CN117650950B - Secure communication method and apparatus - Google Patents


Info

Publication number
CN117650950B
Authority
CN
China
Prior art keywords
target
account
target account
equipment
access
Legal status
Active
Application number
CN202410121768.8A
Other languages
Chinese (zh)
Other versions
CN117650950A
Inventor
尹肖栋
朱晨鸣
刘欢
沈笑慧
黄力冶
Current Assignee
Zhejiang Institute Of Electronic Information Products Inspection Zhejiang Informatization And Industrialization Integration Promotion Center
Original Assignee
Zhejiang Institute Of Electronic Information Products Inspection Zhejiang Informatization And Industrialization Integration Promotion Center

Abstract

The application discloses a secure communication method and apparatus and belongs to the technical field of computers. The method comprises: acquiring an account fingerprint of a target account when a first device access request is received; predicting, from the account fingerprint, the number of times the target account will access the network in a future preset time interval; generating a dynamic access token for the target account according to the prediction result; returning the dynamic access token to the client corresponding to the target account; establishing secure communication between the target account and the target device; receiving, from the client corresponding to the target account, a second device access request for the target device that carries the dynamic access token; and, if the dynamic access token is valid and the network environment information has not changed, directly re-establishing the secure communication between the target account and the target device according to the communication security information. The application reduces the load on the server when device access requests are received frequently.

Description

Secure communication method and apparatus
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for secure communication.
Background
In an intelligent-networking, multi-network convergence environment, the communication security system must secure the communication between network access devices and the accounts that access the network, and maintain the communication security of both accounts and devices. Building a communication security ecosystem involves comprehensive security management of accounts, devices, networks and applications within a trusted network environment, so that the communication security of information between accounts and devices is fully ensured. The content of the communication security system is numerous and complex and its algorithms are complex, so when the communication volume between accounts and devices is large, the communication security system may become overloaded and its responsiveness may decrease. Reducing the burden on the communication security system, and in particular reducing as far as possible the total number of operations it executes and the number of times the related algorithms are started when the communication volume between accounts and devices is large, is therefore extremely important, but the related art lacks a technical scheme for this.
Disclosure of Invention
The embodiment of the application provides a secure communication method and a secure communication device, which are used for solving at least one technical problem.
In one aspect, the present application provides a secure communication method applied to a server, the secure communication method including:
when a first device access request is received, acquiring an account fingerprint of a target account;
performing security detection on the target account according to the account fingerprint and judging whether the target account has the authority to access the target device; and, when the security detection passes, the target account has the authority to access the target device, and the first device access request does not carry a dynamic access token, extracting an access record corresponding to the target account;
when the access record is empty, predicting the number of network accesses of the target account in a future preset time interval according to the account fingerprint of the target account; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account;
establishing secure communication between the target account and the target device, and retaining the communication security information of that secure communication;
receiving a second device access request for the target device sent by the client corresponding to the target account, the second device access request carrying the dynamic access token; and detecting whether the dynamic access token is valid;
if the dynamic access token is valid and the network environment information has not changed, directly re-establishing the secure communication between the target account and the target device according to the communication security information, wherein the network environment information comprises a resource access policy and a network environment trusted state.
In one embodiment, establishing secure communication between the target account and the target device includes:
obtaining public key parameters, the public key parameters comprising a first public key, a second public key and a third public key, and encrypting and transmitting the public key parameters to the target device; the first public key is a prime number larger than a preset value, and the second public key is a primitive root of the first public key;
generating a private key parameter corresponding to the secure communication link, and encrypting and transmitting the private key parameter to the target device; the public key parameters and the private key parameter belong to the communication security information; raising the second public key to the power of the private key parameter gives an exponent characteristic value, and the remainder of the exponent characteristic value modulo the first public key is the third public key;
the target device generates response data according to the first device access request and generates a signature parameter that is coprime with a first target value (so that its inverse modulo the first target value exists), where the first target value is the first public key minus one; raising the second public key to the power of the signature parameter gives a second target value, and the remainder of the second target value modulo the first public key is the first signature data; the difference between the response data and the product of the first signature data and the private key parameter is a third target value, the ratio of the third target value to the signature parameter (in practice, the third target value multiplied by the modular inverse of the signature parameter modulo the first target value) is a fourth target value, and the remainder of the fourth target value modulo the first target value is the second signature data; a secure communication signature is obtained from the first signature data and the second signature data; and the response data and the secure communication signature are transmitted to the server;
the server parses the secure communication signature to obtain third signature data and fourth signature data; raising the third public key to the power of the third signature data gives a fifth target value; raising the third signature data to the power of the fourth signature data gives a sixth target value; the product of the fifth target value and the sixth target value is a first reference value; raising the second public key to the power of the response data gives a second reference value; and if the first reference value and the second reference value are congruent modulo the first public key, the response data is encrypted and transmitted to the client corresponding to the target account.
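The signing and verification steps above are an ElGamal signature over the prime first public key. The following Python example is added here and is not the patent's own code; it uses the patent's parameter names (first public key p, second public key g, private key parameter x, third public key y, signature parameter k, first and second signature data r and s), and the toy prime, the fixed-width byte encoding of the signature and the function names are assumptions.

```python
import secrets
from math import gcd


def is_primitive_root(g, p):
    """True if g generates the multiplicative group mod the prime p, i.e. the patent's
    requirement that the second public key be a primitive root of the first public key."""
    n, m, factors = p - 1, p - 1, set()
    d = 2
    while d * d <= m:                     # prime factors of p-1 by trial division (toy sizes)
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, n // q, p) != 1 for q in factors)


def generate_private_key(p, g):
    """Server side: private key parameter x and third public key y = g^x mod p."""
    if not is_primitive_root(g, p):
        raise ValueError("second public key must be a primitive root of the first public key")
    x = secrets.randbelow(p - 2) + 1      # 1 <= x <= p-2
    return x, pow(g, x, p)


def sign(p, g, x, m, k=None):
    """Device side. m is the response data as an integer; in practice sign a hash of the
    response data so that one integer is bound to the whole message."""
    q = p - 1                             # first target value
    if k is None:
        while True:
            k = secrets.randbelow(q - 2) + 2      # signature parameter, 2 <= k <= q-1
            if gcd(k, q) == 1:                    # coprime with q so that k^-1 mod q exists
                break
    elif gcd(k, q) != 1:
        raise ValueError("signature parameter must be coprime with p-1")
    r = pow(g, k, p)                      # first signature data: second target value mod p
    s = ((m - x * r) * pow(k, -1, q)) % q  # second signature data: (m - x*r)/k mod (p-1)
    return r, s


def verify(p, g, y, m, r, s):
    """Server side: accept iff y^r * r^s is congruent to g^m modulo p."""
    if not (0 < r < p and 0 <= s < p - 1):      # reject out-of-range signature data
        return False
    first_reference = (pow(y, r, p) * pow(r, s, p)) % p   # fifth * sixth target value
    second_reference = pow(g, m, p)
    return first_reference == second_reference


def encode_signature(r, s, p):
    """Secure communication signature as bytes: r and s, each fixed-width big-endian."""
    width = (p.bit_length() + 7) // 8
    return r.to_bytes(width, "big") + s.to_bytes(width, "big")


def decode_signature(sig, p):
    """Server-side parsing into third and fourth signature data."""
    width = (p.bit_length() + 7) // 8
    if len(sig) != 2 * width:
        raise ValueError("malformed secure communication signature")
    return int.from_bytes(sig[:width], "big"), int.from_bytes(sig[width:], "big")


def exchange(p, g, x, y, response_data, k=None):
    """One round: the device signs its response, the server parses and checks it."""
    r, s = sign(p, g, x, response_data, k)
    r2, s2 = decode_signature(encode_signature(r, s, p), p)
    return verify(p, g, y, response_data, r2, s2)


if __name__ == "__main__":
    P, G = 23, 5                          # constructed toy parameters; use a large prime in practice
    X, Y = generate_private_key(P, G)
    print("signature accepted:", exchange(P, G, X, Y, 10))
```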
In one embodiment, the method further comprises:
if the interval between the second device access request and the first device access request is shorter than the preset time interval corresponding to the dynamic access token, and the number of device access requests for the target device sent on behalf of the target account within that preset time interval has not reached the number of network accesses corresponding to the dynamic access token, the dynamic access token is judged to be valid.
In one embodiment, predicting the number of network accesses of the target account in a future preset time interval according to the account fingerprint of the target account includes:
searching an account fingerprint library for associated accounts whose account fingerprint similarity to the target account is greater than a preset threshold, an associated account being an account that has already accessed the server;
acquiring the access records of each associated account in the preset time interval after it first accessed the server; and
predicting the number of network accesses of the target account in the future preset time interval according to those access records.
In one embodiment, the method further comprises:
if the network environment information has changed, invalidating the dynamic access token and performing security detection on the target account again; acquiring the access record corresponding to the target account when the security detection passes; predicting the number of network accesses of the target account in a future preset time interval according to the access record; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account.
In one embodiment, acquiring the access record corresponding to the target account when the security detection passes includes:
judging, when the security detection passes, whether the target account has the authority to access the target device according to the current resource access policy; and
acquiring the access record corresponding to the target account when it has the authority.
In one embodiment, the method further comprises:
if the resource access policy changes or the network trusted state changes, judging that the network environment information has changed.
In another aspect, the present application also provides a secure communication apparatus applied to a server, the secure communication apparatus including:
The communication preparation module is used for acquiring an account fingerprint of the target account when a first device access request is received; performing security detection on the target account according to the account fingerprint and judging whether the target account has the authority to access the target device; extracting an access record corresponding to the target account when the security detection passes, the target account has the authority to access the target device, and the first device access request does not carry a dynamic access token; when the access record is empty, predicting the number of network accesses of the target account in a future preset time interval according to the account fingerprint of the target account; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account.
The communication implementation module is used for establishing secure communication between the target account and the target device and retaining the communication security information of that secure communication; receiving a second device access request for the target device sent by the client corresponding to the target account, the second device access request carrying the dynamic access token; detecting whether the dynamic access token is valid; and, if the dynamic access token is valid and the network environment information has not changed, directly re-establishing the secure communication between the target account and the target device according to the communication security information.
In another aspect, the present application also provides a computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by a processor to implement the secure communication method mentioned in the foregoing.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a secure communication method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of predicting the number of network accesses of a target account in a future preset time interval according to the account fingerprint of the target account in the secure communication method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of establishing secure communication between the target account and the target device in a secure communication method according to an embodiment of the present application;
FIG. 4 is a block diagram of a secure communication apparatus according to an embodiment of the present application.
Detailed Description
Before describing the method embodiments of the present application, related terms or nouns that may be involved in the method embodiments of the present application are briefly described, so as to be understood by those skilled in the art of the present application.
Referring to fig. 1, a flow diagram of a secure communication method applied to a server for supporting communication between an account and a device is shown, the method comprising:
S101, when a first device access request is received, acquiring an account fingerprint of a target account.
In the embodiments of the application, a device access request is a request sent to the server to access a device in the network; the device access request carries an account fingerprint. The account fingerprint is a concept of the prior art and is not described here. All devices in the network are managed uniformly by the server.
S102, performing security detection on the target account according to the account fingerprint, judging whether the target account has the authority to access the target device, and extracting an access record corresponding to the target account when the security detection passes, the target account has the authority to access the target device, and the first device access request does not carry a dynamic access token.
The application does not limit how the target device is determined; it may be an agreed device or a device specified by the first device access request. Security detection checks whether the target account is an account that accesses the target device safely and legitimately and whether it poses a threat; it is a basic operation of the communication security system and need not be described further. Judging whether the target account has the authority to access the target device is done according to the resource access policy built into the server, which decides whether a given account may access a given device; this need not be described further either. Although security detection and authority detection are both basic operations, they are very important for maintaining the security of the communication security system, so the related art has to perform both for every request to access the network, which leads to overload of the communication security system and reduced responsiveness when communication is frequent.
The embodiments of the application reduce how often these two detections are started by designing a dynamic access token: the two detections are not started for every access request, and during the validity period of the dynamic access token their start frequency can be greatly reduced without affecting the security of the communication. The dynamic access token is also managed dynamically: it can be invalidated when a situation arises in which security may be compromised, and regenerated once the security risk is confirmed to have been eliminated, so that the security of the communication security system is maintained flexibly and continuously while the start frequency of the two operations is sufficiently reduced.
If the target account is accessing for the first time, a dynamic access token has to be generated, and to generate one, the access record corresponding to the target account is extracted in this step. The embodiments of the application do not limit the specific content of the dynamic access token; it is a piece of credential information that carries the number of network accesses permitted in a preset time interval.
S103, when the access record is empty, predicting the number of network accesses of the target account in the future preset time interval according to the account fingerprint of the target account; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account.
The server keeps access records. If the access record is empty, the target account is accessing a device in the network for the first time and accessing the target device for the first time, so a dynamic access token cannot be generated directly from recorded content in the access record. The embodiments of the application do not limit the length of the preset time interval; it can be set according to actual conditions and does not form an obstacle to implementation.
FIG. 2 is a schematic flow chart of predicting the number of network accesses of the target account in a future preset time interval according to the account fingerprint of the target account. The prediction comprises the following steps:
S201, searching an account fingerprint library for associated accounts whose account fingerprint similarity to the target account is greater than a preset threshold, an associated account being an account that has already accessed the server.
The calculation of the fingerprint similarity and the setting of the preset threshold both belong to the prior art and are not described in detail.
S202, acquiring the access records of each associated account in the preset time interval after it first accessed the server, and predicting the number of network accesses of the target account in the future preset time interval according to those access records.
In this way the embodiments of the application use the account fingerprint to find associated accounts that are sufficiently similar to the target account; the associated accounts have access records, and analysing those access records makes it possible to predict the number of accesses of the target account in the future preset time interval, which solves the technical problem of generating a suitable dynamic access token for a target account accessing for the first time. Specifically, the access records may be analysed to obtain the average number of accesses of the associated accounts within the preset time interval, and that average is taken as the number of network accesses.
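The following Python example, added here and not part of the patent, works through S201/S202 and the dynamic access token rule stated in the summary above (the token stays valid while the preset time interval has not elapsed and the predicted number of accesses has not been reached; a change of resource access policy or network trusted state invalidates it). The Jaccard fingerprint similarity, the sample fingerprint library and access records, and all names used are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkEnvironment:
    """Network environment information: resource access policy version and trusted state."""
    policy_version: int
    trusted: bool


@dataclass
class DynamicAccessToken:
    token_id: str
    account: str
    issued_at: float          # time of the first device access request
    interval: float           # preset time interval in seconds
    access_times: int         # predicted number of network accesses in the interval
    env: NetworkEnvironment   # environment snapshot the token was issued under
    used: int = 0             # requests already served with this token (assumed counting rule)
    valid: bool = True


def fingerprint_similarity(fp_a, fp_b):
    """Assumed measure (the patent leaves it to prior art): Jaccard similarity of the
    two fingerprints' feature/value pairs."""
    a, b = set(fp_a.items()), set(fp_b.items())
    return len(a & b) / len(a | b) if a | b else 0.0


def predict_access_times(target_fp, fingerprint_library, access_records, interval, threshold):
    """S201/S202: average the accesses of associated accounts in the preset interval after
    their first access; None when no associated account exists (caller must fall back)."""
    counts = []
    for account, fp in fingerprint_library.items():
        times = sorted(access_records.get(account, []))
        if times and fingerprint_similarity(target_fp, fp) > threshold:
            counts.append(sum(1 for t in times if t - times[0] <= interval))
    return round(sum(counts) / len(counts)) if counts else None


def issue_token(account, access_times, interval, env, now):
    return DynamicAccessToken(secrets.token_hex(16), account, now, interval, access_times, env)


def token_is_valid(token, now, env):
    """Validity rule: interval not elapsed, served requests below the predicted number,
    and unchanged network environment (a policy or trusted-state change invalidates)."""
    if token.env != env:
        token.valid = False
    if not token.valid:
        return False
    if now - token.issued_at >= token.interval:
        return False
    return token.used < token.access_times


def handle_device_access_request(token, now, env):
    """Second device access request carrying the token: 'reuse' re-establishes the secure
    communication from the retained security information; otherwise security detection
    and authority detection run again (and a new token is issued once they pass)."""
    if token_is_valid(token, now, env):
        token.used += 1
        return "reuse"
    return "full-detection"


# Constructed sample data: fingerprints of accounts already seen by the server and
# their access timestamps (seconds).
SAMPLE_LIBRARY = {
    "acct-A": {"region": "east", "education": "bsc", "interest": "sports"},
    "acct-B": {"region": "east", "education": "bsc", "interest": "music"},
    "acct-C": {"region": "west", "education": "phd", "interest": "art"},
}
SAMPLE_RECORDS = {
    "acct-A": [0, 100, 200, 5000],
    "acct-B": [10, 20, 30, 40, 50],
    "acct-C": [0, 60, 120],
}

if __name__ == "__main__":
    target = {"region": "east", "education": "bsc", "interest": "film"}
    env = NetworkEnvironment(policy_version=1, trusted=True)
    n = predict_access_times(target, SAMPLE_LIBRARY, SAMPLE_RECORDS, 3600, 0.4)
    token = issue_token("acct-T", n, 3600, env, now=1000.0)
    for t in (1100.0, 1200.0, 1300.0, 1400.0, 1500.0):
        print(t, handle_device_access_request(token, t, env))
```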
The key to finding associated accounts is constructing the account fingerprint library. The account fingerprints of all accounts in the library can be generated in the same way, and the embodiments of the application do not limit how an account fingerprint is generated. However, in order to improve the quality of the account fingerprints, and thereby the accuracy of the network access frequency prediction, and to maximise the technical effect of the dynamic access token, the embodiments of the application provide an account fingerprint generation method.
In this method, an account identifier is generated for the account information of the account whose fingerprint is needed, and the account fingerprint is generated from the account identifier and the account information. The account fingerprint is unique: it is a unique mapping of an account marking feature set. The account marking feature set is determined from the account information and consists of the features of those feature dimensions whose feature marking degree satisfies a preset marking-degree requirement. The feature marking degree comprehensively quantifies, for the corresponding feature dimension, the information expression capacity of the feature itself, the degree of association between the feature and other features, and the degree of information overlap between the feature and other features.
The account information comprises account feature data for each of several feature dimensions; the account feature data is obtained by collecting information in the corresponding feature dimension. The feature dimensions can be selected according to actual requirements, for example a region dimension, an education dimension, an interest dimension, an economic condition dimension or a basic physiological parameter dimension; this choice does not form an obstacle to implementation and depends on the services actually provided by the server and the in-network devices in the communication security system. Information in each feature dimension is collected, quantified, discretised and homogenised to obtain the account feature data. The specific collection, quantification, discretisation and homogenisation methods used in the embodiments may follow the prior art and are not described in detail. Homogenisation here can be understood as a homogenising map, that is, a monotone mapping of the data into a number between 0 and 1, so that larger values remain larger after mapping. The purpose of quantification is to store the data in numerical form; the quantification method is not limited, provided the result supports numerical operations.
Generating the account identifier from the account information may follow the prior art; only uniqueness needs to be ensured. The embodiments of the application emphasise that the account information may contain features with high redundancy and features with a high degree of association: the higher the association, the higher the redundancy, the lower the purity of the account information, and the worse the quality of the account fingerprint. The embodiments therefore introduce the feature marking degree, a comprehensive quantitative index that simultaneously quantifies the information expression level of the feature itself, the degree of association between the feature and other adjacent features, and the degree of information overlap between the feature and other adjacent features; the lower the information expression level, the higher the degree of association, or the higher the degree of information overlap, the lower the feature marking degree. The embodiments of the application also provide a specific method for calculating the feature marking degree.
The feature marking degree of each feature dimension in the account information is calculated, and the account feature data of those feature dimensions whose feature marking degree satisfies the preset marking-degree requirement is selected to form the account marking feature set. The account fingerprint is then generated from the account marking feature set and the account identifier. The fingerprint generation algorithm maps the input information to the account fingerprint; the mapping method may follow the prior art and is not described in detail. The embodiments of the application provide a method for obtaining the account marking feature set, comprising the following steps:
first, assigning each feature dimension a label in increasing order, and concatenating the account feature data of the feature dimensions in increasing label order to obtain a first feature sequence;
for example, with feature dimension 1, feature dimension 2, feature dimension 3, feature dimension 4 and feature dimension 5, where 1, 2, 3, 4 and 5 are the labels that uniquely distinguish the feature dimensions, ordering by increasing label gives a unique ranking of the feature dimensions, and since each feature dimension corresponds to account feature data, the first feature sequence is the result of that ranking;
second, shuffling the feature dimensions several times and concatenating the account feature data of the shuffled feature dimensions to obtain several second feature sequences, no two of which are identical;
third, determining the feature marking degree of each feature dimension in each second feature sequence to obtain a single feature marking degree for that feature dimension in that sequence, and homogenising the single feature marking degrees obtained across the second feature sequences for the feature dimension with the same label to obtain the feature marking degree of that feature dimension.
Evidently, the feature marking degree of a feature dimension is a comprehensive result obtained from several single feature marking degrees, i.e. a comprehensive feature marking degree. By generating several shuffled second feature sequences, a given feature dimension forms temporary adjacency relations with several other feature dimensions across those sequences, so the adjacency relations and the redundancy they produce are automatically taken into account when the single feature marking degree of the feature dimension is calculated for each second feature sequence. The comprehensive feature marking degree thus reflects the degree of association and information overlap under the various possible adjacencies, and can quantify the degree of association and the degree of information overlap between the feature and the other features. Because the information expression capacity of the feature is considered when each single feature marking degree is calculated, the comprehensive feature marking degree also quantifies the information expression capacity of the feature, the degree of association between the feature and other features, and the degree of information overlap between the feature and other features.
Determining the feature marking degree of each feature dimension in each second feature sequence to obtain the single feature marking degree comprises, for each feature dimension of each second feature sequence: nulling the account feature data of that feature dimension in the second feature sequence to obtain a third feature sequence, and inputting the third feature sequence into a feature marking degree prediction model to obtain the single feature marking degree of that feature dimension.
Further, the embodiment of the present application provides a training method for the feature marking degree prediction model, which includes the following steps:
(1) Acquire a sample original sequence, and null the feature corresponding to a certain feature dimension in the sample original sequence to obtain a sample feature sequence. The sample original sequence is acquired in the same manner as the first feature sequence or the second feature sequence, and the sample feature sequence is obtained in the same manner as the third feature sequence; neither is described again.
(2) Input the sample feature sequence into a neural network to obtain a predicted feature marking degree for the feature dimension. The embodiment of the present application does not limit the structure of the neural network, which does not constitute an implementation barrier.
(3) Input the sample feature sequence into a feature prediction model, which predicts the nulled feature from the non-nulled features in the sample feature sequence, to obtain a nulled-feature predicted value; determine, in the sample original sequence, the original feature that was nulled, and determine a first substitution value according to the difference between the original feature and the nulled-feature predicted value.
Many existing artificial-intelligence models can serve as the feature prediction model, so it is not described further. The first substitution value is obtained from the difference between the nulled-feature predicted value and the original feature before nulling. The embodiment of the present application does not limit how the difference is quantified; the prior art may be referred to. Nor is the specific functional relationship between the difference and the first substitution value limited: the technical purpose of the present application is achieved as long as the difference and the first substitution value are in a one-to-one, positively correlated mapping.
Suppose the nulled feature has a strong feature marking degree; then nulling it necessarily makes the nulled-feature predicted value inaccurate, which increases the first substitution value, and vice versa. The true value of the feature marking degree is therefore strongly correlated with the first substitution value. Although the true value of the feature marking degree cannot be determined, it can be quantified from the perspective of the first substitution value, that is, a substitute for the true value (the feature marking degree substitution value below) can be found based on the first substitution value, which solves the technical problem of how to train the feature marking degree prediction model when the true feature marking degree cannot be known.
(4) Perform a fusion operation on the features in the sample original sequence to obtain a first fusion feature; perform the fusion operation on the features in the sample feature sequence to obtain a second fusion feature; and determine a second substitution value according to the feature distance between the first fusion feature and the second fusion feature.
The embodiment of the present application notes that quantifying the true value from the perspective of the first substitution value alone may be insufficiently accurate, and therefore also proposes a second substitution value, which considers the problem from the perspective of data distance. Suppose again that the nulled feature has a strong feature marking degree; then nulling it produces a large feature distance, meaning that the fusion features obtained before and after nulling differ greatly, and vice versa. The embodiment of the present application does not limit the fusion operation, for which the prior art may be referred to, nor the specific functional relationship between the feature distance and the second substitution value: the technical purpose of the present application is achieved as long as the feature distance and the second substitution value are in a one-to-one, positively correlated mapping.
(5) Weight the first substitution value and the second substitution value respectively, add the weighted values, and normalize the sum to obtain the feature marking degree substitution value. The weight values are not limited, do not constitute an implementation barrier of the present application, and are set according to actual requirements. Adjust the parameters of the neural network according to the difference between the feature marking degree substitution value and the predicted feature marking degree to obtain the feature marking degree prediction model.
The method for quantifying this difference, the method for adjusting the parameters according to the difference, the training stop condition, and the like are not described in the embodiment of the present application; the prior art may be referred to.
Fourth, delete, from the first feature sequence, the account feature data corresponding to the feature dimensions whose feature marking degree does not meet a preset feature marking degree requirement, to obtain the account marking feature set. The embodiment of the present application does not limit the preset feature marking degree requirement; for example, a lower limit may be set, and a feature dimension whose feature marking degree is smaller than the lower limit does not meet the requirement. The lower limit may be set according to the actual situation and does not constitute an obstacle to implementing the present application.
S104, establishing secure communication between the target account and the target device, and retaining the communication security information of the secure communication.
The embodiment of the present application does not limit the method for establishing secure communication between the target account and the target device, and there are many methods in the prior art. However, to improve both the speed and the security of the secure communication, a specific communication method is provided in the embodiment of the present application. Referring to fig. 3, establishing secure communication between the target account and the target device includes:
S301, acquiring public key parameters, which comprise a first public key, a second public key and a third public key, and encrypting and transmitting the public key parameters to the target device; the first public key is a prime number larger than a preset value, and the second public key is a primitive root of the first public key;
To improve security, the embodiment of the present application suggests that the first public key be a relatively large number, so a relatively large preset value, for example 1500, may be set.
S302, generating a private key parameter corresponding to the secure communication link, and encrypting and transmitting the private key parameter to the target device; the public key parameters and the private key parameter belong to the communication security information; an exponentiation value is obtained by taking the second public key as the base and the private key parameter as the exponent, and the remainder of the exponentiation value modulo the first public key is the third public key;
The encryption used to transmit the public key parameters and the private key parameter in the embodiment of the present application is agreed between the target device and the server; the agreement is simply followed, does not constitute an implementation barrier, and is not described. The generation method of the private key parameter is not limited, provided the requirement of this step is met.
S303, the target device generates response data according to the first device access request; generates a signature parameter, wherein the signature parameter is coprime with a first target value, and the first target value is the first public key minus one; takes the second public key as the base and the signature parameter as the exponent to obtain a second target value, and takes the remainder of the second target value modulo the first public key as first signature data; takes the difference between the response data and the product of the private key parameter and the first signature data as a third target value, takes the quotient of the third target value and the signature parameter (that is, the product of the third target value and the inverse of the signature parameter modulo the first target value) as a fourth target value, and takes the remainder of the fourth target value modulo the first target value as second signature data; obtains a secure communication signature according to the first signature data and the second signature data; and transmits the response data and the secure communication signature to the server;
The response data is the data the target account wishes to acquire from the target device, which the target device obtains according to the first device access request. The embodiment of the present application does not limit the method for generating the signature parameter, provided the aim of this step is achieved.
S304, the server parses the secure communication signature to obtain third signature data and fourth signature data, and obtains a fifth target value by taking the third public key as the base and the third signature data as the exponent; obtains a sixth target value by taking the third signature data as the base and the fourth signature data as the exponent; takes the product of the fifth target value and the sixth target value as a first reference value, and obtains a second reference value by taking the second public key as the base and the response data as the exponent; and if the first reference value and the second reference value are congruent modulo the first public key, encrypts and transmits the response data to the client corresponding to the target account.
In the embodiment of the present application, the target device obtains the secure communication signature from the first signature data and the second signature data, and the server parses the secure communication signature in a manner agreed between the server and the target device; the agreement is simply followed, does not constitute an implementation barrier, and is not repeated. If the transmission is correct, the third signature data and the fourth signature data parsed by the server are the first signature data and the second signature data respectively. The server verifies through the congruence relation whether the response data was corrupted in transmission; if the congruence check passes, the response data is confirmed to be free of errors and is encrypted and sent to the client corresponding to the target account. The encryption and decryption method is agreed with the client, does not constitute an implementation barrier, and is not described.
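The signing and congruence check of steps S301 to S304, as an added Python example that is not part of the patent. It assumes the first public key p is generated as a safe prime above the page's 1500 lower bound (the page only requires a prime above the preset value), that the response data is hashed before being used as an exponent (the page uses the data directly), and that the quotient of the third target value and the signature parameter is taken as multiplication by the inverse of the signature parameter modulo p - 1, which is the reading under which the S304 congruence holds.

```python
import hashlib
import secrets
from math import gcd

PRESET_LOWER_BOUND = 1500  # the page's example lower bound for the first public key


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """First public key: p = 2q + 1 with p and q prime (assumption: the page only
    needs p prime and above the preset value; a safe prime keeps find_primitive_root cheap)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q):
            p = 2 * q + 1
            if p > PRESET_LOWER_BOUND and is_probable_prime(p):
                return p


def find_primitive_root(p: int) -> int:
    """Second public key: for safe p, g is a primitive root iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    while True:
        g = secrets.randbelow(p - 3) + 2
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g


def keygen(bits: int = 32):
    """S301/S302: returns (p, g, y, x); y = g^x mod p is the third public key."""
    p = generate_safe_prime(bits)
    g = find_primitive_root(p)
    x = secrets.randbelow(p - 3) + 2  # private key parameter
    return p, g, pow(g, x, p), x


def message_exponent(data: bytes, p: int) -> int:
    """Assumption: hash the response data before using it as an exponent."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1)


def sign(data: bytes, p: int, g: int, x: int):
    """S303: the target device produces the secure communication signature (r, s)."""
    m = message_exponent(data, p)
    n = p - 1  # first target value
    while True:
        k = secrets.randbelow(n - 2) + 2  # signature parameter, coprime with p - 1
        if gcd(k, n) != 1:
            continue
        r = pow(g, k, p)  # first signature data
        # third target value (m - x*r) "divided by" k: multiply by k^-1 modulo p - 1
        s = (m - x * r) * pow(k, -1, n) % n  # second signature data
        if s != 0:
            return r, s


def verify(data: bytes, sig, p: int, g: int, y: int) -> bool:
    """S304: accept the response data iff y^r * r^s is congruent to g^m modulo p."""
    r, s = sig
    if not (1 <= r < p and 0 <= s < p - 1):
        return False
    m = message_exponent(data, p)
    first_reference = pow(y, r, p) * pow(r, s, p) % p  # fifth * sixth target value
    second_reference = pow(g, m, p)
    return first_reference == second_reference


if __name__ == "__main__":
    p, g, y, x = keygen()
    sig = sign(b"sensor reading: 42", p, g, x)  # constructed response data
    print(verify(b"sensor reading: 42", sig, p, g, y), verify(b"sensor reading: 43", sig, p, g, y))
```

keygen(32) is demonstration size so that the safe-prime search finishes instantly; a deployment would use a prime of at least 2048 bits, and the range check on r and s in verify is what stops a forged signature outside the group from being accepted.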
S105, in the case that a second device access request for the target device, sent by the client corresponding to the target account, is received and carries the dynamic access token, detecting whether the dynamic access token is valid; and if the dynamic access token is valid and the network environment information has not changed, directly re-establishing secure communication between the target account and the target device according to the communication security information.
In one embodiment, the network environment information includes the resource access policy and the network environment trusted state. If the dynamic access token is valid and the network environment information has not changed, the dynamic access token is accepted directly: security detection and permission detection are not needed, and secure communication is established directly using the previously retained communication security information such as the public key and the private key. The design concept of this secure communication step is consistent with the foregoing description and need not be repeated. The embodiment of the present application does not limit the meaning of the resource access policy and the network environment trusted state, which are basic concepts of a communication security system, nor the content of the communication security system; they may be set according to the actual situation.
If the interval between the second device access request and the first device access request is shorter than the preset time interval corresponding to the dynamic access token, and the number of device access requests that the target device has responded to for the target account within the preset time interval has not reached the network access times corresponding to the dynamic access token, the dynamic access token is judged valid. Otherwise, the dynamic access token is invalidated and security detection is performed on the target account again; if the security detection passes, the access record corresponding to the target account is acquired, the number of times the target account will access the network within a future preset time interval is predicted from the access record, a dynamic access token corresponding to the target account is generated according to the prediction result, and the dynamic access token is returned to the client corresponding to the target account. Secure communication between the target account and the target device is then established again from the beginning, and its communication security information is retained. Methods for invalidation processing are numerous in the prior art and are not limited.
If the resource access policy changes or the network trusted state changes, the network environment information is judged to have changed. If the network environment information has changed, the dynamic access token is invalidated and security detection is performed on the target account again; if the security detection passes, the access record corresponding to the target account is acquired, the number of times the target account will access the network within a future preset time interval is predicted from the access record, a dynamic access token corresponding to the target account is generated according to the prediction result, and the dynamic access token is returned to the client corresponding to the target account. Secure communication between the target account and the target device is then established again from the beginning, and its communication security information is retained.
In this case the target account has already accessed the target device and has a corresponding access record, so the network access times of the target account within the future preset time interval can be predicted from the access record without relying on the account fingerprint any more. Methods for predicting the network access times of the target account within the future preset time interval from the access record are numerous and may be taken from the prior art.
In one embodiment, acquiring the access record corresponding to the target account if the security detection passes includes: if the security detection passes, judging according to the current resource access policy whether the target account has permission to access the target device; and if it has the permission, acquiring the access record corresponding to the target account.
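The validity check of step S105, as an added Python example that is not part of the patent. A token records the time of the first device access request, its preset time interval, the predicted network access times and a snapshot of the network environment information (represented here, as an assumption, by a resource access policy version and a trusted flag); check() returns "valid" only while all conditions hold and otherwise invalidates the token so that the caller must redo security detection and issue a new one. The prediction step itself is not implemented; the predicted count is passed in.

```python
from dataclasses import dataclass, field
from typing import Dict, List
import secrets


@dataclass(frozen=True)
class NetworkEnvironment:
    """Network environment information: resource access policy (by version) and trusted state."""
    policy_version: str
    trusted: bool


@dataclass
class DynamicAccessToken:
    account: str
    issued_at: float             # time of the first device access request
    window_seconds: float        # preset time interval of the token
    allowed_accesses: int        # predicted network access times within the interval
    env: NetworkEnvironment      # network environment snapshot at issue time
    value: str = field(default_factory=lambda: secrets.token_hex(16))
    answered: int = 0            # device access requests already answered under this token
    valid: bool = True


class TokenValidator:
    """Server-side bookkeeping for the validity check of step S105."""

    def __init__(self) -> None:
        self._tokens: Dict[str, DynamicAccessToken] = {}

    def issue(self, account: str, predicted_accesses: int, window_seconds: float,
              env: NetworkEnvironment, now: float) -> DynamicAccessToken:
        # predicted_accesses stands in for the page's prediction step (not implemented here)
        token = DynamicAccessToken(account, now, window_seconds, predicted_accesses, env)
        self._tokens[token.value] = token
        return token

    def check(self, token_value: str, account: str, env: NetworkEnvironment, now: float) -> str:
        """Return "valid" when the retained communication security information may be reused
        directly; otherwise invalidate the token and return the reason, after which the caller
        must redo security detection and issue a new token."""
        token = self._tokens.get(token_value)
        if token is None or not token.valid or token.account != account:
            return "unknown-or-revoked"
        if env != token.env:                               # policy or trusted state changed
            token.valid = False
            return "environment-changed"
        if now - token.issued_at >= token.window_seconds:  # preset time interval elapsed
            token.valid = False
            return "window-expired"
        if token.answered >= token.allowed_accesses:       # predicted access count reached
            token.valid = False
            return "quota-reached"
        token.answered += 1
        return "valid"


def replay_sample() -> List[str]:
    """Constructed sequence of second device access requests for account acct-42."""
    v = TokenValidator()
    env = NetworkEnvironment(policy_version="policy-v1", trusted=True)
    t0 = 1_700_000_000.0  # constructed time of the first device access request
    tok = v.issue("acct-42", predicted_accesses=2, window_seconds=60, env=env, now=t0)
    results = [
        v.check(tok.value, "acct-42", env, t0 + 10),  # valid
        v.check(tok.value, "acct-42", env, t0 + 20),  # valid
        v.check(tok.value, "acct-42", env, t0 + 30),  # quota-reached
        v.check(tok.value, "acct-42", env, t0 + 31),  # unknown-or-revoked
    ]
    tok2 = v.issue("acct-42", 5, 60, env, now=t0 + 31)
    results.append(v.check(tok2.value, "acct-42", env, t0 + 100))  # window-expired
    tok3 = v.issue("acct-42", 5, 60, env, now=t0 + 100)
    changed = NetworkEnvironment(policy_version="policy-v2", trusted=True)
    results.append(v.check(tok3.value, "acct-42", changed, t0 + 110))  # environment-changed
    tok4 = v.issue("acct-42", 5, 60, changed, now=t0 + 110)
    results.append(v.check(tok4.value, "acct-99", changed, t0 + 111))  # wrong account
    return results
```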
An embodiment of the present application provides a secure communication apparatus, as shown in fig. 4, including:
A communication preparation module 401, configured to: acquire an account fingerprint of a target account when a first device access request is received; perform security detection on the target account according to the account fingerprint and judge whether the target account has permission to access the target device; when the security detection passes, the target account has permission to access the target device, and the first device access request does not carry a dynamic access token, extract the access record corresponding to the target account; when the access record is empty, predict the network access times of the target account within a future preset time interval according to the account fingerprint of the target account; generate a dynamic access token corresponding to the target account according to the prediction result; and return the dynamic access token to the client corresponding to the target account;
A communication implementation module 402, configured to: establish secure communication between the target account and the target device and retain the communication security information of the secure communication; receive a second device access request for the target device, sent by the client corresponding to the target account and carrying the dynamic access token; detect whether the dynamic access token is valid; and if the dynamic access token is valid and the network environment information has not changed, directly re-establish secure communication between the target account and the target device according to the communication security information.
The network environment information includes a resource access policy and a network environment trusted state.
Implementation details of the secure communication apparatus are not described again; refer to the corresponding method embodiments.
In one embodiment, a computer-readable storage medium is also provided, in which at least one instruction, at least one program, a code set or an instruction set is stored, which is loaded and executed by a processor to implement the secure communication method described above.
The foregoing is illustrative of the present application and is not to be construed as limiting thereof; rather, any modification, equivalent replacement, improvement or the like that comes within the spirit and principles of the present application is intended to be included within the scope of the present application.

Claims (9)

1. A secure communication method, wherein the secure communication method is applied to a server, the secure communication method comprising:
Under the condition that a first device access request is received, acquiring an account fingerprint of a target account;
According to the account fingerprint, performing security detection on the target account and judging whether the target account has permission to access the target device; and when the security detection passes, the target account has permission to access the target device, and the first device access request does not carry a dynamic access token, extracting an access record corresponding to the target account;
Under the condition that the access record is empty, predicting the network access times of the target account within a future preset time interval according to the account fingerprint of the target account; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account;
establishing secure communication between the target account and the target device, and retaining the communication security information of the secure communication;
receiving a second device access request for the target device, sent by the client corresponding to the target account and carrying the dynamic access token; and detecting whether the dynamic access token is valid;
and if the dynamic access token is valid and the network environment information has not changed, directly re-establishing secure communication between the target account and the target device according to the communication security information.
2. The secure communication method of claim 1, wherein establishing secure communication between the target account and the target device comprises:
obtaining public key parameters, which comprise a first public key, a second public key and a third public key, and encrypting and transmitting the public key parameters to the target device; the first public key is a prime number larger than a preset value, and the second public key is a primitive root of the first public key;
Generating a private key parameter corresponding to the secure communication link, and encrypting and transmitting the private key parameter to the target device; the public key parameters and the private key parameter belong to the communication security information; an exponentiation value is obtained by taking the second public key as the base and the private key parameter as the exponent, and the remainder of the exponentiation value modulo the first public key is the third public key;
The target device generates response data according to the first device access request; generates a signature parameter, wherein the signature parameter is coprime with a first target value, and the first target value is the first public key minus one; takes the second public key as the base and the signature parameter as the exponent to obtain a second target value, and takes the remainder of the second target value modulo the first public key as first signature data; takes the difference between the response data and the product of the private key parameter and the first signature data as a third target value, takes the quotient of the third target value and the signature parameter (that is, the product of the third target value and the inverse of the signature parameter modulo the first target value) as a fourth target value, and takes the remainder of the fourth target value modulo the first target value as second signature data; obtains a secure communication signature according to the first signature data and the second signature data; and transmits the response data and the secure communication signature to the server;
The server parses the secure communication signature to obtain third signature data and fourth signature data, and obtains a fifth target value by taking the third public key as the base and the third signature data as the exponent; obtains a sixth target value by taking the third signature data as the base and the fourth signature data as the exponent; takes the product of the fifth target value and the sixth target value as a first reference value, and obtains a second reference value by taking the second public key as the base and the response data as the exponent; and if the first reference value and the second reference value are congruent modulo the first public key, encrypts and transmits the response data to the client corresponding to the target account.
3. The secure communication method according to claim 1 or 2, characterized in that the method further comprises:
If the interval between the second device access request and the first device access request is shorter than the preset time interval corresponding to the dynamic access token, and the number of device access requests that the target device has responded to for the target account within the preset time interval has not reached the network access times corresponding to the dynamic access token, judging that the dynamic access token is valid.
4. The method according to claim 1, wherein predicting the network access times of the target account within a future preset time interval according to the account fingerprint of the target account comprises:
Searching an account fingerprint library for associated accounts whose account fingerprint similarity to the target account is greater than a preset threshold, wherein an associated account is an account that has accessed the server;
Acquiring the access record of each associated account within the preset time interval after it first accessed the server;
And predicting the network access times of the target account within the future preset time interval according to the access records.
5. The secure communication method of claim 4, further comprising:
If the network environment information has changed, invalidating the dynamic access token and performing security detection on the target account again; acquiring the access record corresponding to the target account under the condition that the security detection passes; predicting the network access times of the target account within a future preset time interval according to the access record; generating a dynamic access token corresponding to the target account according to the prediction result; and returning the dynamic access token to the client corresponding to the target account.
6. The method according to claim 5, wherein acquiring the access record corresponding to the target account under the condition that the security detection passes includes:
Under the condition that the security detection passes, judging according to the current resource access policy whether the target account has permission to access the target device;
and under the condition that it has the permission, acquiring the access record corresponding to the target account.
7. The secure communication method of claim 1, further comprising:
and if the resource access policy changes or the network trusted state changes, judging that the network environment information has changed.
8. A secure communication apparatus for use with a server, the secure communication apparatus comprising:
A communication preparation module, configured to: acquire an account fingerprint of a target account under the condition that a first device access request is received; perform security detection on the target account according to the account fingerprint and judge whether the target account has permission to access the target device; when the security detection passes, the target account has permission to access the target device, and the first device access request does not carry a dynamic access token, extract the access record corresponding to the target account; under the condition that the access record is empty, predict the network access times of the target account within a future preset time interval according to the account fingerprint of the target account; generate a dynamic access token corresponding to the target account according to the prediction result; and return the dynamic access token to the client corresponding to the target account;
A communication implementation module, configured to: establish secure communication between the target account and the target device and retain the communication security information of the secure communication; receive a second device access request for the target device, sent by the client corresponding to the target account and carrying the dynamic access token; detect whether the dynamic access token is valid; and if the dynamic access token is valid and the network environment information has not changed, directly re-establish secure communication between the target account and the target device according to the communication security information.
9. A computer-readable storage medium having stored therein at least one instruction, at least one program, a code set or an instruction set, the at least one instruction, the at least one program, the code set or the instruction set being loaded and executed by a processor to implement the secure communication method of any one of claims 1 to 7.
CN202410121768.8A 2024-01-30 2024-01-30 Secure communication method and apparatus Active CN117650950B (en)

Publications (2)

Publication Number Publication Date
CN117650950A CN117650950A (en) 2024-03-05
CN117650950B true CN117650950B (en) 2024-04-19


Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259502A (en) * 2018-01-29 2018-07-06 平安普惠企业管理有限公司 For obtaining the identification method of interface access rights, server-side and storage medium
CN109104378A (en) * 2018-08-17 2018-12-28 四川新网银行股份有限公司 The pre- recovery method of intelligent token based on time series forecasting
CN110968745A (en) * 2019-11-13 2020-04-07 泰康保险集团股份有限公司 Data processing method and device, electronic equipment and computer readable medium
CN113691379A (en) * 2021-10-25 2021-11-23 徐州蜗牛智能科技有限公司 Authentication method and device for big data
CN115001714A (en) * 2022-07-15 2022-09-02 中国电信股份有限公司 Resource access method and device, electronic equipment and storage medium
CN115459992A (en) * 2022-09-05 2022-12-09 山石网科通信技术股份有限公司 Resource access request processing method and device, storage medium and electronic equipment
CN115801293A (en) * 2021-09-08 2023-03-14 海信集团控股股份有限公司 Access control security detection method, device and apparatus
CN116127494A (en) * 2023-03-29 2023-05-16 云镝智慧科技有限公司 Control method and related device for concurrent access of users
CN116248351A (en) * 2022-12-29 2023-06-09 中国联合网络通信集团有限公司 Resource access method and device, electronic equipment and storage medium
WO2023103527A1 (en) * 2021-12-10 2023-06-15 深圳前海微众银行股份有限公司 Access frequency prediction method and device
CN116545650A (en) * 2023-04-03 2023-08-04 中国华能集团有限公司北京招标分公司 Network dynamic defense method
US11769145B1 (en) * 2021-12-22 2023-09-26 United Services Automobile Association (Usaa) Simulations using a token exchange system
CN116961918A (en) * 2023-06-25 2023-10-27 中国建设银行股份有限公司 Token acquisition method and device
CN117093977A (en) * 2023-08-11 2023-11-21 中国工商银行股份有限公司 User authentication method, system, device, storage medium and electronic equipment
CN117155606A (en) * 2023-08-02 2023-12-01 浙江印象软件有限公司 Webpage login state maintaining method and system
CN117375986A (en) * 2023-11-08 2024-01-09 中国工商银行股份有限公司 Application access method, device and server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10630650B2 (en) * 2017-10-27 2020-04-21 Brightplan Llc Secure messaging systems and methods
US11509634B2 (en) * 2017-10-27 2022-11-22 Brightplan Llc Secure messaging systems and methods
EP3553718A1 (en) * 2018-04-11 2019-10-16 Barclays Services Limited System for efficient management and storage of access tokens

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259502A (en) * 2018-01-29 2018-07-06 平安普惠企业管理有限公司 For obtaining the identification method of interface access rights, server-side and storage medium
CN109104378A (en) * 2018-08-17 2018-12-28 四川新网银行股份有限公司 The pre- recovery method of intelligent token based on time series forecasting
CN110968745A (en) * 2019-11-13 2020-04-07 泰康保险集团股份有限公司 Data processing method and device, electronic equipment and computer readable medium
CN115801293A (en) * 2021-09-08 2023-03-14 海信集团控股股份有限公司 Access control security detection method, device and apparatus
CN113691379A (en) * 2021-10-25 2021-11-23 徐州蜗牛智能科技有限公司 Authentication method and device for big data
WO2023103527A1 (en) * 2021-12-10 2023-06-15 深圳前海微众银行股份有限公司 Access frequency prediction method and device
US11769145B1 (en) * 2021-12-22 2023-09-26 United Services Automobile Association (Usaa) Simulations using a token exchange system
CN115001714A (en) * 2022-07-15 2022-09-02 中国电信股份有限公司 Resource access method and device, electronic equipment and storage medium
CN115459992A (en) * 2022-09-05 2022-12-09 山石网科通信技术股份有限公司 Resource access request processing method and device, storage medium and electronic equipment
CN116248351A (en) * 2022-12-29 2023-06-09 中国联合网络通信集团有限公司 Resource access method and device, electronic equipment and storage medium
CN116127494A (en) * 2023-03-29 2023-05-16 云镝智慧科技有限公司 Control method and related device for concurrent access of users
CN116545650A (en) * 2023-04-03 2023-08-04 中国华能集团有限公司北京招标分公司 Network dynamic defense method
CN116961918A (en) * 2023-06-25 2023-10-27 中国建设银行股份有限公司 Token acquisition method and device
CN117155606A (en) * 2023-08-02 2023-12-01 浙江印象软件有限公司 Webpage login state maintaining method and system
CN117093977A (en) * 2023-08-11 2023-11-21 中国工商银行股份有限公司 User authentication method, system, device, storage medium and electronic equipment
CN117375986A (en) * 2023-11-08 2024-01-09 中国工商银行股份有限公司 Application access method, device and server

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Secure Fingerprint Authentication with Homomorphic Encryption;Wencheng Yang;《2020 Digital Image Computing: Techniques and Applications (DICTA)》;20210301;full text *
User identity trustworthiness evaluation method based on AHP-GRA;梁晓实;邹福泰;谭越;;通信技术 (Communications Technology);20200410 (No. 04);full text *
Research on an adaptive cloud access control method based on a dynamic authorization mechanism;陆佳炜;吴斐斐;徐俊;张元鸣;肖刚;;计算机应用与软件 (Computer Applications and Software);20170715 (No. 07);full text *

Also Published As

Publication number Publication date
CN117650950A (en) 2024-03-05

Similar Documents

Publication Publication Date Title
CN103166917A (en) Method and system for network equipment identity recognition
CN106033461A (en) Sensitive information query method and apparatus
CN116405187B (en) Distributed node intrusion situation sensing method based on block chain
CN111787011A (en) Intelligent analysis and early warning system, method and storage medium for security threat of information system
CN113111359A (en) Big data resource sharing method and resource sharing system based on information security
CN116938590B (en) Cloud security management method and system based on virtualization technology
CN116633615A (en) Access control method based on blockchain and risk assessment
CN114884680B (en) Multi-server sustainable trust evaluation method based on context authentication
Mujawar et al. Behavior and feedback based trust computation in cloud environment
Sun Research on the tradeoff between privacy and trust in cloud computing
CN113067802B (en) User identification method, device, equipment and computer readable storage medium
CN112702410B (en) Evaluation system, method and related equipment based on blockchain network
CN117650950B (en) Secure communication method and apparatus
CN111917760A (en) Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis
CN116506206A (en) Big data behavior analysis method and system based on zero trust network user
CN116527317A (en) Access control method, system and electronic equipment
CN113872959B (en) Method, device and equipment for judging risk asset level and dynamically degrading risk asset level
CN111953637B (en) Application service method and device
CN116167025A (en) Multi-factor user identity dynamic authentication system and method thereof
CN116112264B (en) Method and device for controlling access to strategy hidden big data based on blockchain
CN117675755B (en) Intelligent networking equipment management method and device
CN112367360B (en) Method and device for expanding public cloud data processing capacity
CN117408395B (en) Method and device for optimizing running stability of wind control platform based on digital supply chain
Kumar et al. Review on Social Network Trust With Respect To Big Data Analytics
CN116074118B (en) API access control method, system, intelligent terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant