WO2020155622A1 - Method, device and system for enhancing security of image data transmission, and storage medium - Google Patents

Method, device and system for enhancing security of image data transmission, and storage medium Download PDF

Info

Publication number
WO2020155622A1
WO2020155622A1 PCT/CN2019/103652 CN2019103652W WO2020155622A1 WO 2020155622 A1 WO2020155622 A1 WO 2020155622A1 CN 2019103652 W CN2019103652 W CN 2019103652W WO 2020155622 A1 WO2020155622 A1 WO 2020155622A1
Authority
WO
WIPO (PCT)
Prior art keywords
image data
key
digital
encryption
digital certificate
Prior art date
Application number
PCT/CN2019/103652
Other languages
French (fr)
Chinese (zh)
Inventor
王铭
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020155622A1 publication Critical patent/WO2020155622A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • This application belongs to the field of information security technology, and relates to methods, devices, systems, and storage media for improving the security of image data transmission.
  • PACS Picture Archiving and Communication Systems
  • the main task of the PACS system is to digitalize various medical images (including images produced by nuclear magnetism, CT, ultrasound, various X-ray machines, various infrared instruments, microscopes and other equipment) through various interfaces. Mass storage, when needed, can be quickly transferred back to use under certain authorization, while adding some auxiliary diagnosis management functions.
  • the remote transmission of medical image data of the PACS system is generally transmitted through DICOM (Digital Imaging and Communications in Medicine, medical digital imaging and communication network protocol), because it is in the local area network or VPN private network (Virtual Private Network, virtual private network). Private network), the security of remote data transmission is not high, so under the existing technical conditions, the PACS system cannot guarantee the security when transmitting medical image data to the cloud of the PACS system.
  • DICOM Digital Imaging and Communications in Medicine
  • VPN private network Virtual Private Network, virtual private network. Private network
  • the embodiments of the present application disclose methods, devices, systems and storage media for improving the security of image data transmission, aiming to improve the security of remote transmission of medical image data.
  • An embodiment of the present application discloses a method for improving the security of image data transmission, applied to a terminal of a medical image information system, including: selecting a first message of any length from medical image data to generate an image data summary; Authorize the private key to encrypt the image data digest to obtain a digital signature; encrypt the medical image data with a random key to obtain image encrypted data; to encrypt the random key with the image data public key to obtain an encrypted secret Key; sending the digital signature, the digital certificate, the image encryption data and the encryption key to the cloud of the medical imaging information system.
  • An embodiment of the application discloses a method for improving the security of image data transmission, which is applied to the cloud of a medical image information system, and is characterized in that it includes: receiving a digital certificate, a digital signature, image encryption data, and an encryption key; The digital certificate is validated; when it is verified that the digital certificate is valid, the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain an image data digest; when the digital authorization is used When the digital authorized public key in the key pair decrypts the digital signature to obtain the image data digest, the image data private key in the image data key pair is used to decrypt the encryption key to obtain a random key When using the image data private key in the image data key pair to decrypt the encryption key to obtain the random key, use the random key to decrypt the image encrypted data to obtain the The medical image data; compare the image data abstract with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, confirm that the medical image data passes safety verification.
  • An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to a terminal of a medical image information system, and includes: an image data summary generating module for selecting a first message of any length from medical image data Generated as an image data digest; a digital signature generation module for encrypting the image data digest with a digitally authorized private key to obtain a digital signature; an image encryption data generating module for encrypting the medical image data with a random key Then obtain the image encrypted data; an encryption key generation module for encrypting the random key with the image data public key to obtain an encryption key; a sending module for sending the digital signature, the digital certificate, and the The image encryption data and the encryption key are sent to the cloud of the medical image information system.
  • An embodiment of the application discloses a device for improving the security of image data transmission, which is applied to the cloud of a medical image information system, and includes: a receiving module for receiving digital certificates, digital signatures, image encryption data, and encryption keys; digital The certificate verification module is used to verify the validity of the digital certificate; the digital certificate decryption module is used to use the digital authorization public key in the digital authorization key pair to give the digital certificate when the digital certificate is valid.
  • an encryption key decryption module for using the image when the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain the image data digest
  • the image data private key in the data key pair is decrypted to the encryption key to obtain a random key
  • the image encryption data decryption module is used for when using the image data private key in the image data key pair to When the encryption key is decrypted to obtain the random key, the random key is used to decrypt the image encrypted data to obtain the medical image data
  • an image data digest comparison module is used to compare the image data The abstract is compared with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
  • Some embodiments of the application disclose a medical imaging information system, which includes a cloud and at least one terminal communicatively connected to the cloud; the terminal includes at least one first memory and at least one first processor, the first A first computer program is stored in the memory, and when the first computer program is executed by the first processor, the method for improving the security of image data transmission applied to the terminal is realized.
  • the cloud includes at least one second memory and at least one second processor.
  • a second computer program is stored in the second memory. When the second computer program is executed by the second processor, it is applied to the Cloud-based methods to improve the security of image data transmission.
  • Some embodiments of the present application disclose a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above-mentioned improved image data transmission applied to the terminal is realized A secure method or a method applied to the cloud to improve the security of image data transmission.
  • the method for improving the security of image data transmission applied to the terminal first selects a first message of any length from the medical image data to generate an image data summary, and then privately authorizes the image data.
  • the key encrypts the image data digest to obtain a digital signature, and then encrypts the medical image data with a random key to obtain image encrypted data, and then encrypts the random key with the image data public key to obtain an encrypted key key.
  • FIG. 1 is a schematic diagram of the method for improving the security of image data transmission by the cloud and the terminal of the PACS system in an embodiment of the application;
  • FIG. 2 is a step diagram of a method for improving image data transmission security applied to the terminal in an embodiment of the application
  • FIG. 3 is a schematic diagram of the steps of generating the first message as the image data summary in an embodiment of this application;
  • FIG. 4 is a schematic diagram of a method for improving the security of image data transmission applied to the cloud in an embodiment of the application
  • FIG. 5 is a schematic diagram of the steps of verifying the digital certificate in an embodiment of this application.
  • FIG. 6 is a schematic diagram of the steps of comparing the image data summary with the same parts in the medical image data in an embodiment of the application;
  • FIG. 7 is a schematic diagram of the steps in generating the image data key pair in an embodiment of the application.
  • FIG. 8 is a schematic diagram of an apparatus for improving the security of image data transmission applied to the terminal in an embodiment of the application
  • FIG. 9 is a schematic diagram of the image data summary generating module 10 in an embodiment of the application.
  • FIG. 10 is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in an embodiment of the application
  • FIG. 11 is a schematic diagram of the digital certificate verification module 200 in an embodiment of the application.
  • FIG. 12 is a schematic diagram of the image data summary comparison module 600 in an embodiment of the application.
  • FIG. 13 is a schematic diagram of an apparatus for improving image data transmission security applied to the cloud in another embodiment of the application.
  • FIG. 14 is a schematic diagram of the image data key pair generation module 70 in an embodiment of the application.
  • 15 is a block diagram of the basic structure of the medical imaging information system in an embodiment of the application.
  • the medical imaging information system is specifically a PACS system (Picture Archiving and Communication Systems for short).
  • the PACS system includes at least one terminal for encryption and a cloud for decryption.
  • the cloud of the PACS system generates a digital certificate, a digital authorization key pair, and an image data key pair.
  • the digital authorization key pair includes a digital authorization private key and a digital authorization public key.
  • the image data key pair includes an image data private key and an image data public key.
  • the cloud shares the generated digital certificate, the digital authorization private key, and the image data public key to the terminal. After the medical image data is collected by the image data collecting device, the medical image data is encrypted through the terminal.
  • An embodiment of the present application discloses a method for improving the security of image data transmission, which is applied to a terminal of a medical image information system.
  • FIG. 1 is a schematic diagram of the method for improving the security of image data transmission performed by the cloud and the terminal of the PACS system in an embodiment of the application
  • FIG. 2 is an implementation of the application
  • a step diagram of a method for improving the security of image data transmission applied to the terminal In the example, a step diagram of a method for improving the security of image data transmission applied to the terminal.
  • the method for improving the security of image data transmission includes:
  • Step A1 Select a first message of any length from the medical image data to generate an image data summary.
  • a one-way hash function is used to generate the first message of any length in the medical image data as the image data digest.
  • the first message and the second message mentioned later refer to data units during exchange and transmission in the network, that is, data blocks to be sent by the station at one time.
  • FIG. 3 it is a schematic diagram of the steps of generating the first message as the image data summary in an embodiment of this application.
  • the step of selecting a first message of any length from the medical image data to generate an image data summary includes:
  • Step A11 Fill the first message so that the result of the remainder of 512 for the byte length of the first message is equal to 448.
  • the step of filling the first message includes: filling a 1 and a certain number of 0s after the first message, and stopping the filling of the first message until it is equal to (L-1) ⁇ 512+448. Fill in a message.
  • Step A12 append a second message represented by a 64-bit binary number after the filled first message.
  • the byte length of the second message is exactly an integer multiple of 512.
  • Step A13 Set 4 integer parameters of 32-bit chaining variables.
  • Step A14 The filled first message and the second message are respectively processed with 512 bits as a packet, and each of the packets is subjected to 4 rounds of transformation, using the 4 32-bit link variables as The initial variable calls 4 bit manipulation functions to calculate the first group.
  • (( ⁇ X)&Z); G(X,Y,Z) (X&Z)
  • Step A15 Output the 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping.
  • the 4 variables corresponding to the last group are used as the image data summary.
  • the 4 variables are the first message and the second message of the fixed length, and finally the fixed length
  • the first message and the second message are the image data digest.
  • Step A2 Encrypt the image data digest with a digital authorized private key to obtain a digital signature (Signature).
  • Step A3 Encrypt the medical image data with a random key (RandomKey) to obtain image encryption data (EncryptData).
  • the random key (RandomKey) can either encrypt the medical image data or decrypt the encrypted image data.
  • Step A4 Encrypt the random key (RandomKey) with the image data public key to obtain an encryption key (EncryptKey).
  • n the product of two unequal prime numbers p and q
  • e an integer, ⁇ (n)>e>1, and e and ⁇ (n ) Is relatively prime
  • ⁇ (n) refers to the Euler function of n
  • (n, e) is the public key of the image data; when m ⁇ n, the random key is encrypted in sections.
  • Step A5 Send the digital signature, the digital certificate, the image encryption data and the encryption key to the cloud of the medical image information system.
  • the method for improving the security of image data transmission applied to the terminal first selects a first message of any length from the medical image data to generate an image data summary, and then privately authorizes the image data.
  • the key encrypts the image data digest to obtain a digital signature, and then encrypts the medical image data with a random key to obtain image encrypted data, and then encrypts the random key with the image data public key to obtain an encrypted key key.
  • An embodiment of the present application discloses a method for improving the security of image data transmission, which is applied to the cloud of a medical image information system.
  • 1 and 4 are schematic diagrams of a method for improving the security of image data transmission applied to the cloud in an embodiment of the application.
  • the method for improving the security of image data transmission includes:
  • S1 Receive digital certificate, digital signature, image encryption data and encryption key.
  • the digital certificate, the digital signature, the image encryption data, and the encryption key are provided by the terminal of the PACS system, and transmitted to the cloud of the PACS system through the network. Wherein, the digital certificate is stored in the terminal.
  • the digital signature is obtained by encrypting the image data digest with the digital authorized private key provided by the cloud.
  • the image encryption data is obtained by encrypting the medical image data with a random key.
  • the encryption key is obtained by encrypting the random key with the image data public key provided by the cloud.
  • the way for the cloud to generate the digital certificate includes:
  • the KEYTOOL tool is a key and certificate management tool, which can manage the generation and installation of keys and digital certificates in a JAVA environment;
  • the digital certificate is directly generated through JAVA code.
  • the principle of directly generating the digital certificate by JAVA code is similar to the principle of generating the digital certificate by the KEYTOOL tool;
  • this is a schematic diagram of the steps of verifying the digital certificate described in an embodiment of this application.
  • the step of verifying the validity of the digital certificate includes:
  • the step of using the image data private key in the image data key pair to decrypt the encryption key includes: applying the image data private key and a decryption formula to decrypt the cipher text of the encryption key.
  • FIG. 6 is a schematic diagram of the steps of comparing the image data summary with the same parts in the medical image data in an embodiment of the application.
  • the step of comparing the image data summary with the medical image data includes:
  • S62 Split the part of the medical image data used to generate the image data summary and import the second data list.
  • S63 Compare the first data list and the second data list to determine whether the first data list and the second data list are consistent. When the first data list and the second data list are consistent, the safety of the medical image data is verified.
  • the method for improving the security of image data transmission further includes generating the image data key pair.
  • the image data key pair includes an image data private key and an image data public key.
  • FIG. 7 it is a schematic diagram of the steps in generating the image data key pair described in an embodiment of this application.
  • the step of generating the image data key pair includes:
  • S76 Encapsulate n and e into image data public keys (n, e), and n and d into image data private keys (n, d).
  • S77 Send the image data public key (n, e) to the terminal that encrypts the plain text of the encryption key.
  • the digital authorization key pair can also be generated.
  • the received digital certificate is first verified, so the terminal with invalid digital certificate can be excluded, and the access of the terminal with invalid digital certificate can be denied.
  • the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature. Further, when the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain the image data digest, the image data private key in the image data key pair is used for the encryption key Decrypt. When the image data private key in the image data key pair is used to decrypt the encryption key to obtain a random key, the random key is used to decrypt the image encrypted data.
  • the medical image data is obtained; the image data abstract is compared with the medical image data; the image data abstract is compared with the medical image data.
  • the safety of the medical image data is verified. Therefore, the forgery of the digital signature can be fully prevented, which is beneficial to improve the security of the medical image data in the remote transmission process.
  • An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to a terminal of a medical image information system.
  • FIG. 8 it is a schematic diagram of an apparatus for improving the security of image data transmission applied to the terminal in an embodiment of the application.
  • the device for improving the security of image data transmission includes:
  • the image data abstract generation module 10 is used to select a first message of any length from the medical image data to generate an image data abstract.
  • the digital signature generating module 20 is used for encrypting the image data digest with a digital authorized private key to obtain a digital signature.
  • the image encryption data generation module 30 is used for encrypting the medical image data with a random key to obtain image encryption data.
  • the encryption key generation module 40 is used to encrypt the random key by the image data public key to obtain an encryption key.
  • the sending module 50 is configured to send the digital signature, the digital certificate, the image encryption data, and the encryption key to the cloud of the medical image information system.
  • FIG. 9 is a schematic diagram of the image data summary generating module 10 in an embodiment of the application.
  • the image data summary generating module 10 includes:
  • the first packet filling submodule 11 is configured to fill the first packet so that the result of the remainder of 512 in the byte length of the first packet is equal to 448.
  • the second message appending submodule 12 is configured to append a second message represented by a 64-bit binary number after the filled first message.
  • the integer parameter setting submodule 13 is used to set the integer parameters of four 32-bit link variables.
  • the packet processing sub-module 14 is configured to process the filled first message and the second message with 512 bits as a group, and each of the groups is subjected to 4 rounds of transformation, and the 4
  • the 32-bit link variable is the starting variable and calls 4 bit operation functions to calculate the first group.
  • the image data summary output sub-module 15 is used to output the 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping; divide the last grouping The corresponding 4 variables are used as the image data summary.
  • An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to the cloud of a medical image information system.
  • FIG. 10 it is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in an embodiment of the application.
  • the device for improving the security of image data transmission includes:
  • the receiving module 100 is used to receive digital certificates, digital signatures, image encryption data, and encryption keys.
  • the digital certificate verification module 200 is used to verify the validity of the digital certificate.
  • the digital certificate decryption module 300 is configured to use the digital authorized public key in the digital authorized key pair to decrypt the digital signature when it is verified that the digital certificate is valid, so as to obtain an image data digest.
  • the encryption key decryption module 400 is configured to use the image data in the image data key pair when using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest
  • the private key decrypts the encryption key to obtain a random key.
  • the image encryption data decryption module 500 is used for when the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key, the random key is used for the The image encryption data is decrypted to obtain the medical image data.
  • the image data summary comparison module 600 is used to compare the image data summary with the medical image data; when the image data summary is consistent with the corresponding part in the medical image data, confirm the medical image The image data passed the security verification.
  • the encryption key decryption module 400 uses the image data private key and a decryption formula to decrypt the cipher text of the encryption key.
  • FIG. 11 is a schematic diagram of the digital certificate verification module 200 in an embodiment of this application.
  • the digital certificate verification module 200 includes:
  • the certificate chain verification sub-module 201 is used to verify the credibility of the certificate chain of the digital certificate.
  • the revocation verification submodule 202 is configured to verify whether the digital certificate is revoked when the certificate chain of the digital certificate is trusted.
  • the validity period verification submodule 203 is configured to verify whether the digital certificate is within the validity period when the digital certificate is not revoked.
  • the domain name verification submodule 204 is configured to verify whether the domain name of the digital certificate matches the current access domain name when the digital certificate is within the validity period. When the domain name of the digital certificate matches the current access domain name, it is confirmed that the digital certificate passes the validity verification.
  • FIG. 12 it is a schematic diagram of the image data summary comparison module 600 in an embodiment of the application.
  • the image data summary comparison module 600 includes:
  • the first data list sub-module 601 is used to split the image data summary and import the first data list.
  • the second data list sub-module 602 is used to split the part of the medical image data used to generate the image data summary and import the second data list.
  • the data list comparison sub-module 603 is configured to compare the first data list and the second data list to determine whether the first data list and the second data list are consistent.
  • FIG. 13 is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in another embodiment of the application.
  • the device for improving the security of image data transmission further includes an image data key pair generation module 700.
  • the image data key pair generation module 700 is used to generate the image data key pair.
  • the image data key pair includes an image data private key and an image data public key.
  • FIG. 14 it is a schematic diagram of the image data key pair generation module 70 in an embodiment of this application.
  • the image data key pair generation module 700 includes:
  • the prime number selection submodule 701 is used to randomly select two unequal prime numbers p and q.
  • the prime number product calculation sub-module 702 is used to calculate the product n of p and q.
  • the Euler function calculation sub-module 703 is used to calculate the Euler function ⁇ (n) of n.
  • the integer selection sub-module 704 is used to randomly select an integer e, where ⁇ (n)>e>1, and e and ⁇ (n) are relatively prime.
  • the modular inverse element calculation sub-module 705 is used to calculate the modular inverse element d of e to ⁇ (n).
  • the encapsulation sub-module 706 is used to encapsulate n and e into image data public keys (n, e), and n and d into image data private keys (n, d).
  • the sending sub-module 707 is configured to send the image data public key (n, e) to the terminal that encrypts the plaintext of the encryption key.
  • FIG. 15 is a block diagram of the basic structure of the medical imaging information system in an embodiment of the application.
  • the medical imaging information system includes a cloud and at least one terminal communicatively connected to the cloud.
  • the terminal includes at least one first memory 801 and at least one first processor 802.
  • a first computer program is stored in the first memory 801, and the first computer program is implemented when executed by the first processor 802. A method for improving the security of image data transmission applied to the terminal.
  • the terminal receives and sends data through the first network interface 803.
  • the cloud includes at least one second memory 804 and at least one second processor 805.
  • a second computer program is stored in the second memory 804, and the second computer program is executed when the second processor 805 is executed.
  • the cloud receives and sends data through the second network interface 806.
  • FIG. 15 only shows the medical imaging information system with components 801-806, but it should be understood that it is not required to implement all the components shown, and more or fewer components may be implemented instead. .
  • the cloud and terminal here can automatically perform numerical calculation and/or information processing equipment according to pre-set or stored instructions.
  • the hardware includes but is not limited to microprocessors, application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Programmable Gate Array (Field-Programmable Gate Array, FPGA), Digital Processor (Digital Signal Processor, DSP), embedded equipment, etc.
  • Both the first memory 801 and the second memory 804 include at least one type of readable storage medium, and the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.) ), random access memory (RAM), static random access memory (SRAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), programmable read only memory (PROM), magnetic memory, magnetic disk , CD, etc.
  • both the first memory 801 and the second memory 804 may be internal storage units, such as the hard disk or memory.
  • both the first memory 801 and the second memory 804 may also be external storage devices, such as plug-in hard disks, Smart Media Card (SMC), and Secure Digital (Secure Digital). , SD) card, flash card (Flash Card), etc.
  • the first memory 801 and the second memory 804 may both include an internal storage unit and an external storage device.
  • the first memory 801 and the second memory 804 are generally used to store operating systems and various application software.
  • the first memory 801 is used to store image data transmission enhancements applied to the terminal.
  • the program code of the secure method, and the second memory 804 is used to store the program code of the method for improving the security of image data transmission applied to the cloud.
  • both the first memory 801 and the second memory 804 can be used to temporarily store various types of data that have been output or will be output.
  • the first processor 802 and the second processor 805 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or other data processing chips.
  • the first processor 802 is configured to run the program code or process data stored in the first memory 801, for example, run the program code of the method for improving the security of image data transmission applied to the terminal.
  • the second processor 805 is configured to run the program code or process data stored in the second memory 804, for example, run the program code of the method for improving the security of image data transmission applied to the cloud.
  • An embodiment of the present application discloses a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above-mentioned improved image data transmission applied to the terminal is realized A secure method or a method applied to the cloud to improve the security of image data transmission.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Measuring And Recording Apparatus For Diagnosis (AREA)
  • Medical Treatment And Welfare Office Work (AREA)

Abstract

The present invention relates to the technical field of information security, and more particularly, relates to a method, device and system for enhancing security of image data transmission, and a storage medium. The method comprises: selecting, from medical image data, a first packet of any length to generate an image data summary; using a digital authorization private key to encrypt the image data summary to obtain a digital signature; using a random key to encrypt the medical image data to obtain encrypted image data; using an image data public key to encrypt the random key to obtain an encrypted key; and sending the digital signature, a digital certificate, the encrypted image data and the encrypted key to a cloud terminal of a medical image information system. The method facilitates enhancing the security of remotely transmitting medical image data.

Description

提高影像数据传输安全的方法、装置、系统及存储介质Method, device, system and storage medium for improving image data transmission security
【交叉引用】【cross reference】
本申请以2019年1月28日提交的申请号为2019100820696,名称为“提高影像数据传输安全的方法、装置、系统及存储介质”的中国发明专利申请为基础,并要求其优先权。This application is based on the Chinese invention patent application filed on January 28, 2019, with the application number 2019100820696, titled "Methods, Devices, Systems and Storage Media for Improving the Security of Image Data Transmission", and claims priority.
【技术领域】【Technical Field】
本申请属于信息安全技术领域,涉及提高影像数据传输安全的方法、装置、系统及存储介质。This application belongs to the field of information security technology, and relates to methods, devices, systems, and storage media for improving the security of image data transmission.
【背景技术】【Background technique】
PACS(医学影像信息系统简称,Picture Archiving and Communication Systems)系统主要应用在医院影像科室的系统。PACS系统主要的任务就是把日常产生的各种医学影像(包括核磁,CT,超声,各种X光机,各种红外仪、显微仪等设备产生的图像)通过各种接口以数字化的方式海量保存起来,当需要的时候在一定的授权下能够很快的调回使用,同时增加一些辅助诊断管理功能。PACS (Picture Archiving and Communication Systems) system is mainly used in the system of hospital imaging department. The main task of the PACS system is to digitalize various medical images (including images produced by nuclear magnetism, CT, ultrasound, various X-ray machines, various infrared instruments, microscopes and other equipment) through various interfaces. Mass storage, when needed, can be quickly transferred back to use under certain authorization, while adding some auxiliary diagnosis management functions.
现有的技术条件下,PACS系统的医学影像数据的远程传输一般通过DICOM(Digital Imaging and Communications in Medicine,医学数字成像和通信网络协议)传输,由于处于局域网内或VPN专线(Virtual Private Network,虚拟专用网络),数据远程传输的安全性不高,因此现有的技术条件下PACS系统无法保证向PACS系统的云端传输医学影像数据时的安全性。Under the existing technical conditions, the remote transmission of medical image data of the PACS system is generally transmitted through DICOM (Digital Imaging and Communications in Medicine, medical digital imaging and communication network protocol), because it is in the local area network or VPN private network (Virtual Private Network, virtual private network). Private network), the security of remote data transmission is not high, so under the existing technical conditions, the PACS system cannot guarantee the security when transmitting medical image data to the cloud of the PACS system.
【发明内容】[Content of the invention]
本申请实施例公开了提高影像数据传输安全的方法、装置、系统及存储介质,旨在提高医学影像数据的远程传输的安全性。The embodiments of the present application disclose methods, devices, systems and storage media for improving the security of image data transmission, aiming to improve the security of remote transmission of medical image data.
本申请的一实施例公开了一种提高影像数据传输安全的方法,应用于医学影像信息系统的终端,包括:从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。An embodiment of the present application discloses a method for improving the security of image data transmission, applied to a terminal of a medical image information system, including: selecting a first message of any length from medical image data to generate an image data summary; Authorize the private key to encrypt the image data digest to obtain a digital signature; encrypt the medical image data with a random key to obtain image encrypted data; to encrypt the random key with the image data public key to obtain an encrypted secret Key; sending the digital signature, the digital certificate, the image encryption data and the encryption key to the cloud of the medical imaging information system.
本申请的一实施例公开了一种提高影像数据传输安全的方法,应用于医学影像信息系统的云端,其特征在于,包括:接收数字证书、数字签名、影像加密数据以及加密密钥;对所述数字证书进行有效性验证;在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。An embodiment of the application discloses a method for improving the security of image data transmission, which is applied to the cloud of a medical image information system, and is characterized in that it includes: receiving a digital certificate, a digital signature, image encryption data, and an encryption key; The digital certificate is validated; when it is verified that the digital certificate is valid, the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain an image data digest; when the digital authorization is used When the digital authorized public key in the key pair decrypts the digital signature to obtain the image data digest, the image data private key in the image data key pair is used to decrypt the encryption key to obtain a random key When using the image data private key in the image data key pair to decrypt the encryption key to obtain the random key, use the random key to decrypt the image encrypted data to obtain the The medical image data; compare the image data abstract with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, confirm that the medical image data passes safety verification.
本申请的一实施例公开了一种提高影像数据传输安全的装置,应用于医学影像信息系统 的终端,包括:影像数据摘要生成模块,用于从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;数字签名生成模块,用于通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;影像加密数据生成模块,用于通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;加密密钥生成模块,用于通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;发送模块,用于将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to a terminal of a medical image information system, and includes: an image data summary generating module for selecting a first message of any length from medical image data Generated as an image data digest; a digital signature generation module for encrypting the image data digest with a digitally authorized private key to obtain a digital signature; an image encryption data generating module for encrypting the medical image data with a random key Then obtain the image encrypted data; an encryption key generation module for encrypting the random key with the image data public key to obtain an encryption key; a sending module for sending the digital signature, the digital certificate, and the The image encryption data and the encryption key are sent to the cloud of the medical image information system.
本申请的一实施例公开了一种提高影像数据传输安全的装置,应用于医学影像信息系统的云端,包括:接收模块,用于接收数字证书、数字签名、影像加密数据以及加密密钥;数字证书验证模块,用于对所述数字证书进行有效性验证;数字证书解密模块,用于在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;加密密钥解密模块,用于当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;影像加密数据解密模块,用于当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;影像数据摘要比对模块,用于将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。An embodiment of the application discloses a device for improving the security of image data transmission, which is applied to the cloud of a medical image information system, and includes: a receiving module for receiving digital certificates, digital signatures, image encryption data, and encryption keys; digital The certificate verification module is used to verify the validity of the digital certificate; the digital certificate decryption module is used to use the digital authorization public key in the digital authorization key pair to give the digital certificate when the digital certificate is valid. Signature decryption to obtain an image data digest; an encryption key decryption module for using the image when the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain the image data digest The image data private key in the data key pair is decrypted to the encryption key to obtain a random key; the image encryption data decryption module is used for when using the image data private key in the image data key pair to When the encryption key is decrypted to obtain the random key, the random key is used to decrypt the image encrypted data to obtain the medical image data; an image data digest comparison module is used to compare the image data The abstract is compared with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
本申请的一些实施例公开了一种医学影像信息系统,包括云端以及与所述云端通信连接的至少一个终端;所述终端包括至少一个第一存储器和至少一个第一处理器,所述第一存储器中存储有第一计算机程序,所述第一计算机程序被所述第一处理器执行时实现应用于所述终端的提高影像数据传输安全的方法。Some embodiments of the application disclose a medical imaging information system, which includes a cloud and at least one terminal communicatively connected to the cloud; the terminal includes at least one first memory and at least one first processor, the first A first computer program is stored in the memory, and when the first computer program is executed by the first processor, the method for improving the security of image data transmission applied to the terminal is realized.
所述云端包括至少一个第二存储器和至少一个第二处理器,所述第二存储器中存储有第二计算机程序,所述第二计算机程序被所述第二处理器执行时实现应用于所述云端的提高影像数据传输安全的方法。The cloud includes at least one second memory and at least one second processor. A second computer program is stored in the second memory. When the second computer program is executed by the second processor, it is applied to the Cloud-based methods to improve the security of image data transmission.
本申请的一些实施例公开了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现上述应用于所述终端的提高影像数据传输安全的方法或者应用于所述云端的提高影像数据传输安全的方法。Some embodiments of the present application disclose a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above-mentioned improved image data transmission applied to the terminal is realized A secure method or a method applied to the cloud to improve the security of image data transmission.
与现有技术相比,本申请公开的技术方案主要有以下有益效果:Compared with the prior art, the technical solution disclosed in this application mainly has the following beneficial effects:
在本申请的实施例中,所述应用于所述终端的提高影像数据传输安全的方法首先从所述医学影像数据中选择任意长度的第一报文生成为影像数据摘要,然后通过数字授权私钥给所述影像数据摘要进行加密得到数字签名,然后通过随机密钥给所述医学影像数据进行加密后得到影像加密数据,然后通过影像数据公钥给所述随机密钥进行加密后得到加密密钥。通过设置上述的多重加密的步骤,有利于提高所述医学影像数据在远程传输过程中的安全性,有利于提高所述医学影像数据在远程传输过程中的安全性。In the embodiment of the present application, the method for improving the security of image data transmission applied to the terminal first selects a first message of any length from the medical image data to generate an image data summary, and then privately authorizes the image data. The key encrypts the image data digest to obtain a digital signature, and then encrypts the medical image data with a random key to obtain image encrypted data, and then encrypts the random key with the image data public key to obtain an encrypted key key. By setting the above-mentioned multiple encryption steps, it is beneficial to improve the security of the medical image data during the remote transmission process, and is beneficial to improve the security of the medical image data during the remote transmission process.
【附图说明】【Explanation of drawings】
为了更清楚地说明本申请实施例的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其它的附图。In order to explain the technical solutions of the embodiments of the present application more clearly, the following will briefly introduce the drawings needed in the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application. For those of ordinary skill in the art, without creative labor, other drawings can be obtained from these drawings.
图1为本申请的一实施例中所述PACS系统的所述云端和所述终端分别执行提高影像数据传输安全的方法的示意图;FIG. 1 is a schematic diagram of the method for improving the security of image data transmission by the cloud and the terminal of the PACS system in an embodiment of the application;
图2为本申请的一实施例中应用于所述终端的提高影像数据传输安全的方法的步骤图;2 is a step diagram of a method for improving image data transmission security applied to the terminal in an embodiment of the application;
图3,为本申请的一实施例中将所述第一报文生成为所述影像数据摘要的步骤示意图;FIG. 3 is a schematic diagram of the steps of generating the first message as the image data summary in an embodiment of this application;
图4为本申请的一实施例中一种应用于所述云端的提高影像数据传输安全的方法的示意图;4 is a schematic diagram of a method for improving the security of image data transmission applied to the cloud in an embodiment of the application;
图5为本申请的一实施例中所述对所述数字证书进行验证的步骤示意图;FIG. 5 is a schematic diagram of the steps of verifying the digital certificate in an embodiment of this application;
图6为本申请的一实施例中所述将所述影像数据摘要与所述医学影像数据中相同的部分 进行比对的步骤示意图;FIG. 6 is a schematic diagram of the steps of comparing the image data summary with the same parts in the medical image data in an embodiment of the application;
图7为本申请的一实施例中所述生成所述影像数据密钥对中的步骤示意图;FIG. 7 is a schematic diagram of the steps in generating the image data key pair in an embodiment of the application;
图8为本申请的一实施例中应用于所述终端的提高影像数据传输安全的装置的示意图;8 is a schematic diagram of an apparatus for improving the security of image data transmission applied to the terminal in an embodiment of the application;
图9为本申请的一实施例中所述影像数据摘要生成模块10的示意图;FIG. 9 is a schematic diagram of the image data summary generating module 10 in an embodiment of the application;
图10为本申请的一实施例中应用于所述云端的提高影像数据传输安全的装置的示意图;10 is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in an embodiment of the application;
图11为本申请的一实施例中所述数字证书验证模块200的示意图;FIG. 11 is a schematic diagram of the digital certificate verification module 200 in an embodiment of the application;
图12为本申请的一实施例中所述影像数据摘要比对模块600的示意图;FIG. 12 is a schematic diagram of the image data summary comparison module 600 in an embodiment of the application;
图13为本申请的另一实施例中应用于所述云端的提高影像数据传输安全的装置的示意图;FIG. 13 is a schematic diagram of an apparatus for improving image data transmission security applied to the cloud in another embodiment of the application;
图14为本申请的一实施例中所述影像数据密钥对生成模块70的示意图;FIG. 14 is a schematic diagram of the image data key pair generation module 70 in an embodiment of the application;
图15为本申请的一实施例中医学影像信息系统的基本结构框图。15 is a block diagram of the basic structure of the medical imaging information system in an embodiment of the application.
【具体实施方式】【detailed description】
为了便于理解本申请,下面将参照相关附图对本申请进行更全面的描述。附图中给出了本申请的较佳实施例。但是,本申请可以以许多不同的形式来实现,并不限于本文所描述的实施例。相反地,提供这些实施例的目的是使对本申请的公开内容的理解更加透彻全面。In order to facilitate the understanding of the application, the application will be described in a more comprehensive manner with reference to the relevant drawings. The preferred embodiments of the application are shown in the drawings. However, this application can be implemented in many different forms and is not limited to the embodiments described herein. On the contrary, the purpose of providing these embodiments is to make the understanding of the disclosure of this application more thorough and comprehensive.
除非另有定义,本文所使用的所有的技术和科学术语与属于本申请的技术领域的技术人员通常理解的含义相同。本文中在本申请的说明书中所使用的术语只是为了描述具体的实施例的目的,不是旨在于限制本申请。Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of this application. The terms used in the specification of the application herein are only for the purpose of describing specific embodiments, and are not intended to limit the application.
在本申请的实施例中,医学影像信息系统具体为PACS系统(医学影像信息系统简称,Picture Archiving and Communication Systems)。所述PACS系统包括至少一个用于加密的终端和用于解密的云端。所述PACS系统的所述云端生成数字证书、数字授权密钥对以及影像数据密钥对。所述数字授权密钥对包括数字授权私钥和数字授权公钥。所述影像数据密钥对包括影像数据私钥和影像数据公钥。所述云端将生成的所述数字证书、所述数字授权私钥以及所述影像数据公钥分享给所述终端。在影像数据采集设备采集到医学影像数据后,通过所述终端给所述医学影像数据进行加密。In the embodiment of this application, the medical imaging information system is specifically a PACS system (Picture Archiving and Communication Systems for short). The PACS system includes at least one terminal for encryption and a cloud for decryption. The cloud of the PACS system generates a digital certificate, a digital authorization key pair, and an image data key pair. The digital authorization key pair includes a digital authorization private key and a digital authorization public key. The image data key pair includes an image data private key and an image data public key. The cloud shares the generated digital certificate, the digital authorization private key, and the image data public key to the terminal. After the medical image data is collected by the image data collecting device, the medical image data is encrypted through the terminal.
本申请的一实施例公开一种提高影像数据传输安全的方法,应用于医学影像信息系统的终端。An embodiment of the present application discloses a method for improving the security of image data transmission, which is applied to a terminal of a medical image information system.
参考图1和图2,其中图1为本申请的一实施例中所述PACS系统的所述云端和所述终端分别执行提高影像数据传输安全的方法的示意图,图2为本申请的一实施例中应用于所述终端的提高影像数据传输安全的方法的步骤图。1 and FIG. 2, where FIG. 1 is a schematic diagram of the method for improving the security of image data transmission performed by the cloud and the terminal of the PACS system in an embodiment of the application, and FIG. 2 is an implementation of the application In the example, a step diagram of a method for improving the security of image data transmission applied to the terminal.
如图1中所示意的,所述提高影像数据传输安全的方法包括:As shown in Fig. 1, the method for improving the security of image data transmission includes:
步骤A1:从医学影像数据中选择任意长度的第一报文生成为影像数据摘要。Step A1: Select a first message of any length from the medical image data to generate an image data summary.
具体而言,应用单向哈希函数将所述医学影像数据中所述任意长度的第一报文生成为所述影像数据摘要。所述第一报文和后文中提到的第二报文均是指网络中交换与传输时的数据单元,即站点一次性要发送的数据块。Specifically, a one-way hash function is used to generate the first message of any length in the medical image data as the image data digest. The first message and the second message mentioned later refer to data units during exchange and transmission in the network, that is, data blocks to be sent by the station at one time.
参考图3,为本申请的一实施例中将所述第一报文生成为所述影像数据摘要的步骤示意图。Referring to FIG. 3, it is a schematic diagram of the steps of generating the first message as the image data summary in an embodiment of this application.
如图3中所示意的,在本申请的实施例中,所述从医学影像数据中选择任意长度的第一报文生成为影像数据摘要的步骤包括:As shown in FIG. 3, in the embodiment of the present application, the step of selecting a first message of any length from the medical image data to generate an image data summary includes:
步骤A11:对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448。Step A11: Fill the first message so that the result of the remainder of 512 for the byte length of the first message is equal to 448.
在选择的任意长度的所述第一报文的字节长度对512求余的结果等于448时,所述第一报文的字节长度将被扩展至(L-1)×512+448,即(L-1)×64+56个字节(Bytes),L指字 节长度。When the byte length of the first message of any length selected is equal to 448, the byte length of the first message will be expanded to (L-1)×512+448, That is (L-1)×64+56 bytes (Bytes), L refers to the byte length.
所述对所述第一报文进行填充步骤包括:在所述第一报文的后面填充一个1和一定数量的0,直到等于(L-1)×512+448时才停止对所述第一报文进行填充。The step of filling the first message includes: filling a 1 and a certain number of 0s after the first message, and stopping the filling of the first message until it is equal to (L-1)×512+448. Fill in a message.
步骤A12:在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文。Step A12: append a second message represented by a 64-bit binary number after the filled first message.
经过步骤A11和步骤A12处理后,所述第一报文和所述第二报文字节长度=(L-1)×512+448+64=L×512,即所述第一报文和所述第二报文的字节长度恰好是512的整数倍。After processing in steps A11 and A12, the byte length of the first message and the second message = (L-1)×512+448+64=L×512, that is, the first message and The byte length of the second message is exactly an integer multiple of 512.
步骤A13:设置4个32位链接变量(Chaining Variable)的整数参数。Step A13: Set 4 integer parameters of 32-bit chaining variables.
在本申请的实施例中,所述4个32位链接变量的整数参分别为:A=0x01234567,B=0x89abcdef,C=0xfedcba98,D=0x76543210。In the embodiment of the application, the integer parameters of the four 32-bit link variables are: A=0x01234567, B=0x89abcdef, C=0xfedcba98, D=0x76543210.
步骤A14:把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算。Step A14: The filled first message and the second message are respectively processed with 512 bits as a packet, and each of the packets is subjected to 4 rounds of transformation, using the 4 32-bit link variables as The initial variable calls 4 bit manipulation functions to calculate the first group.
需要调用的所述4个位操作函数包括:F(X,Y,Z)=(X&Y)|((~X)&Z);G(X,Y,Z)=(X&Z)|(Y&(~Z));H(X,Y,Z)=X^Y^Z;I(X,Y,Z)=Y^(X|(~Z))。The 4 bit manipulation functions that need to be called include: F(X, Y, Z)=(X&Y)|((~X)&Z); G(X,Y,Z)=(X&Z)|(Y&(~ Z)); H(X, Y, Z)=X^Y^Z; I(X,Y,Z)=Y^(X|(~Z)).
步骤A15:输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组。将所述最后一个分组对应的4个变量作为所述影像数据摘要。Step A15: Output the 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping. The 4 variables corresponding to the last group are used as the image data summary.
如果以所述4个变量进行的分组的运算已经是最后一个分组,则所述4个变量为所述固定长度的所述第一报文和所述第二报文,最终以所述固定长度的所述第一报文和所述第二报文为所述影像数据摘要。If the grouping operation performed with the 4 variables is the last grouping, the 4 variables are the first message and the second message of the fixed length, and finally the fixed length The first message and the second message are the image data digest.
步骤A2:通过数字授权私钥给所述影像数据摘要进行加密得到数字签名(Signature)。Step A2: Encrypt the image data digest with a digital authorized private key to obtain a digital signature (Signature).
步骤A3:通过随机密钥(RandomKey)给所述医学影像数据进行加密后得到影像加密数据(EncryptData)。所述随机密钥(RandomKey)既可以对所述医学影像数据进行加密,也可以对所述影像加密数据进行解密。Step A3: Encrypt the medical image data with a random key (RandomKey) to obtain image encryption data (EncryptData). The random key (RandomKey) can either encrypt the medical image data or decrypt the encrypted image data.
步骤A4:通过影像数据公钥给所述随机密钥(RandomKey)进行加密后得到加密密钥(EncryptKey)。Step A4: Encrypt the random key (RandomKey) with the image data public key to obtain an encryption key (EncryptKey).
使用所述影像数据公钥和加密公式m e=c(mod n)对所述随机密钥进行加密获得所述加密密钥;c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文,n为两个不相等的质数p和q的乘积,e为整数,φ(n)>e>1,且e与φ(n)互质,φ(n)指的是n的欧拉函数,(n,e)为所述影像数据公钥;当m≧n时,对所述随机密钥进行分段加密。 Use the image data public key and the encryption formula m e = c (mod n) to encrypt the random key to obtain the encryption key; c is the cipher text of the encryption key, and m is the encryption The plaintext of the encryption key obtained after decrypting the ciphertext of the key, n is the product of two unequal prime numbers p and q, e is an integer, φ(n)>e>1, and e and φ(n ) Is relatively prime, φ(n) refers to the Euler function of n, (n, e) is the public key of the image data; when m≧n, the random key is encrypted in sections.
步骤A5:将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。Step A5: Send the digital signature, the digital certificate, the image encryption data and the encryption key to the cloud of the medical image information system.
在本申请的实施例中,所述应用于所述终端的提高影像数据传输安全的方法首先从所述医学影像数据中选择任意长度的第一报文生成为影像数据摘要,然后通过数字授权私钥给所述影像数据摘要进行加密得到数字签名,然后通过随机密钥给所述医学影像数据进行加密后得到影像加密数据,然后通过影像数据公钥给所述随机密钥进行加密后得到加密密钥。通过设置上述的多重加密的步骤,有利于提高所述医学影像数据在远程传输过程中的安全性。In the embodiment of the present application, the method for improving the security of image data transmission applied to the terminal first selects a first message of any length from the medical image data to generate an image data summary, and then privately authorizes the image data. The key encrypts the image data digest to obtain a digital signature, and then encrypts the medical image data with a random key to obtain image encrypted data, and then encrypts the random key with the image data public key to obtain an encrypted key key. By setting the above-mentioned multiple encryption steps, it is beneficial to improve the security of the medical image data in the remote transmission process.
本申请的一实施例公开一种提高影像数据传输安全的方法,应用于医学影像信息系统的云端。An embodiment of the present application discloses a method for improving the security of image data transmission, which is applied to the cloud of a medical image information system.
参考图1和图4,为本申请的一实施例中一种应用于所述云端的提高影像数据传输安全的方法的示意图。1 and 4 are schematic diagrams of a method for improving the security of image data transmission applied to the cloud in an embodiment of the application.
如图4中所示意的,在本申请的实施例中,所述提高影像数据传输安全的方法包括:As shown in FIG. 4, in an embodiment of the present application, the method for improving the security of image data transmission includes:
S1:接收数字证书、数字签名、影像加密数据以及加密密钥。S1: Receive digital certificate, digital signature, image encryption data and encryption key.
所述数字证书、所述数字签名、所述影像加密数据以及所述加密密钥由所述PACS系统的所述终端提供,并通过网络传输给所述PACS系统的云端。其中,所述数字证书存储在所 述终端。所述数字签名由所述云端提供的数字授权私钥给影像数据摘要进行加密后获得。所述影像加密数据由随机密钥给医学影像数据进行加密后获得。所述加密密钥由所述云端提供的影像数据公钥给所述随机密钥进行加密后获得。The digital certificate, the digital signature, the image encryption data, and the encryption key are provided by the terminal of the PACS system, and transmitted to the cloud of the PACS system through the network. Wherein, the digital certificate is stored in the terminal. The digital signature is obtained by encrypting the image data digest with the digital authorized private key provided by the cloud. The image encryption data is obtained by encrypting the medical image data with a random key. The encryption key is obtained by encrypting the random key with the image data public key provided by the cloud.
在本申请的实施例中,所述云端生成所述数字证书的方式包括:In the embodiment of the present application, the way for the cloud to generate the digital certificate includes:
利用KEYTOOL工具生成所述数字证书。所述KEYTOOL工具是个密钥和证书管理工具,可以在JAVA环境下管理密钥和数字证书证书的生成与安装;Use the KEYTOOL tool to generate the digital certificate. The KEYTOOL tool is a key and certificate management tool, which can manage the generation and installation of keys and digital certificates in a JAVA environment;
通过JAVA代码直接生成所述数字证书。JAVA代码直接生成所述数字证书的原理与所述KEYTOOL工具生成所述数字证书的原理类似;The digital certificate is directly generated through JAVA code. The principle of directly generating the digital certificate by JAVA code is similar to the principle of generating the digital certificate by the KEYTOOL tool;
应用网络在线工具获取数字证书。Use network online tools to obtain digital certificates.
S2:对所述数字证书进行有效性验证。S2: Perform validity verification on the digital certificate.
参考图5,为本申请的一实施例中所述对所述数字证书进行验证的步骤示意图。Referring to FIG. 5, this is a schematic diagram of the steps of verifying the digital certificate described in an embodiment of this application.
如图5中所示意的,在本申请的实施例中,所述对所述数字证书进行有效性验证的步骤包括:As shown in Figure 5, in the embodiment of the present application, the step of verifying the validity of the digital certificate includes:
S21:验证所述数字证书的证书链的可信性。S21: Verify the credibility of the certificate chain of the digital certificate.
S22:在所述数字证书的证书链可信时,验证所述数字证书是否被吊销。S22: When the certificate chain of the digital certificate is trusted, verify whether the digital certificate is revoked.
S23:在所述数字证书没有被吊销时,验证所述数字证书是否在有效期内。S23: When the digital certificate is not revoked, verify whether the digital certificate is within the validity period.
S24:在所述数字证书处于所述有效期内时,验证所述数字证书的域名是否与当前的访问域名相匹配;当所述数字证书的域名与当前的访问域名相匹配时,确认所述数字证书通过有效性验证。S24: When the digital certificate is within the validity period, verify whether the domain name of the digital certificate matches the current access domain name; when the domain name of the digital certificate matches the current access domain name, confirm the number The certificate passes the validity verification.
S3:在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要。S3: When it is verified that the digital certificate is valid, use the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain an image data digest.
S4:当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥。S4: When using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest, use the image data private key in the image data key pair to give the encryption key Decrypt the key to obtain a random key.
所述使用影像数据密钥对中的影像数据私钥给所述加密密钥解密的步骤包括:应用所述影像数据私钥和解密公式对所述加密密钥的密文解密。所述解密公式为c d=m(mod n),其中(n,d)为所述影像数据私钥,c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文。 The step of using the image data private key in the image data key pair to decrypt the encryption key includes: applying the image data private key and a decryption formula to decrypt the cipher text of the encryption key. The decryption formula is c d = m(mod n), where (n, d) is the private key of the image data, c is the cipher text of the encryption key, and m is the cipher text of the encryption key The plaintext of the encryption key obtained after decryption.
S5:当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据。S5: When using the image data private key in the image data key pair to decrypt the encryption key to obtain the random key, use the random key to decrypt the image encrypted data to obtain The medical imaging data.
S6:将所述影像数据摘要与所述医学影像数据中进行比对。在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。S6: Compare the image data summary with the medical image data. When the image data summary is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
参考图6,为本申请的一实施例中所述将所述影像数据摘要与所述医学影像数据中相同的部分进行比对的步骤示意图。Refer to FIG. 6, which is a schematic diagram of the steps of comparing the image data summary with the same parts in the medical image data in an embodiment of the application.
如图6中所示意的,在本申请的一些实施例中,所述将所述影像数据摘要与所述医学影像数据中进行比对的步骤包括:As shown in FIG. 6, in some embodiments of the present application, the step of comparing the image data summary with the medical image data includes:
S61:对所述影像数据摘要进行拆分并导入第一数据列表。S61: Split the image data summary and import the first data list.
S62:对所述医学影像数据中用于生成影像数据摘要的部分进行拆分并导入第二数据列表。S62: Split the part of the medical image data used to generate the image data summary and import the second data list.
S63:将所述第一数据列表和所述第二数据列表中进行比对,以判断所述第一数据列表和所述第二数据列表是否一致。在所述第一数据列表和所述第二数据列表一致时,所述医学影像数据的安全性通过验证。S63: Compare the first data list and the second data list to determine whether the first data list and the second data list are consistent. When the first data list and the second data list are consistent, the safety of the medical image data is verified.
所述提高影像数据传输安全的方法还包括生成所述影像数据密钥对。所述影像数据密钥对包括影像数据私钥和影像数据公钥。The method for improving the security of image data transmission further includes generating the image data key pair. The image data key pair includes an image data private key and an image data public key.
参考图7,为本申请的一实施例中所述生成所述影像数据密钥对中的步骤示意图。Referring to FIG. 7, it is a schematic diagram of the steps in generating the image data key pair described in an embodiment of this application.
如图7中所示意的,所述生成所述影像数据密钥对的步骤包括:As shown in FIG. 7, the step of generating the image data key pair includes:
S71:随机选择两个不相等的质数p和q。S71: Randomly select two unequal prime numbers p and q.
S72:计算p和q的乘积n。S72: Calculate the product n of p and q.
S73:计算n的欧拉函数φ(n)。S73: Calculate the Euler function φ(n) of n.
S74:随机选择一个整数e,其中φ(n)>e>1,且e与φ(n)互质。S74: Randomly select an integer e, where φ(n)>e>1, and e and φ(n) are relatively prime.
S75:计算e对于φ(n)的模反元素d。S75: Calculate the modular inverse element d of e to φ(n).
S76:将n和e封装成影像数据公钥(n,e),n和d封装成影像数据私钥(n,d)。S76: Encapsulate n and e into image data public keys (n, e), and n and d into image data private keys (n, d).
S77:将所述影像数据公钥(n,e)发送给对所述加密密钥的明文进行加密的终端。S77: Send the image data public key (n, e) to the terminal that encrypts the plain text of the encryption key.
举例而言,随机选择两个不相等的质数47和59。47与59的乘积为43×57=2773。For example, two unequal prime numbers 47 and 59 are randomly selected. The product of 47 and 59 is 43×57=2773.
计算欧拉函数的公式为φ(n)=n(1-1/p)(1-1/q),根据所述欧拉函数的公式计算φ(2773),φ(2773)=2773×(1-1/47)(1-1/59)=(47-1)(59-1)=2668。The formula for calculating Euler function is φ(n)=n(1-1/p)(1-1/q), according to the formula of Euler function, φ(2773) is calculated, φ(2773)=2773×( 1-1/47)(1-1/59)=(47-1)(59-1)=2668.
在1与2668之间随机选择一个整数e=63,2668>63>1,并且63与2668互质。然后计算63对于2668的模反元素d,根据公式
Figure PCTCN2019103652-appb-000001
有63d-1=2668k,由欧几里得扩展公式计算得d=847。影像数据公钥(n,e)=(2773,63),影像数据私钥(n,d)=(2773,847)。
Randomly select an integer e=63 between 1 and 2668, 2668>63>1, and 63 and 2668 are relatively prime. Then calculate the inverse element d of 63 for 2668, according to the formula
Figure PCTCN2019103652-appb-000001
There is 63d-1=2668k, and d=847 calculated by the Euclidean expansion formula. The image data public key (n, e) = (2773, 63), and the image data private key (n, d) = (2773, 847).
参照上述方法,还可以生成所述数字授权密钥对。With reference to the above method, the digital authorization key pair can also be generated.
在本申请的实施例中,首先对接收到的所述数字证书进行验证,因此可以排除所述数字证书无效的终端,进而可以拒绝所述数字证书无效的终端的访问。In the embodiment of the present application, the received digital certificate is first verified, so the terminal with invalid digital certificate can be excluded, and the access of the terminal with invalid digital certificate can be denied.
其次,在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密。进一步地,当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密。当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到随机密钥时,使用所述随机密钥给所述影像加密数据解密。通过设置上述的多重解密的步骤,有利于提高所述医学影像数据在远程传输过程中的安全性。Secondly, when it is verified that the digital certificate is valid, the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature. Further, when the digital authorization public key in the digital authorization key pair is used to decrypt the digital signature to obtain the image data digest, the image data private key in the image data key pair is used for the encryption key Decrypt. When the image data private key in the image data key pair is used to decrypt the encryption key to obtain a random key, the random key is used to decrypt the image encrypted data. By setting the above-mentioned multiple decryption steps, it is beneficial to improve the security of the medical image data in the remote transmission process.
再者,当使用所述随机密钥给所述影像加密数据解密成功时得到所述医学影像数据;将所述影像数据摘要与所述医学影像数据进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,所述医学影像数据的安全性通过验证。因此能够充分防止伪造所述数字签名,有利于提高所述医学影像数据在远程传输过程中的安全性。Furthermore, when the random key is used to decrypt the image encrypted data successfully, the medical image data is obtained; the image data abstract is compared with the medical image data; the image data abstract is compared with the medical image data. When the corresponding parts in the medical image data are consistent, the safety of the medical image data is verified. Therefore, the forgery of the digital signature can be fully prevented, which is beneficial to improve the security of the medical image data in the remote transmission process.
本申请的一实施例公开了一种提高影像数据传输安全的装置,应用于医学影像信息系统的终端。An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to a terminal of a medical image information system.
参考图8,为本申请的一实施例中应用于所述终端的提高影像数据传输安全的装置的示意图。Referring to FIG. 8, it is a schematic diagram of an apparatus for improving the security of image data transmission applied to the terminal in an embodiment of the application.
如图8中所示意的,所述提高影像数据传输安全的装置包括:As shown in FIG. 8, the device for improving the security of image data transmission includes:
影像数据摘要生成模块10,用于从所述医学影像数据中选择任意长度的第一报文生成为影像数据摘要。The image data abstract generation module 10 is used to select a first message of any length from the medical image data to generate an image data abstract.
数字签名生成模块20,用于通过数字授权私钥给所述影像数据摘要进行加密得到数字签名。The digital signature generating module 20 is used for encrypting the image data digest with a digital authorized private key to obtain a digital signature.
影像加密数据生成模块30,用于通过随机密钥给所述医学影像数据进行加密后得到影像加密数据。The image encryption data generation module 30 is used for encrypting the medical image data with a random key to obtain image encryption data.
加密密钥生成模块40,用于通过影像数据公钥给所述随机密钥进行加密后得到加密密钥。The encryption key generation module 40 is used to encrypt the random key by the image data public key to obtain an encryption key.
发送模块50,用于将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。The sending module 50 is configured to send the digital signature, the digital certificate, the image encryption data, and the encryption key to the cloud of the medical image information system.
参考图9,为本申请的一实施例中所述影像数据摘要生成模块10的示意图。Refer to FIG. 9, which is a schematic diagram of the image data summary generating module 10 in an embodiment of the application.
在本申请的一些实施例中,所述影像数据摘要生成模块10包括:In some embodiments of the present application, the image data summary generating module 10 includes:
第一报文填充子模块11,用于对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448。The first packet filling submodule 11 is configured to fill the first packet so that the result of the remainder of 512 in the byte length of the first packet is equal to 448.
第二报文附加子模块12,用于在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文。The second message appending submodule 12 is configured to append a second message represented by a 64-bit binary number after the filled first message.
整数参数设置子模块13,用于设置4个32位链接变量的整数参数。The integer parameter setting submodule 13 is used to set the integer parameters of four 32-bit link variables.
分组处理子模块14,用于把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算。The packet processing sub-module 14 is configured to process the filled first message and the second message with 512 bits as a group, and each of the groups is subjected to 4 rounds of transformation, and the 4 The 32-bit link variable is the starting variable and calls 4 bit operation functions to calculate the first group.
影像数据摘要输出子模块15,用于输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组;将所述最后一个分组对应的4个变量作为所述影像数据摘要。The image data summary output sub-module 15 is used to output the 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping; divide the last grouping The corresponding 4 variables are used as the image data summary.
在本申请的一些实施例中,所述加密密钥生成模块40使用所述影像数据公钥和加密公式m e=c(mod n)对所述随机密钥进行加密获得所述加密密钥;c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文,n为两个不相等的质数p和q的乘积,e为整数,φ(n)>e>1,且e与φ(n)互质,φ(n)指的是n的欧拉函数,(n,e)为所述影像数据公钥;当m≧n时,对所述随机密钥进行分段加密。 In some embodiments of the present application, the encryption key generation module 40 uses the image data public key and an encryption formula me = c (mod n) to encrypt the random key to obtain the encryption key; c is the ciphertext of the encryption key, m is the plaintext of the encryption key obtained after decrypting the ciphertext of the encryption key, n is the product of two unequal prime numbers p and q, and e is Integer, φ(n)>e>1, and e and φ(n) are relatively prime, φ(n) refers to the Euler function of n, (n, e) is the public key of the image data; when m≧ When n, the random key is encrypted in segments.
本申请的一实施例公开了一种提高影像数据传输安全的装置,应用于医学影像信息系统的云端。An embodiment of the present application discloses a device for improving the security of image data transmission, which is applied to the cloud of a medical image information system.
参考图10,为本申请的一实施例中应用于所述云端的提高影像数据传输安全的装置的示意图。Referring to FIG. 10, it is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in an embodiment of the application.
如图10中所示意的,所述提高影像数据传输安全的装置包括:As shown in FIG. 10, the device for improving the security of image data transmission includes:
接收模块100,用于接收数字证书、数字签名、影像加密数据以及加密密钥。The receiving module 100 is used to receive digital certificates, digital signatures, image encryption data, and encryption keys.
数字证书验证模块200,用于对所述数字证书进行有效性验证。The digital certificate verification module 200 is used to verify the validity of the digital certificate.
数字证书解密模块300,用于在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要。The digital certificate decryption module 300 is configured to use the digital authorized public key in the digital authorized key pair to decrypt the digital signature when it is verified that the digital certificate is valid, so as to obtain an image data digest.
加密密钥解密模块400,用于当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥。The encryption key decryption module 400 is configured to use the image data in the image data key pair when using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest The private key decrypts the encryption key to obtain a random key.
影像加密数据解密模块500,用于当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据。The image encryption data decryption module 500 is used for when the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key, the random key is used for the The image encryption data is decrypted to obtain the medical image data.
影像数据摘要比对模块600,用于将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。The image data summary comparison module 600 is used to compare the image data summary with the medical image data; when the image data summary is consistent with the corresponding part in the medical image data, confirm the medical image The image data passed the security verification.
在本申请的一些实施例中,所述加密密钥解密模块400应用所述影像数据私钥和解密公式对所述加密密钥的密文解密。所述解密公式为c d=m(mod n),其中(n,d)为所述影像数据私钥,c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文。 In some embodiments of the present application, the encryption key decryption module 400 uses the image data private key and a decryption formula to decrypt the cipher text of the encryption key. The decryption formula is c d = m(mod n), where (n, d) is the private key of the image data, c is the cipher text of the encryption key, and m is the cipher text of the encryption key The plaintext of the encryption key obtained after decryption.
参考图11,为本申请的一实施例中所述数字证书验证模块200的示意图。Refer to FIG. 11, which is a schematic diagram of the digital certificate verification module 200 in an embodiment of this application.
如图11中所示意的,在本申请的一些实施例中,所述数字证书验证模块200包括:As shown in FIG. 11, in some embodiments of the present application, the digital certificate verification module 200 includes:
证书链验证子模块201,用于验证所述数字证书的证书链的可信性。The certificate chain verification sub-module 201 is used to verify the credibility of the certificate chain of the digital certificate.
吊销验证子模块202,用于在所述数字证书的证书链可信时,验证所述数字证书是否被吊销。The revocation verification submodule 202 is configured to verify whether the digital certificate is revoked when the certificate chain of the digital certificate is trusted.
有效期验证子模块203,用于在所述数字证书没有被吊销时,验证所述数字证书是否在有效期内。The validity period verification submodule 203 is configured to verify whether the digital certificate is within the validity period when the digital certificate is not revoked.
域名验证子模块204,用于在所述数字证书处于所述有效期内时,验证所述数字证书的域名是否与当前的访问域名相匹配。当所述数字证书的域名与当前的访问域名相匹配时,确认所述数字证书通过有效性验证。The domain name verification submodule 204 is configured to verify whether the domain name of the digital certificate matches the current access domain name when the digital certificate is within the validity period. When the domain name of the digital certificate matches the current access domain name, it is confirmed that the digital certificate passes the validity verification.
参考图12,为本申请的一实施例中所述影像数据摘要比对模块600的示意图。Referring to FIG. 12, it is a schematic diagram of the image data summary comparison module 600 in an embodiment of the application.
如图12中所示意的,在本申请的一些实施例中,所述影像数据摘要比对模块600包括:As shown in FIG. 12, in some embodiments of the present application, the image data summary comparison module 600 includes:
第一数据列表子模块601,用于对所述影像数据摘要进行拆分并导入第一数据列表。The first data list sub-module 601 is used to split the image data summary and import the first data list.
第二数据列表子模块602,用于对所述医学影像数据中用于生成影像数据摘要的部分进行拆分并导入第二数据列表。The second data list sub-module 602 is used to split the part of the medical image data used to generate the image data summary and import the second data list.
数据列表比对子模块603,用于将所述第一数据列表和所述第二数据列表中进行比对,以判断所述第一数据列表和所述第二数据列表是否一致。The data list comparison sub-module 603 is configured to compare the first data list and the second data list to determine whether the first data list and the second data list are consistent.
参考图13,为本申请的另一实施例中应用于所述云端的提高影像数据传输安全的装置的示意图。Refer to FIG. 13, which is a schematic diagram of an apparatus for improving the security of image data transmission applied to the cloud in another embodiment of the application.
如图13中所示意的,所述提高影像数据传输安全的装置还包括影像数据密钥对生成模块700。所述影像数据密钥对生成模块700用于生成所述影像数据密钥对。所述影像数据密钥对包括影像数据私钥和影像数据公钥。As shown in FIG. 13, the device for improving the security of image data transmission further includes an image data key pair generation module 700. The image data key pair generation module 700 is used to generate the image data key pair. The image data key pair includes an image data private key and an image data public key.
参考图14,为本申请的一实施例中所述影像数据密钥对生成模块70的示意图。Referring to FIG. 14, it is a schematic diagram of the image data key pair generation module 70 in an embodiment of this application.
如图14中所示意的,在本申请的一些实施例中,所述影像数据密钥对生成模块700包括:As shown in FIG. 14, in some embodiments of the present application, the image data key pair generation module 700 includes:
质数选择子模块701,用于随机选择两个不相等的质数p和q。The prime number selection submodule 701 is used to randomly select two unequal prime numbers p and q.
质数乘积计算子模块702,用于计算p和q的乘积n。The prime number product calculation sub-module 702 is used to calculate the product n of p and q.
欧拉函数计算子模块703,用于计算n的欧拉函数φ(n)。The Euler function calculation sub-module 703 is used to calculate the Euler function φ(n) of n.
整数选择子模块704,用于随机选择一个整数e,其中φ(n)>e>1,且e与φ(n)互质。The integer selection sub-module 704 is used to randomly select an integer e, where φ(n)>e>1, and e and φ(n) are relatively prime.
模反元素计算子模块705,用于计算e对于φ(n)的模反元素d。The modular inverse element calculation sub-module 705 is used to calculate the modular inverse element d of e to φ(n).
封装子模块706,用于将n和e封装成影像数据公钥(n,e),n和d封装成影像数据私钥(n,d)。The encapsulation sub-module 706 is used to encapsulate n and e into image data public keys (n, e), and n and d into image data private keys (n, d).
发送子模块707,用于将所述影像数据公钥(n,e)发送给对所述加密密钥的明文进行加密的终端。The sending sub-module 707 is configured to send the image data public key (n, e) to the terminal that encrypts the plaintext of the encryption key.
本申请的一些实施例公开了一种医学影像信息系统。请参考图15,为本申请的一实施例中医学影像信息系统的基本结构框图。Some embodiments of the application disclose a medical imaging information system. Please refer to FIG. 15, which is a block diagram of the basic structure of the medical imaging information system in an embodiment of the application.
如图15中所示意的,所述医学影像信息系统包括云端以及与所述云端通信连接的至少一个终端。所述终端包括至少一个第一存储器801和至少一个第一处理器802,所述第一存储器801中存储有第一计算机程序,所述第一计算机程序被所述第一处理器802执行时实现应用于所述终端的提高影像数据传输安全的方法。所述终端通过第一网络接口803接收和发送数据。As shown in FIG. 15, the medical imaging information system includes a cloud and at least one terminal communicatively connected to the cloud. The terminal includes at least one first memory 801 and at least one first processor 802. A first computer program is stored in the first memory 801, and the first computer program is implemented when executed by the first processor 802. A method for improving the security of image data transmission applied to the terminal. The terminal receives and sends data through the first network interface 803.
所述云端包括至少一个第二存储器804和至少一个第二处理器805,所述第二存储器804中存储有第二计算机程序,所述第二计算机程序被所述第二处理器805执行时实现应用于所述云端的提高影像数据传输安全的方法。所述云端通过第二网络接口806接收和发送数据。The cloud includes at least one second memory 804 and at least one second processor 805. A second computer program is stored in the second memory 804, and the second computer program is executed when the second processor 805 is executed. A method for improving the security of image data transmission applied to the cloud. The cloud receives and sends data through the second network interface 806.
需要指出的是,图15中仅示出了具有组件801-806的医学影像信息系统,但是应理解的是,并不要求实施所有示出的组件,可以替代的实施更多或者更少的组件。本技术领域技术人员应当理解,这里的云端和终端能够按照事先设定或存储的指令,自动进行数值计算和/或信息处理的设备,其硬件包括但不限于微处理器、专用集成电路(Application Specific Integrated Circuit,ASIC)、可编程门阵列(Field-Programmable Gate Array,FPGA)、数字处理器(Digital Signal Processor,DSP)、嵌入式设备等。It should be pointed out that FIG. 15 only shows the medical imaging information system with components 801-806, but it should be understood that it is not required to implement all the components shown, and more or fewer components may be implemented instead. . Those skilled in the art should understand that the cloud and terminal here can automatically perform numerical calculation and/or information processing equipment according to pre-set or stored instructions. The hardware includes but is not limited to microprocessors, application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Programmable Gate Array (Field-Programmable Gate Array, FPGA), Digital Processor (Digital Signal Processor, DSP), embedded equipment, etc.
所述第一存储器801和所述第二存储器804都至少包括一种类型的可读存储介质,所述可读存储介质包括闪存、硬盘、多媒体卡、卡型存储器(例如,SD或DX存储器等)、随机访问存储器(RAM)、静态随机访问存储器(SRAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、可编程只读存储器(PROM)、磁性存储器、磁盘、光盘等。在一些实施例中,所述第一存储器801和所述第二存储器804都可以是内部存储单元,例如该硬盘或内存。在另一些实施例中,所述第一存储器801和所述第二存储器804也都可以是外部存储设备,例如插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。当然,所述第一存储器801和所述第二存储器804可以都包括内部存储单元和外部存储设备。本实施例中,所述第一存储器801和所述第二存储器804通常用于存储操作系统和各类应用软件,例如所述第一存储器801用于存储应用于所述终端 的提高影像数据传输安全的方法的程序代码,所述第二存储器804用于存储应用于所述云端的提高影像数据传输安全的方法的程序代码。此外,所述第一存储器801和所述第二存储器804都可以用于暂时地存储已经输出或者将要输出的各类数据。Both the first memory 801 and the second memory 804 include at least one type of readable storage medium, and the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.) ), random access memory (RAM), static random access memory (SRAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), programmable read only memory (PROM), magnetic memory, magnetic disk , CD, etc. In some embodiments, both the first memory 801 and the second memory 804 may be internal storage units, such as the hard disk or memory. In other embodiments, both the first memory 801 and the second memory 804 may also be external storage devices, such as plug-in hard disks, Smart Media Card (SMC), and Secure Digital (Secure Digital). , SD) card, flash card (Flash Card), etc. Of course, the first memory 801 and the second memory 804 may both include an internal storage unit and an external storage device. In this embodiment, the first memory 801 and the second memory 804 are generally used to store operating systems and various application software. For example, the first memory 801 is used to store image data transmission enhancements applied to the terminal. The program code of the secure method, and the second memory 804 is used to store the program code of the method for improving the security of image data transmission applied to the cloud. In addition, both the first memory 801 and the second memory 804 can be used to temporarily store various types of data that have been output or will be output.
所述第一处理器802和所述第二处理器805在一些实施例中可以是中央处理器(Central Processing Unit,CPU)、控制器、微控制器、微处理器、或其他数据处理芯片。在本实施例中,所述第一处理器802用于运行所述第一存储器801中存储的程序代码或者处理数据,例如运行上述应用于所述终端的提高影像数据传输安全的方法的程序代码。所述第二处理器805用于运行所述第二存储器804中存储的程序代码或者处理数据,例如运行上述应用于所述云端的提高影像数据传输安全的方法的程序代码。In some embodiments, the first processor 802 and the second processor 805 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or other data processing chips. In this embodiment, the first processor 802 is configured to run the program code or process data stored in the first memory 801, for example, run the program code of the method for improving the security of image data transmission applied to the terminal. . The second processor 805 is configured to run the program code or process data stored in the second memory 804, for example, run the program code of the method for improving the security of image data transmission applied to the cloud.
本申请的一实施例公开了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现上述应用于所述终端的提高影像数据传输安全的方法或者应用于所述云端的提高影像数据传输安全的方法。An embodiment of the present application discloses a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above-mentioned improved image data transmission applied to the terminal is realized A secure method or a method applied to the cloud to improve the security of image data transmission.
最后应说明的是,显然以上所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例,附图中给出了本申请的较佳实施例,但并不限制本申请的专利范围。本申请可以以许多不同的形式来实现,相反地,提供这些实施例的目的是使对本申请的公开内容的理解更加透彻全面。尽管参照前述实施例对本申请进行了详细的说明,对于本领域的技术人员来而言,其依然可以对前述各具体实施方式所记载的技术方案进行修改,或者对其中部分技术特征进行等效替换。凡是利用本申请说明书及附图内容所做的等效结构,直接或间接运用在其他相关的技术领域,均同理在本申请专利保护范围之内。Finally, it should be noted that, obviously, the embodiments described above are only a part of the embodiments of this application, not all of them. The drawings show the preferred embodiments of this application, but do not limit the patents of this application. range. This application can be implemented in many different forms. On the contrary, the purpose of providing these examples is to make the understanding of the disclosure of this application more thorough and comprehensive. Although the application has been described in detail with reference to the foregoing embodiments, for those skilled in the art, it is still possible for those skilled in the art to modify the technical solutions described in the foregoing specific embodiments, or equivalently replace some of the technical features. . All equivalent structures made by using the contents of the description and drawings of this application, directly or indirectly used in other related technical fields, are similarly within the scope of patent protection of this application.

Claims (20)

  1. 一种提高影像数据传输安全的方法,应用于医学影像信息系统的终端,其特征在于,包括:A method for improving the security of image data transmission, applied to a terminal of a medical image information system, is characterized in that it includes:
    从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;Select the first message of any length from the medical image data to generate the image data summary;
    通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;Encrypting the image data digest with a digital authorized private key to obtain a digital signature;
    通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;Encrypt the medical image data by a random key to obtain image encrypted data;
    通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;The random key is encrypted by the image data public key to obtain an encryption key;
    将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。The digital signature, the digital certificate, the image encryption data, and the encryption key are sent to the cloud of the medical image information system.
  2. 根据权利要求1所述提高影像数据传输安全的方法,其特征在于,所述从医学影像数据中选择任意长度的第一报文生成为影像数据摘要的步骤包括:The method for improving the security of image data transmission according to claim 1, wherein the step of selecting a first message of any length from medical image data to generate an image data summary comprises:
    对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448;Pad the first message so that the result of the remainder of 512 for the byte length of the first message is equal to 448;
    在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文;Append a second message represented by a 64-bit binary number after the filled first message;
    设置4个32位链接变量的整数参数;Set 4 integer parameters of 32-bit link variables;
    把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算;The filled first message and the second message are respectively processed with 512 bits as a packet, and each of the packets is subjected to 4 rounds of transformation, with the 4 32-bit link variables as the starting variables Call 4 bit manipulation functions to calculate the first group;
    输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组;Output 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping;
    将所述最后一个分组对应的4个变量作为所述影像数据摘要。The 4 variables corresponding to the last group are used as the image data summary.
  3. 根据权利要求1所述提高影像数据传输安全的方法,其特征在于,所述通过影像数据公钥给所述随机密钥进行加密后得到加密密钥的步骤包括:The method for improving the security of image data transmission according to claim 1, wherein the step of encrypting the random key with the image data public key to obtain an encryption key comprises:
    使用所述影像数据公钥和加密公式m e=c(mod n)对所述随机密钥进行加密获得所述加密密钥; Encrypting the random key using the image data public key and an encryption formula me = c(mod n) to obtain the encryption key;
    c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文,n为两个不相等的质数的乘积,e为整数,φ(n)>e>1,且e与φ(n)互质,φ(n)指的是n的欧拉函数,(n,e)为所述影像数据公钥;c is the ciphertext of the encryption key, m is the plaintext of the encryption key obtained after decrypting the ciphertext of the encryption key, n is the product of two unequal prime numbers, e is an integer, φ (n)>e>1, and e and φ(n) are relatively prime, φ(n) refers to the Euler function of n, and (n, e) is the public key of the image data;
    当m≧n时,对所述随机密钥进行分段加密。When m≧n, the random key is encrypted in segments.
  4. 一种提高影像数据传输安全的方法,应用于医学影像信息系统的云端,其特征在于,包括:A method for improving the security of image data transmission, applied to the cloud of a medical image information system, is characterized in that it includes:
    接收数字证书、数字签名、影像加密数据以及加密密钥;Receive digital certificates, digital signatures, image encryption data and encryption keys;
    对所述数字证书进行有效性验证;Verify the validity of the digital certificate;
    在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;When it is verified that the digital certificate is valid, use the digital authorized public key in the digital authorized key pair to decrypt the digital signature to obtain an image data digest;
    当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;When using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest, use the image data private key in the image data key pair to decrypt the encryption key To get a random key;
    当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;When the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key, the random key is used to decrypt the image encrypted data to obtain the Medical imaging data;
    将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。The image data abstract is compared with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
  5. 根据权利要求4所述提高影像数据传输安全的方法,其特征在于,所述对所述数字证书进行有效性验证的步骤包括:The method for improving the security of image data transmission according to claim 4, wherein the step of verifying the validity of the digital certificate comprises:
    验证所述数字证书的证书链的可信性;Verify the credibility of the certificate chain of the digital certificate;
    在所述数字证书的证书链可信时,验证所述数字证书是否被吊销;When the certificate chain of the digital certificate is trusted, verifying whether the digital certificate is revoked;
    在所述数字证书没有被吊销时,验证所述数字证书是否在有效期内;When the digital certificate is not revoked, verifying whether the digital certificate is within the validity period;
    在所述数字证书处于所述有效期内时,验证所述数字证书的域名是否与当前的访问域名相匹配;When the digital certificate is within the validity period, verify whether the domain name of the digital certificate matches the current access domain name;
    当所述数字证书的域名与当前的访问域名相匹配时,确认所述数字证书通过有效性验证。When the domain name of the digital certificate matches the current access domain name, it is confirmed that the digital certificate passes the validity verification.
  6. 根据权利要求4所述提高影像数据传输安全的方法,其特征在于,所述将所述影像数据摘要与所述医学影像数据中进行比对的步骤包括:The method for improving the security of image data transmission according to claim 4, wherein the step of comparing the image data summary with the medical image data comprises:
    对所述影像数据摘要进行拆分并导入第一数据列表;Split the image data summary and import the first data list;
    对所述医学影像数据中用于生成影像数据摘要的部分进行拆分并导入第二数据列表;Splitting the part of the medical image data used to generate the image data summary and importing the second data list;
    将所述第一数据列表和所述第二数据列表中进行比对,以判断所述第一数据列表和所述第二数据列表是否一致。The first data list and the second data list are compared to determine whether the first data list and the second data list are consistent.
  7. 一种提高影像数据传输安全的装置,应用于医学影像信息系统的终端,其特征在于,包括:A device for improving the security of image data transmission, applied to a terminal of a medical image information system, characterized in that it includes:
    影像数据摘要生成模块,用于从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;The image data summary generating module is used to select the first message of any length from the medical image data to generate the image data summary;
    数字签名生成模块,用于通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;A digital signature generating module, which is used to encrypt the image data digest with a digital authorized private key to obtain a digital signature;
    影像加密数据生成模块,用于通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;An image encryption data generation module, used for encrypting the medical image data by a random key to obtain image encryption data;
    加密密钥生成模块,用于通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;Encryption key generation module, used for encrypting the random key by the image data public key to obtain an encryption key;
    发送模块,用于将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。The sending module is used to send the digital signature, the digital certificate, the image encryption data, and the encryption key to the cloud of the medical image information system.
  8. 根据权利要求7所述的提高影像数据传输安全的装置,其特征在于,所述影像数据摘要生成模块进一步包括:The device for improving the security of image data transmission according to claim 7, wherein the image data summary generating module further comprises:
    第一报文填充子模块,用于对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448;The first packet filling submodule is used to fill the first packet so that the result of the remainder of 512 for the byte length of the first packet is equal to 448;
    第二报文附加子模块,用于在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文;The second message appending submodule is used to append a second message represented by a 64-bit binary number after the filled first message;
    整数参数设置子模块,用于设置4个32位链接变量的整数参数;Integer parameter setting sub-module, used to set the integer parameters of 4 32-bit link variables;
    分组处理子模块,用于把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算;The packet processing sub-module is used to process the filled first packet and the second packet with 512 bits as a packet, and each packet is subjected to 4 rounds of transformation, using the 4 32 The bit link variable is the starting variable and calls 4 bit manipulation functions to calculate the first group;
    影像数据摘要输出子模块,用于输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组。The image data summary output sub-module is used to output 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping.
  9. 根据权利要求7所述的提高影像数据传输安全的装置,其特征在于,所述加密密钥生成模块使用所述影像数据公钥和加密公式m e=c(mod n)对所述随机密钥进行加密获得所述加密密钥;c为所述加密密钥的密文,m为对所述加密密钥的密文解密后得到的所述加密密钥的明文,n为两个不相等的质数p和q的乘积,e为整数,φ(n)>e>1,且e与φ(n)互质,φ(n)指的是n的欧拉函数,(n,e)为所述影像数据公钥;当m≧n时,对所述随机密钥进行分段加密。 The device for improving the security of image data transmission according to claim 7, wherein the encryption key generation module uses the image data public key and the encryption formula me = c(mod n) to compare the random key Encryption is performed to obtain the encryption key; c is the cipher text of the encryption key, m is the plain text of the encryption key obtained after decrypting the cipher text of the encryption key, and n is two unequal The product of prime numbers p and q, e is an integer, φ(n)>e>1, and e and φ(n) are relatively prime, φ(n) refers to the Euler function of n, and (n, e) is the result The image data public key; when m≧n, the random key is encrypted in sections.
  10. 一种提高影像数据传输安全的装置,应用于医学影像信息系统的云端,其特征在于,包括:A device for improving the security of image data transmission, applied to the cloud of a medical image information system, is characterized in that it includes:
    接收模块,用于接收数字证书、数字签名、影像加密数据以及加密密钥;The receiving module is used to receive digital certificates, digital signatures, image encryption data and encryption keys;
    数字证书验证模块,用于对所述数字证书进行有效性验证;The digital certificate verification module is used to verify the validity of the digital certificate;
    数字证书解密模块,用于在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;The digital certificate decryption module is used to decrypt the digital signature by using the digital authorization public key in the digital authorization key pair to obtain the image data digest when the digital certificate is verified to be valid;
    加密密钥解密模块,用于当使用所述数字授权密钥对中的所述数字授权公钥给所述数字 签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;The encryption key decryption module is configured to use the image data in the image data key pair to privately use the image data in the image data key pair when using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest. Key to decrypt the encryption key to obtain a random key;
    影像加密数据解密模块,用于当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;The image encryption data decryption module is configured to use the random key for the image when the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key. Decrypt the encrypted data to obtain the medical image data;
    影像数据摘要比对模块,用于将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。The image data summary comparison module is used to compare the image data summary with the medical image data; when the image data summary is consistent with the corresponding part in the medical image data, confirm the medical image The data passes security verification.
  11. 根据权利要求10所述的提高影像数据传输安全的装置,其特征在于,所述数字证书验证模块进一步包括:The device for improving the security of image data transmission according to claim 10, wherein the digital certificate verification module further comprises:
    证书链验证子模块,用于验证所述数字证书的证书链的可信性;The certificate chain verification sub-module is used to verify the credibility of the certificate chain of the digital certificate;
    吊销验证子模块,用于在所述数字证书的证书链可信时,验证所述数字证书是否被吊销;The revocation verification sub-module is used to verify whether the digital certificate is revoked when the certificate chain of the digital certificate is trusted;
    有效期验证子模块,用于在所述数字证书没有被吊销时,验证所述数字证书是否在有效期内;The validity period verification submodule is used to verify whether the digital certificate is within the validity period when the digital certificate is not revoked;
    域名验证子模块,用于在所述数字证书处于所述有效期内时,验证所述数字证书的域名是否与当前的访问域名相匹配,当所述数字证书的域名与当前的访问域名相匹配时,确认所述数字证书通过有效性验证。The domain name verification sub-module is used to verify whether the domain name of the digital certificate matches the current access domain name when the digital certificate is within the validity period, and when the domain name of the digital certificate matches the current access domain name To confirm that the digital certificate passes the validity verification.
  12. 根据权利要求10所述的提高影像数据传输安全的装置,其特征在于,所述影像数据摘要比对模块进一步包括:The device for improving the security of image data transmission according to claim 10, wherein the image data summary comparison module further comprises:
    第一数据列表子模块,用于对所述影像数据摘要进行拆分并导入第一数据列表;The first data list submodule is used to split the image data summary and import the first data list;
    第二数据列表子模块,用于对所述医学影像数据中用于生成影像数据摘要的部分进行拆分并导入第二数据列表;The second data list submodule is used to split the part of the medical image data used to generate the image data summary and import the second data list;
    数据列表比对子模块,用于将所述第一数据列表和所述第二数据列表中进行比对,以判断所述第一数据列表和所述第二数据列表是否一致。The data list comparison sub-module is configured to compare the first data list and the second data list to determine whether the first data list and the second data list are consistent.
  13. 根据权利要求10所述的提高影像数据传输安全的装置,其特征在于,所述装置进一步包括影像数据密钥对生成模块,用于生成所述影像数据密钥对,所述影像数据密钥对包括影像数据私钥和影像数据公钥。The device for improving the security of image data transmission according to claim 10, wherein the device further comprises an image data key pair generation module for generating the image data key pair, the image data key pair Including image data private key and image data public key.
  14. 根据权利要求13所述的提高影像数据传输安全的装置,其特征在于,所述影像数据密钥对生成模块进一步包括:The device for improving the security of image data transmission according to claim 13, wherein the image data key pair generation module further comprises:
    质数选择子模块,用于随机选择两个不相等的质数p和q;Prime number selection submodule, used to randomly select two unequal prime numbers p and q;
    质数乘积计算子模块,用于计算p和q的乘积n;Prime number product calculation sub-module, used to calculate the product n of p and q;
    欧拉函数计算子模块,用于计算n的欧拉函数φ(n);Euler function calculation sub-module, used to calculate the Euler function φ(n) of n;
    整数选择子模块,用于随机选择一个整数e,其中φ(n)>e>1,且e与φ(n)互质;Integer selection submodule, used to randomly select an integer e, where φ(n)>e>1, and e and φ(n) are relatively prime;
    模反元素计算子模块,用于计算e对于φ(n)的模反元素d;The modular inverse element calculation sub-module is used to calculate the modular inverse element d of e to φ(n);
    封装子模块,用于将n和e封装成影像数据公钥(n,e),n和d封装成影像数据私钥(n,d);Encapsulation sub-module for encapsulating n and e into image data public keys (n, e), and n and d into image data private keys (n, d);
    发送子模块,用于将所述影像数据公钥(n,e)发送给对所述加密密钥的明文进行加密的终端。The sending sub-module is used to send the image data public key (n, e) to the terminal that encrypts the plain text of the encryption key.
  15. 一种医学影像信息系统,其特征在于,包括云端以及与所述云端通信连接的至少一个终端;A medical imaging information system, characterized by comprising a cloud and at least one terminal communicatively connected with the cloud;
    所述终端包括至少一个第一存储器和至少一个第一处理器,所述第一存储器中存储有第一计算机程序,所述第一计算机程序被所述第一处理器执行时实现如下步骤:The terminal includes at least one first memory and at least one first processor, the first memory stores a first computer program, and when the first computer program is executed by the first processor, the following steps are implemented:
    从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;Select the first message of any length from the medical image data to generate the image data summary;
    通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;Encrypting the image data digest with a digital authorized private key to obtain a digital signature;
    通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;Encrypt the medical image data by a random key to obtain image encrypted data;
    通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;The random key is encrypted by the image data public key to obtain an encryption key;
    将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端;Sending the digital signature, the digital certificate, the image encryption data, and the encryption key to the cloud of the medical image information system;
    所述云端包括至少一个第二存储器和至少一个第二处理器,所述第二存储器中存储有第二计算机程序,所述第二计算机程序被所述第二处理器执行时实现如下步骤:The cloud includes at least one second memory and at least one second processor, and a second computer program is stored in the second memory. When the second computer program is executed by the second processor, the following steps are implemented:
    接收数字证书、数字签名、影像加密数据以及加密密钥;Receive digital certificates, digital signatures, image encryption data and encryption keys;
    对所述数字证书进行有效性验证;Verify the validity of the digital certificate;
    在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;When it is verified that the digital certificate is valid, use the digital authorized public key in the digital authorized key pair to decrypt the digital signature to obtain an image data digest;
    当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;When using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest, use the image data private key in the image data key pair to decrypt the encryption key To get a random key;
    当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;When the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key, the random key is used to decrypt the image encrypted data to obtain the Medical imaging data;
    将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。The image data abstract is compared with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
  16. 根据权利要求15所述的医学影像信息系统,其特征在于,所述第一计算机程序被所述第一处理器执行时还可以实现如下步骤:The medical imaging information system according to claim 15, wherein the following steps can be further implemented when the first computer program is executed by the first processor:
    对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448;Pad the first message so that the result of the remainder of 512 for the byte length of the first message is equal to 448;
    在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文;Append a second message represented by a 64-bit binary number after the filled first message;
    设置4个32位链接变量的整数参数;Set 4 integer parameters of 32-bit link variables;
    把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算;The filled first message and the second message are respectively processed with 512 bits as a packet, and each of the packets is subjected to 4 rounds of transformation, with the 4 32-bit link variables as the starting variables Call 4 bit manipulation functions to calculate the first group;
    输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组;Output 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping;
    将所述最后一个分组对应的4个变量作为所述影像数据摘要。The 4 variables corresponding to the last group are used as the image data summary.
  17. 根据权利要求15所述的医学影像信息系统,其特征在于,所述第二计算机程序被所述第二处理器执行时进一步实现如下步骤:The medical imaging information system according to claim 15, wherein the second computer program further implements the following steps when being executed by the second processor:
    验证所述数字证书的证书链的可信性;Verify the credibility of the certificate chain of the digital certificate;
    在所述数字证书的证书链可信时,验证所述数字证书是否被吊销;When the certificate chain of the digital certificate is trusted, verifying whether the digital certificate is revoked;
    在所述数字证书没有被吊销时,验证所述数字证书是否在有效期内;When the digital certificate is not revoked, verifying whether the digital certificate is within the validity period;
    在所述数字证书处于所述有效期内时,验证所述数字证书的域名是否与当前的访问域名相匹配;When the digital certificate is within the validity period, verify whether the domain name of the digital certificate matches the current access domain name;
    当所述数字证书的域名与当前的访问域名相匹配时,确认所述数字证书通过有效性验证。When the domain name of the digital certificate matches the current access domain name, it is confirmed that the digital certificate passes the validity verification.
  18. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如下步骤:A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the following steps are implemented:
    从医学影像数据中选择任意长度的第一报文生成为影像数据摘要;Select the first message of any length from the medical image data to generate the image data summary;
    通过数字授权私钥给所述影像数据摘要进行加密得到数字签名;Encrypting the image data digest with a digital authorized private key to obtain a digital signature;
    通过随机密钥给所述医学影像数据进行加密后得到影像加密数据;Encrypt the medical image data by a random key to obtain image encrypted data;
    通过影像数据公钥给所述随机密钥进行加密后得到加密密钥;The random key is encrypted by the image data public key to obtain an encryption key;
    将所述数字签名、所述数字证书、所述影像加密数据以及所述加密密钥发送至所述医学影像信息系统的云端。The digital signature, the digital certificate, the image encryption data, and the encryption key are sent to the cloud of the medical image information system.
  19. 根据权利要求18所述的计算机可读存储介质,其特征在于,所述计算机程序被处理器执行时进一步实现如下步骤:The computer-readable storage medium according to claim 18, wherein the computer program further implements the following steps when being executed by a processor:
    对所述第一报文进行填充,使所述第一报文的字节长度对512求余的结果等于448;Pad the first message so that the result of the remainder of 512 for the byte length of the first message is equal to 448;
    在填充后的所述第一报文后面附加一个以64位二进制数表示的第二报文;Append a second message represented by a 64-bit binary number after the filled first message;
    设置4个32位链接变量的整数参数;Set 4 integer parameters of 32-bit link variables;
    把填充后的所述第一报文和所述第二报文分别以512位为一个分组进行处理,每一个所述分组进行4轮变换,以所述4个32位链接变量为起始变量调用4个位操作函数对第一分组进行计算;The filled first message and the second message are respectively processed with 512 bits as a packet, and each of the packets is subjected to 4 rounds of transformation, with the 4 32-bit link variables as the starting variables Call 4 bit manipulation functions to calculate the first group;
    输出由所述4个位操作函数计算得到的4个变量,以所述4个变量进行下一分组的运算,直到最后一个分组;Output 4 variables calculated by the 4 bit manipulation functions, and use the 4 variables to perform the next grouping operation until the last grouping;
    将所述最后一个分组对应的4个变量作为所述影像数据摘要。The 4 variables corresponding to the last group are used as the image data summary.
  20. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如下步骤:A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the following steps are implemented:
    接收数字证书、数字签名、影像加密数据以及加密密钥;Receive digital certificates, digital signatures, image encryption data and encryption keys;
    对所述数字证书进行有效性验证;Verify the validity of the digital certificate;
    在验证得出所述数字证书有效时,使用数字授权密钥对中的数字授权公钥给所述数字签名解密,以获得影像数据摘要;When it is verified that the digital certificate is valid, use the digital authorized public key in the digital authorized key pair to decrypt the digital signature to obtain an image data digest;
    当使用所述数字授权密钥对中的所述数字授权公钥给所述数字签名解密得到所述影像数据摘要时,使用影像数据密钥对中的影像数据私钥给所述加密密钥解密,以获得随机密钥;When using the digital authorization public key in the digital authorization key pair to decrypt the digital signature to obtain the image data digest, use the image data private key in the image data key pair to decrypt the encryption key To get a random key;
    当使用所述影像数据密钥对中的所述影像数据私钥给所述加密密钥解密得到所述随机密钥时,使用所述随机密钥给所述影像加密数据解密,以获得所述医学影像数据;When the image data private key in the image data key pair is used to decrypt the encryption key to obtain the random key, the random key is used to decrypt the image encrypted data to obtain the Medical imaging data;
    将所述影像数据摘要与所述医学影像数据中进行比对;在所述影像数据摘要与所述医学影像数据中对应的部分一致时,确认所述医学影像数据通过安全性验证。The image data abstract is compared with the medical image data; when the image data abstract is consistent with the corresponding part in the medical image data, it is confirmed that the medical image data passes the security verification.
PCT/CN2019/103652 2019-01-28 2019-08-30 Method, device and system for enhancing security of image data transmission, and storage medium WO2020155622A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910082069.6A CN109981282A (en) 2019-01-28 2019-01-28 Improve method, apparatus, system and the storage medium of image data transmission safety
CN201910082069.6 2019-01-28

Publications (1)

Publication Number Publication Date
WO2020155622A1 true WO2020155622A1 (en) 2020-08-06

Family

ID=67076827

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/103652 WO2020155622A1 (en) 2019-01-28 2019-08-30 Method, device and system for enhancing security of image data transmission, and storage medium

Country Status (2)

Country Link
CN (1) CN109981282A (en)
WO (1) WO2020155622A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116405304A (en) * 2023-04-19 2023-07-07 联桥科技有限公司 Communication encryption method, system, terminal and storage medium
CN117936039A (en) * 2024-03-21 2024-04-26 成都科玛奇信息科技有限责任公司 High-speed transmission method of medical image data
CN118039084A (en) * 2024-02-29 2024-05-14 蓝网科技股份有限公司 Medical image encryption method, device, equipment and storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981282A (en) * 2019-01-28 2019-07-05 平安科技(深圳)有限公司 Improve method, apparatus, system and the storage medium of image data transmission safety
CN111597569A (en) * 2020-05-15 2020-08-28 中国人民解放军空军勤务学院 Image data output method and system, computer equipment and storage medium
CN112073453B (en) * 2020-07-21 2023-06-27 重庆市中迪医疗信息科技股份有限公司 Medical image cloud processing method, system and medium
CN111917756B (en) * 2020-07-27 2022-05-27 杭州叙简科技股份有限公司 Encryption system and encryption method of law enforcement recorder based on public key routing
CN115001663A (en) * 2022-06-02 2022-09-02 中国银行股份有限公司 Data encryption method and device, computer equipment and storage medium
CN116108214B (en) * 2023-02-24 2024-02-06 中科星图数字地球合肥有限公司 Remote sensing image data processing method and device, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105141426A (en) * 2015-08-17 2015-12-09 北京幺正科技有限公司 Industrial control equipment security authentication method, server and client
US20170116375A1 (en) * 2015-10-21 2017-04-27 Konica Minolta, Inc. Medical information management system and management server
CN107995143A (en) * 2016-10-25 2018-05-04 中国电信股份有限公司 Medical imaging treating method and apparatus
CN108269610A (en) * 2018-01-18 2018-07-10 成都博睿德科技有限公司 Data reliability verifying method based on cloud computing
CN109005184A (en) * 2018-08-17 2018-12-14 上海小蚁科技有限公司 File encrypting method and device, storage medium, terminal
CN109981282A (en) * 2019-01-28 2019-07-05 平安科技(深圳)有限公司 Improve method, apparatus, system and the storage medium of image data transmission safety

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8488834B2 (en) * 2007-11-15 2013-07-16 Certifi-Media Inc. Method for making an assured image
KR101720268B1 (en) * 2015-10-26 2017-03-27 (주)아이알엠 Medical Imaging Cloud Database Building and Reading Method for Protecting Patient Information
CN106131080A (en) * 2016-08-30 2016-11-16 沈阳东软医疗系统有限公司 The method and device of transmission medical image data
KR20180080883A (en) * 2017-01-05 2018-07-13 한국전자통신연구원 System for providing health information having authentication data and operating method thereof
CN107241196A (en) * 2017-06-30 2017-10-10 杰创智能科技股份有限公司 Digital signature method and system based on block chain technology
CN109243548A (en) * 2018-08-22 2019-01-18 广东工业大学 A kind of medical data platform based on block chain technology

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105141426A (en) * 2015-08-17 2015-12-09 北京幺正科技有限公司 Industrial control equipment security authentication method, server and client
US20170116375A1 (en) * 2015-10-21 2017-04-27 Konica Minolta, Inc. Medical information management system and management server
CN107995143A (en) * 2016-10-25 2018-05-04 中国电信股份有限公司 Medical imaging treating method and apparatus
CN108269610A (en) * 2018-01-18 2018-07-10 成都博睿德科技有限公司 Data reliability verifying method based on cloud computing
CN109005184A (en) * 2018-08-17 2018-12-14 上海小蚁科技有限公司 File encrypting method and device, storage medium, terminal
CN109981282A (en) * 2019-01-28 2019-07-05 平安科技(深圳)有限公司 Improve method, apparatus, system and the storage medium of image data transmission safety

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116405304A (en) * 2023-04-19 2023-07-07 联桥科技有限公司 Communication encryption method, system, terminal and storage medium
CN118039084A (en) * 2024-02-29 2024-05-14 蓝网科技股份有限公司 Medical image encryption method, device, equipment and storage medium
CN117936039A (en) * 2024-03-21 2024-04-26 成都科玛奇信息科技有限责任公司 High-speed transmission method of medical image data
CN117936039B (en) * 2024-03-21 2024-05-31 成都科玛奇信息科技有限责任公司 High-speed transmission method of medical image data

Also Published As

Publication number Publication date
CN109981282A (en) 2019-07-05

Similar Documents

Publication Publication Date Title
WO2020155622A1 (en) Method, device and system for enhancing security of image data transmission, and storage medium
CN111740828B (en) Key generation method, device and equipment and encryption and decryption method
CN109347627B (en) Data encryption and decryption method and device, computer equipment and storage medium
US10050955B2 (en) Efficient start-up for secured connections and related services
US8458461B2 (en) Methods and apparatus for performing authentication and decryption
CA2590989C (en) Protocol and method for client-server mutual authentication using event-based otp
US6058188A (en) Method and apparatus for interoperable validation of key recovery information in a cryptographic system
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
EP3387576B1 (en) Apparatus and method for certificate enrollment
US6640303B1 (en) System and method for encryption using transparent keys
JP7059282B2 (en) Network devices and trusted third-party devices
US20180013832A1 (en) Health device, gateway device and method for securing protocol using the same
CN113408013A (en) Encryption and decryption chip framework with multiple algorithm rules mixed
CN111181944B (en) Communication system, information distribution method, device, medium, and apparatus
CN106534077B (en) A kind of identifiable proxy re-encryption system and method based on symmetric cryptography
CN112737783B (en) Decryption method and device based on SM2 elliptic curve
CN116866029A (en) Random number encryption data transmission method, device, computer equipment and storage medium
US7436966B2 (en) Secure approach to send data from one system to another
CN114785527B (en) Data transmission method, device, equipment and storage medium
US7415110B1 (en) Method and apparatus for the generation of cryptographic keys
JPH08204701A (en) Electronic mail cipher communication system and cipher communication method
JPS63176043A (en) Secret information communicating system
CN115549987B (en) Mixed encryption method based on data security privacy protection
CN115879136B (en) Cloud data protection method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19913003

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22.09.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19913003

Country of ref document: EP

Kind code of ref document: A1