CN117955678A - Encryption transmission method, device, equipment and storage medium for data - Google Patents

Encryption transmission method, device, equipment and storage medium for data Download PDF

Info

Publication number
CN117955678A
CN117955678A CN202311190675.2A CN202311190675A CN117955678A CN 117955678 A CN117955678 A CN 117955678A CN 202311190675 A CN202311190675 A CN 202311190675A CN 117955678 A CN117955678 A CN 117955678A
Authority
CN
China
Prior art keywords
key
data
target
encrypted
length
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311190675.2A
Other languages
Chinese (zh)
Inventor
巴镜程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mashang Consumer Finance Co Ltd
Original Assignee
Mashang Consumer Finance Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mashang Consumer Finance Co Ltd filed Critical Mashang Consumer Finance Co Ltd
Priority to CN202311190675.2A priority Critical patent/CN117955678A/en
Publication of CN117955678A publication Critical patent/CN117955678A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data encryption transmission method, a device, equipment and a storage medium, which are applied to a key management party and comprise the following steps: determining a target key in response to a data encryption request carrying data to be encrypted sent by a data sender, and encrypting the data to be encrypted based on the target key to obtain encrypted data; determining the length of the key identification of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identification of the target key and the length of the encrypted data to obtain a target ciphertext; and sending the target ciphertext to the data sender. In this way, the security of encrypted transmission of data can be improved.

Description

Encryption transmission method, device, equipment and storage medium for data
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for encrypting and transmitting data.
Background
In the encryption transmission process of data in the related art, a secret key is mostly stored in the configuration of a sender and a receiver, the sender encrypts the data during transmission, and the receiver decrypts the data when the receiver acquires the data. However, when the key is stored to both sides, there is a risk of disclosure of the key, and if the external world obtains the key, the information can be forged and sent to the receiving party, so that the security of encrypted transmission of the data is further reduced.
Disclosure of Invention
The embodiment of the application provides a data encryption transmission method, device, equipment and storage medium, which can improve the security of data encryption transmission.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides a data encryption transmission method, which is applied to a key management party and comprises the following steps:
determining a target key in response to a data encryption request which is sent by a data sender and carries data to be encrypted, and encrypting the data to be encrypted based on the target key to obtain encrypted data;
Determining the length of the key identification of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identification of the target key and the length of the encrypted data to obtain a target ciphertext;
and sending the target ciphertext to the data sender.
The embodiment of the application provides a data encryption transmission device, which is applied to a key management party and comprises the following components:
The encryption module is used for responding to a data encryption request which is sent by a data sender and carries data to be encrypted, determining a target key, and encrypting the data to be encrypted based on the target key to obtain encrypted data;
The secondary encryption module is used for determining the length of the key identifier of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identifier of the target key and the length of the encrypted data to obtain a target ciphertext;
And the sending module is used for sending the target ciphertext to the data sender.
An embodiment of the present application provides an electronic device, including:
A memory for storing executable instructions;
and the processor is used for realizing the encryption transmission method of the data provided by the embodiment of the application when executing the executable instructions stored in the memory.
Embodiments of the present application provide a computer-readable storage medium having stored therein computer-executable instructions that, when executed by a processor, cause the processor to perform the method for encrypted transmission of data provided by embodiments of the present application.
Embodiments of the present application provide a computer program product comprising a computer program or computer-executable instructions stored in a computer-readable storage medium. The processor of the electronic device reads the computer executable instructions from the computer readable storage medium, and the processor executes the computer executable instructions, so that the electronic device executes the encryption transmission method of the data provided by the embodiment of the application.
The embodiment of the application has the following beneficial effects:
The key management side responds to a data encryption request which is sent by the data sender and carries data to be encrypted, encrypts the data to be encrypted based on a target key to obtain encrypted data, and then carries out secondary encryption on the encrypted data to obtain a target ciphertext, so that the target ciphertext is sent to the data sender. Therefore, compared with the configuration of storing the secret key in the sender, the secret key is saved in the secret key management party, so that the risk of secret key leakage is reduced, and the safety of encrypted transmission of data is improved; meanwhile, through the two encryption processes of the data to be encrypted, even if the external world obtains the secret key, the secret key cannot be simply leaked to forge the ciphertext, so that the security of the encrypted transmission of the data is further improved.
Drawings
Fig. 1 is a schematic architecture diagram of an encrypted transmission system 100 for data according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 3 is a flow chart of an encryption transmission method of data according to an embodiment of the present application;
fig. 4 is a schematic diagram of a ciphertext structure of a target ciphertext according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a ciphertext structure of a target ciphertext obtained by performing secondary encryption on encrypted data obtained by encrypting different encryption modes according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a process for updating a target key according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a process for encrypting data based on different versions of a target key according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a process for decrypting a target ciphertext based on different versions of a key provided by an embodiment of the application;
fig. 9 is a technical architecture diagram of a data encryption transmission method according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of an encryption transmission device 254 for data according to an embodiment of the present application.
Detailed Description
The present application will be further described in detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present application more apparent, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a particular ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a particular order or sequence, as permitted, to enable embodiments of the application described herein to be practiced otherwise than as illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
Before describing embodiments of the present application in further detail, the terms and terminology involved in the embodiments of the present application will be described, and the terms and terminology involved in the embodiments of the present application will be used in the following explanation.
1) Artificial intelligence (AI, artificial Intelligence) is a theory, method, technique, and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend, and expand human intelligence, sense the environment, acquire knowledge, and use knowledge to obtain optimal results. The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like.
2) The Client (Client), also called Client, refers to a program corresponding to a server and providing local service for a user, and besides some application programs which can only run locally, the Client is generally installed on a common Client and needs to cooperate with the server to run, that is, a corresponding server and service program in a network are needed to provide corresponding service, so that a specific communication connection needs to be established between the Client and the server to ensure the normal running of the application programs.
3) An identification (ID, identity Document) indicating the uniqueness of the respective object for identifying the respective object.
4) A hardware encryptor (HSM, hardware Security Module), also called a hardware security module, is a hardware device that performs cryptographic operations, securely generates and stores keys.
5) A key, means for encrypting and decrypting data.
6) Public and private keys, the public key being the non-secret half of a key pair used with the private key algorithm. The public key is typically used to encrypt a session key, verify a digital signature, or encrypt data that may be decrypted with a corresponding private key. The public key and the private key are a key pair (namely a public key and a private key) obtained by an algorithm, wherein one of the key pair is disclosed to the outside and is called a public key; and the other is reserved by itself and is called a private key.
7) Sm4, namely a block symmetric cipher algorithm, wherein the lengths of plaintext, ciphertext and key are 128bits, the key mainly comprises an encryption and decryption algorithm and a key expansion algorithm, and a mathematical structure of 32 rounds of nonlinear iteration is adopted, wherein each iteration operation in the algorithm is a round of nonlinear transformation, and the main operation comprises exclusive or, synthesis substitution, nonlinear iteration, reverse order transformation and the like.
8) Advanced encryption standard (AES, advanced Encryption Standard), a symmetric key algorithm, uses 128, 192 or 256 bit keys and encrypts and decrypts data with 128 bit data block packets, AES naming the different key sizes as AES-x, where x is the key size.
Referring to fig. 1, fig. 1 is a schematic architecture diagram of an encrypted data transmission system 100 according to an embodiment of the present application, for implementing an application scenario of encrypted data transmission, for implementing an exemplary application, a key manager device 400 is connected to a data sender device 200-1 through a network 300, where the data sender device 200-1 may be a mechanism that needs to perform data transmission, for example, a hospital, a bank, a market or a supermarket, the key manager device 400 may be a mechanism with public trust, the network 300 may be a wide area network or a local area network, or a combination of both, and data transmission is implemented using a wireless or wired link.
A data sender (including a data sender device 200-1) for sending a data encryption request carrying data to be encrypted to a key manager;
A key management side (including a key management side device 400) for determining a target key in response to a data encryption request carrying data to be encrypted sent by a data sender, and encrypting the data to be encrypted based on the target key to obtain encrypted data; determining the length of the key identification of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identification of the target key and the length of the encrypted data to obtain a target ciphertext; transmitting the target ciphertext to a data sender;
the data sender (including the data sender device 200-1) is configured to receive the target ciphertext transmitted by the key manager.
In some embodiments, the key manager device 400 and the data sender device 200-1 may be independent physical servers, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDNs, content Deliver Network), and basic cloud computing services such as big data and artificial intelligence platforms. Key manager device 400, data sender device 200-1 may be, but is not limited to, a smart phone, tablet, notebook, desktop, set-top box, smart voice interaction device, smart home appliance, vehicle-mounted terminal, aircraft, and mobile device (e.g., mobile phone, portable music player, personal digital assistant, dedicated messaging device, portable gaming device, smart speaker, and smart watch), etc. The terminal device and the server may be directly or indirectly connected through wired or wireless communication, which is not limited in the embodiment of the present application.
The hardware structure of the electronic device for implementing the encrypted transmission method of data provided by the embodiment of the application is described in detail below, and the electronic device includes, but is not limited to, a server or a terminal. Referring to fig. 2, fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and the electronic device 200 shown in fig. 2 includes: at least one processor 210, a memory 250, at least one network interface 220, and a user interface 230. The various components in the electronic device 200 are coupled together by a bus system 240. It is understood that the bus system 240 is used to enable connected communications between these components. The bus system 240 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus system 240 in fig. 2.
The Processor 210 may be an integrated circuit chip having signal processing capabilities such as a general purpose Processor, such as a microprocessor or any conventional Processor, a digital signal Processor (DSP, digital Signal Processor), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
The user interface 230 includes one or more output devices 231, including one or more speakers and/or one or more visual displays, that enable presentation of media content. The user interface 230 also includes one or more input devices 232, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 250 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like. Memory 250 optionally includes one or more storage devices physically located remote from processor 210.
Memory 250 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The non-volatile Memory may be a Read Only Memory (ROM) and the volatile Memory may be a random access Memory (RAM, random Access Memory). The memory 250 described in embodiments of the present application is intended to comprise any suitable type of memory.
In some embodiments, memory 250 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof, as exemplified below.
An operating system 251 including system programs for handling various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and handling hardware-based tasks;
Network communication module 252 for reaching other computing devices via one or more (wired or wireless) network interfaces 220, exemplary network interfaces 220 include: bluetooth, wireless compatibility authentication (WiFi), and universal serial bus (USB, universal Serial Bus), etc.;
an input processing module 253 for detecting one or more user inputs or interactions from one of the one or more input devices 232 and translating the detected inputs or interactions.
In some embodiments, the encrypted transmission device for data provided by the embodiments of the present application may be implemented in software, and fig. 2 shows an encrypted transmission device 254 for data stored in a memory 250, which may be software in the form of a program and a plug-in, and includes the following software modules: the encryption module 2541, the secondary encryption module 2542, and the transmission module 2543 are logically, and thus may be arbitrarily combined or further split according to the implemented functions, and the functions of the respective modules will be described below.
In other embodiments, the encryption transmission apparatus for data provided by the embodiments of the present application may be implemented by combining software and hardware, and by way of example, the encryption transmission apparatus for data provided by the embodiments of the present application may be a processor in the form of a hardware decoding processor, which is programmed to perform the encryption transmission method for data provided by the embodiments of the present application, for example, the processor in the form of a hardware decoding processor may use one or more Application specific integrated circuits (ASICs, applications SPECIFIC INTEGRATED circuits), DSPs, programmable logic devices (PLDs, programmable Logic Device), complex Programmable logic devices (CPLDs, complex Programmable Logic Device), field-Programmable gate arrays (FPGAs), field-Programmable GATE ARRAY), or other electronic components.
In some embodiments, the method for encrypting and transmitting data provided by the embodiment of the application can also be implemented by running a computer program. For example, the computer program may be a native program or a software module in an operating system; the Application program can be a local (Native) Application program (APP), namely a program which can be installed in an operating system to run, such as an instant messaging APP and a web browser APP; the method can also be an applet, namely a program which can be run only by being downloaded into a browser environment; but also an applet that can be embedded in any APP. In general, the computer programs described above may be any form of application, module or plug-in.
Based on the description of the data encryption transmission system and the electronic device provided by the embodiments of the present application, the encryption transmission method of data provided by the embodiments of the present application is described below. In practical implementation, the encryption transmission method of the data provided by the embodiment of the application can be implemented by a terminal or a server alone or cooperatively, and the encryption transmission method of the data provided by the embodiment of the application is illustrated by taking the server as a key management party to execute alone. Referring to fig. 3, fig. 3 is a flowchart of an encryption transmission method for data according to an embodiment of the present application, and the following description will explain the steps shown in fig. 3.
Step 101, a key management side responds to a data encryption request which is sent by a data sender and carries data to be encrypted, determines a target key, encrypts the data to be encrypted based on the target key, and obtains encrypted data.
In actual implementation, the key management party may be a mechanism with public trust, and may perform operations such as access right control of the key, enabling and disabling of the key, deleting the key, and the like. The key management party can firstly receive a key generation request of a target key for encrypting the data to be encrypted, which is sent by the data sending party, before receiving the data encryption request carrying the data to be encrypted, which is sent by the data sending party, so as to respond to the key generation request, generate the target key through the hardware encryption machine, specifically, the key management party accesses the hardware encryption machine through a tcp/ip link mode and generates the target key through the hardware encryption machine, wherein the tcp/ip link hardware encryption machine can timely discover the state of the hardware encryption machine, when the hardware encryption machine fails, a software encryption program (an encryption algorithm is consistent with the hardware encryption machine) is used at the moment, and the target key is generated through the software encryption program.
It should be noted that, the target key may be generated in response to a key generation request, may be generated by the key manager itself, or may be generated in response to a data encryption request when receiving a data encryption request carrying data to be encrypted sent by the data sender, which is not limited in this embodiment of the present application.
In some embodiments, the process of determining the target key in response to a data encryption request carrying data to be encrypted sent by the data sender may also be that the first random number and the second random number are obtained in response to a data encryption request carrying data to be encrypted sent by the data sender; performing product processing on the first random number and the second random number to obtain a product result, and performing binary conversion on the product result to obtain a conversion result; a third random number, which is the same as the number of bits of the conversion result, is acquired as the target key.
As an example, a first random number and a second random number are obtained from a quantum random number generator, such as 61 and 53, then a product result of the first random number and the second random number is calculated, that is 61×53=3233, then binary conversion is performed on the product result to obtain a conversion result, that is 110010100001, for a total of 12 bits, and finally a third random number with the same number of bits as the conversion result, that is, 12 bits, is obtained from the quantum random number generator as a target key.
It should be noted that, here, the first random number, the second random number, and the third random number may be obtained from the quantum random number generator, and the first random number, the second random number, and the third random number may be prime numbers; meanwhile, the target key may be generated in response to the data encryption request, or may be generated in response to the key generation request when the key generation request of the target key for encrypting the data to be encrypted, which is sent by the data sender, is received. Here, when the target key is generated in response to the key generation request or generated by the key manager itself, the target key generated in advance is directly acquired when a data encryption request carrying data to be encrypted sent by the data sender is received.
In addition, the process of generating the target key by the hardware encryptor and the software encryptor may be a process of acquiring the first random number and the second random number; performing product processing on the first random number and the second random number to obtain a product result, and performing binary conversion on the product result to obtain a conversion result; the third random number, which is the same as the number of bits of the conversion result, is obtained as the target key, which is not limited in the embodiment of the present application.
In some embodiments, after the target key is determined in response to the key generation request, or after the key management side generates the target key by itself, the target key may be encrypted to obtain an encrypted target key, and the encrypted target key is stored in the storage device of the key management side, and when a data encryption request carrying data to be encrypted sent by the data sender or a data decryption request sent by the data receiver is received, the encrypted target key is decrypted to obtain the target key.
In practical implementation, after receiving a data encryption request carrying data to be encrypted, which is sent by a data sender, the data encryption request can be analyzed except for determining a target key, so that the data to be encrypted carried by the data encryption request is obtained, and the data to be encrypted is encrypted based on the target key, so that encrypted data is obtained.
It should be noted that, the method of encrypting the data to be encrypted here to obtain the encrypted data may be various, for example, encrypting the data to be encrypted using sm4 encryption algorithm or encrypting the data to be encrypted using AES256 algorithm. Here, the manner of encrypting the data to be encrypted to obtain the encrypted data is not limited in the embodiment of the present application.
Step 102, determining the length of the key identifier of the target key and the length of the encrypted data, and performing secondary encryption on the encrypted data based on the length of the key identifier of the target key and the length of the encrypted data to obtain the target ciphertext.
In practical implementation, the target key includes at least one version, so that before the encrypted data is secondarily encrypted, the version identifier of the current version of the target key needs to be determined, and the encrypted data is secondarily encrypted by combining the length of the key identifier of the target key, the key identifier, the version identifier and the length of the encrypted data to obtain the target ciphertext.
It should be noted that, the key identifier and the version identifier are used to indicate the ID of the key and the ID of the key version, where the version identifiers of the keys of different versions are different, and the key contents of the keys of different versions are different, but the key identifiers may be the same, for example, for the key identifier a, it may correspond to a plurality of versions of the key, such as the version identifier 1, the key 1 with the key content C 1, the version identifier 2, the key 2 with the key content C 2, and the key 3 with the version identifier 3 and the key content C 3, where the version identifiers of the keys 1,2, and 3 are all different, but the corresponding key IDs are all a. The process of determining the keys for the different version identifications will be described later.
In some embodiments, after determining the version identifier of the current version of the target key, performing secondary encryption on the encrypted data in combination with the length of the key identifier, the version identifier and the length of the encrypted data of the target key to obtain a target ciphertext, which may be a process of serializing the length of the key identifier, the version identifier, the length of the encrypted data and the encrypted data of the target key to obtain a length sequence of the key identifier, a key identifier sequence, a version identifier sequence, a length sequence of the encrypted data and an encrypted data sequence of the target key; and combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence based on the length of the key identification of the target key and the length of the encrypted data to obtain the target ciphertext.
It should be noted that, the serialization herein may indicate that the length of the key identifier of the target key, the key identifier, the version identifier, the length of the encrypted data, and the encrypted data are respectively binary-converted, so as to obtain a binary length sequence of the key identifier of the target key, a binary sequence of the key identifier, a binary length sequence of the version identifier, a binary sequence of the encrypted data, and a binary sequence of the encrypted data, so as to combine the binary length sequence of the key identifier of the target key, the binary sequence of the key identifier, the binary sequence of the version identifier, the binary length sequence of the encrypted data, and the binary sequence of the encrypted data, to obtain the target ciphertext. Therefore, the length of the key identification of the target key, the key identification, the version identification, the length of the encrypted data and the encrypted data are respectively serialized, so that the compression can be effectively performed, and the storage space is saved.
In some embodiments, after the serializing process, combining the length sequence of the key identifier, the key identifier sequence, the version identifier sequence, the length sequence of the encrypted data, and the encrypted data sequence based on the length of the key identifier of the target key, to obtain the target ciphertext, where the process may include determining a first location of the length sequence of the key identifier in the target ciphertext, and determining a second location of the key identifier sequence in the target ciphertext based on the first location and the length of the key identifier of the target key; determining a third position of the version identification sequence in the target secret based on the second position and the length of the key identification of the target key, and determining a fourth position of the length sequence of the encrypted data in the target secret based on the third position and the length of the key identification of the target key; determining a fifth position of the encrypted data sequence in the target secret based on the fourth position, the length of the key identification of the target key, and the length of the encrypted data; and combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence in sequence based on the first position, the second position, the third position, the fourth position and the fifth position to obtain the target ciphertext.
It should be noted that, the first position of the length sequence of the key identifier in the target secret may indicate the number of bits, such as bits 0-2, of the length sequence of the key identifier in the target secret, for example, when bits 0-2 in the target secret are the length sequence of the key identifier and the length of the key identifier is 2, bits 0-2 in the target ciphertext is 010, or when bits 0-2 in the target secret are the length sequence of the key identifier and the length of the key identifier is 1, bits 0-2 in the target ciphertext is 001.
In practical implementation, when the length sequence of the key identification is determined to be at the first position in the target secret, from the end bit number of the bit number indicated by the first position, the second position of the key identification sequence in the target secret, that is, the bit number of the key identification sequence in the target secret, is determined based on the length of the key identification of the target key, for example, when bits 0-2 in the target secret are the length sequence of the key identification, bits 3- (3+n) are the bit number of the key identification sequence in the target secret, wherein n is used for indicating the length of the key identification of the target key, for example, when bits 0-2 in the target secret are the length sequence of the key identification and the length of the key identification is 2, bits 3-5 are the key identification sequence, or when bits 0-2 in the target secret are the length sequence of the key identification and the length of the key identification is 1.
In practical implementation, when the second position of the key identification sequence in the target secret is determined, from the end bit number of the bit number indicated by the second position, the third position of the version identification sequence in the target secret, that is, the bit number of the version identification sequence in the target secret, is determined based on the length of the key identification of the target key, such as when bits 0-2 in the target secret are the length sequence of the key identification and bits 3- (3+n) are the length sequence of the key identification, bits (4+n) - (17+n) are the bit numbers of the version identification sequence in the target secret, wherein n is used to indicate the length of the key identification of the target key, for example, when bits 0-2 in the target secret are the length sequence of the key identification and the length of the key identification is 2, bits 3-5 are the key identification sequence, bits 6-19 are the version identification sequence, or when bits 0-2 in the target secret are the length sequence of the key identification and the length of the key identification is 1, bits 3-4 are the key identification sequence, and bits 5-18 are the version identification sequence.
In practical implementation, when the version identification sequence is determined to be at the third position in the target secret, from the end bit number of the bit number indicated by the third position, the bit number of the length sequence of the encrypted data in the fourth position in the target secret, that is, the bit number of the length sequence of the encrypted data in the target secret is determined based on the length of the key identification of the target key, such as when bits 0-2 in the target secret are the length sequence of the key identification and bits 3- (3+n) are the key identification sequence and bits (4+n) - (17+n) are the version identification sequence, bits (18+n) - (20+n) are the bit number of the length sequence of the encrypted data in the target secret, wherein n is used for indicating the length of the key identification of the target key, for example, bits 3-5 are the key identification sequence when bits 0-2 in the target secret are the length sequence of the key identification and the length of the key identification is 2, bits 6-19 are the length sequence of the key identification sequence, bits 20-22 are the length sequence of the encrypted data, or when bits 0-2 in the target secret are the length of the key identification sequence and bits 1-19 are the length of the bit sequence of the key identification sequence.
In practical implementation, when it is determined that the length sequence of the encrypted data is at the fourth position in the target secret, from the end bit number of the bit number indicated by the fourth position, the fifth position of the encrypted data sequence in the target secret, that is, the bit number of the encrypted data sequence in the target secret, is determined based on the length of the key identification of the target key, that is, when the 0-2 th bit in the target secret is the length sequence of the key identification, the 3- (3+n) th bit is the key identification sequence, the (4+n) - (17+n) th bit is the version identification sequence, the (18+n) - (20+n) th bit is the bit number of the encrypted data sequence in the target secret, wherein n is used to indicate the length of the key identifier of the target key, m is the length of the encrypted data, for example, when the 0 th to 2 nd bits in the target key are the length sequence of the key identifier, the length of the key identifier is 2, the length of the encrypted data is 5, the 3 rd to 5 th bits are the key identifier sequence, the 6 th to 19 th bits are the version identifier sequence, the 20 th to 22 th bits are the length sequence of the encrypted data, the 23 rd to 27 th bits are the encrypted data, or when the 0 th to 2 nd bits in the target key are the length sequence of the key identifier, the length of the key identifier is 1, the 3 rd to 4 th bits are the key identifier sequence, the 5 th to 18 th bits are the version identifier sequence, the 19 th to 21 th bits are the length sequence of the encrypted data, and the 22 nd to 26 th bits are the encrypted data.
In actual implementation, the first position, the second position, the third position, the fourth position and the fifth position are determined, and the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence are combined in sequence to obtain the target ciphertext. Referring to fig. 4, fig. 4 is a schematic diagram of a ciphertext structure of a target ciphertext according to an embodiment of the application, and based on fig. 4, after determining a first position, a second position, a third position, a fourth position, and a fifth position, a length sequence of a key identifier, a key identifier sequence, a version identifier sequence, a length sequence of encrypted data, and an encrypted data sequence are sequentially combined to obtain the target ciphertext.
It should be noted that, as described above, by serializing the length of the key identifier, the version identifier, the length of the encrypted data, and the encrypted data of the target key, the compression can be effectively performed, and the storage space is saved; meanwhile, based on the mode, the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence are combined, so that compared with the process of carrying out secondary encryption by using other keys in the related technology, the security of the secondary encryption process is improved, and the secondary encryption process has traceability and is convenient to decrypt on the basis of ensuring the security of the secondary encryption.
It should be noted that, as described above, the data to be encrypted may be encrypted in different manners, and the lengths of the encrypted data obtained by encrypting are different based on different encryption manners, and, for example, referring to fig. 5, fig. 5 is a schematic diagram of a ciphertext structure of a target ciphertext obtained by performing secondary encryption on the encrypted data obtained by encrypting in different encryption manners according to an embodiment of the present application, and based on fig. 5, the lengths of the ciphertext obtained by encrypting using the sm4 algorithm and the ciphertext obtained by encrypting using the AES256 algorithm are different, so that the structures of the corresponding target ciphertext obtained finally are also different, that is, the length of the target ciphertext corresponding to the ciphertext obtained by encrypting using the AES256 algorithm is greater than the target ciphertext corresponding to the ciphertext obtained by encrypting using the sm4 algorithm.
And step 103, transmitting the target ciphertext to the data sender.
It should be noted that, the target ciphertext is sent to the data sender, so that the data sender sends the target ciphertext to the data receiver; when determining the target key, the key management side also determines a target key pair comprising a private key and a public key, so that the encrypted data is secondarily encrypted based on the length of the key identifier of the target key and the length of the encrypted data, and after the target ciphertext is obtained, the target ciphertext is signed based on the private key, so that the target ciphertext signature is obtained. The process of sending the target ciphertext to the data sender may be sending the target ciphertext carrying the public key identification of the public key and the target ciphertext signature to the data sender.
In actual implementation, after the target ciphertext is sent to the data sender so that the data sender sends the target ciphertext to the data receiver, the key manager also receives a data decryption request which is sent by the data receiver and carries the target ciphertext, wherein the target ciphertext also carries a public key identifier of a public key and a target ciphertext signature; the key management side determines a public key based on the public key identification, and performs signature verification on the target ciphertext signature based on the public key; and when the signature verification result represents verification, decrypting the target ciphertext to obtain the data to be encrypted. Therefore, the data sender and the data receiver hold the secret key by only transmitting the identification of the secret key, and compared with the scheme of directly transmitting the public key in the related art, the risk of public key leakage is reduced, and therefore the security of the signing verification process is ensured.
In actual implementation, when determining the target key and the target key pair, the key management side records a corresponding relationship between the public key identifier and the key identifier of the target key, that is, the public key identifier and the key identifier of the target key have a corresponding relationship, so as to decrypt the target ciphertext to obtain data to be encrypted, which may be a process of determining the key identifier of the target key based on the public key identifier and the corresponding relationship; and determining a target key based on the key identification of the target key, and decrypting the target ciphertext based on the target key to obtain data to be encrypted.
It should be noted that, as described above, the target key has multiple versions, and the key contents of the target keys of different versions are different, so in the process of determining the target key based on the key identifier of the target key, the length of the key identifier may be obtained by analyzing the key identifier of the target key, then the number of bits of the version identifier sequence of the target key in the target ciphertext is determined based on the length of the key identifier, so as to determine the version identifier sequence of the target key, then the version identifier sequence of the target key is deserialized, so as to obtain the version identifier of the target key, and finally the target ciphertext is decrypted based on the version identifier of the target key, so as to obtain the data to be encrypted.
In practical implementation, the process of decrypting the target ciphertext based on the target key to obtain the data to be encrypted may be that, based on the length of the key identifier of the target key, the number of bits of the length sequence of the encrypted data in the target ciphertext is determined, so as to determine the length sequence of the encrypted data, then the length sequence of the encrypted data is deserialized to obtain the length of the encrypted data, then the length of the encrypted data and the length of the key identifier are combined to determine the number of bits of the encrypted data sequence in the target ciphertext, so as to determine the encrypted data sequence, then the encrypted data sequence is deserialized to obtain the encrypted data, and finally the encrypted data is decrypted based on the target key to obtain the data to be encrypted.
In some embodiments, as described above, there are multiple versions of the target key, and for the process of determining the keys identified by different versions, that is, the process of updating the key, specifically, after determining the target key, the target key may be updated to obtain a new target key; the new target key and the target key are keys with different versions, the key identifiers of the keys with different versions are the same, the version identifiers are different, and the corresponding data encryption processes are different; for example, referring to fig. 6, fig. 6 is a schematic diagram of a process for updating a target key according to an embodiment of the present application, based on fig. 6, for a key identifier a, it may correspond to a plurality of versions of keys, such as a key 1 with a version identifier 1 and a key content C 1, a key 2 with a version identifier 2 and a key content C 2, and a key n with a version identifier n and a key content C n, where the version identifiers and the key contents of the keys 1, 2, … …, and n are all different, but the corresponding key IDs are all a.
Based on the above, for the process of determining the target key based on the version identifier of the target key, that is, based on the version identifier of the target key, the key content of the target key corresponding to the version identifier is queried, so that the process of decrypting the encrypted data based on the target key to obtain the data to be encrypted, that is, based on the queried key content, the process of decrypting the encrypted data to obtain the data to be encrypted; meanwhile, in the process of updating the target key, the target key before updating is not deleted, but is continuously stored in the storage space of the key manager, and the key manager can decrypt the data to be encrypted based on the target key of the latest version.
It should be noted that, for the process of updating the key, the update period may be preset, for example, the update is performed once a day, or the update is performed once a week, so that the key is updated according to the preset update period; or when the key updating operation of the user is received, the key is updated in response to a key updating instruction triggered based on the key updating operation, wherein the key updating operation can be the triggering operation of the user on the human-computer interaction interface aiming at the corresponding function control. The process of updating the key includes, but is not limited to, the above two processes, and the embodiment of the application is not limited to this.
It should be noted that, when the target key is generated, the key identifier of the target key is automatically generated, and when the target key is updated in the updating process of the target key, the version identifier of the target key is automatically generated. Therefore, when the key identifier and the version identifier are used for carrying out secondary encryption on the encrypted data, the traceability of the secondary encryption process is ensured through the generated key identifier and version identifier, and the decryption by the key manager is facilitated.
In actual implementation, after generating a new target identifier, the new data to be encrypted can be encrypted based on a new target key in response to a data encryption request which is sent by a data sender and carries new data to be encrypted, so as to obtain new encrypted data, and the new encrypted data is subjected to secondary encryption so as to obtain a new target ciphertext; and transmitting the new target ciphertext to the data transmitter so that the data transmitter transmits the new target ciphertext to the data receiver.
For example, referring to fig. 7, fig. 7 is a schematic diagram of a process of encrypting data based on target keys of different versions, and based on fig. 7, for a key with a key identifier a, a corresponding version identifier 1, a key content C 1, a version identifier 2, and a key content C 2, a ciphertext obtained by encrypting data based on the key 1 and the key 2 is different, and a final target ciphertext is also different.
It should be noted that, here, the process of encrypting the new data to be encrypted based on the new target key to obtain new encrypted data and secondarily encrypting the new encrypted data to obtain the new target ciphertext is similar to the process of encrypting the data to be encrypted based on the target key to obtain the encrypted data and secondarily encrypting the encrypted data to obtain the target ciphertext described above, and therefore, the embodiment of the present application is not repeated.
Therefore, by updating the target key, the risk caused by the leakage of the target key is reduced, and the security in the data encryption process is further ensured.
In actual implementation, the new target ciphertext includes a version identifier of the new target key and new encrypted data; after the data sender sends the new target ciphertext to the data receiver, the key identification of the new target key corresponding to the new target ciphertext can be determined in response to a data decryption request carrying the new target ciphertext sent by the data receiver, wherein the new target ciphertext of the data receiver is the new target ciphertext sent by the data sender; analyzing the new target ciphertext based on the key identification of the new target key corresponding to the new target ciphertext to obtain the version identification of the new target key and the new encrypted data included in the new target ciphertext; and determining a new target key corresponding to the new target ciphertext based on the version identification, and decrypting the new encrypted data based on the new target key to obtain new data to be encrypted.
Referring to fig. 8, fig. 8 is a schematic diagram of a process of decrypting a target ciphertext based on keys of different versions according to an embodiment of the present application, based on fig. 8, key identifiers corresponding to corresponding ciphertexts are respectively determined for a target ciphertext a 1 and a target ciphertext a 2 obtained by encrypting a key a of different versions, so that, based on the key identifiers, the target ciphertext a 1 and the target ciphertext a 2 are respectively parsed to obtain version identifiers 1 and 2 and encrypted data a 1 and a 2, and based on the version identifiers 1 and 2, corresponding key contents C 1 and C 2 are queried, and finally, corresponding encrypted data are respectively decrypted to obtain plaintext.
It should be noted that, in the process of determining the key identifier of the new target key corresponding to the new target ciphertext, as described above, the key identifier of the new target key may be determined based on the public key identifier and the correspondence; correspondingly, the process of resolving the new target ciphertext based on the key identifier of the new target key corresponding to the new target ciphertext to obtain the version identifier of the new target key and the new encrypted data, as described above, may be that the length of the key identifier of the new target key is obtained by resolving the key identifier of the new target key, and then the number of bits of the version identifier sequence of the new target key in the new target ciphertext is determined based on the length of the key identifier of the new target key, so as to determine the version identifier sequence of the new target key, and then the version identifier sequence of the new target key is deserialized to obtain the version identifier of the new target key; then, based on the length of the key identification of the new target key, the number of bits of the length sequence of the new encrypted data in the new target ciphertext is determined, so as to determine the length sequence of the new encrypted data, then the length sequence of the new encrypted data is deserialized to obtain the length of the new encrypted data, then the number of bits of the new encrypted data sequence in the new target ciphertext is determined by combining the length of the new encrypted data and the length of the key identification of the new target key, so as to determine the new encrypted data sequence, then the new encrypted data sequence is deserialized to obtain new encrypted data, finally, based on the version identification of the new target key, the new target key is determined, and then the new encrypted data is decrypted based on the new target key, so as to obtain new data to be encrypted.
It should be noted that, here, the new target key is determined based on the version identifier of the new target key, which is described above, that is, based on the version identifier of the new target key, the key content of the new target key corresponding to the version identifier is queried, so that the new encrypted data is decrypted based on the key content of the new target key, and the new data to be encrypted is obtained.
By applying the embodiment of the application, the key management side responds to the data encryption request which is sent by the data sender and carries the data to be encrypted, encrypts the data to be encrypted based on the target key to obtain the encrypted data, and then carries out secondary encryption on the encrypted data to obtain the target ciphertext, so that the target ciphertext is sent to the data sender. Therefore, compared with the configuration of storing the secret key in the sender, the secret key is saved in the secret key management party, so that the risk of secret key leakage is reduced, and the safety of encrypted transmission of data is improved; meanwhile, through the two encryption processes of the data to be encrypted, even if the external world obtains the secret key, the secret key cannot be simply leaked to forge the ciphertext, so that the security of the encrypted transmission of the data is further improved.
In the following, an exemplary application of the embodiment of the present application in a practical application scenario will be described.
In the encryption transmission process of data in the related art, a secret key is mostly stored in the configuration of a sender and a receiver, the sender encrypts the data during transmission, and the receiver decrypts the data when the receiver acquires the data. However, when the key is stored to both sides, there is a risk of disclosure of the key, and if the external world obtains the key, the information can be forged and sent to the receiving party, so that the security of encrypted transmission of the data is further reduced.
Based on the above, the embodiment of the application provides a data encryption transmission method, a key management side responds to a data encryption request which is sent by a data sender and carries data to be encrypted, encrypts the data to be encrypted based on a target key to obtain encrypted data, and then carries out secondary encryption on the encrypted data to obtain a target ciphertext, so that the target ciphertext is sent to the data sender, and the data sender sends the target ciphertext to a data receiver. Therefore, compared with the configuration of storing the secret key in the sender and the receiver, the secret key is stored in the secret key management party, the risk of secret key leakage is reduced, and the safety of encrypted transmission of data is improved; meanwhile, through the two encryption processes of the data to be encrypted, even if the external world obtains the secret key, the secret key cannot be simply leaked to forge the ciphertext, so that the security of the encrypted transmission of the data is further improved.
Referring to fig. 9, fig. 9 is a technical architecture diagram of a data encryption transmission method according to an embodiment of the present application, based on fig. 9, the present application relates to interactions of three devices, namely, a data sender, a data receiver, and a key manager, and next, the data sender, the data receiver, and the key manager are described first.
For a data sender, applying for creating a target key and a target key pair to a key manager, so that a key identifier of the target key and an identifier of a public key in the target key pair obtained from a key management system are applied for encrypting transmission data by using the target key to obtain encrypted data (target ciphertext), applying for signing the encrypted data by using a private key in the target key pair, and finally transmitting the public key identifier and the encrypted data to a data receiver.
And for the data receiver, after receiving the public key identification and the encrypted data sent by the data sender, applying for the public key verification signature using the target key pair to the key management party, and after the verification signature passes, applying for decrypting the encrypted data using the target key so as to obtain a plaintext.
For a key management party, accessing a hardware encryption machine in a tcp/ip link mode and generating a target key through the hardware encryption machine, wherein the tcp/ip link hardware encryption machine can be used for timely finding the state of the hardware encryption machine, when the hardware encryption machine fails, communication can fail, and a software encryption program (an encryption algorithm is consistent with the hardware encryption machine) is used at the moment, so that the target key is generated through the software encryption program. And then encrypting the target key to obtain an encrypted target key, storing the encrypted target key in a storage device of a key management party, decrypting the encrypted target key to obtain the target key when a data encryption request carrying data to be encrypted sent by a data sender or a data decryption request sent by a data receiver is received, and finally encrypting and decrypting based on the target key.
The key manager may perform operations such as access right control of the key, enabling and disabling of the key, and deleting the key. At the same time, all keys are stored in the key management party, and the data sender and the data receiver only store the identification of the keys
In practical implementation, the encrypted data (target ciphertext) is a custom structure, the 0-2 bits are the length n of the key identifier of the target key, the 3- (3+n) bits are the key identifier of the target key, the (4+n) - (17+n) bits are the version identifier of the target key, the (17+n) - (20+n) bits are the specific length m of the ciphertext (encrypted data), and the (21+n) - (20+n-1+m) bits are the specific encrypted ciphertext (encrypted data). Therefore, the key identification and the key version identification can be obtained from the encrypted data after the key is updated to inquire specific key content, the key content is used for decrypting, meanwhile, the ciphertext obtaining length is variable, and the method can adapt to various encryption algorithms and is more flexible.
With continued reference to fig. 9, next, an interaction procedure of the data sender, the data receiver, and the key manager will be described based on fig. 9. Specifically, firstly, a data transmitting party applies for generating a target key for encrypting transmission data and a target key pair for signing the encrypted data, wherein the target key pair is a combination of a public key and a private key, at this time, the key manager generates the target key and the target key pair through a hardware encryptor, and stores the target key and the target key pair in a key management system, and when the hardware encryptor fails, a software encryptor is used for generating the target key and the target key pair. Then, when the key management side receives a request (data encryption request) sent by the data sender for encrypting the transmission data by using the target key, the transmission data is encrypted by using the target key to obtain encrypted data, then the encrypted data is signed by using the private key in the target key pair in response to a signature request for signing the encrypted data by using the private key in the target key pair sent by the data sender, and the public key identification carrying the public key and the signed encrypted data are sent to the data sender, so that the data sender resends the public key identification carrying the public key and the encrypted data signed by the encrypted data to the data receiver. After receiving the encrypted data, the data receiving party applies for verifying the signature by using the public key of the target key pair to the key management party, so that the key management party verifies the signature of the encrypted data based on the public key of the target key pair, and after the verification is passed, the key management party applies for decrypting the encrypted data by using the target key, so that the key management party decrypts the encrypted data into plaintext based on the target key, and sends the plaintext to the data receiving party.
It should be noted that, the key management side also updates the target key, the identifiers of the keys before and after the key update are not changed, only a new key version and the corresponding key content are added, and the keys of the old version are not deleted; meanwhile, when the key is used for encrypting the transmission data, the key of the latest version is used for encryption. In addition, after the key is updated, the corresponding key content is queried through the key version identifier in the encrypted data, so that decryption is performed based on the key content of the latest version.
Thus, with the present application, the key need not be sent to the data sender and the data receiver, but is stored in the key manager, and the ciphertext of the key is also stored; meanwhile, the key management side encrypts the data to be encrypted twice, so that the security of the data encryption process is improved; moreover, the transmitted data carry the signature of the data, and only if the signature is verified, the transmitted data is considered to be correct, so that the correctness of the data is guaranteed; in addition, the target ciphertext generated after encryption directly contains the content during decryption, so that the data sender and the data receiver only need to store the ciphertext, and do not need to store more information. Meanwhile, when the hardware encryption machine fails, a software encryption program can be used for replacing the hardware encryption machine, so that high availability of a target key generation process is ensured; in addition, the custom ciphertext structure can be adapted to flexibly change various encryption modes, and the reliability of data encryption is ensured.
By applying the embodiment of the application, the key management side responds to the data encryption request which is sent by the data sender and carries the data to be encrypted, encrypts the data to be encrypted based on the target key to obtain the encrypted data, and then carries out secondary encryption on the encrypted data to obtain the target ciphertext, so that the target ciphertext is sent to the data sender. Therefore, compared with the configuration of storing the secret key in the sender, the secret key is saved in the secret key management party, so that the risk of secret key leakage is reduced, and the safety of encrypted transmission of data is improved; meanwhile, through the two encryption processes of the data to be encrypted, even if the external world obtains the secret key, the secret key cannot be simply leaked to forge the ciphertext, so that the security of the encrypted transmission of the data is further improved.
Next, continuing to describe the encryption transmission device 254 for data provided by the embodiment of the present application, the device is applied to a key manager, referring to fig. 10, fig. 10 is a schematic structural diagram of the encryption transmission device 254 for data provided by the embodiment of the present application, where the encryption transmission device 254 for multiple data provided by the embodiment of the present application includes:
an encryption module 2541, configured to determine a target key in response to a data encryption request that is sent by a data sender and carries data to be encrypted, and encrypt the data to be encrypted based on the target key to obtain encrypted data;
A secondary encryption module 2542, configured to determine a length of a key identifier of the target key and a length of the encrypted data, and perform secondary encryption on the encrypted data based on the length of the key identifier of the target key and the length of the encrypted data, to obtain a target ciphertext;
a sending module 2543, configured to send the target ciphertext to the data sender.
In some embodiments, the target key comprises at least one version, the apparatus further comprising a determination module for determining a version identification of a current version of the target key; the secondary encryption module 2542 is further configured to combine the length of the key identifier of the target key, the key identifier, the version identifier, and the length of the encrypted data to perform secondary encryption on the encrypted data, so as to obtain a target ciphertext.
In some embodiments, the secondary encryption module 2542 is further configured to serialize the length of the key identifier of the target key, the key identifier, the version identifier, the length of the encrypted data, and the encrypted data to obtain a length sequence of the key identifier of the target key, a key identifier sequence, a version identifier sequence, a length sequence of the encrypted data, and an encrypted data sequence; and combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence based on the length of the key identification of the target key and the length of the encrypted data to obtain the target ciphertext.
In some embodiments, the secondary encryption module 2542 is further configured to determine a first location of the sequence of key identifications in the target secret, and determine a second location of the sequence of key identifications in the target secret based on the first location and a length of the key identifications of the target key; determining a third location of the version identification sequence in the target secret based on the second location and the length of the key identification of the target key, and determining a fourth location of the length sequence of the encrypted data in the target secret based on the third location and the length of the key identification of the target key; determining a fifth location of the encrypted data sequence in the target secret based on the fourth location, a length of a key identification of the target key, and a length of the encrypted data; and combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence in sequence based on the first position, the second position, the third position, the fourth position and the fifth position to obtain the target ciphertext.
In some embodiments, the encryption module 2541 is further configured to obtain a first random number and a second random number in response to a data encryption request sent by a data sender and carrying data to be encrypted; performing product processing on the first random number and the second random number to obtain a product result, and performing binary conversion on the product result to obtain a conversion result; and acquiring a third random number with the same bit number as the conversion result as the target key.
In some embodiments, the apparatus further includes an updating module, configured to update the target key to obtain a new target key; the new target key and the target key are keys with different versions, the key identifications of the keys with different versions are the same, the version identifications are different, and the corresponding data encryption processes are different; the data encryption request which is sent by the data sender and carries the new data to be encrypted is responded, the new data to be encrypted is encrypted based on the new target key to obtain new encrypted data, and the new encrypted data is subjected to secondary encryption to obtain a new target ciphertext; and sending the new target ciphertext to the data sender.
In some embodiments, the new target ciphertext includes a version identification of the new target key, and the new encrypted data; the device also comprises a decryption module, wherein the decryption module is used for responding to a data decryption request which is sent by a data receiver and carries the new target ciphertext, determining a key identification of a new target key corresponding to the new target ciphertext, and the new target ciphertext of the data receiver is the new target ciphertext which is received to be sent by the data sender; analyzing the new target ciphertext based on the key identification of the new target key corresponding to the new target ciphertext to obtain the version identification of the new target key and the new encrypted data, which are included in the new target ciphertext; and determining a new target key corresponding to the new target ciphertext based on the version identifier, and decrypting the new encrypted data based on the new target key to obtain the new data to be encrypted.
Embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the electronic device performs the encrypted transmission method of data according to the embodiment of the present application, for example, the encrypted transmission method of data as shown in fig. 3.
An embodiment of the present application provides a computer-readable storage medium storing executable instructions, in which the executable instructions are stored, which when executed by a processor, cause the processor to perform a method for encrypted transmission of data provided by the embodiment of the present application, for example, the method for encrypted transmission of data as shown in fig. 3.
In some embodiments, the computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; but may be a variety of devices including one or any combination of the above memories.
In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.
As an example, executable instructions may, but need not, correspond to files in a file system, may be stored as part of a file that holds other programs or data, such as in one or more scripts in a hypertext markup language (HTML, hyper Text Markup Language) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
As an example, executable instructions may be deployed to be executed on one electronic device or on multiple electronic devices located at one site or distributed across multiple sites and interconnected by a communication network.
It should be noted that, in the embodiment of the present application, related data such as query address text is acquired, when the embodiment of the present application is applied to a specific product or technology, permission or consent of a user needs to be obtained, and collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and scope of the present application are included in the protection scope of the present application.

Claims (10)

1. A method for encrypted transmission of data, applied to a key manager, the method comprising:
determining a target key in response to a data encryption request which is sent by a data sender and carries data to be encrypted, and encrypting the data to be encrypted based on the target key to obtain encrypted data;
Determining the length of the key identification of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identification of the target key and the length of the encrypted data to obtain a target ciphertext;
and sending the target ciphertext to the data sender.
2. The method of claim 1, wherein the target key comprises at least one version, the method further comprising:
determining a version identification of a current version of the target key;
the secondary encryption is performed on the encrypted data based on the length of the key identifier of the target key and the length of the encrypted data to obtain a target ciphertext, and the method comprises the following steps:
And carrying out secondary encryption on the encrypted data by combining the length of the key identifier of the target key, the key identifier, the version identifier and the length of the encrypted data to obtain a target ciphertext.
3. The method of claim 2, wherein the performing the secondary encryption on the encrypted data in combination with the length of the key identifier of the target key, the key identifier, the version identifier, and the length of the encrypted data to obtain the target ciphertext comprises:
serializing the length of the key identifier of the target key, the key identifier, the version identifier, the length of the encrypted data and the encrypted data to obtain a length sequence of the key identifier of the target key, a key identifier sequence, a version identifier sequence, a length sequence of the encrypted data and an encrypted data sequence;
And combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence based on the length of the key identification of the target key and the length of the encrypted data to obtain the target ciphertext.
4. The method of claim 3, wherein combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data, and the encrypted data sequence based on the length of the key identification of the target key and the length of the encrypted data to obtain the target ciphertext comprises:
Determining a first position of the key identification length sequence in the target secret, and determining a second position of the key identification sequence in the target secret based on the first position and the key identification length of the target key;
Determining a third location of the version identification sequence in the target secret based on the second location and the length of the key identification of the target key, and determining a fourth location of the length sequence of the encrypted data in the target secret based on the third location and the length of the key identification of the target key;
Determining a fifth location of the encrypted data sequence in the target secret based on the fourth location, a length of a key identification of the target key, and a length of the encrypted data;
And combining the length sequence of the key identification, the key identification sequence, the version identification sequence, the length sequence of the encrypted data and the encrypted data sequence in sequence based on the first position, the second position, the third position, the fourth position and the fifth position to obtain the target ciphertext.
5. The method of claim 1, wherein the determining the target key in response to the data encryption request carrying the data to be encrypted sent by the data sender comprises:
Responding to a data encryption request which is sent by a data sender and carries data to be encrypted, and acquiring a first random number and a second random number;
performing product processing on the first random number and the second random number to obtain a product result, and performing binary conversion on the product result to obtain a conversion result;
And acquiring a third random number with the same bit number as the conversion result as the target key.
6. The method of claim 1, wherein the encrypting the encrypted data based on the length of the key identification of the target key and the length of the encrypted data, after obtaining the target ciphertext, further comprises:
Updating the target key to obtain a new target key;
the new target key and the target key are keys with different versions, the key identifications of the keys with different versions are the same, the version identifications are different, and the corresponding data encryption processes are different;
The data encryption request which is sent by the data sender and carries the new data to be encrypted is responded, the new data to be encrypted is encrypted based on the new target key to obtain new encrypted data, and the new encrypted data is subjected to secondary encryption to obtain a new target ciphertext;
And sending the new target ciphertext to the data sender.
7. The method of claim 6, wherein the new target ciphertext includes a version identification of the new target key, and the new encrypted data; after the new target ciphertext is sent to the data sender, the method further comprises:
Determining a key identification of a new target key corresponding to the new target ciphertext in response to a data decryption request which is sent by a data receiver and carries the new target ciphertext, wherein the new target ciphertext of the data receiver is the new target ciphertext which is sent by the data sender;
Analyzing the new target ciphertext based on the key identification of the new target key corresponding to the new target ciphertext to obtain the version identification of the new target key and the new encrypted data, which are included in the new target ciphertext;
and determining a new target key corresponding to the new target ciphertext based on the version identifier, and decrypting the new encrypted data based on the new target key to obtain the new data to be encrypted.
8. An encrypted transmission apparatus for data, the apparatus being applied to a key manager, the apparatus comprising:
The encryption module is used for responding to a data encryption request which is sent by a data sender and carries data to be encrypted, determining a target key, and encrypting the data to be encrypted based on the target key to obtain encrypted data;
The secondary encryption module is used for determining the length of the key identifier of the target key and the length of the encrypted data, and carrying out secondary encryption on the encrypted data based on the length of the key identifier of the target key and the length of the encrypted data to obtain a target ciphertext;
And the sending module is used for sending the target ciphertext to the data sender.
9. An electronic device, comprising:
A memory for storing executable instructions;
a processor for implementing the encrypted transmission method of data according to any one of claims 1 to 7 when executing executable instructions stored in said memory.
10. A computer readable storage medium storing executable instructions for causing a processor to perform the method of encrypted transmission of data according to any one of claims 1 to 7.
CN202311190675.2A 2023-09-14 2023-09-14 Encryption transmission method, device, equipment and storage medium for data Pending CN117955678A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311190675.2A CN117955678A (en) 2023-09-14 2023-09-14 Encryption transmission method, device, equipment and storage medium for data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311190675.2A CN117955678A (en) 2023-09-14 2023-09-14 Encryption transmission method, device, equipment and storage medium for data

Publications (1)

Publication Number Publication Date
CN117955678A true CN117955678A (en) 2024-04-30

Family

ID=90795027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311190675.2A Pending CN117955678A (en) 2023-09-14 2023-09-14 Encryption transmission method, device, equipment and storage medium for data

Country Status (1)

Country Link
CN (1) CN117955678A (en)

Similar Documents

Publication Publication Date Title
CN108235806B (en) Method, device and system for safely accessing block chain, storage medium and electronic equipment
CN104852925B (en) Mobile intelligent terminal anti-data-leakage secure storage, backup method
CN110535641B (en) Key management method and apparatus, computer device, and storage medium
US11831753B2 (en) Secure distributed key management system
US20080148062A1 (en) Method for the secure storing of program state data in an electronic device
KR20150059347A (en) Mobile terminal, terminal and method for authentication using security cookie
CN110855616B (en) Digital key generation system
KR102282788B1 (en) Blockchain system for supporting change of plain text data included in transaction
CN115296807B (en) Key generation method, device and equipment for preventing industrial control network viruses
CN107872315B (en) Data processing method and intelligent terminal
CN115348107A (en) Internet of things equipment secure login method and device, computer equipment and storage medium
CN116961973A (en) Data transmission method, device, electronic equipment and computer readable storage medium
CN116204903A (en) Financial data security management method and device, electronic equipment and storage medium
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
CN117955678A (en) Encryption transmission method, device, equipment and storage medium for data
KR20190111748A (en) Method for generating address information used in transaction of cryptocurrency based on blockchain, electronic apparatus and computer readable recording medium
CN109933994A (en) Data classification storage and device and calculating equipment
CN114879980B (en) Vehicle-mounted application installation method and device, computer equipment and storage medium
CN117714513B (en) Method and system for controlling target equipment based on cloud server
CN115150145B (en) Crowd-sourced device communication method, device, computer device and storage medium
CN118250691B (en) Identification generation verification method, system, device and readable storage medium
CN112637122B (en) Test method, response method and system for access control of communication unit master station
JP2008252353A (en) Remote monitor system and center device
CN118152149A (en) Method and system for operating computer by using mobile equipment
CN116938467A (en) Communication method, system, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination