WO2016054905A1 - Method for processing data - Google Patents

Publication number: WO2016054905A1
Application number: PCT/CN2015/076945
Authority: WO, WIPO (PCT)
Prior art keywords: information, server, data, client, key
Inventors: 谈剑锋, 郑建华
Original assignee: 上海众人网络安全技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • FIG. 1 is a flowchart of a data processing method provided by the present invention.
  • The data processing method provided herein is mainly used by a server to authenticate data to be authenticated in a client while checking the integrity of that data.
  • Before the authentication, the user first registers in the server, and the relevant information of the user is stored in the server; then, if data to be authenticated needs to be authenticated, the user first logs in to the client, and the client and the server perform two-way authentication.
  • The same session key is generated in the client and the server respectively to establish communication between the client and the server, which ensures the security and integrity of the data to be authenticated in the authentication process.
  • The client acquires the user identifier uid, which uniquely identifies the user, and the password pw, encrypts uid and pw with the built-in first algorithm H to generate the first information M1, and then sends the first information to the server.
  • the user first inputs (eg, through a keyboard, a touch screen, etc.
  • the client sends the user identification uid and the first information M1 to the server.
  • the user identification uid includes information for uniquely identifying the user.
  • S02: The server randomly generates the first key K and the second key K'. It then combines the first key K with the built-in encryption algorithm E to generate an encryption function E_K associated with the first key, and combines the second key K' with the built-in decryption algorithm D corresponding to the encryption algorithm to generate a decryption function D_K' associated with the second key. Finally, the server sends the encryption function E_K and the decryption function D_K' to the client, and stores the first key K, the second key K', the encryption algorithm E, the decryption algorithm D, the user identifier uid and the first information M1.
  • a symmetric encryption technique to encrypt the first key K and the second key K' respectively.
  • We do not limit the specific forms of the encryption algorithm E and the decryption algorithm D; for example, they can be implemented using a national secret symmetric algorithm, 3DES.
  • S03: The client receives the encryption function E_K and the decryption function D_K' and stores them, completing the registration of the user in the server.
  • the logical operation here is an exclusive OR operation
  • the result of the logical operation of the first information M1 and the second information M2 is M1 ⊕ M2
  • the client then uses the encryption function E_K again to encrypt the logical operation result M1 ⊕ M2.
  • S05: The server receives the user identifier uid and the third information M3, and searches for the user identifier in the server to complete the authentication of the user identifier.
  • the server side stores a user identification file (denoted as a List), which is a list storing all legal client user identifiers uid.
  • After receiving the user identifier uid sent by the client, the server first makes a judgment on the uid to determine whether the user identifier uid exists in the user identification file List stored by the server.
  • S07: The server compares the generated first time T_ui with the obtained second time T_si, completes the server-to-client authentication, and sends the fourth information M4 to the client.
  • Comparing the first time T_ui and the second time T_si mainly means that the server obtains the time difference between them, that is, T_si - T_ui. If the time difference is smaller than the preset value, for example T_si - T_ui < 10 min (the preset value selected in the present invention is 10 min (minutes), which is only a preferred preset value of the present invention; the specific preset value should be determined according to the network delay), the server successfully authenticates the client.
  • The preset value of the time difference can also be 2 min, 5 min, etc.; the preset value of the time difference is not specifically limited, and the specific preset value should be determined according to the network delay.
  • S09: The client compares the generated second time T_si with the obtained first time T_ui to complete the client-to-server authentication, thereby completing the mutual authentication between the server and the client. Specifically, the client determines the time difference between the second time T_si and the first time T_ui, i.e. T_si - T_ui. If the time difference is smaller than a preset value, for example T_si - T_ui < 10 min (in the present invention the preset value is 10 min, which is only a preferred preset value of the present invention; the specific preset value should be determined according to the network delay), the client successfully authenticates the server, and the following steps are continued. As in step S07, in other embodiments the preset value of the time difference can also be 2 min, 5 min, etc.; the preset value of the time difference is not specifically limited, and the specific preset value should be determined according to the network delay.
  • The session key K_i required for the session is generated in the client and the server respectively, and is stored separately. The specific steps are as follows:
  • Splicing the second information M2 and the fifth information M5 to generate M6 expands the 8-byte (64-bit) second information M2 and fifth information M5 into 16-byte (128-bit) information, to meet the needs of symmetric algorithms such as 3DES (key bytes 14-21 bytes) during the operation.
  • The fifth information M5 and the second information M2 may also be spliced in that order, so that the spliced sixth information M6 is 8765432112345678, as long as the same splicing method is used in the client and the server.
  • The session key K_i used in the client and the server is the same during the same authentication process.
  • The purpose of splicing the second information M2 and the fifth information M5 to generate M6 is the same as in step S10, and the splicing method is also the same, so we will not repeat it here; this ensures that the session key K_i generated in the server is the same as the session key K_i generated in the client.
  • The same session key K_i is generated in the client and the server, and data is encrypted for transmission in combination with the public encryption algorithm and decryption algorithm, which can prevent data leakage, reduce the problem of key transmission, and effectively guarantee the security of the key.
  • the client encrypts the data to be authenticated using the public encryption algorithm e and sends it to the server for authentication.
  • The client and the server respectively encrypt the data to be authenticated (denoted M) using the public encryption algorithm e and the session key K_i, and decrypt the encrypted data to be authenticated M using the public decryption algorithm d and the session key K_i. The specific steps are as follows:
  • The data to be authenticated M is encrypted specifically as follows, M being the data to be authenticated sent by the client.
  • The client encrypts the data to be authenticated M using the session key K_i and the public encryption algorithm e to generate the first data, that is, e_Ki(M).
  • The client uses the first algorithm (i.e., the hash algorithm) to calculate over the data to be authenticated M to generate the second data, that is, the second data is H(M).
  • The client sends the first data and the second data to the server, i.e. e_Ki(M) + H(M).
  • The data to be authenticated M is decrypted specifically as follows: the server receives the first data and the second data, i.e. e_Ki(M) + H(M). The server decrypts the first data e_Ki(M), i.e. d_Ki(e_Ki(M)), using the public decryption algorithm d and the session key K_i, to obtain the data to be authenticated S (so named to distinguish it from the original data to be authenticated M sent by the client).
  • The integrity of the data to be authenticated is verified by applying the first algorithm (i.e., the hash algorithm) to the data to be authenticated obtained by the decryption, that is, H(S).
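
The steps above (S01 to S11 and S21 to S23) run end to end in Python, as an added example that is not code from the patent. Assumptions: E and D are a constructed toy Feistel cipher standing in for 3DES, H is SHA-256, M1 is truncated to 8 bytes, "inverting" M2 is read as byte reversal (matching the sample value 8765432112345678), and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8      # the page's M2 is 8 bytes (64 bits)
WINDOW = 600   # seconds; the page's preferred preset value of 10 min

def H(*parts):
    """The page's 'first algorithm' H (a hash); SHA-256 is an assumption."""
    return hashlib.sha256(b"\x00".join(parts)).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _feistel(key, data, decrypt=False):
    # Constructed 4-round Feistel stand-in for E/D (the page suggests 3DES).
    # Toy cipher so the example runs on the standard library; not for real use.
    assert len(data) % BLOCK == 0
    out = b""
    for off in range(0, len(data), BLOCK):
        l, r = data[off:off + 4], data[off + 4:off + BLOCK]
        for i in (reversed(range(4)) if decrypt else range(4)):
            if decrypt:
                l, r = _xor(r, _round(key, i, l)), l
            else:
                l, r = r, _xor(l, _round(key, i, r))
        out += l + r
    return out

def E(key, data):
    return _feistel(key, data)

def D(key, data):
    return _feistel(key, data, decrypt=True)

def splice(m2, m5_first=False):
    """S10/S11: M6 from M2 and M5. 'Inverts' is read as byte reversal (assumption)."""
    m5 = m2[::-1]
    return m5 + m2 if m5_first else m2 + m5

class Server:
    def __init__(self):
        self.users = {}

    def register(self, uid, m1):
        # S02: random K and K'; hand the client E_K and D_K' as closures.
        k, k2 = os.urandom(16), os.urandom(16)
        self.users[uid] = {"K": k, "K2": k2, "M1": m1}
        return (lambda d: E(k, d)), (lambda d: D(k2, d))

    def login(self, uid, m3, t_si):
        u = self.users.get(uid)                        # S05: look up uid
        if u is None:
            return None
        m2 = _xor(D(u["K"], m3), u["M1"])              # S06: recover M2
        t_ui = struct.unpack(">Q", D(u["K"], m2))[0]   # S06: recover T_ui
        if abs(t_si - t_ui) >= WINDOW:                 # S07 (abs() is an assumption)
            return None
        u["Ki"] = E(u["K"], splice(m2))                # S11: session key K_i
        return E(u["K2"], struct.pack(">Q", t_si))     # M4 = E_K'(T_si)

class Client:
    def __init__(self, uid, pw, server):
        # S01: M1 = H(uid, pw), truncated to 8 bytes so it XORs with M2 (assumption).
        self.uid, self.m1 = uid, H(uid, pw)[:BLOCK]
        self.E_K, self.D_K2 = server.register(uid, self.m1)    # S03

    def login(self, server, t_ui, t_si):
        # t_si is the server's clock reading, passed in to keep the run deterministic.
        m2 = self.E_K(struct.pack(">Q", t_ui))                 # S04: M2 = E_K(T_ui)
        m3 = self.E_K(_xor(self.m1, m2))                       # S04: M3 = E_K(M1 xor M2)
        m4 = server.login(self.uid, m3, t_si)
        if m4 is None:
            return False
        got = struct.unpack(">Q", self.D_K2(m4))[0]            # S08: recover T_si
        if abs(got - t_ui) >= WINDOW:                          # S09
            return False
        self.Ki = self.E_K(splice(m2))                         # S10: session key K_i
        return True

def pad(m):
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(p):
    n = p[-1] if p else 0
    return p[:-n] if 1 <= n <= BLOCK and p.endswith(bytes([n]) * n) else None

def protect(ki, m):
    """S21 (client): first data e_Ki(M) and second data H(M)."""
    return E(ki, pad(m)), H(m)

def verify(ki, first, second):
    """S22/S23 (server): decrypt to S, accept only if H(S) equals the second data."""
    if not first or len(first) % BLOCK:
        return None
    s = unpad(D(ki, first))
    if s is None or not hmac.compare_digest(H(s), second):
        return None
    return s
```

In this flow the second data H(M) is an unkeyed hash sent outside the ciphertext, so a party who can guess M can confirm the guess from H(M) alone. The S23 comparison rejects a modified first data because it no longer decrypts to a value whose hash matches.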

Abstract

A method for processing data is disclosed in the present invention. The method includes the following steps: a client obtains data to be authenticated, and encrypts the data to be authenticated with a session key stored in the client, using a built-in public encryption algorithm, to generate the first data; then the client encrypts the data to be authenticated with a built-in first algorithm to generate the second data; finally the client sends the first data and the second data to a server. After receiving the first data and the second data, the server decrypts the first data with the same session key as in the client and a public decryption algorithm corresponding to the public encryption algorithm, in order to restore and obtain the data to be authenticated; the data to be authenticated is then encrypted with the first algorithm built into the server to generate the third data; the server compares the generated third data with the received second data, and completes the authentication of the data to be authenticated. The present invention realizes network identity authentication, encrypted data transmission and data integrity verification, and has good technical prospects.

Description

A data processing method
Technical field
The present invention relates to the field of network information security, and more particularly to a data processing method.
Background
With the continuous development of the Internet, more and more people are beginning to try online transactions. However, malicious threats such as viruses, hackers, phishing and website-spoofing fraud pose great challenges to the security of online transactions. The endless stream of cybercrime has caused a crisis of trust in network identity. How to authenticate real identity in online transactions, prevent identity fraud, and keep information transmitted over the network confidential has once again become the focus of attention.
There are many insecure factors in data interaction on the Internet; confidential data in particular is more vulnerable to intrusion by hackers. Therefore, identity must be authenticated before data is transmitted over the network, to prevent impersonation. When data is transmitted, it needs to be encrypted with a secure encryption algorithm to ensure that its content is not leaked even if it is intercepted by a hacker. At the same time, the data must be checked on receipt to see whether it has been tampered with, preventing impersonation by a man in the middle.
Summary of the invention
The object of the present invention is to propose a data processing method capable of implementing network identity authentication, data encryption, and data integrity verification.
The technical solution of the present invention includes the following steps:
A data processing method in which, after the client and the server have each generated the session key required for the session process, the client encrypts the data to be authenticated using a public encryption algorithm and sends it to the server for authentication. The specific steps are as follows:
S21: The client obtains the data to be authenticated and encrypts it with the built-in public encryption algorithm, in combination with the session key stored in the client, to generate first data; the client then encrypts the data to be authenticated with the built-in first algorithm to generate second data; finally, the client sends the first data and the second data to the server;
S22: After the server receives the first data and the second data, it decrypts the first data using the same session key as in the client and the public decryption algorithm corresponding to the public encryption algorithm, to restore the data to be authenticated; it then encrypts the data to be authenticated using the first algorithm built into the server to generate third data;
S23: The server compares the generated third data with the received second data, and completes the authentication of the data to be authenticated.
In this technical solution, a communication relationship is established between the client and the server through the generated session key; that is, each time data to be authenticated in the client needs to be authenticated by the server, the session key is used for encryption protection, which ensures the security of the data to be authenticated during transmission while also verifying its integrity. We should also explain here that the client and the server can communicate in both directions: after the server and the client have established a communication relationship, the server can also send an authentication request to the client to carry out the above steps.
Preferably, the first algorithm is a hash algorithm.
Preferably, before the client encrypts the data to be authenticated using the public encryption algorithm and sends it to the server for authentication, the method further includes:
the user registers in the server;
the user completes identity authentication in the server, and the session key required for the session is generated in the client and in the server respectively and stored by each.
Preferably, the user registers in the server, and the specific steps are as follows:
S01: The client obtains the user identifier, which uniquely identifies the user, and the password, encrypts the identifier information and the password with the built-in first algorithm to generate first information, and then sends the first information to the server;
S02: The server randomly generates a first key and a second key, then combines the first key with a built-in encryption algorithm to generate an encryption function associated with the first key, and combines the second key with a built-in decryption algorithm corresponding to the encryption algorithm to generate a decryption function associated with the second key; finally, the server sends the encryption function and the decryption function to the client, and stores the first key, the second key, the encryption algorithm, the decryption algorithm, the user identifier and the first information;
S03: The client receives the encryption function and the decryption function and stores them, completing the registration of the user in the server.
In this technical solution, the encryption function and the decryption function stored in the client are computed by the server from the randomly generated key information (the first key and the second key) and the corresponding encryption and decryption algorithms, so the encryption and decryption functions of each client are different, and the client does not need to store the key information separately, which effectively solves the problem of key information storage in the client.
Preferably, after the user completes the registration in the server, the specific steps by which the user completes identity authentication in the server are as follows:
S04: The client obtains the user identifier, the password, and a first time, then encrypts the first time with the stored encryption function to generate second information, and then performs a logical operation on the generated second information and the stored first information; finally, it encrypts the result of the logical operation with the encryption function to generate third information, and sends the user identifier and the third information to the server;
S05: The server receives the user identifier and the third information, and searches for the user identifier in the server, completing the authentication of the user identifier;
S06: After the server completes the authentication of the user identifier, it obtains a second time and encrypts it with the stored encryption algorithm, in combination with the second key, to generate fourth information; it then decrypts the received third information with the stored decryption algorithm and the first key, and performs the logical operation on the decrypted information and the stored first information to recover the second information; finally, the server decrypts the second information with the stored decryption algorithm and the first key to recover the first time;
S07: The server compares the generated first time with the obtained second time, completes the authentication of the client by the server, and sends the fourth information to the client;
S08: The client receives the fourth information, and decrypts it with the stored decryption function to recover the second time;
S09: The client compares the generated second time with the obtained first time, and completes the authentication of the server by the client, thereby completing mutual authentication between the server and the client.
In this technical solution, the client and the server authenticate each other's identity by means of two-way authentication, which can effectively prevent counterfeit attacks.
Preferably, in steps S04 and S06, the logical operation is an exclusive OR operation.
Preferably, in step S07 and step S09, the time difference between the first time and the second time is obtained respectively, and when the time difference is within the preset value, the two-way authentication of the server and the client is completed.
Preferably, the preset value is 2 min to 10 min.
Preferably, after the user completes identity authentication in the server, the specific steps of generating the session key required for the session in the client and in the server respectively, and storing it in each, are as follows:
S10: The client inverts the second information to obtain fifth information, splices the second information and the fifth information to generate sixth information, and then encrypts the sixth information with the stored encryption function to generate the session key;
S11: The server inverts the generated second information to obtain the fifth information, splices the second information and the fifth information to generate the sixth information, and then encrypts the sixth information with the stored encryption algorithm and the first key to generate the same session key as in the client.
Preferably, in step S10 and step S11, the sixth information may also be obtained by splicing the fifth information and the second information.
The data processing method provided by the present invention can bring at least one of the following beneficial effects:
1. In the present invention, identity authentication uses an encryption and decryption algorithm fused with the key, without separating algorithm and key, which avoids the security problem of key storage.
2. The encryption and decryption functions of the client in the present invention are obtained by the server from a randomly generated key and the encryption and decryption algorithm, so the algorithm of each client is different, and the leakage of one client's security plug-in does not affect the overall security of the system.
3. The client and the server in the present invention adopt two-way authentication, which can effectively prevent counterfeit attacks.
4. During a data session in the present invention, the client and the server each generate the same key, which is combined with the public encryption algorithm and decryption algorithm for encrypted data transmission; this can prevent data leakage, reduces the problem of key transmission, and can effectively ensure the security of the key.
5. By checking the integrity of the data, the present invention can verify whether the content of the data has been tampered with, which can prevent repudiation and prevent man-in-the-middle attacks.
Description of the drawings
The present invention is described in further detail below with reference to the accompanying drawing and specific embodiments:
FIG. 1 is a schematic diagram of the steps of an embodiment of the data processing method of the present invention.
Detailed description
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of the data processing method provided by the present invention. Specifically, the method is mainly used by a server to authenticate data to be authenticated held by a client while also checking the integrity of that data. Before authentication, the user first registers in the server, and the user's information is stored in the server. Later, when data needs to be authenticated, the user first logs in to the client; after the client and the server have carried out mutual identity authentication, the same session key is generated in the client and in the server respectively to establish the connection between them, which ensures the security and integrity of the data to be authenticated during the authentication process.
First, the process by which a user registers in the server is described in detail. The specific steps are as follows:
S01: The client obtains the user identifier uid, which uniquely identifies the user, and the password pw, encrypts the identification information uid and the password pw with the built-in first algorithm $H$ to generate first information $M_1$, and then sends the first information to the server. Specifically, the user first enters the user identifier uid and its one-to-one corresponding password pw in the client (for example via the client's keyboard or touch screen) to register with the server; each user has a unique user identifier uid and a password pw corresponding to that identifier. The client then applies the first algorithm $H$ to the password pw to generate the first information $M_1 = H(pw)$; the first algorithm $H$ used in the present invention is a hash algorithm, such as the sha1 algorithm. Finally, the client sends the user identifier uid and the first information $M_1$ to the server. In the present invention, the user identifier uid comprises information that uniquely identifies the user. The specific form of the first algorithm is not limited here: any one-way hash function falls within the scope of the present invention.
S02: The server randomly generates a first key $K$ and a second key $K'$, then combines the first key $K$ with the built-in encryption algorithm $E$ to generate an encryption function $E_K$ associated with the first key, and combines the second key $K'$ with the built-in decryption algorithm $D$ corresponding to the encryption algorithm to generate a decryption function $D_{K'}$ associated with the second key. Finally, the server sends the encryption function $E_K$ and the decryption function $D_{K'}$ to the client, and stores the first key $K$, the second key $K'$, the encryption algorithm $E$, the decryption algorithm $D$, the user identifier uid and the first information $M_1$. In this specific embodiment, a symmetric encryption technique is applied to the first key $K$ and the second key $K'$ respectively. The specific forms of the encryption algorithm $E$ and the decryption algorithm $D$ are not limited; they can be implemented with, for example, the national cryptographic symmetric algorithm 3DES.
S03: The client receives the encryption function $E_K$ and the decryption function $D_{K'}$ and stores them, which completes the user's registration in the server.
As can be seen, steps S01 to S03 implement the user's registration in the server. In this process the client stores only the encryption function $E_K$ and the decryption function $D_{K'}$; the encryption algorithm $E$ and the decryption algorithm $D$ are thus stored separately from the first key $K$ and the second key $K'$, which effectively solves the problem of storing key information in the client.
Next, the user's login authentication process is described in detail. The specific steps are as follows:
S04: The client obtains the user identifier uid, the password pw and a first time $T_{ui}$, then encrypts the first time $T_{ui}$ with the stored encryption function $E_K$ to generate second information $M_2 = E_K(T_{ui})$, and next performs a logical operation on the generated second information $M_2$ and the stored first information $M_1$. Finally, it encrypts the result of the logical operation with the encryption function $E_K$ to generate third information $M_3$, and sends the user identifier uid and the third information $M_3$ to the server. Specifically, the logical operation here is XOR: the result of the logical operation on the first information $M_1$ and the second information $M_2$ is $M_1 \oplus M_2$, and the client then encrypts $M_1 \oplus M_2$ with the encryption function $E_K$ again to generate the third information $M_3 = E_K(M_1 \oplus M_2) = E_K(E_K(T_{ui}) \oplus H(pw))$. The specific form of the logical operation is not limited either: any logical operation for which applying the same operation to the result $M_1 \oplus M_2$ and the first information $M_1$ restores the second information $M_2$ falls within the scope of the present invention; in theory, XNOR could also be used.
S05: The server receives the user identifier uid and the third information $M_3$ and looks up the user identifier in the server, completing the authentication of the user identifier. Specifically, the server stores a user identifier file (denoted List), a list of the user identifiers uid of all legitimate clients. After receiving the user identifier uid sent by the client, the server first checks whether this uid exists in the stored user identifier file List. If it does, i.e. $uid \in List$, the user is judged to be a legitimate user and the preliminary authentication of the user's identity succeeds. If the authentication fails, i.e. the uid is not found in the user identifier file List, the user is an illegitimate user, and the server immediately terminates the conversation with the client and notifies the user. Adding this preliminary identity authentication improves the security of network identity authentication.
S06: After completing the authentication of the user identifier uid, the server obtains a second time $T_{si}$ and encrypts it with the stored encryption algorithm $E$ in combination with the second key $K'$ to generate fourth information $M_4 = E_{K'}(T_{si})$. It then decrypts the received third information $M_3 = E_K(E_K(T_{ui}) \oplus H(pw))$ with the stored decryption algorithm $D$ and the first key $K$, and performs the logical operation on the decrypted information $E_K(T_{ui}) \oplus H(pw)$ and the stored first information $M_1 = H(pw)$ to restore the second information $M_2$. Finally, the server decrypts the second information $M_2$ with the stored decryption algorithm $D$ and the first key $K$ to restore the first time $T_{ui}$. Specifically, the logical operation here is also XOR, the same as in step S04: XORing the decrypted information $E_K(T_{ui}) \oplus H(pw)$ with $H(pw)$ again yields the second information $M_2 = E_K(T_{ui})$, which is then decrypted to obtain the first time $T_{ui}$.
S07: The server compares the generated first time $T_{ui}$ with the obtained second time $T_{si}$ to complete the server's authentication of the client, and sends the fourth information $M_4$ to the client. Specifically, the comparison consists mainly of the server determining the time difference between the first time $T_{ui}$ and the second time $T_{si}$, i.e. $T_{si} - T_{ui}$. If the time difference is less than the preset value, $T_{si} - T_{ui} < 10$ min (10 min (minutes) is chosen in the present invention only as a preferred preset value; the actual preset value should depend on network latency), the server's authentication of the client succeeds. In other embodiments the preset value of the time difference may also be 2 min, 5 min, etc.; it is not specifically limited and should depend on network latency.
S08: The client receives the fourth information $M_4$ and decrypts it with the stored decryption function $D_{K'}$ to restore the second time $T_{si}$; that is, $D_{K'}(M_4) = D_{K'}(E_{K'}(T_{si}))$ yields the second time $T_{si}$.
S09: The client compares the generated second time $T_{si}$ with the obtained first time $T_{ui}$ to complete the client's authentication of the server, thereby completing the mutual authentication between the server and the client. Specifically, the client determines the time difference between the second time $T_{si}$ and the first time $T_{ui}$, i.e. $T_{si} - T_{ui}$. If the time difference is less than the preset value, e.g. $T_{si} - T_{ui} < 10$ min (10 min is chosen in the present invention only as a preferred preset value; the actual preset value should depend on network latency), the client's authentication of the server succeeds and the following steps continue. As in step S07, in other embodiments the preset value of the time difference may also be 2 min, 5 min, etc.; it is not specifically limited and should depend on network latency.
Steps S04 to S09 above complete the mutual authentication between the client and the server and effectively prevent impersonation attacks by malicious parties.
After the user completes identity authentication in the server, the session key $K_i$ required for the session is generated in the client and in the server respectively and stored by each. The specific steps are as follows:
S10: The client inverts the second information $M_2$ to obtain fifth information $M_5 = M_2' = E_K'(T_{ui})$ (the prime here denotes the inverted value), concatenates the second information $M_2 = E_K(T_{ui})$ and the fifth information $M_5$ to generate sixth information $M_6 = M_2 + M_5$, and then encrypts the sixth information $M_6$ with the stored encryption function $E_K$ to generate the session key $K_i = E_K(M_2 + M_5) = E_K(E_K(T_{ui}) + E_K'(T_{ui}))$. The purpose of concatenating the second information $M_2$ and the fifth information $M_5$ into $M_6$ is to expand the 8-byte (64-bit) second information $M_2$ and fifth information $M_5$ into 16 bytes (128 bits) of information; the expansion is needed to meet the requirements of symmetric algorithms such as 3DES (key bytes: 14-21 bytes) during operation. For example, if the second information $M_2$ is 12345678 and the fifth information $M_5$ is 87654321, the concatenated sixth information $M_6$ is 1234567887654321. In other embodiments the fifth information $M_5$ and the second information $M_2$ may be concatenated in the other order, giving a sixth information $M_6$ of 8765432112345678; the only requirement is that the client and the server use the same concatenation order, so that the session key $K_i$ used by the client and by the server is the same within one authentication.
S11: The server inverts the second information $M_2$ to obtain the fifth information $M_5 = M_2' = E_K'(T_{ui})$, concatenates the second information $M_2 = E_K(T_{ui})$ and the fifth information $M_5$ to generate the sixth information $M_6 = M_2 + M_5$, and then encrypts the sixth information $M_6$ with the stored encryption algorithm $E$ and the first key $K$ to generate the same session key as in the client, $K_i = E_K(E_K(T_{ui}) + E_K'(T_{ui}))$. The purpose and manner of concatenating the second information $M_2$ and the fifth information $M_5$ into $M_6$ are the same as in step S10 and are not repeated here; it is only necessary that the session key $K_i$ generated in the server be the same as the session key $K_i$ generated in the client.
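The registration, login and session-key steps S01 to S11 above, run end to end as an added example (not code from the patent). Assumptions: a small HMAC-based Feistel cipher stands in for E/D so the sketch runs without a 3DES library, H(pw) is truncated to 8 bytes so it can be XORed with the 8-byte M2, "inversion" is taken as byte reversal to match the 12345678 → 87654321 example, and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets, struct
from functools import partial

WINDOW = 600  # preset value in seconds: 10 min, the page's preferred choice

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 64-bit block cipher (ASSUMPTION: replaces 3DES; not from the patent).
def _block(key, blk, rounds):
    l, r = blk[:4], blk[4:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:4]
        l, r = r, xor(l, f)
    return r + l  # final swap, so decryption is the same walk with rounds reversed

def E(key, data):  # encryption algorithm E, applied block by block
    return b"".join(_block(key, data[i:i + 8], range(8)) for i in range(0, len(data), 8))

def D(key, data):  # decryption algorithm D
    return b"".join(_block(key, data[i:i + 8], reversed(range(8))) for i in range(0, len(data), 8))

def H(pw):
    # First algorithm H = SHA-1 (page); ASSUMPTION: cut to 8 bytes to match M2's length.
    return hashlib.sha1(pw.encode()).digest()[:8]

def fresh(t_a, t_b):
    # Bounded on both sides: a timestamp decoded after a wrong password is an
    # arbitrary 64-bit value, so a one-sided "difference < preset" would let it pass.
    return abs(t_a - t_b) < WINDOW

def session_key(enc, m2):            # S10 / S11
    m5 = m2[::-1]                    # ASSUMPTION: inversion = byte reversal
    m6 = m2 + m5                     # 8 bytes expanded to 16
    return enc(m6)                   # K_i = E_K(M2 + M5)

class Server:
    def __init__(self):
        self.users = {}              # uid -> (K, K', M1); its keys are the "List"

    def register(self, uid, m1):     # S02
        k, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[uid] = (k, k2, m1)
        return partial(E, k), partial(D, k2)   # E_K and D_K' handed to the client

    def login(self, uid, m3, t_si):
        if uid not in self.users:    # S05: uid must be in List
            return None
        k, k2, m1 = self.users[uid]
        m4 = E(k2, struct.pack(">Q", t_si))          # S06: M4 = E_K'(T_si)
        m2 = xor(D(k, m3), m1)                       # undo outer E_K, then XOR with H(pw)
        t_ui = struct.unpack(">Q", D(k, m2))[0]      # recover T_ui
        if not fresh(t_si, t_ui):    # S07
            return None
        return m4, session_key(partial(E, k), m2)    # S11

class Client:
    def __init__(self, uid, pw, server):
        self.uid = uid
        self.enc, self.dec = server.register(uid, H(pw))   # S01, S03

    def start(self, pw, t_ui):       # S04: M1 is recomputed from the typed password
        self.t_ui = t_ui
        self.m2 = self.enc(struct.pack(">Q", t_ui))
        return self.uid, self.enc(xor(H(pw), self.m2))

    def finish(self, m4):            # S08, S09, S10
        t_si = struct.unpack(">Q", self.dec(m4))[0]
        if not fresh(t_si, self.t_ui):
            return None
        return session_key(self.enc, self.m2)

def run_login(pw_typed, skew=3):
    """Register 'alice', then log in with pw_typed; the server clock is skew seconds ahead."""
    server = Server()
    client = Client("alice", "correct horse", server)
    t_ui = 1_700_000_000             # constructed client timestamp
    uid, m3 = client.start(pw_typed, t_ui)
    reply = server.login(uid, m3, t_ui + skew)
    if reply is None:
        return None
    m4, k_server = reply
    return client.finish(m4), k_server

if __name__ == "__main__":
    print(run_login("correct horse"))
```

The password is never compared directly: a wrong password makes the server recover a different M2, the decoded first time is then meaningless, and the freshness check is what rejects the login.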
Through the above steps the same session key $K_i$ is generated in the client and in the server. Using it with the public encryption and decryption algorithms to encrypt data in transit prevents data leakage, reduces the problems of key transmission, and effectively protects the key. The client encrypts the data to be authenticated with the public encryption algorithm $e$ and sends it to the server for authentication: the client and the server respectively encrypt the data to be authenticated (denoted $M$) with the public encryption algorithm $e$ and the session key $K_i$, and decrypt the encrypted data with the public decryption algorithm $d$ and the session key $K_i$. The specific steps are as follows:
Encryption of the data to be authenticated $M$: for the data to be authenticated $M$ sent by the client, the client first encrypts $M$ with the session key $K_i$ and the public encryption algorithm $e$ to generate first data, i.e. $e_{K_i}(M)$. The client applies the first algorithm (i.e. the hash algorithm) to the data to be authenticated $M$ to generate second data, i.e. $H(M)$. The client sends the first data and the second data to the server, i.e. $e_{K_i}(M) + H(M)$.
Decryption of the data to be authenticated $M$: the server receives the first data and the second data, i.e. $e_{K_i}(M) + H(M)$. The server decrypts the first data $e_{K_i}(M)$ with the public decryption algorithm $d$ and the session key $K_i$, i.e. $d_{K_i}(e_{K_i}(M))$, and obtains data to be authenticated $S$ (so named to distinguish it from the original data to be authenticated $M$ sent by the client).
Integrity check of the data to be authenticated $M$: the server then applies the first algorithm (i.e. the hash algorithm) to the decrypted data to be authenticated $S$, i.e. $H(S)$. The server compares $H(S)$ with the received second data $H(M)$. If $H(S) = H(M)$, the data to be authenticated $S$ received by the server is the data to be authenticated $M$ sent by the client, and the data is intact; otherwise the data to be authenticated $S$ is incomplete and is invalid.
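The encrypt, hash, send, decrypt and compare sequence above as an added example (not code from the patent). Assumptions: a SHA-256 counter keystream stands in for the public algorithms e and d, the second data is appended to the first as a fixed 20-byte SHA-1 suffix, and the function names, key and sample message are constructed.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes: H is SHA-1 on the page

def e(k_i, data):
    """Stand-in for the public algorithm e (ASSUMPTION): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(k_i + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

d = e   # for an XOR keystream, decryption is the same operation

def client_send(k_i, m):
    """Client side: first data e_Ki(M) followed by second data H(M)."""
    return e(k_i, m) + hashlib.sha1(m).digest()

def server_receive(k_i, packet):
    """Server side: return S if H(S) equals the received H(M), else None."""
    if len(packet) < DIGEST_LEN:           # too short to even carry the second data
        return None
    first, second = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    s = d(k_i, first)                      # S = d_Ki(e_Ki(M))
    third = hashlib.sha1(s).digest()       # third data H(S)
    if not hmac.compare_digest(third, second):
        return None                        # S is not the M the client hashed
    return s

def demo():
    k_i = bytes(range(16))                 # constructed 16-byte session key
    m = b"transfer 100 to account 42"      # constructed data to be authenticated
    packet = client_send(k_i, m)
    ok = server_receive(k_i, packet)
    flipped = bytearray(packet)
    flipped[0] ^= 0x01                     # one bit of the first data changed in transit
    tampered = server_receive(k_i, bytes(flipped))
    wrong_key = server_receive(bytes(16), packet)    # receiver holds a different K_i
    truncated = server_receive(k_i, packet[:10])
    return ok, tampered, wrong_key, truncated

if __name__ == "__main__":
    print(demo())
```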
Specific embodiments of the present invention have been described in detail above, but the present invention is not limited to the specific embodiments described, which serve only as examples. For those skilled in the art, any equivalent modification of or substitution to the present invention also falls within its scope. Accordingly, equivalent changes and modifications made without departing from the spirit and scope of the invention are covered by the scope of the present invention.

Claims (10)

  1. A data processing method, characterized in that, after the session key required for the session has been generated in the client and in the server respectively, the client encrypts the data to be authenticated using a public encryption algorithm and sends it to the server for authentication, with the following specific steps:
    S21: the client obtains the data to be authenticated and encrypts it with the built-in public encryption algorithm in combination with the session key stored in the client to generate first data; the client then encrypts the data to be authenticated with the built-in first algorithm to generate second data; finally, the client sends the first data and the second data to the server;
    S22: after receiving the first data and the second data, the server decrypts the first data using the same session key as in the client and the public decryption algorithm corresponding to the public encryption algorithm to restore the data to be authenticated; it then encrypts the data to be authenticated with the first algorithm built into the server to generate third data;
    S23: the server compares the generated third data with the received second data to complete the authentication of the data to be authenticated.
  2. The data processing method according to claim 1, characterized in that the first algorithm is a hash algorithm.
  3. The data processing method according to claim 1 or 2, characterized in that, before the client encrypts the data to be authenticated using the public encryption algorithm and sends it to the server for authentication, the method further comprises: the user registers in the server;
    the user completes identity authentication in the server, and the session key required for the session is generated in the client and in the server respectively and stored by each.
  4. The data processing method according to claim 3, characterized in that the user registers in the server with the following specific steps:
    S01: the client obtains the user identifier, which uniquely identifies the user, and the password, encrypts the identification information and the password with the built-in first algorithm to generate first information, and then sends the first information to the server;
    S02: the server randomly generates a first key and a second key, then combines the first key with a built-in encryption algorithm to generate an encryption function associated with the first key, and combines the second key with a built-in decryption algorithm corresponding to the encryption algorithm to generate a decryption function associated with the second key; finally, the server sends the encryption function and the decryption function to the client, and stores the first key, the second key, the encryption algorithm, the decryption algorithm, the user identifier and the first information;
    S03: the client receives the encryption function and the decryption function and stores them, completing the user's registration in the server.
  5. The data processing method according to claim 4, characterized in that, after the user has completed registration in the server, the user completes identity authentication in the server with the following specific steps:
    S04: the client obtains the user identifier, the password and a first time, then encrypts the first time with the stored encryption function to generate second information, and next performs a logical operation on the generated second information and the stored first information; finally, it encrypts the result of the logical operation with the encryption function to generate third information, and sends the user identifier and the third information to the server;
    S05: the server receives the user identifier and the third information and looks up the user identifier in the server, completing the authentication of the user identifier;
    S06: after completing the authentication of the user identifier, the server obtains a second time and encrypts it with the stored encryption algorithm in combination with the second key to generate fourth information; it then decrypts the received third information with the stored decryption algorithm and the first key, and performs the logical operation on the decrypted information and the stored first information to restore the second information; finally, the server decrypts the second information with the stored decryption algorithm and the first key to restore the first time;
    S07: the server compares the generated first time with the obtained second time to complete the server's authentication of the client, and sends the fourth information to the client;
    S08: the client receives the fourth information and decrypts it with the stored decryption function to restore the second time;
    S09: the client compares the generated second time with the obtained first time to complete the client's authentication of the server, thereby completing the mutual authentication between the server and the client.
  6. The data processing method according to claim 5, characterized in that, in steps S04 and S06, the logical operation is an exclusive-OR (XOR) operation.
  7. The data processing method according to claim 5, characterized in that, in steps S07 and S09, the time difference between the first time and the second time is obtained in each case, and when the time difference is within a preset value, the mutual authentication between the server and the client is completed.
  8. The data processing method according to claim 7, characterized in that the preset value is 2 min to 10 min.
  9. The data processing method according to claim 5, 6, 7 or 8, characterized in that, after the user completes identity authentication in the server, the session key required for the session is generated in the client and in the server respectively and stored by each, with the following specific steps:
    S10: the client inverts the second information to obtain fifth information, concatenates the second information and the fifth information to generate sixth information, and then encrypts the sixth information with the stored encryption function to generate the session key;
    S11: the server inverts the second information it generated to obtain the fifth information, concatenates the second information and the fifth information to generate the sixth information, and then encrypts the sixth information with the stored encryption algorithm and the first key to generate the same session key as in the client.
  10. The data processing method according to claim 9, characterized in that, in steps S10 and S11, the sixth information may also be obtained by concatenating the fifth information followed by the second information.
PCT/CN2015/076945 2014-10-11 2015-04-20 Method for processing data WO2016054905A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410532214.3 2014-10-11
CN201410532214.3A CN104243494B (en) 2014-10-11 2014-10-11 A kind of data processing method

Publications (1)

Publication Number Publication Date
WO2016054905A1 true WO2016054905A1 (en) 2016-04-14

Family

ID=52230843

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/076945 WO2016054905A1 (en) 2014-10-11 2015-04-20 Method for processing data

Country Status (2)

Country Link
CN (1) CN104243494B (en)
WO (1) WO2016054905A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114599033A (en) * 2022-05-10 2022-06-07 中移(上海)信息通信科技有限公司 Communication authentication processing method and device
CN114826654A (en) * 2022-03-11 2022-07-29 中国互联网络信息中心 Client authentication method and system based on domain name system naming

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243494B (en) * 2014-10-11 2018-01-23 上海众人网络安全技术有限公司 A kind of data processing method
CN105049433B (en) * 2015-07-17 2019-07-30 上海众人网络安全技术有限公司 Markization card number information transmits verification method and system
KR101759136B1 (en) * 2015-11-17 2017-07-31 현대자동차주식회사 Method and apparatus for providing security service for vehicle dedicated data channel in linking between vehicle head unit and external device
CN105207782B (en) * 2015-11-18 2018-09-25 上海爱数信息技术股份有限公司 A kind of auth method based on restful frameworks
CN105512877A (en) * 2016-02-24 2016-04-20 恒宝股份有限公司 Headset with payment function and payment method
CN105827395A (en) * 2016-04-29 2016-08-03 上海斐讯数据通信技术有限公司 Network user authentication method
CN107370711B (en) 2016-05-11 2021-05-11 创新先进技术有限公司 Identity verification method and system and intelligent wearable device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291377A (en) * 2010-06-17 2011-12-21 侯方勇 Data safe transmission method and device
CN102421096A (en) * 2011-12-22 2012-04-18 厦门雅迅网络股份有限公司 Method for safely transmitting data based on wireless network
CN102624740A (en) * 2012-03-30 2012-08-01 奇智软件(北京)有限公司 Data interaction method, client and server
CN104243494A (en) * 2014-10-11 2014-12-24 上海众人科技有限公司 Data processing method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100490375C (en) * 2003-12-01 2009-05-20 中国电子科技集团公司第三十研究所 Strong authentication method based on symmetric encryption algorithm
CN101917270B (en) * 2010-08-03 2012-08-22 中国科学院软件研究所 Weak authentication and key agreement method based on symmetrical password
CN104079413A (en) * 2014-07-14 2014-10-01 上海众人科技有限公司 Enhancement type one-time dynamic password authentication method and system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826654A (en) * 2022-03-11 2022-07-29 中国互联网络信息中心 Client authentication method and system based on domain name system naming
CN114826654B (en) * 2022-03-11 2023-09-12 中国互联网络信息中心 Client authentication method and system based on domain name system naming
CN114599033A (en) * 2022-05-10 2022-06-07 中移(上海)信息通信科技有限公司 Communication authentication processing method and device
CN114599033B (en) * 2022-05-10 2022-08-16 中移(上海)信息通信科技有限公司 Communication authentication processing method and device

Also Published As

Publication number Publication date
CN104243494B (en) 2018-01-23
CN104243494A (en) 2014-12-24

Similar Documents

Publication Publication Date Title
US11799656B2 (en) Security authentication method and device
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
WO2016054905A1 (en) Method for processing data
US11533297B2 (en) Secure communication channel with token renewal mechanism
US10305688B2 (en) Method, apparatus, and system for cloud-based encryption machine key injection
WO2021073170A1 (en) Method and apparatus for data provision and fusion
EP3324572B1 (en) Information transmission method and mobile device
WO2018127081A1 (en) Method and system for obtaining encryption key
JP2018509117A (en) Method, apparatus and system for identity authentication
CN110048849B (en) Multi-layer protection session key negotiation method
CN104639516A (en) Method, equipment and system for authenticating identities
CN104506515A (en) Firmware protection method and firmware protection device
WO2015158172A1 (en) User identity identification card
CN113225352B (en) Data transmission method and device, electronic equipment and storage medium
US20160182230A1 (en) Secure token-based signature schemes using look-up tables
WO2015161689A1 (en) Data processing method based on negotiation key
CN101588245A (en) A kind of method of authentication, system and memory device
CN110635901B (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
US11438316B2 (en) Sharing encrypted items with participants verification
CN102868531A (en) Networked transaction certification system and method
CN104243493A (en) Network identity authentication method and system
US10122755B2 (en) Method and apparatus for detecting that an attacker has sent one or more messages to a receiver node
CN112487380A (en) Data interaction method, device, equipment and medium
CN105141629A (en) Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
KR20210153419A (en) Apparatus and method for authenticating device based on certificate using physical unclonable function

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15848317

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15848317

Country of ref document: EP

Kind code of ref document: A1