CN117879873A - Data encryption transmission method and system based on transport layer security protocol - Google Patents


Publication number
CN117879873A
Authority
CN
China
Prior art keywords
key
server
client
encryption
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311677386.5A
Other languages
Chinese (zh)
Inventor
查文中
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Cancer Hospital
Original Assignee
Sichuan Cancer Hospital
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Cancer Hospital
Priority to CN202311677386.5A
Publication of CN117879873A

Abstract

The invention provides a data encryption transmission method and system based on the Transport Layer Security (TLS) protocol. The method comprises the following key steps. First, a secure connection between the client and the server is established via the TLS handshake protocol. During the handshake, the two communicating parties exchange digital certificates and perform digital verification through PKI to ensure that both identities are legitimate. Two-factor authentication is then introduced, and after both parties pass authentication a unique symmetric key is independently generated through the Diffie-Hellman key exchange protocol, realizing secure key negotiation. The data to be transmitted is obtained and segmented, and each data segment is nested-encrypted with a master key to form an encrypted data packet containing the nested encrypted data segments and the necessary metadata. After transmission, the identities of both parties are verified through the password and the dynamic token, and the data is decrypted with the negotiated key. The invention ensures the security and reliability of data transmission.

Description

Data encryption transmission method and system based on transport layer security protocol
Technical Field
The invention relates to the technical field of computer networks, in particular to a data encryption transmission method and system based on a transmission layer security protocol.
Background
With the advent of the digital age, network communication has become an integral part of people's daily life and business activities. It brings network security problems with it, one of the most critical being the threats that data may face during transmission. Traditional data transmission methods are weak at guaranteeing data integrity and confidentiality: data can be intercepted, tampered with or eavesdropped on by a hacker in transit, which creates security risks such as information leakage and identity theft.
In this context, the Transport Layer Security (TLS) protocol was developed. TLS is a communication protocol that provides security and data integrity for network communications, and it is widely used for secure data transmission over the internet. By encrypting data at the transport layer, TLS provides an end-to-end secure communication channel that effectively resists many traditional network attacks.
However, although the TLS protocol greatly improves the security of network communication, some problems remain in practical application. One is the evolution of protocol versions: some older versions have known vulnerabilities that leave the system open to specific attacks. In addition, risks in the key management and key exchange processes may also affect the security of the overall system. Therefore, there is a need for an innovative method and system to enhance the security of the transport layer security protocol and to improve the confidentiality and integrity of data transmission.
Disclosure of Invention
In view of this, in order to overcome some potential safety hazards existing in the conventional network transmission, the present invention aims to provide a data encryption transmission method and system based on a transport layer security protocol, which are capable of improving the security, privacy protection level and overall defensive capability of the system by establishing a secure transmission connection between two communication parties through the transport layer security protocol.
Based on the above object, in a first aspect, the present invention provides a data encryption transmission method based on a transport layer security protocol, which includes the following steps:
Step one: establishing a secure connection
Before communication starts, a secure connection between the client and the server is established through the handshake protocol of the Transport Layer Security (TLS) protocol; the two communicating parties exchange digital certificates and perform digital verification through Public Key Infrastructure (PKI);
Step two: two-factor identity verification
After the TLS handshake is completed, two-factor authentication is introduced, and both communicating parties, the client and the server, are authenticated through the password and the dynamic token of the two-factor authentication;
Step three: key agreement
After both communicating parties pass identity authentication, a unique symmetric key for encrypting and decrypting data between the client and the server is independently generated through the Diffie-Hellman key exchange protocol, yielding a negotiation key;
Step four: data encryption
The data to be transmitted is acquired and segmented, and each data segment is nested-encrypted using a master key to obtain an encrypted data packet containing the nested encrypted data segments and the necessary metadata;
Step five: data packet encryption mechanism
A data packet encryption mechanism is introduced; the data packet content is deeply encrypted through this mechanism and transmitted to the receiver;
Step six: authentication and decryption
After transmission, both communicating parties are authenticated through the password and the dynamic token, and the data is decrypted with the negotiation key;
Step seven: real-time monitoring and exception handling
Traffic is monitored in real time; when a traffic anomaly is detected, attack behavior is judged and the anomaly is recorded, and when attack behavior is judged to exist, the connection is interrupted and the process returns to the key exchange protocol step to renegotiate the key.
As a further aspect of the present invention, establishing a secure connection between a client and a server through a TLS handshake protocol includes the steps of:
the client sends at least one ClientHello message containing the supported TLS protocol versions, encryption algorithms and random number information to the server;
the server selects one of the encryption algorithms and TLS protocol versions offered by the client and responds with a ServerHello message containing the TLS protocol version supported by the server, the encryption algorithm and the random number information;
the server sends its stored digital certificate to the client, the client verifies it using a preloaded root certificate chain, and the server's digital certificate is trusted once it has been verified as legitimate; the digital certificate contains the public key of the server;
the client generates a random number, encrypts a premaster secret (PreMasterSecret) using the public key of the server, and sends the encrypted premaster secret to the server;
the server uses its private key to decrypt the premaster secret sent by the client, obtaining the shared premaster secret;
the client and the server generate a session key from their respective random numbers and the premaster secret, and each sends a Finished message containing a digest of the handshake in order to verify the handshake process;
after the handshake succeeds, the secure connection is established, and the client and the server use the session key for encrypted communication.
In the invention, when the secure connection between the client and the server is established through the TLS handshake protocol, the client sends ClientHello, the server responds to ServerHello, the server sends a certificate, the client verifies the certificate, the client generates a random number and a PreMasterSecret, the server decrypts the PreMasterSecret, the two parties generate a session key, the two parties send Finished messages to complete the secure connection establishment, and the generated session key is used for encrypted communication after the secure connection establishment.
As a further aspect of the invention, digital authentication by Public Key Infrastructure (PKI) comprises the steps of:
the server acquires a digital certificate, wherein the digital certificate comprises a public key, information of a certificate holder and a digital signature;
the server sends the digital certificate to the client, and the client acquires a root certificate for constructing a trust chain;
the client builds a trust chain and verifies the digital certificate sent by the server, which includes verifying whether the signature of the digital certificate was issued by a known CA, verifying the validity period of the certificate, checking the Certificate Revocation List (CRL) and checking the purpose of the certificate;
if the digital certificate passes all verification steps, the client accepts the digital certificate as valid, that is, the verification succeeds.
As a further scheme of the invention, the authentication of both communication parties of the client and the server is carried out through the password and the dynamic token of the two-factor authentication, and the method comprises the following steps:
the client sends an identity credential containing a user name and a password to the server, the server verifies the received user name and password, and if the user name and the password pass verification, the server generates a dynamic token and sends the dynamic token to the client;
the client receives the dynamic token sent by the server, binds the dynamic token to the digitally signed identity credential and sends it to the server;
The server verifies the dynamic token sent by the client, and if the dynamic token passes the verification, the server considers that the client is a legal user and completes the identity verification;
after the authentication is successful, the two parties share the secret key.
The data encryption transmission method based on the transmission layer security protocol realizes the two-factor identity authentication by combining the password and the dynamic token, and improves the security of communication.
As a further aspect of the present invention, generating a negotiation key through a Diffie-Hellman key exchange protocol includes the steps of:
a. two large prime numbers p and g are selected as parameters of a protocol, wherein p is a modulus used for calculating a public key and a private key, and g is a primitive root used for calculating the public key;
b. the server generates a private key ($\text{private key}_s$) and a public key ($\text{public key}_s$), wherein $\text{public key}_s = g^{\text{private key}_s} \bmod p$, and $\text{private key}_s$ is a random integer less than p;
c. the client generates a private key ($\text{private key}_c$) and a public key ($\text{public key}_c$), wherein $\text{public key}_c = g^{\text{private key}_c} \bmod p$, and $\text{private key}_c$ is a random integer smaller than p;
d. the client sends $\text{public key}_c$ to the server;
e. after receiving the public key of the client, the server calculates a negotiation key ($\text{negotiation key}_s$): $\text{negotiation key}_s = \text{public key}_c^{\,\text{private key}_s} \bmod p$;
f. after receiving the public key of the server, the client calculates a negotiation key ($\text{negotiation key}_c$): $\text{negotiation key}_c = \text{public key}_s^{\,\text{private key}_c} \bmod p$;
g. the server and the client get the same negotiation key, $\text{negotiation key}_s = \text{negotiation key}_c$, for encrypting and decrypting communications.
The data encryption transmission method based on the transmission layer security protocol realizes the safe generation of the negotiation key shared by both parties through the Diffie-Hellman key exchange protocol.
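Steps b to g above, worked through for both sides as an added example (not code from the patent). The toy group `P`, `G`, the peer-key range check and the SHA-256 step that turns the shared value into a 32-byte symmetric key are assumptions of this sketch; a deployment would use a vetted group such as those standardised in RFC 7919.

```python
import hashlib
import secrets

# Constructed toy group (assumption, far too small for real use):
# P = 2039 is a safe prime (2039 = 2*1019 + 1) and G = 7 is a primitive root mod P.
P, G = 2039, 7


def validate_peer_public(y, p):
    """Reject peer values that force a predictable secret (0, 1, p-1) or are out of range."""
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        raise ValueError("peer public key outside [2, p-2]")
    return y


def generate_keypair(p, g):
    """Steps b/c: random private key below p, public key = g^private mod p."""
    while True:
        private = secrets.randbelow(p - 3) + 2          # 2 .. p-2
        public = pow(g, private, p)
        if 2 <= public <= p - 2:                        # never emit a degenerate public key
            return private, public


def negotiate(peer_public, own_private, p):
    """Steps e/f: peer_public^own_private mod p, hashed to a fixed-length key."""
    shared = pow(validate_peer_public(peer_public, p), own_private, p)
    width = (p.bit_length() + 7) // 8
    # Added step (assumption): hash the raw group element instead of using it directly.
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange(p=P, g=G):
    """Both sides of the exchange; returns (negotiation key_s, negotiation key_c)."""
    private_s, public_s = generate_keypair(p, g)        # server, step b
    private_c, public_c = generate_keypair(p, g)        # client, step c
    key_s = negotiate(public_c, private_s, p)           # step e
    key_c = negotiate(public_s, private_c, p)           # step f
    return key_s, key_c                                 # step g: must be equal


if __name__ == "__main__":
    ks, kc = run_exchange()
    print("keys match:", ks == kc)
```

The range check matters because a peer value of 0, 1 or p-1 would make the negotiated value predictable regardless of the local private key.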
As a further aspect of the present invention, performing nested encryption on each data segment using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata, comprising the steps of:
generating a random nested encryption key based on an AES nested encryption algorithm;
dividing the acquired data to be transmitted into data segments, performing nested encryption on each data segment by using a nested encryption key, and generating necessary metadata for each nested encrypted data segment by deriving different keys, wherein the necessary metadata comprise the number of the data segment and an initialization vector;
and combining the nested encrypted data segments and the generated metadata into a structure to form an encrypted data packet.
As a further scheme of the invention, a data packet encryption mechanism is introduced, and the data packet content is deeply encrypted through the data packet encryption mechanism, comprising the following steps:
generating independent keys for different layers of deep encryption based on a multi-layer encryption hash function, and carrying out layered encryption on a data packet to be transmitted, wherein each layer uses different keys;
noise is added in each layer of encryption, a random Initialization Vector (IV) is used, an identity verification layer is introduced in the deep encryption process, and the data packet after layered encryption is combined with necessary metadata to form a deep encrypted data packet.
As a further aspect of the invention, the multi-level encrypted hash function employs SHA-256 for generating independent keys for different levels of deep encryption.
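The segment packet described in the two preceding aspects (segment number, per-layer random IV, per-layer keys derived with SHA-256, authentication layer), as an added example that is not code from the patent. Assumptions: two layers, 16-byte segments, HMAC-SHA256 as the SHA-256-based key derivation, a total-segment count in the header, and an HMAC-SHA256 keystream standing in for AES so the block runs with the standard library only.

```python
import hashlib
import hmac
import os

LAYERS = 2            # number of encryption layers (assumption)
SEGMENT_SIZE = 16     # bytes of plaintext per segment (assumption)
IV_LEN, TAG_LEN = 16, 32
HEADER_LEN = 8 + IV_LEN * LAYERS   # segment number + total count + one IV per layer


def layer_key(master, purpose, layer=0):
    """Independent key per layer and purpose, derived with HMAC-SHA256."""
    return hmac.new(master, purpose + bytes([layer]), hashlib.sha256).digest()


def _xor_keystream(key, iv, data):
    """Stand-in cipher, NOT AES: XOR with HMAC-SHA256(key, iv || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, iv + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def _tag(master, header, body):
    """Authentication layer: covers the metadata as well as the ciphertext."""
    return hmac.new(layer_key(master, b"auth"), header + body, hashlib.sha256).digest()


def seal_segment(master, number, total, plaintext):
    body, ivs = plaintext, []
    for layer in range(LAYERS):
        iv = os.urandom(IV_LEN)                     # fresh random IV for every layer
        body = _xor_keystream(layer_key(master, b"enc", layer), iv, body)
        ivs.append(iv)
    header = number.to_bytes(4, "big") + total.to_bytes(4, "big") + b"".join(ivs)
    return header + body + _tag(master, header, body)


def open_segment(master, packet):
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise ValueError("packet too short")
    header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(master, header, body)):   # verify before decrypting
        raise ValueError("authentication failed")
    for layer in reversed(range(LAYERS)):
        iv = header[8 + IV_LEN * layer: 8 + IV_LEN * (layer + 1)]
        body = _xor_keystream(layer_key(master, b"enc", layer), iv, body)
    return int.from_bytes(header[:4], "big"), int.from_bytes(header[4:8], "big"), body


def encrypt_stream(master, data):
    segments = [data[o:o + SEGMENT_SIZE] for o in range(0, len(data), SEGMENT_SIZE)] or [b""]
    return [seal_segment(master, i, len(segments), s) for i, s in enumerate(segments)]


def decrypt_stream(master, packets):
    """Reassemble by segment number; reject duplicates, gaps and dropped tail segments."""
    parts, totals = {}, set()
    for packet in packets:
        number, total, body = open_segment(master, packet)
        if number in parts:
            raise ValueError("duplicate segment")
        parts[number] = body
        totals.add(total)
    if len(totals) != 1 or sorted(parts) != list(range(totals.pop())):
        raise ValueError("segment set incomplete or inconsistent")
    return b"".join(parts[i] for i in sorted(parts))
```

Without the total count inside the authenticated header, a receiver could not tell a complete message from one whose trailing segments were dropped in transit.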
As a further scheme of the invention, the method for carrying out authentication of both communication parties through the password and the dynamic token and decryption through the negotiation key comprises the following steps:
the client sends an identity verification request comprising a user identifier, a password and a dynamic token to the server;
the server verifies the identity, including the validity of the user password and the dynamic token;
if the authentication is successful, the server generates a temporary symmetric key for data transmission;
The server transmits the generated temporary secret key to the client through a secure channel;
the client and the server encrypt and decrypt the data to be transmitted by using the negotiated temporary key.
As a further scheme of the invention, the flow is monitored in real time and the flow abnormality is detected, and the method comprises the following steps:
deploying a flow monitoring system, and capturing and recording data packets of network communication in real time;
setting a normal flow base line, and establishing a standard of frequency and protocol service conditions of the normal flow;
carrying out flow analysis on the data packet captured in real time, and comparing the current flow with a set normal flow baseline;
detecting abnormal flow, and marking the flow as abnormal, wherein the abnormal flow shows a characteristic which is obviously different from a normal baseline;
an attack behavior judgment algorithm is applied to analyze whether the abnormal flow is matched with the known attack behavior;
recording the detected abnormal flow and possible attack, and triggering an alarm mechanism.
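The baseline comparison and attack judgment steps above, run over constructed packet records, as an added example that is not code from the patent. The 10-second window, the three-sigma threshold, the protocol labels and the `KNOWN_PATTERNS` table are all assumptions of this sketch.

```python
from collections import Counter
from statistics import mean, pstdev

WINDOW = 10   # seconds per counting window (assumption)

# Constructed mapping from (protocol, anomaly kind) to a known attack behavior (assumption).
KNOWN_PATTERNS = {("tls_handshake", "rate above baseline"): "handshake flood"}


def window_counts(packets):
    """Count packets per (window index, protocol); packets are (timestamp_s, protocol)."""
    counts = Counter()
    for ts, proto in packets:
        counts[(int(ts // WINDOW), proto)] += 1
    return counts


def build_baseline(packets):
    """Normal-traffic baseline: mean and standard deviation of the per-window rate per protocol."""
    counts = window_counts(packets)
    windows = sorted({w for w, _ in counts})
    baseline = {}
    for proto in {p for _, p in counts}:
        series = [counts.get((w, proto), 0) for w in windows]
        baseline[proto] = (mean(series), pstdev(series))
    return baseline


def detect(packets, baseline, k=3.0, min_sigma=1.0):
    """Flag windows whose rate exceeds mean + k*sigma, and protocols absent from the baseline."""
    alerts = []
    for (window, proto), n in sorted(window_counts(packets).items()):
        if proto not in baseline:
            alerts.append((window, proto, n, "protocol not in baseline"))
            continue
        mu, sigma = baseline[proto]
        # min_sigma keeps a perfectly flat baseline from alerting on one extra packet
        if n > mu + k * max(sigma, min_sigma):
            alerts.append((window, proto, n, "rate above baseline"))
    return alerts


def judge(alerts):
    """Attack judgment: match each anomaly against the known patterns."""
    return [(a, KNOWN_PATTERNS.get((a[1], a[3]), "unclassified")) for a in alerts]


def respond(alerts):
    """Every anomaly is recorded; a matched attack also interrupts and renegotiates the key."""
    matched = any(label != "unclassified" for _, label in judge(alerts))
    return "interrupt_and_renegotiate" if matched else "record_only"


# Constructed sample traffic: six normal windows, then a live capture with two anomalies.
BASELINE_TRAFFIC = ([(w * 10 + i, "tls_appdata") for w in range(6) for i in range(5)]
                    + [(w * 10, "tls_handshake") for w in range(6)])
LIVE_TRAFFIC = ([(i, "tls_appdata") for i in range(5)] + [(0, "tls_handshake")]
                + [(10 + i * 0.2, "tls_handshake") for i in range(40)]
                + [(20 + i, "telnet") for i in range(3)])

if __name__ == "__main__":
    found = detect(LIVE_TRAFFIC, build_baseline(BASELINE_TRAFFIC))
    for alert, label in judge(found):
        print(alert, "->", label)
    print(respond(found))
```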
In a second aspect, the present invention provides a data encryption transmission system based on a transport layer security protocol, including:
A secure connection establishment module: responsible for establishing a secure connection between the client and the server through the handshake protocol of the Transport Layer Security (TLS) protocol before communication starts, including the generation of the ClientHello and ServerHello messages, the exchange and verification of digital certificates, and the execution of the Diffie-Hellman key exchange protocol.
A two-factor identity verification module: used for introducing two-factor authentication after the TLS handshake is completed, and responsible for authenticating both communicating parties, the client and the server, using the password and the dynamic token of the two-factor authentication.
A key negotiation module: after both communicating parties pass identity authentication, independently generates, through the Diffie-Hellman key exchange protocol, a unique symmetric key for encrypting and decrypting the data between the client and the server, thereby obtaining a negotiation key.
A data encryption module: obtains the data to be transmitted, segments it, and performs nested encryption on each data segment using a master key to obtain an encrypted data packet containing the nested encrypted data segments and the necessary metadata.
A deep encryption module: introduces a data packet encryption mechanism, generates independent keys for the different layers of deep encryption through a multi-layer encryption hash function, and performs layered encryption on the data packets to be transmitted, with each layer using a different key; noise is added in each layer of encryption, a random initialization vector (IV) is used, and an identity verification layer is introduced, finally forming the deeply encrypted data packet.
An identity verification and decryption module: used for authenticating both communicating parties through the password and the dynamic token after transmission and for decrypting with the negotiation key. This includes the client sending an identity verification request to the server, the server verifying the identity, generating a temporary symmetric key for data transmission, transmitting the key, decrypting the transmitted data, and so on.
A real-time monitoring and exception handling module: when a traffic anomaly is detected, attack behavior is judged and the anomaly is recorded; when attack behavior is judged to exist, the connection is interrupted and the process returns to the key exchange protocol step to renegotiate the key.
The modules together form a data encryption transmission system based on a transmission layer security protocol, and safe and reliable communication is realized through the cooperative work of the modules.
In yet another aspect of the present invention, there is also provided a computer device including a memory and a processor, the memory storing a computer program which, when executed by the processor, performs any one of the above-mentioned data encryption transmission methods based on a transport layer security protocol according to the present invention.
In yet another aspect of the present invention, there is also provided a computer readable storage medium storing computer program instructions that when executed implement any one of the above-described data encryption transmission methods based on a transport layer security protocol according to the present invention.
Compared with the prior art, the data encryption transmission method and system based on the transmission layer security protocol provided by the invention have the following beneficial effects:
1. High security:
A secure connection is established through the TLS handshake protocol, digital certificates are exchanged, and digital verification is performed using Public Key Infrastructure (PKI) to ensure that the identities of both communicating parties are legitimate. Two-factor identity authentication is introduced to improve the security of identity authentication.
2. Powerful key security:
A unique symmetric key is generated using the Diffie-Hellman key exchange protocol, which improves the security of the key and reduces the risk of key leakage.
3. Multilevel data encryption guarantee:
The data is encrypted in a nested manner, with each data segment nested-encrypted using a master key, which increases the encryption complexity and improves data security. A data packet encryption mechanism is introduced, independent keys are generated using a multi-level encryption hash function, and deep encryption strengthens the confidentiality of the data.
4. Two-factor identity authentication improves security:
Two-factor authentication is introduced, combining the password and the dynamic token, which increases the complexity of authentication, makes unauthorized access more difficult and improves the overall security of the system.
5. Real-time monitoring and attack detection:
By introducing a real-time traffic monitoring and exception handling module, traffic is monitored in real time, so that traffic anomalies can be detected quickly and attack behavior can be judged. The connection is interrupted in time and the key is renegotiated, which effectively prevents potential attacks.
6. Scalability and flexibility of the system:
Adopting a TLS-based method ensures the compatibility and scalability of the system. At the same time, because of the modular design, the modules are relatively independent and are easy to adjust and improve according to actual requirements.
7. Improvement of communication efficiency:
Symmetric key encryption improves encryption and decryption efficiency, and the Diffie-Hellman key exchange protocol reduces the complexity of key management, so the system can maintain high communication efficiency while ensuring security.
8. Complete secure communication system:
The cooperation among the modules forms a complete secure communication system that covers the key steps of secure connection establishment, identity verification, key negotiation, data encryption, data packet encryption, real-time monitoring and exception handling, and comprehensively improves the overall security of the system.
Through the design, the data encryption transmission method and system based on the transmission layer security protocol comprehensively consider the security, efficiency and expandability in the data transmission process, and provide a comprehensive and effective solution for the secure transmission of data.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention and that other embodiments may be obtained according to these drawings without inventive effort for a person skilled in the art.
In the drawings:
Fig. 1 is an encrypted transmission schematic diagram of a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Fig. 2 is a flowchart of a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Fig. 3 is a flowchart of establishing a secure connection in a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Fig. 4 is a flowchart of digital authentication in a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Fig. 5 is a flowchart of authentication and decryption in a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Fig. 6 is a flowchart of real-time monitoring and exception handling in a data encryption transmission method based on a transport layer security protocol according to an embodiment of the present invention.
Detailed Description
The present application will be further described with reference to the drawings and detailed description, which should be understood that, on the premise of no conflict, the following embodiments or technical features may be arbitrarily combined to form new embodiments.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention will be described in further detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that, in the embodiments of the present invention, all the expressions "first" and "second" are used to distinguish two non-identical entities with the same name or non-identical parameters, and it is noted that the "first" and "second" are only used for convenience of expression, and should not be construed as limiting the embodiments of the present invention. Furthermore, the terms "comprise" and "have," and any variations thereof, are intended to cover a non-exclusive inclusion, such as a process, method, system, article, or other step or unit that comprises a list of steps or units.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Aiming at the security problem of the transmission layer, the invention provides a data encryption transmission method based on the transmission layer security protocol, which comprehensively ensures the security and reliability of data transmission by comprehensively applying encryption technology, identity verification means and a real-time monitoring mechanism.
Referring to fig. 1 and 2, an embodiment of the present invention provides a data encryption transmission method based on a transport layer security protocol, which includes the following steps:
Step S10, before communication starts, establishing a secure connection between the client and the server through the TLS handshake protocol, the two communicating parties exchanging digital certificates and verifying the digital certificates through PKI;
Step S20, after the TLS handshake is completed, introducing two-factor authentication, and authenticating both communicating parties, the client and the server, through the password and the dynamic token of the two-factor authentication;
Step S30, after both communicating parties pass identity authentication, independently generating a unique symmetric key for encrypting and decrypting data between the client and the server through the Diffie-Hellman key exchange protocol, to obtain a negotiation key;
Step S40, acquiring the data to be transmitted, segmenting the data, and performing nested encryption on each data segment using a master key to obtain an encrypted data packet containing the nested encrypted data segments and the necessary metadata;
Step S50, introducing a data packet encryption mechanism, deeply encrypting the data packet content through the data packet encryption mechanism, and transmitting it to the receiver;
Step S60, after transmission, authenticating both communicating parties through the password and the dynamic token and decrypting with the negotiation key;
Step S70, monitoring traffic in real time; when a traffic anomaly is detected, judging attack behavior and recording the anomaly, and when attack behavior is judged to exist, interrupting the connection and returning to the key exchange protocol step to renegotiate the key.
The invention relates to a data encryption transmission method based on a transmission layer security protocol, and aims to provide a safe and efficient data transmission solution. In the method steps, first, a secure connection between a client and a server is established via a handshake protocol of a transport layer security protocol (TLS). In the handshake process, the two communication parties exchange digital certificates and carry out digital verification through Public Key Infrastructure (PKI) to ensure the legitimacy of the identities of the two communication parties. And then, introducing double-factor identity authentication, and using the password and the dynamic token to carry out identity authentication on both communication sides of the client and the server, thereby improving the security of the identity authentication.
After the identity authentication of both communication parties is passed, a unique symmetric key for encrypting and decrypting data is independently generated through a Diffie-Hellman key exchange protocol, so that safe key negotiation is realized. The data to be transmitted is obtained and segmented, and each data segment is subjected to nested encryption by using a master key to form an encrypted data packet containing nested encrypted data segments and necessary metadata.
A data packet encryption mechanism is introduced, and independent keys for different layers of deep encryption are generated through a multi-layer encryption hash function. In each level of encryption, noise is added, a random Initialization Vector (IV) is used, and an authentication layer is introduced, so that a deeply encrypted data packet is finally formed. In this way, the data is protected in multiple layers in the transmission process, and the confidentiality of the data is improved.
After the transmission is finished, the identities of both communicating parties are verified through the password and the dynamic token, and decryption is carried out with the negotiation key. Meanwhile, the traffic is monitored in real time; when a traffic anomaly is detected, the attack behavior is judged, the connection is interrupted in time, and the method returns to the key exchange protocol step to renegotiate the key.
In summary, the invention provides a data encryption transmission method and system based on the transport layer security protocol, which ensure the security and reliability of data transmission by combining encryption technology, authentication means and a real-time monitoring mechanism.
In an embodiment of the present invention, referring to fig. 3, a secure connection between a client and a server is established through a TLS handshake protocol, including the steps of:
Step S101, the client sends to the server at least one ClientHello message containing the supported TLS protocol versions, encryption algorithms and random number information;
Step S102, the server selects one of the encryption algorithms and TLS protocol versions offered by the client, and responds with a ServerHello message containing the TLS protocol version supported by the server, the encryption algorithm and random number information;
Step S103, the server sends its stored digital certificate to the client; the client verifies it using a preloaded root certificate chain and trusts the server's digital certificate once it has been verified as legitimate; the digital certificate contains the public key of the server;
Step S104, the client generates a random number, encrypts a premaster secret (PreMasterSecret) with the public key of the server, and sends the encrypted premaster secret to the server;
Step S105, the server decrypts the premaster secret sent by the client with its own private key to obtain the shared premaster secret;
Step S106, the client and the server use the random numbers and the premaster secret to generate a session key, and each sends a Finished message containing a digest of the handshake process in order to verify the handshake;
Step S107, after the handshake succeeds, the secure connection is established, and the client and the server use the session key for encrypted communication.
Wherein the premaster secret is a temporary secret value generated by the client and sent to the server when using the Diffie-Hellman key exchange protocol. In the TLS handshake protocol, the premaster secret is used to generate the final negotiation key. The specific flow is as follows:
1. The client generates a premaster secret: during the handshake, the client generates a random premaster secret, encrypts it with the server's public key, and sends it to the server.
2. The server decrypts the premaster secret: after receiving the encrypted premaster secret key sent by the client, the server decrypts the encrypted premaster secret key by using the private key of the server to obtain the premaster secret key generated by the client.
3. Sharing a negotiation key: both the server and the client have the same premaster secret and then use this premaster secret and other information negotiated by both parties to generate the final negotiated secret in a series of steps.
Through the above-mentioned flow, the Diffie-Hellman key exchange protocol allows the client and the server to negotiate a same key without directly transmitting the symmetric key, thereby realizing secure key negotiation.
The working process of establishing the secure connection through the TLS handshake protocol is as follows:
(1) The client sends ClientHello:
The client sends the server a ClientHello message containing information such as the supported TLS protocol versions, encryption algorithms and a random number.
(2) The server responds with ServerHello:
The server selects one of the encryption algorithms and protocol versions offered by the client and sends a ServerHello message containing information such as the TLS protocol version supported by the server, the encryption algorithm and a random number.
(3) The server sends its certificate:
The server sends the digital certificate to the client; the certificate contains the public key of the server and related information.
(4) The client verifies the certificate:
The client uses the preloaded root certificate, or verifies through a certificate chain, to ensure that the digital certificate of the server is legitimate and trusted.
(5) The client generates a random number and the PreMasterSecret:
The client generates a random number, encrypts a premaster secret (PreMasterSecret) with the public key of the server, and sends the encrypted premaster secret to the server.
(6) The server decrypts the PreMasterSecret:
The server decrypts the premaster secret sent by the client with its own private key to obtain the shared premaster secret.
(7) Both sides generate session keys:
The client and the server generate session keys using their respective random numbers and the premaster secret. This session key is used for subsequent symmetric encryption.
(8) Both parties send Finished messages:
The client and the server each send a Finished message containing a digest of the handshake process to verify the integrity and correctness of the handshake.
(9) The secure connection is established:
After the handshake succeeds, the secure connection is established and the client and the server may begin to use the session key for encrypted communication.
In the invention, when the secure connection between the client and the server is established through the TLS handshake protocol, the client sends ClientHello, the server responds to ServerHello, the server sends a certificate, the client verifies the certificate, the client generates a random number and a PreMasterSecret, the server decrypts the PreMasterSecret, the two parties generate a session key, the two parties send Finished messages to complete the secure connection establishment, and the generated session key is used for encrypted communication after the secure connection establishment.
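Steps S104 to S106 can be made concrete with the TLS 1.2 pseudorandom function of RFC 5246, which turns the premaster secret and the two random numbers into session keys and Finished digests. This is an added example, not code from the patent: the handshake byte strings are constructed placeholders rather than real TLS encodings, SHA-256 as the PRF hash and the AES-128-CBC/HMAC-SHA-256 key sizes are assumptions, and the RSA encryption of the premaster secret is left out.

```python
import hashlib
import hmac
import secrets


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA-256."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block split for an assumed AES-128-CBC + HMAC-SHA-256 suite."""
    # Key expansion seeds with server_random first, unlike the master secret.
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {"client_mac": block[:32], "server_mac": block[32:64],
            "client_key": block[64:80], "server_key": block[80:96]}


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data: PRF over the hash of every handshake message so far."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(altered_in_transit: bool = False):
    """Returns (finished_ok, keys) for one simulated handshake."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = b"\x03\x03" + secrets.token_bytes(46)    # version + 46 random bytes

    # Constructed placeholder messages, not real TLS records.
    client_hello = b"ClientHello|TLS1.2|suites=A,B|" + client_random
    server_hello = b"ServerHello|TLS1.2|suite=A|" + server_random
    sent = client_hello + server_hello
    # The transcript as the server recorded it; it differs when the
    # ClientHello was changed on the way.
    seen = sent.replace(b"suites=A,B", b"suites=B") if altered_in_transit else sent

    # Each side derives the master secret on its own from the same inputs.
    ms_client = master_secret(premaster, client_random, server_random)
    ms_server = master_secret(premaster, client_random, server_random)

    client_fin = finished(ms_client, b"client finished", sent)
    expected = finished(ms_server, b"client finished", seen)
    ok = hmac.compare_digest(client_fin, expected)
    return ok, session_keys(ms_server, client_random, server_random)


if __name__ == "__main__":
    print("clean handshake verified:", run_handshake()[0])
    print("altered handshake verified:", run_handshake(True)[0])
```

Because the Finished digest covers the whole transcript, a handshake whose negotiation messages were changed in transit fails at step S106 even though both sides hold the same premaster secret.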
In an embodiment of the invention, shown in fig. 4, digital authentication by Public Key Infrastructure (PKI) comprises the steps of:
Step S110, the server acquires a digital certificate, the digital certificate comprising a public key, information about the certificate holder and a digital signature;
Step S120, the server sends the digital certificate to the client, and the client acquires a root certificate for constructing a trust chain;
Step S130, the client builds a trust chain and verifies the digital certificate sent by the server, including verifying whether the signature of the digital certificate was issued by a known CA, verifying the validity period of the certificate, checking a Certificate Revocation List (CRL) and checking the purpose of the certificate;
Step S140, the digital certificate passes all verification steps, and the client accepts the digital certificate as a valid certificate, that is, the verification succeeds.
In this embodiment, the working procedure for verifying the digital certificate by Public Key Infrastructure (PKI) is:
1. Acquiring a digital certificate:
A party to the communication (in this embodiment, the server) acquires and configures in advance a digital certificate containing a public key, information about the certificate holder, and a digital signature.
2. Sending the certificate:
The server sends the digital certificate to the client during the handshake phase.
3. The client acquires a root certificate:
The client embeds, or obtains from a trusted root Certificate Authority (CA), root certificates for building a trust chain.
4. Building a trust chain:
The client verifies the digital certificate sent by the server using the root certificate. This includes checking whether the signature of the digital certificate was issued by a known CA and, if not, continuing to verify the certificates of the preceding CAs until a complete trust chain is constructed.
5. Verifying the validity period of the certificate:
The client verifies the validity period of the digital certificate, ensuring that the certificate is valid at the current time.
6. Checking the Certificate Revocation List (CRL):
The client may check the certificate revocation list to ensure that the digital certificate has not been revoked.
7. Checking the purpose of the certificate:
The client verifies whether the digital certificate is intended for the current communication scenario, e.g., whether it can be used for the TLS handshake.
8. Completing digital certificate verification:
If the digital certificate passes all the verification steps, the client accepts the digital certificate as a valid certificate, i.e. the verification succeeds.
Verifying the digital certificate through Public Key Infrastructure (PKI) ensures the legitimacy and validity of the digital certificate during communication and improves communication security.
In the embodiment of the invention, the authentication of both communication parties of the client and the server is carried out through the password and the dynamic token of the two-factor authentication, and the method comprises the following steps:
The client sends an identity credential containing a user name and a password to the server; the server verifies the received user name and password and, if they pass verification, generates a dynamic token and sends it to the client;
The client receives the dynamic token sent by the server, binds the dynamic token to the digitally signed identity certificate and sends it to the server;
The server verifies the dynamic token sent by the client and, if the dynamic token passes verification, considers the client a legitimate user and completes the identity verification;
After the authentication succeeds, the two parties share the secret key.
The data encryption transmission method based on the transmission layer security protocol realizes the two-factor identity authentication by combining the password and the dynamic token, and improves the security of communication.
In an embodiment of the present invention, the generation of the negotiation key by the Diffie-Hellman key exchange protocol comprises the steps of:
a. Two large prime numbers p and g are selected as parameters of the protocol, wherein p is a modulus used for calculating the public key and the private key, and g is a primitive root used for calculating the public key;
b. The server generates a private key (private key_s) and a public key (public key_s), wherein $\text{public key}_s = g^{\text{private key}_s} \bmod p$ and private key_s is a random integer less than p;
c. The client generates a private key (private key_c) and a public key (public key_c), wherein $\text{public key}_c = g^{\text{private key}_c} \bmod p$ and private key_c is a random integer less than p;
d. The client sends public key_c to the server;
e. After receiving the public key of the client, the server calculates a negotiation key (negotiation key_s): $\text{negotiation key}_s = (\text{public key}_c)^{\text{private key}_s} \bmod p$;
f. After receiving the public key of the server, the client calculates a negotiation key (negotiation key_c): $\text{negotiation key}_c = (\text{public key}_s)^{\text{private key}_c} \bmod p$;
g. The server and the client obtain the same negotiation key, negotiation key_s = negotiation key_c, for encrypting and decrypting communications.
In this embodiment, the working principle of generating the negotiation key through the Diffie-Hellman key exchange protocol is:
(1) Selecting parameters:
Two large primes (p and g) are defined, where p is the modulus used to calculate the public and private keys and g is a primitive root used to calculate the public key.
(2) The server generates a private key and a public key:
The server generates a private key (private key_s), which is a random integer less than p. Then, the server calculates a public key (public key_s): $\text{public key}_s = g^{\text{private key}_s} \bmod p$.
(3) The client generates a private key and a public key:
The client also generates a private key (private key_c), which is a random integer less than p. Then, the client calculates a public key (public key_c): $\text{public key}_c = g^{\text{private key}_c} \bmod p$.
(4) The client sends the public key to the server:
The client sends its own public key to the server.
(5) The server receives the public key of the client:
After receiving the public key of the client, the server calculates a negotiation key (negotiation key_s) using the public key of the client, its own private key and the modulus p: $\text{negotiation key}_s = (\text{public key}_c)^{\text{private key}_s} \bmod p$.
(6) The client receives the public key of the server:
After receiving the public key of the server, the client calculates a negotiation key (negotiation key_c) using the public key of the server, its own private key and the modulus p: $\text{negotiation key}_c = (\text{public key}_s)^{\text{private key}_c} \bmod p$.
(7) Both sides get the same negotiation key:
Due to the nature of Diffie-Hellman, the negotiation keys obtained by the server and the client through the above calculations are the same, i.e. negotiation key_s = negotiation key_c.
The data encryption transmission method based on the transmission layer security protocol realizes the safe generation of the negotiation key shared by both parties through the Diffie-Hellman key exchange protocol.
In an embodiment of the present invention, each data segment is subjected to nested encryption using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata, comprising the steps of:
generating a random nested encryption key based on an AES nested encryption algorithm;
Dividing the acquired data to be transmitted into data segments, performing nested encryption on each data segment by using a nested encryption key, and generating necessary metadata for each nested encrypted data segment by deriving different keys, wherein the necessary metadata comprise the number of the data segment and an initialization vector;
and combining the nested encrypted data segments and the generated metadata into a structure to form an encrypted data packet.
The AES (Advanced Encryption Standard) symmetric encryption algorithm is selected as the basis of data encryption. A randomly generated symmetric key is used to encrypt and decrypt the data and serves as the secret shared between the client and the server. When each data segment is symmetrically encrypted with the generated symmetric key, each data block is encrypted in cipher block chaining (CBC) mode: each plaintext block is XORed with the previous ciphertext block before it is encrypted, so that information from the previous block is introduced into every block, which improves the randomness and security of the encryption.
In the embodiment of the invention, a data packet encryption mechanism is introduced, and the data packet content is deeply encrypted through the data packet encryption mechanism, comprising the following steps:
Generating independent keys for different layers of deep encryption based on a multi-layer encryption hash function, and carrying out layered encryption on a data packet to be transmitted, wherein each layer uses different keys;
noise is added in each layer of encryption, a random Initialization Vector (IV) is used, an identity verification layer is introduced in the deep encryption process, and the data packet after layered encryption is combined with necessary metadata to form a deep encrypted data packet.
Wherein the hash function of multi-level encryption employs SHA-256 for generating independent keys for different levels of deep encryption.
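The Diffie-Hellman steps a to g and the SHA-256 per-layer key generation described above can be exercised together, as in the following added example (not code from the patent). The page names no parameters, so the 2048-bit MODP group 14 of RFC 3526 with generator 2 is an assumption, as are the range check on the peer's public value and the use of HMAC-SHA-256 with a per-layer label to derive the layer keys.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: RFC 3526 group 14 (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11)) -> bool:
    """Miller-Rabin with fixed bases; enough to sanity-check parameters."""
    if n < 2:
        return False
    for s in bases:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sound(p: int, g: int) -> bool:
    """p is a safe prime (p = 2q + 1, q prime) and g is not 1 or p - 1."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2) and 1 < g < p - 1


def keypair():
    """Steps b and c: random private key, public key = g^private mod p."""
    private = secrets.randbelow(P - 3) + 2            # uniform in [2, p-2]
    return private, pow(G, private, P)


def negotiate(own_private: int, peer_public: int) -> bytes:
    """Steps e and f, with the peer value checked before it is used."""
    if not 2 <= peer_public <= P - 2:
        # 0, 1 and p-1 would pin the shared value to a known constant.
        raise ValueError("peer public value outside [2, p-2]")
    shared = pow(peer_public, own_private, P)
    # Hash the raw group element down to a fixed-size symmetric key.
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def layer_keys(negotiation_key: bytes, layers: int) -> list:
    """One independent 32-byte key per encryption layer (assumed labels)."""
    return [hmac.new(negotiation_key, b"layer-%d" % i, hashlib.sha256).digest()
            for i in range(1, layers + 1)]


if __name__ == "__main__":
    s_priv, s_pub = keypair()
    c_priv, c_pub = keypair()
    key_s, key_c = negotiate(s_priv, c_pub), negotiate(c_priv, s_pub)
    print("keys match:", key_s == key_c)
    print("layer keys:", [k.hex()[:16] for k in layer_keys(key_s, 3)])
```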
In an embodiment of the present invention, referring to fig. 5, the authentication of both communication parties by means of a password and a dynamic token and decryption by means of a negotiation key comprises the following steps:
Step S201, the client sends an identity verification request comprising a user identifier, a password and a dynamic token to the server;
Step S202, the server verifies the identity, including the validity of the user password and the dynamic token;
Step S203, if the authentication is successful, the server generates a temporary symmetric key for data transmission;
Step S204, the server transmits the generated temporary key to the client through a secure channel;
Step S205, the client and the server encrypt and decrypt the data to be transmitted using the negotiated temporary key.
The working process of carrying out authentication of both communication parties through the password and the dynamic token and decrypting through the negotiation key is as follows:
1. Password and dynamic token acquisition:
Both communicating parties use their respective passwords and dynamic tokens for authentication. The password may be set in advance by the user, and the dynamic token may be a periodically replaced temporary verification code generated by hardware or software.
2. Initiating an authentication request:
The client sends an authentication request to the server, including a user identification (e.g., a user name), a password, and a dynamic token.
3. Server-side verification:
The server receives the authentication request and authenticates it against the user password stored on the server. At the same time, the server verifies the validity of the dynamic token, ensuring that it matches the expected token.
4. Generating a temporary key after successful authentication:
If authentication is successful, the server generates a temporary symmetric key or generates a key using another key agreement mechanism. This key is used for decryption in subsequent data transmission.
5. Key transmission:
The server transmits the generated temporary key to the client through the secure channel. This transmission requires the previously negotiated key or other security means to ensure the confidentiality of the key.
6. Data transmission:
The client and the server encrypt and decrypt the data to be transmitted using the negotiated temporary key. A symmetric encryption algorithm may be used, ensuring the confidentiality of the data during transmission.
The invention uses the password and the dynamic token to carry out identity verification, and encrypts and decrypts the data through the temporary key, thereby ensuring the identity verification of both communication parties and the safe transmission of the data.
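The two-factor flow described in both passages (password check, server-issued dynamic token, token check, temporary key) is sketched below on the server side as an added example, not the patent's implementation. The class and method names, the 60-second token lifetime, PBKDF2 for password storage and the single-use rule are assumptions; the digitally signed credential the client binds to the token is omitted.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 60            # seconds a dynamic token stays valid (assumed value)
PBKDF2_ROUNDS = 200_000   # work factor for stored passwords (assumed value)


class AuthServer:
    """Hypothetical server side of the password + dynamic token check."""

    def __init__(self):
        self._users = {}    # user -> (salt, PBKDF2 hash of the password)
        self._tokens = {}   # user -> (dynamic token, expiry timestamp)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str, now=None):
        """Factor 1: verify the password, then issue a fresh dynamic token."""
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._users.get(user, (bytes(16), b""))
        candidate = self._hash(password, salt)
        if not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[user] = (token, now + TOKEN_TTL)
        return token

    def verify_token(self, user: str, token: str, now=None):
        """Factor 2: check the token; on success return a temporary key."""
        now = time.time() if now is None else now
        # pop() makes the token single-use: a replay or a second guess
        # finds nothing to compare against.
        entry = self._tokens.pop(user, None)
        if entry is None:
            return None
        expected, expires_at = entry
        if now > expires_at:
            return None
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        return secrets.token_bytes(32)   # temporary symmetric key (step S203)


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed sample
    tok = server.login("alice", "correct horse battery staple")
    print("temporary key issued:", server.verify_token("alice", tok) is not None)
    print("replayed token accepted:", server.verify_token("alice", tok) is not None)
```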
In an embodiment of the present invention, referring to fig. 6, monitoring the traffic in real time and detecting traffic anomalies comprises the following steps:
Step S301, deploying a traffic monitoring system that captures and records the data packets of network communication in real time;
Step S302, setting a normal traffic baseline by establishing a standard for the frequency and protocol usage of normal traffic;
Step S303, analyzing the data packets captured in real time and comparing the current traffic with the set normal traffic baseline;
Step S304, detecting abnormal traffic: traffic whose characteristics differ significantly from the normal baseline is marked as abnormal;
Step S305, applying an attack behavior judgment algorithm to analyze whether the abnormal traffic matches known attack behavior;
Step S306, recording the detected abnormal traffic and possible attack behavior, and triggering an alarm mechanism.
The working process for monitoring the traffic in real time and detecting traffic anomalies comprises the following steps:
1. Deploying a traffic monitoring system:
A traffic monitoring system is deployed in the communication system; it is capable of capturing and recording, in real time, the packets of network traffic, including transport layer information, protocols, source and destination addresses, etc.
2. Setting a normal traffic baseline:
During normal operation, communication traffic is recorded and analyzed to establish a baseline for normal traffic. This includes the frequency of traffic, protocol usage, the normal behavior of both communicating parties, etc.
3. Real-time traffic analysis:
The data packets captured in real time are analyzed, and the current traffic is compared with the set normal traffic baseline. A traffic analysis algorithm is used to detect any anomalies that deviate from the normal traffic pattern.
4. Abnormal traffic detection:
If the traffic analysis finds features indicating a significant difference between the current traffic and the normal baseline, the system flags this traffic as abnormal.
5. Judging attack behavior:
For the traffic flagged as abnormal, the system applies an attack behavior judgment algorithm. This may include detecting common attack patterns (e.g., DDoS attacks, SQL injection, etc.) and analyzing whether the traffic patterns match known attack behavior.
6. Recording and alarming:
The detected abnormal traffic and possible attack behavior are recorded, and an alarm mechanism is triggered. The alarm may include notifying a system administrator, triggering an automatic defense mechanism, etc.
By monitoring the traffic in real time, establishing a normal traffic baseline and detecting abnormal traffic, the invention can discover potential attack behavior in time and trigger the corresponding alarm and recording mechanisms.
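Steps S301 to S306, together with the renegotiation rule of step S70, can be followed end to end in the added example below, which is not part of the patent. The per-window traffic records are constructed sample data, and the z-score threshold, the protocol-share threshold and the mapping from anomaly type to known attack behavior are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Anomaly kinds this example treats as known attack behavior (assumed mapping).
KNOWN_ATTACKS = {"rate_spike": "volumetric flood (DDoS-like)"}


def build_baseline(windows):
    """S302: packet-rate statistics and protocol mix of normal traffic."""
    rates = [w["packets"] for w in windows]
    protocols = Counter()
    for w in windows:
        protocols.update(w["protocols"])
    total = sum(protocols.values())
    return {
        "rate_mean": mean(rates),
        "rate_std": pstdev(rates) or 1.0,      # avoid dividing by zero
        "share": {p: c / total for p, c in protocols.items()},
    }


def detect(window, baseline, z_max=3.0, share_max=0.20):
    """S303/S304: compare one capture window with the baseline."""
    findings = []
    z = (window["packets"] - baseline["rate_mean"]) / baseline["rate_std"]
    if z > z_max:
        findings.append("rate_spike")
    total = sum(window["protocols"].values()) or 1
    for proto, count in window["protocols"].items():
        # A protocol taking a much larger share than usual is flagged.
        if count / total - baseline["share"].get(proto, 0.0) > share_max:
            findings.append("protocol_shift:" + proto)
    return findings


def handle(window, baseline, audit_log):
    """S305/S306 and S70: judge, record, and decide what the session does."""
    findings = detect(window, baseline)
    if not findings:
        return "continue"
    attacks = [KNOWN_ATTACKS[f] for f in findings if f in KNOWN_ATTACKS]
    audit_log.append({"window": window, "findings": findings, "attacks": attacks})
    # Only a judged attack tears the connection down and forces a new
    # key exchange; other anomalies are recorded and alerted on.
    return "interrupt_and_renegotiate" if attacks else "alert_only"


def window(packets, tls_share=0.9):
    """Constructed capture window: packet count split into TLS and DNS."""
    tls = round(packets * tls_share)
    return {"packets": packets, "protocols": {"tls": tls, "dns": packets - tls}}


# Constructed sample of normal operation used to set the baseline.
NORMAL = [window(n) for n in (100, 110, 95, 105, 98, 102, 107, 99)]
BASELINE = build_baseline(NORMAL)

if __name__ == "__main__":
    log = []
    for w in (window(104), window(900), window(103, tls_share=0.5)):
        print(w["packets"], "->", handle(w, BASELINE, log))
    print("recorded anomalies:", len(log))
```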
In summary, the present invention provides a data encryption transmission method based on transport layer security protocol (TLS), and aims to provide a safe and efficient data transmission solution. The method fully considers various aspects of communication security, and comprises a plurality of key steps of secure connection establishment, authentication, key negotiation, data encryption, data packet encryption, real-time monitoring, exception handling and the like.
First, a secure connection between the client and the server is established through the handshake protocol of TLS. In the handshake process, the two communication parties exchange digital certificates, and digital verification is carried out through Public Key Infrastructure (PKI) to ensure the legitimacy of the identities of the two communication parties. Then, two-factor authentication is introduced, and the password and the dynamic token are used for authenticating the identity of the two communication parties of the client and the server, so that the security of the authentication is improved.
After the identity authentication of both communication parties is passed, a unique symmetric key for encrypting and decrypting data is generated through a Diffie-Hellman key exchange protocol, so that safe key negotiation is realized. The data to be transmitted is obtained and segmented, and each data segment is subjected to nested encryption by using a master key to form an encrypted data packet containing nested encrypted data segments and necessary metadata.
A data packet encryption mechanism is introduced, and independent keys for different layers of deep encryption are generated through a multi-layer encryption hash function. In each level of encryption, noise is added, a random Initialization Vector (IV) is used, and an authentication layer is introduced, so that a deeply encrypted data packet is finally formed. This multi-layered data encryption scheme increases the confidentiality of the data.
After the transmission is finished, the identities of both communicating parties are verified through the password and the dynamic token, and decryption is carried out with the negotiation key. Meanwhile, the traffic is monitored in real time; when a traffic anomaly is detected, the attack behavior is judged, the connection is interrupted in time, and the method returns to the key exchange protocol step to renegotiate the key.
Overall, the data encryption transmission method based on the transport layer security protocol provides a comprehensive, efficient and secure data transmission scheme and is suitable for various scenarios in which communication security must be ensured. By combining encryption technology, identity verification means and a real-time monitoring mechanism, the method improves the overall security of the system during data transmission.
It is noted that the above-described figures are only schematic illustrations of processes involved in a method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be understood that although described in a certain order, the steps are not necessarily performed sequentially in the order described. Unless explicitly recited herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, some steps of the present embodiment may include a plurality of steps or stages, which are not necessarily performed at the same time but may be performed at different times; the order of these steps or stages is not necessarily sequential, and they may be performed in turn or alternately with other steps or with at least a part of the steps or stages in other steps.
In a second aspect of the embodiment of the present invention, the present invention further provides a data encryption transmission system based on a transport layer security protocol, including:
Secure connection establishment module: responsible for establishing a secure connection between the client and the server through the handshake protocol of the transport layer security protocol (TLS) before communication starts, including the generation of the ClientHello and ServerHello messages, the exchange and verification of digital certificates, and the execution of the Diffie-Hellman key exchange protocol.
Two-factor identity verification module: introduces two-factor authentication after the TLS handshake is completed, and is responsible for authenticating both communicating parties, the client and the server, using the password and the dynamic token of the two-factor authentication.
Key negotiation module: after the identity authentication of both communicating parties has passed, independently generates, through the Diffie-Hellman key exchange protocol, a unique symmetric key for encrypting and decrypting the data between the client and the server, thereby obtaining a negotiation key.
Data encryption module: obtains the data to be transmitted, segments it, and performs nested encryption on each data segment using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata.
Depth encryption module: introduces a data packet encryption mechanism, generates independent keys for the different layers of deep encryption through a multi-layer encryption hash function, and performs layered encryption on the data packets to be transmitted, using a different key for each layer, adding noise in each layer of encryption, using a random Initialization Vector (IV) and introducing an identity verification layer, finally forming the deeply encrypted data packets.
Identity verification and decryption module: authenticates both communicating parties through the password and the dynamic token after transmission and decrypts with the negotiation key. This includes the client sending an identity verification request to the server, the server verifying the identity, generating a temporary symmetric key for data transmission, key transmission, decryption of the transmitted data, and the like.
Real-time monitoring and exception handling module: when a traffic anomaly is detected, the attack behavior is judged and recorded, and when an attack is judged to exist, the connection is interrupted and the method returns to the key exchange protocol step to renegotiate the key.
The modules together form a data encryption transmission system based on a transmission layer security protocol, and safe and reliable communication is realized through the cooperative work of the modules.
The data encryption transmission system based on the transport layer security protocol is used for executing the steps of the data encryption transmission method based on the transport layer security protocol, and the steps of the data encryption transmission method are not repeated here.
The present invention provides a transport layer security protocol (TLS) based data encryption transmission system, which aims to create a secure and efficient data transmission solution. The system comprises a secure connection establishment module, a two-factor identity verification module, a key negotiation module, a data encryption module, a data packet encryption mechanism module, an identity verification and decryption module and a real-time monitoring and exception handling module, wherein each module plays a key role in different communication security layers, and the system is ensured to have high security in all links facing data transmission.
In a third aspect of the embodiments of the present invention, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, implements the method of any of the embodiments described above.
The computer device includes a processor and a memory, and may further include an input system and an output system. The processor, memory, input system and output system may be connected by a bus or other means. The input system may receive input digital or alphanumeric information and generate signal inputs related to migration of encrypted transmissions of data based on a transport layer security protocol. The output system may include a display device such as a display screen.
The memory, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the data encryption transmission method based on the transport layer security protocol in the embodiments of the application. The memory may include a program storage area and a data storage area, wherein the program storage area may store an operating system and at least one application program required for a function; the data storage area may store data created by use of the data encryption transmission method based on the transport layer security protocol, and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the local module through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In some embodiments, the processor may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip. The processor is typically used to control the overall operation of the computer device. In this embodiment, the processor is configured to execute the program code stored in the memory or to process data. The processor of the computer device of the present embodiment executes the various functional applications and data processing of the server by running the non-volatile software programs, instructions and modules stored in the memory, that is, it implements the steps of the data encryption transmission method based on the transport layer security protocol of the above method embodiment.
It should be appreciated that all of the embodiments, features and advantages set forth above for the data encryption transmission method based on the transport layer security protocol according to the present invention apply equally, where they do not conflict, to the transport layer security protocol based data encryption transmission and storage medium according to the present invention.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
Finally, it should be noted that the computer-readable storage media (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which acts as external cache memory. By way of example, and not limitation, RAM may be available in a variety of forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP and/or any other such configuration.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly supports an exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items. The serial numbers of the foregoing embodiments of the present invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Those of ordinary skill in the art will appreciate that: the above discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure of embodiments of the invention, including the claims, is limited to such examples; combinations of features of the above embodiments or in different embodiments are also possible within the idea of an embodiment of the invention, and many other variations of the different aspects of the embodiments of the invention as described above exist, which are not provided in detail for the sake of brevity. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the embodiments should be included in the protection scope of the embodiments of the present invention.

Claims (10)

1. A data encryption transmission method based on a transport layer security protocol, characterized by comprising the following steps:
before communication starts, a secure connection between a client and a server is established through a TLS handshake protocol, and digital certificates are exchanged between two communication parties and are digitally verified through PKI;
after TLS handshake is completed, introducing two-factor authentication, and performing authentication of both communication parties of the client and the server through a password and a dynamic token of the two-factor authentication;
after the identity authentication of both communication parties is passed, a unique symmetric key for encrypting and decrypting data between the client and the server is independently generated through a Diffie-Hellman key exchange protocol, so as to obtain a negotiation key;
acquiring data to be transmitted, segmenting the data, and performing nested encryption on each data segment by using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata;
introducing a data packet encryption mechanism, deeply encrypting the data packet content through the data packet encryption mechanism, and transmitting the data packet content to a receiver;
after transmission, carrying out authentication of both communication parties through a password and a dynamic token and decrypting through a negotiation key;
and monitoring traffic in real time; when a traffic abnormality is detected, judging whether an attack is taking place and recording the abnormality; and when an attack is judged to exist, interrupting the connection and returning to the key exchange protocol step to renegotiate the key.
2. The method for encrypted transmission of data based on a transport layer security protocol according to claim 1, wherein the secure connection between the client and the server is established by TLS handshake protocol, comprising the steps of:
the client sends at least one ClientHello message containing supported TLS protocol version, encryption algorithm and random number information to the server;
the server selects one of the encryption algorithms and TLS protocol versions provided by the client and responds with a ServerHello message containing the TLS protocol version supported by the server, the encryption algorithm and the random number information;
the server sends its stored digital certificate to the client, the client verifies it using a preloaded root certificate chain, and the client trusts the server's digital certificate once it is verified as legitimate; the digital certificate comprises the public key of the server;
the client generates a random number, encrypts a premaster secret by using a public key of the server, and sends the encrypted premaster secret to the server;
the server uses the private key of the server to decrypt the premaster secret sent by the client to obtain the shared premaster secret;
the client and the server generate a session key by using their respective random numbers and the premaster secret, and each send a Finished message containing a digest of the handshake process to verify the handshake;
after the handshake succeeds, the secure connection is established, and the client and the server use the session key to carry out encrypted communication.
3. The data encryption transmission method based on the transport layer security protocol according to claim 2, wherein the digital authentication by PKI comprises the following steps:
the server acquires a digital certificate, wherein the digital certificate comprises a public key, information of a certificate holder and a digital signature;
the server sends the digital certificate to the client, and the client acquires a root certificate for constructing a trust chain;
the client builds a trust chain and verifies the digital certificate sent by the server, including verifying whether the signature of the digital certificate was issued by a known CA, verifying the validity period of the certificate, checking the certificate revocation list, and checking the purpose of the certificate;
when the digital certificate passes all verification steps, the client accepts the digital certificate as valid, that is, the verification succeeds.
4. The data encryption transmission method based on the transport layer security protocol according to claim 3, wherein the authentication of both communication parties of the client and the server is performed by the password and the dynamic token of the two-factor authentication, comprising the following steps:
the client sends an identity credential containing a user name and a password to the server, the server verifies the received user name and password, and if the user name and the password pass verification, the server generates a dynamic token and sends the dynamic token to the client;
the client receives the dynamic token sent by the server, binds the dynamic token to the digitally signed identity certificate, and sends it to the server;
the server verifies the dynamic token sent by the client, and if the dynamic token passes the verification, the server considers that the client is a legal user and completes the identity verification;
after the authentication is successful, the two parties share the secret key.
5. The data encryption transmission method based on the transport layer security protocol according to claim 1, wherein the negotiation key is generated by Diffie-Hellman key exchange protocol, comprising the steps of:
a. two large prime numbers p and g are selected as parameters of a protocol, wherein p is a modulus used for calculating a public key and a private key, and g is a primitive root used for calculating the public key;
b. the server generates a private key and a public key, wherein public key_s = g^(private key_s) mod p, and private key_s is a random integer smaller than p;
c. the client generates a private key and a public key, wherein public key_c = g^(private key_c) mod p, and private key_c is a random integer smaller than p;
d. the client sends public key_c to the server;
e. after receiving the public key of the client, the server calculates the negotiation key: negotiation key_s = (public key_c)^(private key_s) mod p;
f. after receiving the public key of the server, the client calculates the negotiation key: negotiation key_c = (public key_s)^(private key_c) mod p;
g. the server and the client obtain the same negotiation key, negotiation key_s = negotiation key_c, for encrypting and decrypting communications.
6. The method for encrypted transmission of data based on a transport layer security protocol according to claim 5, wherein each data segment is nested encrypted using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata, comprising the steps of:
generating a random nested encryption key based on an AES nested encryption algorithm;
dividing the acquired data to be transmitted into data segments, performing nested encryption on each data segment by using a nested encryption key, and generating necessary metadata for each nested encrypted data segment by deriving different keys, wherein the necessary metadata comprise the number of the data segment and an initialization vector;
and combining the nested encrypted data segments and the generated metadata into a structure to form an encrypted data packet.
7. The data encryption transmission method based on the transport layer security protocol according to claim 6, wherein a data packet encryption mechanism is introduced, and the data packet content is deeply encrypted by the data packet encryption mechanism, comprising the following steps:
generating independent keys for the different layers of deep encryption based on a multi-layer encryption hash function, and carrying out layered encryption on the data packet to be transmitted, wherein each layer uses a different key;
adding noise in each layer of encryption, using a random initialization vector, introducing an identity verification layer in the process of deep encryption, and combining the layer-encrypted data packet with the necessary metadata to form a deep encrypted data packet.
8. The method for encrypted transmission of data based on a transport layer security protocol according to claim 7, wherein the hash function of the multi-level encryption uses SHA-256 for generating independent keys for different levels of deep encryption.
9. The data encryption transmission method based on the transport layer security protocol according to claim 7, wherein the authentication of both communication parties by means of a password and a dynamic token and the decryption by means of a negotiation key comprises the following steps:
the client sends an identity verification request comprising a user identifier, a password and a dynamic token to the server;
the server verifies the identity, including the validity of the user password and the dynamic token;
if the authentication is successful, the server generates a temporary symmetric key for data transmission;
the server transmits the generated temporary key to the client through a secure channel;
the client and the server encrypt and decrypt the data to be transmitted by using the negotiated temporary key.
10. A data encryption transmission system based on a transport layer security protocol, for executing the data encryption transmission method based on a transport layer security protocol according to any one of claims 1 to 9, the data encryption transmission system based on a transport layer security protocol comprising:
a secure connection establishment module: responsible for establishing a secure connection between the client and the server through the handshake protocol of the transport layer security protocol before communication begins;
a two-factor identity verification module: used for introducing two-factor authentication after the TLS handshake is completed, and carrying out authentication of both communication parties, the client and the server, by using the password and the dynamic token of the two-factor authentication;
a key negotiation module: used for independently generating, after the identity authentication of both communication parties has passed, a unique symmetric key for encrypting and decrypting data between the client and the server through the Diffie-Hellman key exchange protocol, thereby obtaining a negotiation key;
a data encryption module: used for obtaining the data to be transmitted, segmenting the data, and performing nested encryption on each data segment by using a master key to obtain an encrypted data packet containing nested encrypted data segments and necessary metadata;
a deep encryption module: used for introducing a data packet encryption mechanism, generating independent keys for the different layers of deep encryption through a multi-layer encryption hash function, carrying out layered encryption on the data packet to be transmitted with a different key for each layer, adding noise in each layer of encryption, using a random initialization vector, introducing an identity verification layer, and finally forming a deep encrypted data packet;
an identity verification and decryption module: used for carrying out authentication of both communication parties through the password and the dynamic token after transmission and carrying out decryption through the negotiation key;
a real-time monitoring and abnormality processing module: when a traffic abnormality is detected, judges whether an attack is taking place and records the abnormality, and when an attack is judged to exist, interrupts the connection and returns to the key exchange protocol step to renegotiate the key.
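Steps b to g of claim 5, written out in Node.js as an added example (not code from the patent), with the peer public key checked before it is used. The RFC 3526 group 14 parameters taken from Node's built-in `modp14` table, the 256-bit private exponent, the HKDF-SHA256 derivation and the context label are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Assumption: RFC 3526 group 14 (2048-bit safe prime, g = 2) from Node's
// built-in table; the patent does not name a group.
const group = crypto.getDiffieHellman('modp14');
const P = BigInt('0x' + group.getPrime('hex'));
const G = BigInt('0x' + group.getGenerator('hex'));
const Q = (P - 1n) / 2n; // order of the subgroup generated by g

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Steps b/c: the private key is a random integer smaller than p,
// and the public key is g^private mod p.
function generateKeyPair() {
  let priv;
  do {
    priv = BigInt('0x' + crypto.randomBytes(32).toString('hex'));
  } while (priv < 2n);
  return { priv, pub: modPow(G, priv, P) };
}

// Reject values that force a predictable secret (0, 1, p-1) or that lie
// outside the prime-order subgroup before they reach steps e/f.
function validatePeerPublicKey(pub) {
  if (typeof pub !== 'bigint') return false;
  if (pub < 2n || pub > P - 2n) return false;
  return modPow(pub, Q, P) === 1n;
}

// Steps e/f: negotiation key = peerPub^private mod p, then reduced to a
// 256-bit symmetric key with HKDF-SHA256 (the derivation is an assumption).
function deriveNegotiationKey(priv, peerPub, context) {
  if (!validatePeerPublicKey(peerPub)) throw new Error('invalid peer public key');
  const shared = modPow(peerPub, priv, P);
  const ikm = Buffer.from(shared.toString(16).padStart(512, '0'), 'hex');
  return Buffer.from(crypto.hkdfSync('sha256', ikm, Buffer.alloc(0), context, 32));
}

// Steps d-g end to end; returns both sides' keys so they can be compared.
function runExchange() {
  const server = generateKeyPair();
  const client = generateKeyPair();
  const ctx = 'negotiation-key-example'; // hypothetical context label
  return {
    serverKey: deriveNegotiationKey(server.priv, client.pub, ctx),
    clientKey: deriveNegotiationKey(client.priv, server.pub, ctx),
  };
}
```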
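The segmenting and layered encryption of claims 6 to 8, as an added Node.js example (not code from the patent): each segment is encrypted twice with AES-256-GCM under per-layer keys derived with SHA-256, and the segment number and IVs travel as metadata. The two-layer depth, GCM mode, HMAC-SHA256 derivation and packet field names are assumptions; the GCM tag stands in for the claim's identity verification layer and the added noise is not modelled.

```javascript
const crypto = require('node:crypto');

const LAYERS = ['inner', 'outer']; // assumption: two layers, hypothetical labels

// Segment number and segment count, bound into every key and every tag.
function header(seq, total) {
  const buf = Buffer.alloc(8);
  buf.writeUInt32BE(seq, 0);
  buf.writeUInt32BE(total, 4);
  return buf;
}

// Claim 8: SHA-256 yields an independent key per layer. Using HMAC-SHA256
// keyed with the master key over (layer, header) is this example's choice.
function layerKey(masterKey, layer, seq, total) {
  return crypto.createHmac('sha256', masterKey)
    .update(layer).update(header(seq, total)).digest();
}

// Claim 6: split the data, encrypt each segment layer by layer with a fresh
// random IV, and pack ciphertext plus metadata into one packet per segment.
function encryptData(masterKey, data, segmentSize) {
  const total = Math.max(1, Math.ceil(data.length / segmentSize));
  const packets = [];
  for (let seq = 0; seq < total; seq++) {
    let body = data.subarray(seq * segmentSize, (seq + 1) * segmentSize);
    const ivs = [];
    const tags = [];
    for (const layer of LAYERS) {
      const iv = crypto.randomBytes(12);
      const key = layerKey(masterKey, layer, seq, total);
      const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
      cipher.setAAD(header(seq, total));
      body = Buffer.concat([cipher.update(body), cipher.final()]);
      ivs.push(iv);
      tags.push(cipher.getAuthTag());
    }
    packets.push({ seq, total, ivs, tags, body });
  }
  return packets;
}

// Receiver: refuse dropped or reordered segments, then peel the layers in
// reverse order; final() throws if any byte or metadata field was altered.
function decryptPackets(masterKey, packets) {
  if (packets.length === 0 || packets.length !== packets[0].total) {
    throw new Error('segment count mismatch');
  }
  const segments = packets.map((pkt, index) => {
    if (pkt.seq !== index || pkt.total !== packets.length) {
      throw new Error('segment out of order');
    }
    let body = pkt.body;
    for (let i = LAYERS.length - 1; i >= 0; i--) {
      const key = layerKey(masterKey, LAYERS[i], pkt.seq, pkt.total);
      const decipher = crypto.createDecipheriv('aes-256-gcm', key, pkt.ivs[i]);
      decipher.setAAD(header(pkt.seq, pkt.total));
      decipher.setAuthTag(pkt.tags[i]);
      body = Buffer.concat([decipher.update(body), decipher.final()]);
    }
    return body;
  });
  return Buffer.concat(segments);
}
```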

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311677386.5A CN117879873A (en) 2023-12-08 2023-12-08 Data encryption transmission method and system based on transport layer security protocol

Publications (1)

Publication Number Publication Date
CN117879873A true CN117879873A (en) 2024-04-12

Family

ID=90576201

Legal Events

Date Code Title Description
PB01 Publication