on the first key in a decryption mode under the condition that the encrypted data packet is obtained through the server side, and decrypting the encrypted data packet by utilizing the second key to obtain first data;
and the first sending module is used for sending the first data to the target service system.
17. An electronic device comprising a processor and a memory storing a program or instructions executable on the processor, which when executed by the processor, implement the steps of the data encryption method of any one of claims 1 to 7, or the steps of the data decryption method of any one of claims 8 to 14.
18. A readable storage medium, characterized in that the readable storage medium has stored thereon a program or instructions which, when executed by a processor, implement the steps of the data encryption method according to any one of claims 1 to 7 or the steps of the data decryption method according to any one of claims 8 to 14.
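The claims above describe one exchange from two sides: the components first agree on a first key, the first component then distributes the encryptor's second key wrapped under the first key (claims 7 and 14 add the echo back and the key refresh), the client's upload is encrypted under the second key and relayed through the server as an opaque packet, and the second component answers with a data response encrypted under the first key from which the first component reassembles its response (claims 4, 5 and 12). The following is an added example that models that exchange in Python; it is not code from the patent or its applicants. It makes two stand-ins that the claims leave open: the TLS negotiation and digital signature verification are replaced by handing both components one constructed shared first key, and the unnamed "first block cipher algorithm" is replaced by an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC so the example runs on the standard library alone. All class, function and label names are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for the block cipher the claims leave unnamed."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, plaintext, aad):
    """Encrypt-then-MAC under independent sub-keys; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob, aad):
    """Inverse of seal(); raises ValueError if the tag (and so the label or contents) was altered."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FirstEncryptionComponent:
    """Embedded between client and server (claims 1 to 7). Holds the second key only wrapped."""

    def __init__(self, first_key):
        self.first_key = first_key          # stand-in for the key the claims negotiate over TLS
        self.wrapped_second_key = None

    def receive_second_key(self, second_key):
        # claim 7: key arrives from the encryptor; keep it encrypted under the first key
        self.wrapped_second_key = seal(self.first_key, second_key, b"second-key")

    def first_information(self):
        # claim 7: the newly acquired second key, encrypted based on the first key
        return self.wrapped_second_key

    def encrypt_first_data(self, first_data):
        # claim 1: decrypt the second key with the first key, then encrypt the upload with it
        second_key = open_sealed(self.first_key, self.wrapped_second_key, b"second-key")
        return seal(second_key, first_data, b"first-data")

    def reassemble_response(self, data_response):
        # claims 4 and 5: the server's original response is discarded; the target response
        # is built from the second component's data response, which is under the first key
        return open_sealed(self.first_key, data_response, b"data-response")


class SecondEncryptionComponent:
    """Embedded between server and target service system (claims 8 to 14)."""

    def __init__(self, first_key):
        self.first_key = first_key
        self.wrapped_second_key = None

    def receive_first_information(self, wrapped):
        # claim 14: decrypt, keep, and send the key back re-encrypted under the first key
        second_key = open_sealed(self.first_key, wrapped, b"second-key")
        self.wrapped_second_key = seal(self.first_key, second_key, b"second-key")
        return self.wrapped_second_key

    def decrypt_packet(self, packet):
        # claims 8 and 12: recover first data, then answer with an encrypted data response
        if self.wrapped_second_key is None:
            raise ValueError("second key not yet received")
        second_key = open_sealed(self.first_key, self.wrapped_second_key, b"second-key")
        first_data = open_sealed(second_key, packet, b"first-data")
        receipt = b"ACK:" + hashlib.sha256(first_data).digest()[:8]   # constructed response body
        return first_data, seal(self.first_key, receipt, b"data-response")


def run_exchange(first_data):
    """One full round of claims 1 to 14 with both components in one process."""
    first_key = secrets.token_bytes(32)       # constructed stand-in for the TLS-negotiated key
    first = FirstEncryptionComponent(first_key)
    second = SecondEncryptionComponent(first_key)

    second_key = secrets.token_bytes(32)      # constructed stand-in for the encryptor's key
    first.receive_second_key(second_key)
    echo = second.receive_first_information(first.first_information())
    key_echo_ok = open_sealed(first_key, echo, b"second-key") == second_key

    packet = first.encrypt_first_data(first_data)   # relayed client -> server -> second component
    recovered, data_response = second.decrypt_packet(packet)
    target_response = first.reassemble_response(data_response)

    # The relaying server holds neither key, so any change it makes to the packet is rejected
    tampered = bytearray(packet)
    tampered[16] ^= 0x01
    try:
        second.decrypt_packet(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"recovered": recovered, "key_echo_ok": key_echo_ok,
            "target_response": target_response, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_exchange(b"request server port data: 8443"))
```

The point the example makes explicit is the trust boundary the claims rely on: the server between the two components only ever forwards ciphertext, and it sees neither the first key (so it cannot read the wrapped second key or the data response) nor the second key (so it cannot read or alter the uploaded first data without the second component rejecting the packet). Distinct labels on each sealed message stop a wrapped key from being replayed where a data packet is expected.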
CN202210767577.XA 2022-06-30 2022-06-30 Data encryption method, data decryption method and device Pending CN117375863A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210767577.XA CN117375863A (en) 2022-06-30 2022-06-30 Data encryption method, data decryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210767577.XA CN117375863A (en) 2022-06-30 2022-06-30 Data encryption method, data decryption method and device

Publications (1)

Publication Number Publication Date
CN117375863A true CN117375863A (en) 2024-01-09

Family

ID=89395168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210767577.XA Pending CN117375863A (en) 2022-06-30 2022-06-30 Data encryption method, data decryption method and device

Country Status (1)

Country Link
CN (1) CN117375863A (en)

Similar Documents

Publication Publication Date Title
US12047362B2 (en) Systems and methods for secure multi-party communications using a proxy
CN101247232B (en) Encryption technique method based on digital signature in data communication transmission
CN106790090A (en) Communication means, apparatus and system based on SSL
KR20060100920A (en) Trusted third party authentication for web services
CN103036880A (en) Network information transmission method, transmission equipment and transmission system
CN116132043B (en) Session key negotiation method, device and equipment
CN101170413A (en) A digital certificate and private key acquisition, distribution method and device
CN103716280B (en) data transmission method, server and system
CN115242392A (en) Method and system for realizing industrial information safety transmission based on safety transmission protocol
CN105871858A (en) Method and system for ensuring high data safety
CN110611679A (en) Data transmission method, device, equipment and system
CN116866029B (en) Random number encryption data transmission method, device, computer equipment and storage medium
Zubair et al. A hybrid algorithm-based optimization protocol to ensure data security in the cloud
Mohammed et al. Secure third party auditor (tpa) for ensuring data integrity in fog computing
CN115001744A (en) Cloud platform data integrity verification method and system
CN117375863A (en) Data encryption method, data decryption method and device
CN104580129A (en) SSL asynchronization agent method based on stream processing
CN113810422A (en) Emqx browser architecture-based secure connection method for data of internet of things platform device
Al-Humadi Cryptography in Cloud Computing for Data Security and Network Security
CN106464684B (en) Service processing method and device
CN110457171A (en) A kind of embedded apparatus debugging method and system
Jain “Sec-KeyD” an efficient key distribution protocol for critical infrastructures
King et al. HTTPA/2: a Trusted End-to-End Protocol for Web Services
CN117424742B (en) Session key restoring method of non-perception transmission layer security protocol
CN118174967B (en) Information verification method and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination