WO2020215572A1 - Authentication communication method and device, storage medium, and computer device - Google Patents

Authentication communication method and device, storage medium, and computer device Download PDF

Info

Publication number
WO2020215572A1
WO2020215572A1 PCT/CN2019/103531 CN2019103531W WO2020215572A1 WO 2020215572 A1 WO2020215572 A1 WO 2020215572A1 CN 2019103531 W CN2019103531 W CN 2019103531W WO 2020215572 A1 WO2020215572 A1 WO 2020215572A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
encryption key
encryption
node
key
Prior art date
Application number
PCT/CN2019/103531
Other languages
French (fr)
Chinese (zh)
Inventor
李海斌
叶大栋
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020215572A1 publication Critical patent/WO2020215572A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • This application relates to the technical field of secure communication, and in particular to a method, device, storage medium, and computer equipment for authenticating communication.
  • a method for authenticating communication includes: performing identity authentication on a target node, and after passing the identity authentication, determining a dynamic encryption key agreed with the target node, and the dynamic encryption key
  • the key includes multiple levels of encryption keys; to determine the target data to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, in the order from the encryption key of the lowest level to the encryption key of the highest level Perform multiple encryption processing on the target data in sequence, and generate final encrypted data after the encryption processing process ends; send the encrypted data to the server.
  • a device for authenticating communication including: an encryption key determining module, configured to perform identity authentication on a target node, and after passing the identity authentication, determine the dynamic encryption agreed with the target node
  • the dynamic encryption key includes multiple levels of encryption keys; the encryption processing module is used to determine the target data that needs to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, according to the lowest level
  • the sequence from the encryption key to the top-level encryption key performs multiple encryption processing on the target data, and generates the final encrypted data after the encryption processing process ends; the sending module is used to send the encrypted data To the server.
  • a method for authenticating communication including: performing identity authentication on a target node, agreeing on a dynamic encryption key with the target node after the authentication is passed, and generating a corresponding dynamic decryption key,
  • the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; the encrypted data sent by the target node is obtained, and the encrypted data is based on the dynamic Encryption key, data determined after multiple encryption processing is performed on the target data in the order from the encryption key of the lowest level to the encryption key of the highest level; according to the dynamic decryption corresponding to the dynamic encryption key
  • the decryption keys of all levels of the key are used to decrypt the encrypted data in sequence from the decryption key at the top level to the decryption key at the bottom level, until the target obtained after the decryption process is determined data.
  • a device for authenticating communication including: a decryption key determination module, configured to perform identity authentication on a target node, and agree on a dynamic encryption key with the target node after the authentication is passed, and Generate a corresponding dynamic decryption key, the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; the acquisition module is used to acquire the encrypted data sent by the target node , The encrypted data is data determined based on the multi-level dynamic encryption key, and the target data is encrypted for multiple times in the order from the encryption key at the bottom level to the encryption key at the top level; The decryption processing module is used to analyze the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key in the order from the decryption key at the top level to the decryption key at the bottom level.
  • the encrypted data is decrypted several times in sequence until the target data obtained after the end of the decryption process is determined.
  • a computer-readable storage medium having computer-readable instructions stored thereon, and when the computer-readable instructions are executed by a processor, the steps of authenticating communication are realized.
  • a computer device including a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor. When the processor executes the computer-readable instructions Steps to achieve authentication communication.
  • the target node when the target node needs to access the server, the target node is first authenticated, and after the identity authentication is passed, it can be explained that the target node is legal
  • the two parties agree on a multi-level dynamic key, so that the target node can encrypt the target data to be transmitted based on the multi-level dynamic key, and transmit the encrypted target data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data.
  • multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data.
  • the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, so that network resources can be saved and retransmission efficiency can be improved.
  • FIG. 1 is a schematic flowchart of a method for authenticating communication according to an embodiment of the application
  • FIG. 2 is a schematic diagram of a dynamic encryption process in the form of a binary tree provided by an embodiment of the application;
  • FIG. 3 is a schematic flowchart of another method for authenticating communication according to an embodiment of the application.
  • FIG. 4 is a schematic diagram of a dynamic decryption process in a binary tree form provided by an embodiment of the application
  • FIG. 5 is a schematic structural diagram of a device for authenticating communication provided by an embodiment of this application.
  • FIG. 6 is a schematic structural diagram of another device for authenticating communication provided by an embodiment of the application.
  • FIG. 7 is a schematic structural diagram of a computer device for executing an authentication communication method provided by an embodiment of the application.
  • An embodiment of the present application provides a method for authenticating communication. As shown in FIG. 1, the method includes: Step 101: Perform identity authentication on a target node, and after passing the identity authentication, determine a dynamic encryption key agreed upon with the target node, The dynamic encryption key includes multiple levels of encryption keys.
  • the identity authentication process between the target node and the server is first performed, that is, the server judges whether the target node is a legitimate node, or the target node can also judge Whether the server is a legitimate server.
  • the target node may specifically be a proxy server, or other servers, or other node devices in the network.
  • the server of the cluster needs to authenticate the target node first, and only allow transmission between the two after passing the verification.
  • the target node's self-signature or CA (Certification Authority) signature can be used to verify the target node.
  • the server uses the public key signed by the CA to verify the signature on the CA signature certificate. If the verification is passed, the signature is valid. After the identity authentication is passed, a dynamic key for data transmission can be set between the two, and the dynamic key management mechanism makes password attacks more difficult.
  • a dynamic encryption key is agreed between the target node and the server, so that the target node can perform encryption processing on the data to be transmitted through the dynamic encryption key.
  • the dynamic encryption key includes multiple levels of encryption keys, and each level can also contain one or more encryption keys, and multiple multiple levels of encryption keys can implement multiple encryption processing of data to improve security . Step 102: Determine the target data to be transmitted.
  • the target data is encrypted for multiple times in sequence from the encryption key of the lowest level to the encryption key of the top level. , And generate the final encrypted data after the end of the encryption process.
  • Step 103 Send the encrypted data to the server.
  • the target data can be encrypted according to the dynamic encryption key.
  • the dynamic encryption key is configured for dynamic management and is configured by dynamic encryption. The key management mechanism makes password attacks more difficult, and data communication transmission is more secure.
  • the dynamic encryption key is a multi-level encryption key. When generating encrypted data, the target data is sequentially encrypted in the order from the encryption key at the bottom level to the encryption key at the top level.
  • the dynamic encryption key is a three-level encryption key
  • first use the first-level encryption key that is, the lowest-level encryption key
  • second-level encryption key to encrypt the first-level encryption result again to generate the second-level encryption result
  • third-level encryption key that is, the top-level encryption key
  • the target data can be divided into multiple sub-data, and different encryption keys are used for encryption processing for different sub-data, so that the difficulty of cracking the encrypted data can be further increased, and the security of the data can be further improved.
  • the embodiment of the application provides a method for authenticating communication.
  • the target node needs to access the server, the target node is first authenticated. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on multiple levels
  • the dynamic key enables the target node to perform multi-level encryption processing on the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure.
  • the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys n node encryption keys And 1 root encryption key among them, Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ⁇ [1,m]; u represents the number of the node encryption key, and n u represents the number of node encryption keys at the u-th level, j u ⁇ [1, n u ].
  • the dynamic encryption key is a multi-layer binary tree structure, with a total of L layers.
  • the bottom layer is the leaf encryption key (that is, the encryption key of the lowest level).
  • the key is explained at 4 levels.
  • a 3-level node encryption key (ie, n 3 2) and a root encryption key (ie, the top-level encryption key).
  • the superscript a represents the number of levels
  • the subscript b represents the order of the encryption key, namely Represents the b-th encryption key of the a-th level, in the form of "encryption key ab" in Figure 2, that is, the leaf encryption key 11 in Figure 2 represents the leaf encryption key
  • Leaf encryption key 12 represents the leaf encryption key
  • Node encryption key 21 represents the node encryption key
  • step 102 "encrypting the target data multiple times in sequence, and generating the final encrypted data after the end of the encryption process" includes: Step A1: segmenting the target data, and determining the segmented m targets Subdata i ⁇ [1,m]; where, Represents the b-th encrypted sub-data after the a-time encryption process.
  • the target data is divided into m target sub-data In this way, different target sub-data can be encrypted with different processes, that is, different target sub-data can be encrypted with different encryption keys.
  • the number of target sub-data can be determined based on the number of leaf encryption keys of the dynamic encryption key, that is, both are m; or, the number of target sub-data is less than the number of leaf encryption keys in the dynamic encryption key That is, in addition to the m leaf encryption keys, the dynamic encryption key may also include other unused leaf encryption keys.
  • 6 target sub-data are taken as an example.
  • the "target sub-data ab" in the figure represents the b-th encrypted sub-data after a-time encryption processing, namely the target sub-data 01 represents the target sub-data
  • the target sub-data 02 represents the target sub-data And so on.
  • Step A2 According to the leaf encryption key of the first level Target sub-data Perform encryption processing to determine the corresponding leaf encrypted sub-data Determine the encryption key corresponding to the same next level node Two leaf encryption keys with j 2 ⁇ [1,n 2 ]; encrypt the two leaf keys with Corresponding leaf encrypted sub-data with As a group, according to the node encryption key Encrypt sub-data of a group of leaves with Perform encryption again to determine the encryption key with the node Corresponding node encrypted child data If there is no sub-data encrypted with the leaf in the current level Have the same encryption key for the next level node The other leaves of the encryption sub-data are directly based on the node encryption key Encrypt the sub-data of the leaf Perform encryption processing.
  • the target sub-data is encrypted by the leaf encryption key.
  • the leaf encryption key Target sub-data Perform encryption processing to generate encrypted encrypted sub-data
  • the "encrypted sub-data ab" in Figure 2 refers to the b-th encrypted sub-data after a-time encryption processing, that is, the encrypted sub-data 11 is the first encrypted sub-data after one encryption processing.
  • Data, namely leaf encrypted sub-data Encrypted sub-data 12 represents leaf encrypted sub-data And so on.
  • the two encryption keys may correspond to the same encryption key at the upper level, that is, two leaf encryption keys with May correspond to the same upper-level node encryption key
  • the leaf encryption key 11 and the leaf encryption key 12 both correspond to the same node encryption key 21, the leaf encryption key 13 and the leaf encryption key 14 both correspond to the same node encryption key 22, etc.; Yes, the node encryption key 21 and the node encryption key 22 also correspond to the same upper-level node encryption key 31.
  • the target sub-data is encrypted by the leaf encryption key of the first layer
  • the next encryption is continued by the node encryption key of the second layer.
  • the encrypted sub-data 11 and the encrypted sub-data 12 generated by encrypting the leaf encryption key 11 and the leaf encryption key 12 are used as a set.
  • the encrypted sub-data 11 and the encrypted sub-data 12 can be string Connect as a whole to form an encrypted sub-data, and then use the node encryption key 21 to perform the encryption process again, thereby generating encrypted sub-data 21 after twice encryption, that is, the node encrypted sub-data
  • encrypted sub-data 13 and encrypted sub-data 14 are encrypted by node encryption key 22 to generate encrypted sub-data 22, namely node encrypted sub-data
  • the encrypted sub-data 15 is used as a set of data alone, and the next-level node encryption key 23 is directly used This encrypted sub-data 15 is encrypted again.
  • step A2 if there is no subdata encrypted with the node in the current level Have the same encryption key for the next level node Other nodes encrypt sub-data, directly according to the node encryption key Encrypt child data of node Perform encryption again. As shown in FIG.
  • Step A4 Repeat the above re-encryption process until the determined node encryption key at the upper level is the root encryption key So far and will be based on the root encryption key Data determined after encryption As the final encrypted data.
  • the process of combining two encrypted sub-data into a group for encryption is repeated until the encryption process reaches the top level of the dynamic encryption key, that is, the root encryption key should be passed Perform the last encryption process. At this time, it will be based on the root encryption key Data determined after encryption As the final encrypted data.
  • the root encryption key 41 performs the fourth encryption process on the encrypted sub-data 31 and the encrypted sub-data 32 to generate the final encrypted sub-data 41, which is the final encrypted target data.
  • the target data is segmented, and the target sub-data of each segment is respectively encrypted, which can improve data security.
  • a dynamic encryption key in the form of a binary tree two adjacent sub-data can be re-encrypted as a group until the final layer of encryption is completed with the root encryption key; the dynamic encryption key in the form of a binary tree Multi-layer encryption of the data can improve the security of each target sub-data and greatly improve the overall security of the data.
  • the method further includes: Step B1: While performing the encryption process to generate the corresponding encrypted sub-data, determine the verification information of the encrypted sub-data, and encrypt all the verification information according to the dynamic encryption
  • Step B2 Send the total verification information to the server.
  • the verification information of the encrypted sub-data is also determined.
  • the encrypted sub-data can be represented in the form of a binary tree
  • all verification information can also be represented in the form of a binary tree, that is, the total verification information in the form of a binary tree that is the same as the dynamic encryption key can be generated.
  • the total verification information can be sent to the server side, so that the server can verify the received target data through the total verification information to determine the integrity of the data.
  • the hash value of the encrypted sub-data can be used as the verification information
  • the verification information can also be a verification code, a verification field, a digital signature, and the like.
  • the embodiment of the application provides a method for authenticating communication. When the target node needs to access the server, the target node is first authenticated.
  • the target node is a legal node, and the two parties agree on multiple levels
  • the dynamic key enables the target node to perform multi-level encryption processing on the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data.
  • multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data.
  • the total verification information is sent to the server side, so that the server can verify the received target data through the total verification information, so that the server can determine the integrity of the target data.
  • another embodiment of the present application also provides a method for authenticating communication.
  • the method is applied to the server side.
  • the method includes: Step 301: Perform identity authentication on the target node. After passing, the dynamic encryption key is agreed with the target node, and the corresponding dynamic decryption key is generated; the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys.
  • the identity authentication process between the target node and the server is first performed, that is, the server judges whether the target node is a legitimate node, or the target node can also judge Whether the server is a legitimate server.
  • the server of the cluster needs to authenticate the target node first, and only allow transmission between the two after passing the authentication.
  • the target node's self-signature or CA (Certification Authority) signature can be used to verify the target node.
  • CA signature the server uses the public key signed by the CA to verify the signature on the CA signature certificate. If the verification is passed, the signature is valid.
  • a dynamic key for data transmission can be set between the two, and the dynamic key management mechanism makes password attacks more difficult.
  • a multi-level dynamic encryption key is agreed between the target node and the server; and the server, as the data receiver, saves the multi-level dynamic decryption key corresponding to the dynamic encryption key.
  • the server may perform decryption processing based on the dynamic decryption key to obtain corresponding plaintext data, that is, target data.
  • Step 302 Obtain the encrypted data sent by the target node.
  • the encrypted data is based on a multi-level dynamic encryption key.
  • the target data is encrypted for multiple times in the order from the encryption key of the lowest level to the encryption key of the top level.
  • Step 303 According to the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key, the encrypted data is decrypted multiple times in sequence from the decryption key of the top level to the decryption key of the bottom level. Process until the target data obtained after the end of the decryption process is determined.
  • the server can perform decryption processing based on the dynamic decryption key to determine the decrypted target data.
  • the dynamic decryption key and the dynamic encryption key have a one-to-one correspondence.
  • the dynamic key management mechanism makes the password attack more difficult, and the security of data communication transmission is higher.
  • the dynamic encryption key is a multi-level encryption key.
  • the target data is sequentially encrypted in the order from the encryption key at the bottom level to the encryption key at the top level.
  • the encrypted data when the encrypted data needs to be decrypted, the encrypted data is decrypted multiple times in the order from the decryption key of the top level to the decryption key of the bottom level, thereby generating the decrypted target data.
  • the dynamic encryption key is a 3-level encryption key
  • the corresponding dynamic decryption key is also a 3-level decryption key.
  • the encrypted data needs to be decrypted, first use the third-level decryption key (that is, the top-level decryption key) to decrypt the encrypted data to generate the first decryption result (corresponding to the above-mentioned second-level decryption key) Encryption result); then use the decryption key of the second level to decrypt the first decryption result again to generate the second decryption result (corresponding to the encryption result of the first level above); finally use the decryption of the first level
  • the key that is, the decryption key at the lowest level decrypts the second decryption result to generate a third decryption result, and the third decryption result is the target data determined after the encrypted data is decrypted.
  • the embodiment of the present application provides a method for authenticating communication.
  • the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on a dynamic
  • the key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure.
  • target node in the embodiment of the present application is the side that sends data
  • server is the side that receives the data.
  • the target node can also perform the process of steps 301-303, or the process of steps 101-103, that is, the server can also send encrypted data to the target node, and the encrypted data is performed through a dynamic encryption mechanism Encrypted.
  • the dynamic encryption key is a set of encryption keys in the form of a binary tree
  • the dynamic encryption key includes: m leaf encryption keys n node encryption keys And 1 root encryption key among them, Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ⁇ [1,m]; u represents the number of the node encryption key, and n u represents the number of node encryption keys at the u-th level, j u ⁇ [1, n u ]. See Figure 2 for a form of dynamic encryption key.
  • the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and the dynamic decryption key includes: m leaf decryption keys n node decryption keys And 1 root decryption key among them, Represents the b-th decryption key of the a-th level.
  • the leaf encryption key and the leaf decryption key There is a one-to-one correspondence between the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, and the root encryption key and the root decryption key. .
  • one form of the dynamic decryption key is shown in Figure 4.
  • the dynamic decryption key has a multi-layered binary tree structure, which is the same as the dynamic encryption key.
  • the dynamic decryption key also has L layers.
  • the top layer is the root decryption key (that is, the top-level decryption key).
  • the bottom layer is the leaf decryption key (that is, the decryption key of the lowest level).
  • the dynamic decryption key is 4 layers for illustration.
  • the superscript a represents the number of levels
  • the subscript b represents the order of the decryption key, namely Represents the b-th decryption key of the a-th level, in the form of "decryption key ab" in Figure 4, that is, the leaf decryption key 11 in Figure 4 represents the leaf decryption key
  • Leaf decryption key 12 represents the leaf decryption key
  • Node decryption key 21 represents the node decryption key
  • step 301 decrypt the encrypted data multiple times in sequence until the target data obtained after the end of the decryption process is determined” specifically includes: Step C1: According to the root decryption key Encrypted data Perform decryption processing to determine the encrypted sub-data of the next two nodes with among them, Indicates the b-th encrypted sub-data after La times of decryption processing; at the same time determine the encrypted sub-data of two nodes with Corresponding two node decryption keys with In the embodiment of this application, contrary to the process of encrypting the target data based on the dynamic encryption key, in this embodiment, the encrypted data is first decrypted according to the root decryption key.
  • the encrypted sub-data 41 (ie, encrypted data) is decrypted by the root decryption key 41, thereby generating the next two-node encrypted sub-data with (Ie, encrypted sub-data 31 and encrypted sub-data 32 in Figure 4), and the two nodes encrypt the sub-data with Corresponding two node decryption keys with (Ie node decryption keys 31 and 32 in Figure 4).
  • Step C2 Decrypt the key according to the node Encrypt the sub-data of the corresponding node Perform decryption processing to determine the next level of one or two nodes to encrypt sub-data; according to the node decryption key Encrypt the sub-data of the corresponding node Perform decryption processing to determine one or two node encryption sub-data of the next level; determine the next level node decryption key corresponding to the next level node encryption sub-data, and continue to encrypt the corresponding node according to the node decryption key The sub-data is decrypted. In the embodiment of this application, whenever a node is determined to encrypt sub-data (such as or ), it can be determined to decrypt the node encrypted sub-data.
  • the number of the next-level node encrypted sub-data determined is one or two, depending on the specific structure of the encrypted data Depends. For example, as shown in Figure 4, after the encrypted sub-data 31 is decrypted, the encrypted sub-data 21 and the encrypted sub-data 22 of the next layer can be determined; while the encrypted sub-data 32 can be decrypted, only one encrypted sub-data can be determined. Data, that is, encrypted sub-data 23.
  • Step C3 Repeat the above decryption process until the node decryption key at the next level determined is the leaf decryption key And decrypt the key based on the leaf Encrypt the sub-data of the corresponding leaf Perform decryption processing to determine m decrypted target sub-data According to all target sub-data Generate the final target data.
  • the encrypted data is decrypted layer by layer using the layered dynamic decryption key until the decryption key is based on the leaf.
  • unencrypted data is generated, namely the target sub-data
  • the target data sent by the target node can be finally determined.
  • the dynamic decryption key in the same binary tree form as the dynamic encryption key is used to decrypt the multi-layer encrypted encrypted data, so that the encrypted data can be decrypted layer by layer until the final target data is determined.
  • the method further includes a data verification process.
  • the process includes: Step D1: Receive total verification information sent by the target node, and the total verification information is a plurality of verification information according to Dynamically decrypt the information generated in the form of a binary tree with the same key.
  • the target node when generating encrypted sub-data (including leaf encrypted sub-data and node encrypted sub-data), also determines the verification information of the encrypted sub-data.
  • the encrypted sub-data can be represented in the form of a binary tree
  • all verification information can also be represented in the form of a binary tree; and the dynamic encryption key and the dynamic decryption key have the same binary tree structure, That is, the target node can generate total verification information in the form of a binary tree that is the same as the dynamic decryption key.
  • Step D2 Determine the temporary verification information of the received encrypted data, and determine whether the verification information corresponding to the encrypted data in the total verification information is consistent with the temporary verification information of the encrypted data.
  • Step D3 If the two are inconsistent, use the encrypted data as abnormal encrypted data, determine the temporary verification information of the encrypted sub-data, and encrypt the temporary verification of the sub-data according to the verification information corresponding to the encrypted sub-data in the total verification information. Whether the verification information is consistent; the encrypted sub-data with temporary verification information that is inconsistent with the total verification information is regarded as the abnormal encrypted sub-data.
  • the received target data can be verified through the total verification information to determine the integrity of the data. Specifically, first determine whether the top-level verification information in the total verification information (that is, the verification information corresponding to the total encrypted data) is consistent with the encrypted data verification information (that is, the temporary verification information) received by the server.
  • the encrypted data received by the server matches the verification information transmitted by the target node. At this time, it can indicate that the server has completely received the encrypted data sent by the target node.
  • the temporary verification information is the verification information of the encrypted data received by the local server or the verification information of the encrypted sub-data determined after the decryption process. If the two are inconsistent, it means that the server has not completely received the data sent by the target node. At this time, the encrypted data is regarded as abnormal encrypted data. According to the verification information in the form of a binary tree, it is possible to quickly determine which target subdata the server has not received completely. . Specifically, the encrypted data received by the server can be decrypted into one or two next-level encrypted sub-data.
  • Step D4 While performing the decryption process on the abnormally encrypted sub-data, while generating the corresponding next-level encrypted sub-data, continue to determine the temporary verification information of the next-level encrypted sub-data, and the next level has the same
  • the encrypted sub-data of the temporary verification information with inconsistent total verification information is regarded as the abnormal encrypted sub-data.
  • Step D5 Repeat the above process until the abnormal leaf encrypted sub-data is determined, and the target sub-data corresponding to the abnormal leaf encrypted sub-data is obtained again, until the correct target sub-data is obtained.
  • normal decryption processing can be performed on the encrypted sub-data that is not abnormal according to the above steps C1-C3.
  • the temporary verification information of the encrypted sub-data of the next level generated by decryption is also determined, and the temporary verification information of the next level is determined based on the total verification information.
  • the verification information is correct, and the encrypted sub-data corresponding to the incorrect temporary verification information is also regarded as the abnormal encrypted sub-data.
  • the above process of judging the abnormal encrypted sub-data based on the verification information can be repeated until the abnormal leaf encrypted sub-data is determined, so that it can determine which data is abnormal from the root cause. For example, referring to FIG. 4, if the encrypted sub-data 31 is abnormal data and the encrypted sub-data 32 is normal data, that is, the verification information of the encrypted sub-data 32 is correct, then the encrypted sub-data 32 can be subsequently decrypted normally Processing, so as to finally determine the correct target sub-data 05 and 06; and for the abnormal encrypted sub-data 31, it is necessary to determine which of the decrypted encrypted sub-data 21 and 22 is abnormal data, or both are abnormal data.
  • the leaf encrypted sub-data ie, encrypted sub-data 11-14
  • the transmitted target data when the transmitted target data is abnormal, it is not necessary to retransmit all the target data, and only the abnormal target sub-data may be retransmitted, thereby saving network resources and improving retransmission efficiency.
  • the target sub-data 03 transmitted by the target node is abnormal, based on the total verification information, it can be determined that the path "encrypted sub-data 41 ⁇ encrypted sub-data 31 ⁇ encrypted sub-data 22 ⁇ encrypted sub-data 13" is abnormal. It can be determined that the target sub-data 03 transmitted to the local server is abnormal, and the target sub-data 03 needs to be retransmitted. At the same time, according to the check information in the form of a binary tree, it can be quickly determined which target sub-data has not been completely received by the server.
  • the encryption and decryption of 6 target sub-data is realized through four-layer dynamic keys; if one of the target sub-data is abnormal, a binary tree form of correction is used. It can be judged which target sub-data is abnormal through 4 verifications; and if it is only judged by the verification information of the encrypted data of the 6 target sub-data (ie, the leaf encrypted sub-data), it needs to judge 6 times at most Only then can it be determined which target subdata is abnormal. When there are more target sub-data, the judgment efficiency based on the binary tree form verification information is higher.
  • the embodiment of the present application provides a method for authenticating communication.
  • the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on a dynamic
  • the key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure.
  • the security of each target sub-data can be improved, and the overall security of the data can be greatly improved.
  • the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, so that network resources can be saved and retransmission efficiency can be improved.
  • the process of the authentication communication method is described in detail above, and the method can also be implemented by a corresponding device. The structure and function of the device are described in detail below.
  • An apparatus for authenticating communication includes: an encryption key determining module 51, configured to perform identity authentication on a target node, and after passing the identity authentication, determine an agreement with the target node
  • the dynamic encryption key includes multiple levels of encryption keys
  • the encryption processing module 52 is used to determine the target data that needs to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, From the encryption key at the lowest level to the encryption key at the top level, the target data is encrypted multiple times in sequence, and the final encrypted data is generated after the encryption process is over; the sending module 53 is used to transfer The encrypted data is sent to the server.
  • the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys n node encryption keys And 1 root encryption key among them, Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ⁇ [1, m]; u represents the number of the node encryption key, and n u represents the number of node encryption keys at the u-th level, j u ⁇ [1, n u ]; the encryption processing module 52 is specifically configured to: perform segmentation processing on the target data, and determine the segmented m Target subdata i ⁇ [1,m]; where, Represents the b-th encrypted sub-data after a-time encryption processing; according to the leaf encryption key of the first level Target sub-data Perform encryption processing to determine the corresponding leaf encrypted sub-data Determine the encryption key corresponding to the same next level node Two leaf encryption keys with j 2 ⁇
  • the device further includes: a verification information generation module; the verification information generation module is used to determine the verification of the encrypted sub-data while executing the encryption processing to generate the corresponding encrypted sub-data. And generate total verification information according to the binary tree form same as the dynamic encryption key; the sending module 53 is also configured to send the total verification information to the server.
  • the verification information generation module is used to determine the verification of the encrypted sub-data while executing the encryption processing to generate the corresponding encrypted sub-data. And generate total verification information according to the binary tree form same as the dynamic encryption key; the sending module 53 is also configured to send the total verification information to the server.
  • the target node After the identity authentication is passed, the target node can be explained as a legal node, and the two parties agree on a dynamic secret
  • the key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted agent nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data.
  • multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data.
  • an embodiment of the present application also provides a device for authenticating communication.
  • the device includes: a decryption key determining module 61, which is used to authenticate the target node's identity, and communicate with all users after the authentication is passed.
  • the target node agrees on a dynamic encryption key and generates a corresponding dynamic decryption key, the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; acquisition module 62.
  • the target node Used to obtain encrypted data sent by the target node, where the encrypted data is based on the multi-level dynamic encryption key, and the target data is compared in the order from the encryption key at the bottom level to the encryption key at the top level.
  • the data is determined after multiple encryption processing; the decryption processing module 63 is used for decryption keys of all levels according to the dynamic decryption key corresponding to the dynamic encryption key, according to the decryption key from the top level to The decryption key of the lowest level sequentially decrypts the encrypted data multiple times in sequence until the target data obtained after the decryption process is determined.
  • the dynamic encryption key is a set of encryption keys in the form of a binary tree
  • the dynamic encryption key includes: m leaf encryption keys n node encryption keys And 1 root encryption key among them, Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ⁇ [1, m]; u represents the number of the node encryption key, and n u represents the number of node encryption keys at the u-th level, j u ⁇ [1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and
  • the dynamic decryption key includes: m leaf decryption keys n node decryption keys And 1 root decryption key among them, Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node
  • the device further includes: a verification module; the verification module is configured to receive total verification information sent by the target node, where the total verification information is a plurality of verification information according to Information generated in the form of a binary tree that is the same as the dynamic decryption key; determine the temporary verification information of the received encrypted data, and determine the verification information corresponding to the encrypted data in the total verification information and the Whether the temporary verification information of the encrypted data is consistent; if the two are inconsistent, the encrypted data is regarded as abnormal encrypted data, the temporary verification information of the encrypted sub-data is determined, and the total verification information is compared with all The verification information corresponding to the encrypted sub-data is the same as the temporary verification information of the encrypted sub-data; the encrypted sub-data with the temporary verification information inconsistent with the total verification information is regarded as the abnormal encrypted sub-data; When the abnormal encrypted sub-data executes the decryption process to generate the corresponding next-level encrypted sub-data, continue to determine the temporary verification information of the next-level encrypted sub-data
  • the embodiment of the present application provides a device for authenticating communication.
  • the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legitimate node, and the two parties agree on a dynamic
  • the key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security.
  • the identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure.
  • the security of each target sub-data can be improved, and the overall security of the data can be greatly improved.
  • the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, network resources can be saved and the retransmission efficiency can be improved.
  • An embodiment of the present application also provides a computer storage medium that stores computer-executable instructions, which contains a program for executing the above-mentioned authentication communication method, and the computer-executable instructions can execute any of the above-mentioned method embodiments Method in.
  • the computer storage medium may be any available medium or data storage device that the computer can access, including but not limited to magnetic storage (such as floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.), optical storage (such as CD, DVD, BD, HVD, etc.), and semiconductor memory (such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state drive (SSD)), etc.
  • magnetic storage such as floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.
  • optical storage such as CD, DVD, BD, HVD, etc.
  • semiconductor memory such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state
  • the computer device 1100 may be a host server with computing capabilities, a personal computer PC, or a portable computer or terminal that can be carried.
  • the specific embodiment of the present application does not limit the specific implementation of the computer device.
  • the computer device 1100 includes at least one processor (processor) 1110, a communication interface (Communications Interface) 1120, a memory (memory array) 1130, and a bus 1140.
  • the processor 1110, the communication interface 1120, and the memory 1130 communicate with each other through the bus 1140.
  • the communication interface 1120 is used to communicate with network elements, where the network elements include, for example, a virtual machine management center and shared storage.
  • the processor 1110 is used to execute programs.
  • the processor 1110 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
  • the memory 1130 is used for executable instructions.
  • the memory 1130 may include a high-speed RAM memory, or may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory.
  • the memory 1130 may also be a memory array.
  • the memory 1130 may also be divided into blocks, and the blocks may be combined into a virtual volume according to certain rules.
  • the instructions stored in the memory 1130 may be executed by the processor 1110, so that the processor 1110 can execute the method in any of the foregoing method embodiments.

Abstract

The application provides an authentication communication method and device, a storage medium, and a computer device, the method comprising: determining multi-level dynamic encryption keys agreed with a server after successfully completing identity authentication of a target node; determining target data requiring transmission, sequentially performing multiple encryption on the target data using the dynamic encryption keys in a sequence from the lowest-level encryption key to the highest-level encryption key, and generating encrypted data; and sending the encrypted data to the server. In the method, an identity authentication mechanism is adopted to avoid attacks on sham links and prevent deception by untrusted agent nodes. Moreover, a multi-level dynamic key management mechanism renders password attacks extremely difficult, thus increasing security.

Description

一种认证通信的方法、装置、存储介质及计算机设备Method, device, storage medium and computer equipment for authenticating communication
本申请要求与2019年4月25日提交中国专利局、申请号为2019103411499、申请名称为“一种认证通信的方法、装置、存储介质及计算机设备”的中国专利申请的优先权,其全部内容通过引用结合在申请中。This application claims the priority of the Chinese patent application filed on April 25, 2019 with the Chinese Patent Office, the application number is 2019103411499, and the application name is "a method, device, storage medium and computer equipment for authenticating communication", and its entire contents Incorporated in the application by reference.
技术领域Technical field
本申请涉及安全通信技术领域,特别涉及一种认证通信的方法、装置、存储介质及计算机设备。This application relates to the technical field of secure communication, and in particular to a method, device, storage medium, and computer equipment for authenticating communication.
背景技术Background technique
目前,在集群进行增加或扩容时,需要添加新的主机或代理服务器,现有方法添加运行的新主机进行安全认证加密,则必须手动部署适用于平台的代理和守护程序软件包,为主机发出新的证书;通讯采用静态密钥,易被破解攻击;服务器和集群中主机未经验证而通信,通信数据易被窃取和篡改;而修改配置文件时,集群需要中断,然后使主机联机,这样会对业务造成影响。At present, when adding or expanding the cluster, it is necessary to add a new host or proxy server. In the existing method to add a new host running for security authentication and encryption, it is necessary to manually deploy the agent and daemon software package suitable for the platform to issue the host New certificate; the communication uses a static key, which is easy to be cracked and attacked; the server and the host in the cluster communicate without verification, and the communication data is easy to be stolen and tampered with; and when the configuration file is modified, the cluster needs to be interrupted, and then the host is online. Will affect the business.
发明内容Summary of the invention
为解决上述技术问题,本申请提供一种认证通信的方法、装置、存储介质及计算机设备。根据本申请的第一个方面,提供一种认证通信的方法,包括:对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;将所述加密数据发送至所述服务器。根据本申请的第二个方面,提供一种认证通信的装置,包括:加密密钥确定模块,用于对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;加密处理模块,用于确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;发送模块,用于将所述加密数据发送至所述服务器。根据本申请的第三个方面,提供一种认证通信的方法,包括:对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。根据本申请的第四个方面,提供一种认证通信的装置,包括:解密密钥确定模块,用于对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取模块,用于获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;解密处理模块,用于根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺 序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。根据本申请的第五个方面,提供一种计算机可读存储介质,其上存储有计算机可读指令,该计算机可读指令被处理器执行时实现认证通信的步骤。根据本申请的第六个方面,提供一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机可读指令,所述处理器执行所述计算机可读指令时实现认证通信的步骤。To solve the above technical problems, this application provides a method, device, storage medium and computer equipment for authenticating communication. According to the first aspect of the present application, a method for authenticating communication is provided, which includes: performing identity authentication on a target node, and after passing the identity authentication, determining a dynamic encryption key agreed with the target node, and the dynamic encryption key The key includes multiple levels of encryption keys; to determine the target data to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, in the order from the encryption key of the lowest level to the encryption key of the highest level Perform multiple encryption processing on the target data in sequence, and generate final encrypted data after the encryption processing process ends; send the encrypted data to the server. According to a second aspect of the present application, there is provided a device for authenticating communication, including: an encryption key determining module, configured to perform identity authentication on a target node, and after passing the identity authentication, determine the dynamic encryption agreed with the target node The dynamic encryption key includes multiple levels of encryption keys; the encryption processing module is used to determine the target data that needs to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, according to the lowest level The sequence from the encryption key to the top-level encryption key performs multiple encryption processing on the target data, and generates the final encrypted data after the encryption processing process ends; the sending module is used to send the encrypted data To the server. According to a third aspect of the present application, a method for authenticating communication is provided, including: performing identity authentication on a target node, agreeing on a dynamic encryption key with the target node after the authentication is passed, and generating a corresponding dynamic decryption key, The dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; the encrypted data sent by the target node is obtained, and the encrypted data is based on the dynamic Encryption key, data determined after multiple encryption processing is performed on the target data in the order from the encryption key of the lowest level to the encryption key of the highest level; according to the dynamic decryption corresponding to the dynamic encryption key The decryption keys of all levels of the key are used to decrypt the encrypted data in sequence from the decryption key at the top level to the decryption key at the bottom level, until the target obtained after the decryption process is determined data. According to a fourth aspect of the present application, there is provided a device for authenticating communication, including: a decryption key determination module, configured to perform identity authentication on a target node, and agree on a dynamic encryption key with the target node after the authentication is passed, and Generate a corresponding dynamic decryption key, the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; the acquisition module is used to acquire the encrypted data sent by the target node , The encrypted data is data determined based on the multi-level dynamic encryption key, and the target data is encrypted for multiple times in the order from the encryption key at the bottom level to the encryption key at the top level; The decryption processing module is used to analyze the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key in the order from the decryption key at the top level to the decryption key at the bottom level. The encrypted data is decrypted several times in sequence until the target data obtained after the end of the decryption process is determined. According to a fifth aspect of the present application, there is provided a computer-readable storage medium having computer-readable instructions stored thereon, and when the computer-readable instructions are executed by a processor, the steps of authenticating communication are realized. According to a sixth aspect of the present application, there is provided a computer device including a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor. When the processor executes the computer-readable instructions Steps to achieve authentication communication.
本申请实施例提供的一种认证通信的方法、装置、存储介质及计算机设备,在目标节点需要接入服务器时,首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定多层级的动态密钥,使得目标节点可以将待传输的目标数据基于该多层级的动态密钥进行加密处理,并传输加密后的目标数据,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。对目标数据进行分段处理,分别对每一段的目标子数据进行加密,可以提高数据的安全性。同时,通过二叉树形式的动态加密密钥对子数据进行多层加密,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。在传输的目标数据异常时,根据二叉树形式的校验信息可以快速确定服务器没有完整地接收到哪一个目标子数据,此时不需要重新传输全部的目标数据,可以只重新传输异常的目标子数据即可,从而也可以节约网络资源,提高重传效率。本申请的其它特征和优点将在随后的说明书中阐述,并且,部分地从说明书中变得显而易见,或者通过实施本申请而了解。本申请的目的和其他优点可通过在所写的说明书、权利要求书、以及附图中所特别指出的结构来实现和获得。下面通过附图和实施例,对本申请的技术方案做进一步的详细描述。In the method, device, storage medium and computer equipment for authenticating communication provided by the embodiments of the application, when the target node needs to access the server, the target node is first authenticated, and after the identity authentication is passed, it can be explained that the target node is legal The two parties agree on a multi-level dynamic key, so that the target node can encrypt the target data to be transmitted based on the multi-level dynamic key, and transmit the encrypted target data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data. At the same time, multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data. When the transmitted target data is abnormal, the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, so that network resources can be saved and retransmission efficiency can be improved. Other features and advantages of the present application will be described in the following description, and partly become obvious from the description, or understood by implementing the present application. The purpose and other advantages of this application can be realized and obtained through the structure specified in the written description, claims, and drawings. The technical solutions of the present application will be further described in detail below through the drawings and embodiments.
附图说明Description of the drawings
附图用来提供对本申请的进一步理解,并且构成说明书的一部分,与本申请的实施例一起用于解释本申请,并不构成对本申请的限制。在附图中:The accompanying drawings are used to provide a further understanding of the application, and constitute a part of the specification. Together with the embodiments of the application, they are used to explain the application, and do not constitute a limitation to the application. In the attached picture:
图1为本申请实施例提供的一种认证通信的方法流程示意图;FIG. 1 is a schematic flowchart of a method for authenticating communication according to an embodiment of the application;
图2为本申请实施例提供的一种二叉树形式动态加密过程的示意图;2 is a schematic diagram of a dynamic encryption process in the form of a binary tree provided by an embodiment of the application;
图3为本申请实施例提供的另一种认证通信的方法流程示意图;FIG. 3 is a schematic flowchart of another method for authenticating communication according to an embodiment of the application;
图4为本申请实施例提供的一种二叉树形式动态解密过程的示意图;4 is a schematic diagram of a dynamic decryption process in a binary tree form provided by an embodiment of the application;
图5为本申请实施例提供的一种认证通信的装置的结构示意图;FIG. 5 is a schematic structural diagram of a device for authenticating communication provided by an embodiment of this application;
图6为本申请实施例提供的另一种认证通信的装置的结构示意图;6 is a schematic structural diagram of another device for authenticating communication provided by an embodiment of the application;
图7为本申请实施例提供的一种用于执行认证通信方法的计算机设备的结构示意图。FIG. 7 is a schematic structural diagram of a computer device for executing an authentication communication method provided by an embodiment of the application.
具体实施方式Detailed ways
以下结合附图对本申请的优选实施例进行说明,应当理解,此处所描述的优选实施例仅用于说明和解释本申请,并不用于限定本申请。本申请实施例提供的一种认证通信的方法,参见图1所示,该方法包括:步骤101:对目标节点进行身份认证,在通过身份认证后,确定与目标节点约定的动态加密密钥,动态加密密钥包括多个层级的加密密钥。本申请实施例中,当目标节点需要接入服务器并向服务器发送数据时,目标节点与服务器之间首先进行身份认证的过程,即服务器判断目标节点是否是合法的节点,或者目标节点也可以判断服务器是否是合法的服务器。其中,目标节点具体可以为代理服务器,或其他 服务器,也可以为网络中的其他节点设备。当目标节点需要接入集群网络时,集群的服务器需要首先对该目标节点进行身份验证,验证通过后才允许二者之间进行传输。具体的,可以使用目标节点的自签名或CA(Certification Authority)签名对目标节点进行验证。以CA签名为例,服务器利用CA签名的公钥对CA签名证书上的签字进行验证,验证通过则说明签名有效。在身份认证通过后,二者之间即可设置用于传输数据的动态密钥,以动态密钥管理机制使得密码攻击变得更加困难。具体的,目标节点与服务器之间约定动态加密密钥,使得目标节点通过该动态加密密钥可以对待传输的数据进行加密处理。其中,动态加密密钥包括多个层级的加密密钥,且每个层级还可以包含一个或多个加密密钥,多个多层级的加密密钥实现对数据的多次加密处理,提高安全性。步骤102:确定需要传输的目标数据,根据动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据。步骤103:将加密数据发送至服务器。本申请实施例中,当目标节点需要将待传输的目标数据发送至服务器时,即可根据该动态加密密钥对目标数据进行加密处理,该动态加密密钥为动态管理配置的,通过动态密钥管理机制使得密码攻击变得更加困难,数据通信传输的安全性更高。同时,动态加密密钥为多层级的加密密钥,在生成加密数据时按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据依次进行加密处理。例如,动态加密密钥为3层级的加密密钥,则首先利用第一层级的加密密钥(即最底层级的加密密钥)对目标数据进行加密处理,生成第一层级的加密结果;之后再利用第二层级的加密密钥对该第一层级的加密结果再次进行加密处理,生成第二层级的加密结果;最后再利用第三层级的加密密钥(即最顶层级的加密密钥)对该第二层级的加密结果进行加密处理,生成第三层级的加密结果,该第三层级的加密结果即为目标数据最后生成的加密数据。可选的,可以将该目标数据分为多个子数据,对于不同的子数据分别使用不同的加密密钥进行加密处理,从而可以进一步增加破解加密数据的难度,进一步提高数据的安全性。本申请实施例提供的一种认证通信的方法,在目标节点需要接入服务器时,首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定多层级的动态密钥,使得目标节点可以将待传输的目标数据基于该动态密钥进行多层级的加密处理,并传输加密后的目标数据,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。The preferred embodiments of the present application will be described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present application, and are not used to limit the present application. An embodiment of the present application provides a method for authenticating communication. As shown in FIG. 1, the method includes: Step 101: Perform identity authentication on a target node, and after passing the identity authentication, determine a dynamic encryption key agreed upon with the target node, The dynamic encryption key includes multiple levels of encryption keys. In the embodiment of this application, when the target node needs to access the server and send data to the server, the identity authentication process between the target node and the server is first performed, that is, the server judges whether the target node is a legitimate node, or the target node can also judge Whether the server is a legitimate server. Among them, the target node may specifically be a proxy server, or other servers, or other node devices in the network. When the target node needs to access the cluster network, the server of the cluster needs to authenticate the target node first, and only allow transmission between the two after passing the verification. Specifically, the target node's self-signature or CA (Certification Authority) signature can be used to verify the target node. Taking CA signature as an example, the server uses the public key signed by the CA to verify the signature on the CA signature certificate. If the verification is passed, the signature is valid. After the identity authentication is passed, a dynamic key for data transmission can be set between the two, and the dynamic key management mechanism makes password attacks more difficult. Specifically, a dynamic encryption key is agreed between the target node and the server, so that the target node can perform encryption processing on the data to be transmitted through the dynamic encryption key. Among them, the dynamic encryption key includes multiple levels of encryption keys, and each level can also contain one or more encryption keys, and multiple multiple levels of encryption keys can implement multiple encryption processing of data to improve security . Step 102: Determine the target data to be transmitted. According to the encryption keys of all levels of the dynamic encryption key, the target data is encrypted for multiple times in sequence from the encryption key of the lowest level to the encryption key of the top level. , And generate the final encrypted data after the end of the encryption process. Step 103: Send the encrypted data to the server. In the embodiment of this application, when the target node needs to send the target data to be transmitted to the server, the target data can be encrypted according to the dynamic encryption key. The dynamic encryption key is configured for dynamic management and is configured by dynamic encryption. The key management mechanism makes password attacks more difficult, and data communication transmission is more secure. At the same time, the dynamic encryption key is a multi-level encryption key. When generating encrypted data, the target data is sequentially encrypted in the order from the encryption key at the bottom level to the encryption key at the top level. For example, if the dynamic encryption key is a three-level encryption key, first use the first-level encryption key (that is, the lowest-level encryption key) to encrypt the target data to generate the first-level encryption result; Then use the second-level encryption key to encrypt the first-level encryption result again to generate the second-level encryption result; finally use the third-level encryption key (that is, the top-level encryption key) Encryption processing is performed on the encryption result of the second level to generate the encryption result of the third level, and the encryption result of the third level is the last encrypted data generated by the target data. Optionally, the target data can be divided into multiple sub-data, and different encryption keys are used for encryption processing for different sub-data, so that the difficulty of cracking the encrypted data can be further increased, and the security of the data can be further improved. The embodiment of the application provides a method for authenticating communication. When the target node needs to access the server, the target node is first authenticated. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on multiple levels The dynamic key enables the target node to perform multi-level encryption processing on the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure.
本申请另一实施例提供一种认证通信的方法,该方法包括上述实施例中的步骤101-103,其实现原理以及技术效果参见图1对应的实施例。同时,本申请实施例中,动态加密密钥为二叉树形式的加密密钥集合,动态加密密钥包括:m个叶子加密密钥
Figure PCTCN2019103531-appb-000001
n个节点加密密钥
Figure PCTCN2019103531-appb-000002
和1个根加密密钥
Figure PCTCN2019103531-appb-000003
其中,
Figure PCTCN2019103531-appb-000004
表示第a层级的第b个加密密钥,L为动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
Figure PCTCN2019103531-appb-000005
n u表示第u层级的节点加密密钥的数量,j u∈[1,n u]。具体的,参见图2所示,动态加密密钥为多层的二叉树形式结构,共L层,其最底层为叶子加密密钥(即最底层级的加密密钥),图2中以动态加密密钥是4层予以说明,该动态加密密钥共6个叶子加密密钥(即m=6),3个位于第2层级的节点加密密钥(即n 2=3),2个位于第3层级的节点加密密钥(即n 3=2)以及 1个根加密密钥(即最顶层级的加密密钥)。该动态加密密钥共3+2=5个节点加密密钥(即n=5)。同时,本申请实施例中,
Figure PCTCN2019103531-appb-000006
的的上标a表示层级数,下标b表示加密密钥的顺位,即
Figure PCTCN2019103531-appb-000007
表示第a层级的第b个加密密钥,图2中以“加密密钥ab”的形式表示,即图2中的叶子加密密钥11表示叶子加密密钥
Figure PCTCN2019103531-appb-000008
叶子加密密钥12表示叶子加密密钥
Figure PCTCN2019103531-appb-000009
节点加密密钥21表示节点加密密钥
Figure PCTCN2019103531-appb-000010
根加密密钥41表示根加密密钥
Figure PCTCN2019103531-appb-000011
(即L=4),以此类推。具体的,步骤102“对目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据”包括:步骤A1:对目标数据进行分段处理,确定分段后的m个目标子数据
Figure PCTCN2019103531-appb-000012
i∈[1,m];其中,
Figure PCTCN2019103531-appb-000013
表示进行过a次加密处理后的第b个加密子数据。本申请实施例中,通过将目标数据分为m个目标子数据
Figure PCTCN2019103531-appb-000014
的方式,可以对不同的目标子数据进行不同的加密处理过程,即用不同的加密密钥对不同的目标子数据进行加密。其中,可以基于动态加密密钥的叶子加密密钥的数量来确定目标子数据的数量,即二者均是m;或者,目标子数据的数量少于动态加密密钥中叶子加密密钥的数量,即动态加密密钥中除了包括m个叶子加密密钥之外,还可以包括其他未被使用的叶子加密密钥。具体的,参见图2所示,图2中以6个目标子数据为例,图中的“目标子数据ab”表示进行过a次加密处理后的第b个加密子数据,即目标子数据01表示的是目标子数据
Figure PCTCN2019103531-appb-000015
目标子数据02表示的是目标子数据
Figure PCTCN2019103531-appb-000016
以此类推。同时,由于目标子数据还未进行过加密处理,即a=0,目标子数据也是经过0次加密处理的加密子数据,即未加密的数据。步骤A2:根据第一层级的叶子加密密钥
Figure PCTCN2019103531-appb-000017
分别对相应的目标子数据
Figure PCTCN2019103531-appb-000018
进行加密处理,确定相应的叶子加密子数据
Figure PCTCN2019103531-appb-000019
确定对应相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000020
的两个叶子加密密钥
Figure PCTCN2019103531-appb-000021
Figure PCTCN2019103531-appb-000022
j 2∈[1,n 2];将两个叶子加密密钥
Figure PCTCN2019103531-appb-000023
Figure PCTCN2019103531-appb-000024
所对应的叶子加密子数据
Figure PCTCN2019103531-appb-000025
Figure PCTCN2019103531-appb-000026
作为一组,根据节点加密密钥
Figure PCTCN2019103531-appb-000027
对一组的叶子加密子数据
Figure PCTCN2019103531-appb-000028
Figure PCTCN2019103531-appb-000029
再次进行加密处理,确定与节点加密密钥
Figure PCTCN2019103531-appb-000030
对应的节点加密子数据
Figure PCTCN2019103531-appb-000031
若在当前层级中不存在与叶子加密子数据
Figure PCTCN2019103531-appb-000032
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000033
的其他叶子加密子数据,则直接根据节点加密密钥
Figure PCTCN2019103531-appb-000034
对叶子加密子数据
Figure PCTCN2019103531-appb-000035
进行加密处理。本申请实施例中,目标子数据由叶子加密密钥进行加密。具体的,如图2所示,叶子加密密钥
Figure PCTCN2019103531-appb-000036
分别对相应的目标子数据
Figure PCTCN2019103531-appb-000037
进行加密处理,进而生成加密后的加密子数据
Figure PCTCN2019103531-appb-000038
同样的,图2中的“加密子数据ab”指的是进行过a次加密处理后的第b个加密子数据,即加密子数据11为进行过1次加密处理后的第一个加密子数据,即叶子加密子数据
Figure PCTCN2019103531-appb-000039
加密子数据12表示叶子加密子数据
Figure PCTCN2019103531-appb-000040
以此类推。同时,由于本申请实施例中的动态加密密钥为二叉树形式,故两个加密密钥可能对应上一级相同的加密密钥,即两个叶子加密密钥
Figure PCTCN2019103531-appb-000041
Figure PCTCN2019103531-appb-000042
可能对应同一个上一级的节点加密密钥
Figure PCTCN2019103531-appb-000043
如图2所示,叶子加密密钥11和叶子加密密钥12均对应同一个节点加密密钥21,叶子加密密钥 13和叶子加密密钥14均对应同一个节点加密密钥22等;同样的,节点加密密钥21和节点加密密钥22也对应同一个上一级的节点加密密钥31。本申请实施例中,在通过第一层的叶子加密密钥对目标子数据进行加密之后,之后继续通过第二层的节点加密密钥进行下一次的加密。具体的,将具有相同上一级节点加密密钥
Figure PCTCN2019103531-appb-000044
的两个叶子加密密钥
Figure PCTCN2019103531-appb-000045
Figure PCTCN2019103531-appb-000046
所对应的叶子加密子数据
Figure PCTCN2019103531-appb-000047
Figure PCTCN2019103531-appb-000048
作为一组,利用该节点加密密钥
Figure PCTCN2019103531-appb-000049
对叶子加密子数据
Figure PCTCN2019103531-appb-000050
Figure PCTCN2019103531-appb-000051
进行加密处理,从而实现对目标子数据的第二次加密处理。具体的,参见图2所示,将叶子加密密钥11和叶子加密密钥12加密生成的加密子数据11和加密子数据12作为一组,具体可以将加密子数据11和加密子数据12串接为一个整体,形成一个加密子数据,之后利用节点加密密钥21再次进行加密处理,从而生成经过两次加密后的加密子数据21,即节点加密子数据
Figure PCTCN2019103531-appb-000052
同样的,加密子数据13和加密子数据14经节点加密密钥22进行加密处理后生成加密子数据22,即节点加密子数据
Figure PCTCN2019103531-appb-000053
同时,若当前层级中不存在与叶子加密子数据
Figure PCTCN2019103531-appb-000054
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000055
的其他叶子加密子数据,则说明不存在其他的叶子加密子数据可以与该叶子加密子数据
Figure PCTCN2019103531-appb-000056
组成一组进行后续的再次加密处理过程,此时可以将该叶子加密子数据
Figure PCTCN2019103531-appb-000057
单独作为一组,即直接根据节点加密密钥
Figure PCTCN2019103531-appb-000058
对叶子加密子数据
Figure PCTCN2019103531-appb-000059
进行加密处理。如图2所示,若不存在目标子数据06和叶子加密密钥16,即不存在加密子数据16,则加密子数据15单独作为一组数据,直接由下一级的节点加密密钥23对该加密子数据15进行再次加密处理。步骤A3:确定与节点加密子数据
Figure PCTCN2019103531-appb-000060
对应相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000061
的相邻的节点加密子数据
Figure PCTCN2019103531-appb-000062
以及与节点加密密钥
Figure PCTCN2019103531-appb-000063
对应的节点加密子数据
Figure PCTCN2019103531-appb-000064
其中,j` 2=j 2+1或j` 2=j 2-1;根据下一层级的节点加密密钥
Figure PCTCN2019103531-appb-000065
对一组的节点加密子数据
Figure PCTCN2019103531-appb-000066
Figure PCTCN2019103531-appb-000067
再次进行加密处理,确定与节点加密密钥
Figure PCTCN2019103531-appb-000068
对应的节点加密子数据
Figure PCTCN2019103531-appb-000069
若当前层级中不存在与节点加密子数据
Figure PCTCN2019103531-appb-000070
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000071
的其他节点加密子数据,则直接根据节点加密密钥
Figure PCTCN2019103531-appb-000072
对节点加密子数据
Figure PCTCN2019103531-appb-000073
再次进行加密处理。 Another embodiment of the present application provides a method for authenticating communication. The method includes steps 101-103 in the foregoing embodiment. For the implementation principle and technical effect, refer to the embodiment corresponding to FIG. 1. Meanwhile, in this embodiment of the application, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys
Figure PCTCN2019103531-appb-000001
n node encryption keys
Figure PCTCN2019103531-appb-000002
And 1 root encryption key
Figure PCTCN2019103531-appb-000003
among them,
Figure PCTCN2019103531-appb-000004
Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i∈[1,m]; u represents the number of the node encryption key, and
Figure PCTCN2019103531-appb-000005
n u represents the number of node encryption keys at the u-th level, j u ∈ [1, n u ]. Specifically, as shown in Figure 2, the dynamic encryption key is a multi-layer binary tree structure, with a total of L layers. The bottom layer is the leaf encryption key (that is, the encryption key of the lowest level). The key is explained at 4 levels. The dynamic encryption key has 6 leaf encryption keys (ie m = 6), 3 node encryption keys at the second level (ie n 2 = 3), and 2 at the first level. A 3-level node encryption key (ie, n 3 = 2) and a root encryption key (ie, the top-level encryption key). The dynamic encryption key has a total of 3+2=5 node encryption keys (that is, n=5). Meanwhile, in the embodiments of this application,
Figure PCTCN2019103531-appb-000006
The superscript a represents the number of levels, and the subscript b represents the order of the encryption key, namely
Figure PCTCN2019103531-appb-000007
Represents the b-th encryption key of the a-th level, in the form of "encryption key ab" in Figure 2, that is, the leaf encryption key 11 in Figure 2 represents the leaf encryption key
Figure PCTCN2019103531-appb-000008
Leaf encryption key 12 represents the leaf encryption key
Figure PCTCN2019103531-appb-000009
Node encryption key 21 represents the node encryption key
Figure PCTCN2019103531-appb-000010
Root encryption key 41 represents the root encryption key
Figure PCTCN2019103531-appb-000011
(Ie L=4), and so on. Specifically, step 102 "encrypting the target data multiple times in sequence, and generating the final encrypted data after the end of the encryption process" includes: Step A1: segmenting the target data, and determining the segmented m targets Subdata
Figure PCTCN2019103531-appb-000012
i∈[1,m]; where,
Figure PCTCN2019103531-appb-000013
Represents the b-th encrypted sub-data after the a-time encryption process. In the embodiment of the present application, the target data is divided into m target sub-data
Figure PCTCN2019103531-appb-000014
In this way, different target sub-data can be encrypted with different processes, that is, different target sub-data can be encrypted with different encryption keys. Among them, the number of target sub-data can be determined based on the number of leaf encryption keys of the dynamic encryption key, that is, both are m; or, the number of target sub-data is less than the number of leaf encryption keys in the dynamic encryption key That is, in addition to the m leaf encryption keys, the dynamic encryption key may also include other unused leaf encryption keys. Specifically, refer to Figure 2. In Figure 2, 6 target sub-data are taken as an example. The "target sub-data ab" in the figure represents the b-th encrypted sub-data after a-time encryption processing, namely the target sub-data 01 represents the target sub-data
Figure PCTCN2019103531-appb-000015
The target sub-data 02 represents the target sub-data
Figure PCTCN2019103531-appb-000016
And so on. At the same time, since the target sub-data has not undergone encryption processing, that is, a=0, the target sub-data is also encrypted sub-data that has undergone 0 encryption processing, that is, unencrypted data. Step A2: According to the leaf encryption key of the first level
Figure PCTCN2019103531-appb-000017
Target sub-data
Figure PCTCN2019103531-appb-000018
Perform encryption processing to determine the corresponding leaf encrypted sub-data
Figure PCTCN2019103531-appb-000019
Determine the encryption key corresponding to the same next level node
Figure PCTCN2019103531-appb-000020
Two leaf encryption keys
Figure PCTCN2019103531-appb-000021
with
Figure PCTCN2019103531-appb-000022
j 2 ∈[1,n 2 ]; encrypt the two leaf keys
Figure PCTCN2019103531-appb-000023
with
Figure PCTCN2019103531-appb-000024
Corresponding leaf encrypted sub-data
Figure PCTCN2019103531-appb-000025
with
Figure PCTCN2019103531-appb-000026
As a group, according to the node encryption key
Figure PCTCN2019103531-appb-000027
Encrypt sub-data of a group of leaves
Figure PCTCN2019103531-appb-000028
with
Figure PCTCN2019103531-appb-000029
Perform encryption again to determine the encryption key with the node
Figure PCTCN2019103531-appb-000030
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000031
If there is no sub-data encrypted with the leaf in the current level
Figure PCTCN2019103531-appb-000032
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000033
The other leaves of the encryption sub-data are directly based on the node encryption key
Figure PCTCN2019103531-appb-000034
Encrypt the sub-data of the leaf
Figure PCTCN2019103531-appb-000035
Perform encryption processing. In the embodiment of this application, the target sub-data is encrypted by the leaf encryption key. Specifically, as shown in Figure 2, the leaf encryption key
Figure PCTCN2019103531-appb-000036
Target sub-data
Figure PCTCN2019103531-appb-000037
Perform encryption processing to generate encrypted encrypted sub-data
Figure PCTCN2019103531-appb-000038
Similarly, the "encrypted sub-data ab" in Figure 2 refers to the b-th encrypted sub-data after a-time encryption processing, that is, the encrypted sub-data 11 is the first encrypted sub-data after one encryption processing. Data, namely leaf encrypted sub-data
Figure PCTCN2019103531-appb-000039
Encrypted sub-data 12 represents leaf encrypted sub-data
Figure PCTCN2019103531-appb-000040
And so on. At the same time, since the dynamic encryption key in the embodiment of the application is in the form of a binary tree, the two encryption keys may correspond to the same encryption key at the upper level, that is, two leaf encryption keys
Figure PCTCN2019103531-appb-000041
with
Figure PCTCN2019103531-appb-000042
May correspond to the same upper-level node encryption key
Figure PCTCN2019103531-appb-000043
As shown in Figure 2, the leaf encryption key 11 and the leaf encryption key 12 both correspond to the same node encryption key 21, the leaf encryption key 13 and the leaf encryption key 14 both correspond to the same node encryption key 22, etc.; Yes, the node encryption key 21 and the node encryption key 22 also correspond to the same upper-level node encryption key 31. In the embodiment of the present application, after the target sub-data is encrypted by the leaf encryption key of the first layer, the next encryption is continued by the node encryption key of the second layer. Specifically, it will have the same upper-level node encryption key
Figure PCTCN2019103531-appb-000044
Two leaf encryption keys
Figure PCTCN2019103531-appb-000045
with
Figure PCTCN2019103531-appb-000046
Corresponding leaf encrypted sub-data
Figure PCTCN2019103531-appb-000047
with
Figure PCTCN2019103531-appb-000048
As a group, use the node encryption key
Figure PCTCN2019103531-appb-000049
Encrypt the sub-data of the leaf
Figure PCTCN2019103531-appb-000050
with
Figure PCTCN2019103531-appb-000051
Encryption processing is performed to implement the second encryption processing for the target sub-data. Specifically, referring to FIG. 2, the encrypted sub-data 11 and the encrypted sub-data 12 generated by encrypting the leaf encryption key 11 and the leaf encryption key 12 are used as a set. Specifically, the encrypted sub-data 11 and the encrypted sub-data 12 can be string Connect as a whole to form an encrypted sub-data, and then use the node encryption key 21 to perform the encryption process again, thereby generating encrypted sub-data 21 after twice encryption, that is, the node encrypted sub-data
Figure PCTCN2019103531-appb-000052
Similarly, encrypted sub-data 13 and encrypted sub-data 14 are encrypted by node encryption key 22 to generate encrypted sub-data 22, namely node encrypted sub-data
Figure PCTCN2019103531-appb-000053
At the same time, if there is no sub-data encrypted with the leaf in the current level
Figure PCTCN2019103531-appb-000054
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000055
Other leaf encrypted sub-data, it means that there is no other leaf encrypted sub-data that can be encrypted with this leaf
Figure PCTCN2019103531-appb-000056
Form a group for the subsequent re-encryption process, at this time the leaf can be encrypted sub-data
Figure PCTCN2019103531-appb-000057
As a group alone, that is, directly based on the node encryption key
Figure PCTCN2019103531-appb-000058
Encrypt the sub-data of the leaf
Figure PCTCN2019103531-appb-000059
Perform encryption processing. As shown in Figure 2, if the target sub-data 06 and the leaf encryption key 16 do not exist, that is, the encrypted sub-data 16 does not exist, the encrypted sub-data 15 is used as a set of data alone, and the next-level node encryption key 23 is directly used This encrypted sub-data 15 is encrypted again. Step A3: Determine the sub-data encrypted with the node
Figure PCTCN2019103531-appb-000060
Corresponding to the same next-level node encryption key
Figure PCTCN2019103531-appb-000061
Encrypted child data of neighboring nodes
Figure PCTCN2019103531-appb-000062
And the node encryption key
Figure PCTCN2019103531-appb-000063
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000064
Among them, j` 2 =j 2 +1 or j` 2 =j 2 -1; according to the node encryption key of the next level
Figure PCTCN2019103531-appb-000065
Encrypt child data for a group of nodes
Figure PCTCN2019103531-appb-000066
with
Figure PCTCN2019103531-appb-000067
Perform encryption again to determine the encryption key with the node
Figure PCTCN2019103531-appb-000068
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000069
If there is no sub-data encrypted with the node in the current level
Figure PCTCN2019103531-appb-000070
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000071
Other nodes encrypt sub-data, directly according to the node encryption key
Figure PCTCN2019103531-appb-000072
Encrypt child data of node
Figure PCTCN2019103531-appb-000073
Perform encryption again.
本申请实施例中,在根据第二层级的节点加密密钥进行加密处理、进而确定节点加密子数据
Figure PCTCN2019103531-appb-000074
之后,与上述步骤A2类似,继续将节点加密子数据
Figure PCTCN2019103531-appb-000075
两两一组进行下一次的加密处理。具体的,将相邻的两个节点加密子数据
Figure PCTCN2019103531-appb-000076
Figure PCTCN2019103531-appb-000077
作为一组;其中,j` 2=j 2+1或j` 2=j 2-1,具体根据实际情况而定。在确定成组的两个节点加密子数据
Figure PCTCN2019103531-appb-000078
Figure PCTCN2019103531-appb-000079
后,即可基于相对应的下一层级的节点加密密钥
Figure PCTCN2019103531-appb-000080
进行加密处理,从而可以确定节点加密子数据
Figure PCTCN2019103531-appb-000081
具体的,参见图2所示,对于加密子数据22,其具有相邻的加密子数据21和加密子数据23,但是只有加密子数据21与该加密子数据22对应相同的下一层级的节点加密密钥,即节点加密密钥31;故,此时将加密子数据21和加密子数据22作为一组,基于 节点加密密钥31进行第三次加密处理,生成加密子数据31。同样的,与步骤A2中类似,若在当前层级中不存在与节点加密子数据
Figure PCTCN2019103531-appb-000082
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000083
的其他节点加密子数据,则直接根据节点加密密钥
Figure PCTCN2019103531-appb-000084
对节点加密子数据
Figure PCTCN2019103531-appb-000085
再次进行加密处理。参见图2所示,不存在与加密子数据23成为一组的其他加密子数据,故直接根据节点加密密钥32对该加密子数据23进行加密处理,生成加密子数据32。步骤A4:重复上述再次加密处理的过程,直至所确定的上一级的节点加密密钥为根加密密钥
Figure PCTCN2019103531-appb-000086
为止,并将根据根加密密钥
Figure PCTCN2019103531-appb-000087
进行加密处理后所确定的数据
Figure PCTCN2019103531-appb-000088
作为最终的加密数据。本申请实施例中,通过重复上述将两个加密子数据合为一组进行加密的处理过程,直至加密处理过程到达动态加密密钥的最上层级,即应该需要通过根加密密钥
Figure PCTCN2019103531-appb-000089
进行最后一次的加密处理,此时,将根据根加密密钥
Figure PCTCN2019103531-appb-000090
进行加密处理后所确定的数据
Figure PCTCN2019103531-appb-000091
作为最终的加密数据。如图2所示,根加密密钥41对加密子数据31和加密子数据32进行第四次加密处理,生成最终的加密子数据41,该加密子数据41即为目标数据最终加密后的加密数据。本申请实施例中,对目标数据进行分段处理,分别对每一段的目标子数据进行加密,可以提高数据的安全性。同时,采用二叉树形式的动态加密密钥,可以将相邻的两个子数据作为一组进行再次加密,直至利用根加密密钥完成最后一层的加密处理;通过二叉树形式的动态加密密钥对子数据进行多层加密,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。 In the embodiment of the present application, the encryption process is performed according to the second-level node encryption key, and then the node encryption sub-data is determined
Figure PCTCN2019103531-appb-000074
After that, similar to the above step A2, continue to encrypt the node data
Figure PCTCN2019103531-appb-000075
Perform the next encryption process in pairs. Specifically, encrypt the sub-data of two adjacent nodes
Figure PCTCN2019103531-appb-000076
with
Figure PCTCN2019103531-appb-000077
As a group; among them, j` 2 =j 2 +1 or j` 2 =j 2 -1, depending on the actual situation. Encrypt the sub-data at the two nodes that determine the group
Figure PCTCN2019103531-appb-000078
with
Figure PCTCN2019103531-appb-000079
Then, it can be based on the corresponding next-level node encryption key
Figure PCTCN2019103531-appb-000080
Encryption processing, which can determine the node encrypted sub-data
Figure PCTCN2019103531-appb-000081
Specifically, referring to FIG. 2, for the encrypted sub-data 22, it has adjacent encrypted sub-data 21 and encrypted sub-data 23, but only the encrypted sub-data 21 and the encrypted sub-data 22 correspond to the same next-level node The encryption key is the node encryption key 31; therefore, at this time, the encrypted sub-data 21 and the encrypted sub-data 22 are used as a set, and the third encryption process is performed based on the node encryption key 31 to generate the encrypted sub-data 31. Similarly, similar to step A2, if there is no subdata encrypted with the node in the current level
Figure PCTCN2019103531-appb-000082
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000083
Other nodes encrypt sub-data, directly according to the node encryption key
Figure PCTCN2019103531-appb-000084
Encrypt child data of node
Figure PCTCN2019103531-appb-000085
Perform encryption again. As shown in FIG. 2, there is no other encrypted sub-data that forms a group with the encrypted sub-data 23, so the encrypted sub-data 23 is directly encrypted according to the node encryption key 32 to generate the encrypted sub-data 32. Step A4: Repeat the above re-encryption process until the determined node encryption key at the upper level is the root encryption key
Figure PCTCN2019103531-appb-000086
So far and will be based on the root encryption key
Figure PCTCN2019103531-appb-000087
Data determined after encryption
Figure PCTCN2019103531-appb-000088
As the final encrypted data. In the embodiment of this application, the process of combining two encrypted sub-data into a group for encryption is repeated until the encryption process reaches the top level of the dynamic encryption key, that is, the root encryption key should be passed
Figure PCTCN2019103531-appb-000089
Perform the last encryption process. At this time, it will be based on the root encryption key
Figure PCTCN2019103531-appb-000090
Data determined after encryption
Figure PCTCN2019103531-appb-000091
As the final encrypted data. As shown in Figure 2, the root encryption key 41 performs the fourth encryption process on the encrypted sub-data 31 and the encrypted sub-data 32 to generate the final encrypted sub-data 41, which is the final encrypted target data. data. In the embodiment of the present application, the target data is segmented, and the target sub-data of each segment is respectively encrypted, which can improve data security. At the same time, using a dynamic encryption key in the form of a binary tree, two adjacent sub-data can be re-encrypted as a group until the final layer of encryption is completed with the root encryption key; the dynamic encryption key in the form of a binary tree Multi-layer encryption of the data can improve the security of each target sub-data and greatly improve the overall security of the data.
在上述实施例的基础上,该方法还包括:步骤B1:在执行加密处理过程生成相应的加密子数据的同时,确定加密子数据的校验信息,并将所有的校验信息按照与动态加密密钥相同的二叉树形式生成总校验信息。步骤B2:将总校验信息发送至服务器。本申请实施例中,在生成加密子数据(包括叶子加密子数据和节点加密子数据)的同时,还确定该加密子数据的校验信息。同时,如图2所示,由于加密子数据可以由二叉树形式表示,故所有的校验信息也可以以二叉树形式来表示,即可以生成与动态加密密钥相同的二叉树形式的总校验信息,之后可以再将该总校验信息发送至服务器侧,使得服务器通过该总校验信息可以对接收到的目标数据进行校验,以确定数据的完整性。具体的,可以将加密子数据的hash值作为校验信息,校验信息也可以校验码、校验字段、数字签名等。本申请实施例提供的一种认证通信的方法,在目标节点需要接入服务器时,首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定多层级的动态密钥,使得目标节点可以将待传输的目标数据基于该动态密钥进行多层级的加密处理,并传输加密后的目标数据,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。对目标数据进行分段处理,分别对每一段的目标子数据进行加密,可以提高数据的安全性。同时,通过二叉树形式的动态加密密钥对子数据进行多层加密,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。将该总校验信息发送至服务器侧,使得服务器通过该总校验信息可以对接收到的目标数据进行校验,方便服务器确定目标数据的完整性。On the basis of the foregoing embodiment, the method further includes: Step B1: While performing the encryption process to generate the corresponding encrypted sub-data, determine the verification information of the encrypted sub-data, and encrypt all the verification information according to the dynamic encryption The binary tree form with the same key generates total verification information. Step B2: Send the total verification information to the server. In the embodiment of the present application, while generating encrypted sub-data (including leaf encrypted sub-data and node encrypted sub-data), the verification information of the encrypted sub-data is also determined. At the same time, as shown in Figure 2, since the encrypted sub-data can be represented in the form of a binary tree, all verification information can also be represented in the form of a binary tree, that is, the total verification information in the form of a binary tree that is the same as the dynamic encryption key can be generated. Afterwards, the total verification information can be sent to the server side, so that the server can verify the received target data through the total verification information to determine the integrity of the data. Specifically, the hash value of the encrypted sub-data can be used as the verification information, and the verification information can also be a verification code, a verification field, a digital signature, and the like. The embodiment of the application provides a method for authenticating communication. When the target node needs to access the server, the target node is first authenticated. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on multiple levels The dynamic key enables the target node to perform multi-level encryption processing on the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data. At the same time, multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data. The total verification information is sent to the server side, so that the server can verify the received target data through the total verification information, so that the server can determine the integrity of the target data.
基于同样的发明构思,本申请另一实施例还提供一种认证通信的方法,该方法应用于服务器侧,参见图3所示,该方法包括:步骤301:对目标节点进行身份认证,在认证通过后与目标节点约定动态加密密钥,并生成相应的动态解密密钥;动态加密密钥包括多个层级的加密密钥,动态解密密钥包括多个 层级的解密密钥。本申请实施例中,当目标节点需要接入服务器并向服务器发送数据时,目标节点与服务器之间首先进行身份认证的过程,即服务器判断目标节点是否是合法的节点,或者目标节点也可以判断服务器是否是合法的服务器。集群的服务器需要首先对该目标节点进行身份验证,验证通过后才允许二者之间进行传输。具体的,可以使用目标节点的自签名或CA(Certification Authority)签名对目标节点进行验证。以CA签名为例,服务器利用CA签名的公钥对CA签名证书上的签字进行验证,验证通过则说明签名有效。在身份认证通过后,二者之间即可设置用于传输数据的动态密钥,以动态密钥管理机制使得密码攻击变得更加困难。具体的,目标节点与服务器之间约定多层级的动态加密密钥;且服务器作为数据的接收方,保存与该动态加密密钥相对应的多层级的动态解密密钥。当服务器接收到目标节点通过该动态加密密钥进行加密处理后的加密数据时,服务器可以基于该动态解密密钥进行解密处理,获得相应的明文数据,即目标数据。步骤302:获取目标节点发送的加密数据,加密数据为基于多层级的动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据。步骤303:根据与动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。Based on the same inventive concept, another embodiment of the present application also provides a method for authenticating communication. The method is applied to the server side. As shown in FIG. 3, the method includes: Step 301: Perform identity authentication on the target node. After passing, the dynamic encryption key is agreed with the target node, and the corresponding dynamic decryption key is generated; the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys. In the embodiment of this application, when the target node needs to access the server and send data to the server, the identity authentication process between the target node and the server is first performed, that is, the server judges whether the target node is a legitimate node, or the target node can also judge Whether the server is a legitimate server. The server of the cluster needs to authenticate the target node first, and only allow transmission between the two after passing the authentication. Specifically, the target node's self-signature or CA (Certification Authority) signature can be used to verify the target node. Taking CA signature as an example, the server uses the public key signed by the CA to verify the signature on the CA signature certificate. If the verification is passed, the signature is valid. After the identity authentication is passed, a dynamic key for data transmission can be set between the two, and the dynamic key management mechanism makes password attacks more difficult. Specifically, a multi-level dynamic encryption key is agreed between the target node and the server; and the server, as the data receiver, saves the multi-level dynamic decryption key corresponding to the dynamic encryption key. When the server receives the encrypted data encrypted by the target node through the dynamic encryption key, the server may perform decryption processing based on the dynamic decryption key to obtain corresponding plaintext data, that is, target data. Step 302: Obtain the encrypted data sent by the target node. The encrypted data is based on a multi-level dynamic encryption key. The target data is encrypted for multiple times in the order from the encryption key of the lowest level to the encryption key of the top level. The data determined afterwards. Step 303: According to the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key, the encrypted data is decrypted multiple times in sequence from the decryption key of the top level to the decryption key of the bottom level. Process until the target data obtained after the end of the decryption process is determined.
本申请实施例中,在获取到目标节点发送的加密数据后,服务器即可基于该动态解密密钥进行解密处理,从而确定解密后的目标数据。其中,该动态解密密钥与动态加密密钥是一一对应的,通过动态密钥管理机制使得密码攻击变得更加困难,数据通信传输的安全性更高。同时,动态加密密钥为多层级的加密密钥,在生成加密数据时按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据依次进行加密处理。相应的,在需要对加密数据进行解密时,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对加密数据依次进行多次解密处理,从而生成解密后的目标数据。例如,动态加密密钥为3层级的加密密钥,相应的动态解密密钥也为3层的解密密钥。当需要对加密数据进行解密时,则首先利用第三层级的解密密钥(即最顶层级的解密密钥)对该加密数据进行解密处理,生成第一解密结果(对应上述的第二层级的加密结果);之后再利用第二层级的解密密钥对该第一解密结果再次进行解密处理,生成第二解密结果(对应上述的第一层级的加密结果);最后再利用第一层级的解密密钥(即最底层级的解密密钥)对该第二解密结果进行解密处理,生成第三解密结果,该第三解密结果即为加密数据解密后确定的目标数据。本申请实施例提供的一种认证通信的方法,在目标节点需要接入服务器时,服务器首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定动态密钥,使得目标节点可以将待传输的目标数据基于该动态密钥进行加密处理,并传输加密后的目标数据;服务器基于相应的动态解密密钥可以正确地进行解密,确定解密后的目标数据,实现数据的安全传输,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。需要说明的是,本申请实施例中的“目标节点”为发送数据的一侧,“服务器”为接收数据的一侧。本领域技术人员可以理解,目标节点也可以执行步骤301-303的过程,也可以执行步骤101-103的过程,即服务器也可以向目标节点发送加密数据,且该加密数据是通过动态加密机制进行加密的。在上述实施例的基础上,动态加密密钥为二叉树形式的加密密钥集合,动态加密密钥包括:m个叶子加密密钥
Figure PCTCN2019103531-appb-000092
n个节点加密密钥
Figure PCTCN2019103531-appb-000093
和1个根加密密钥
Figure PCTCN2019103531-appb-000094
其中,
Figure PCTCN2019103531-appb-000095
表示第a层级的第b个加密密钥,L为动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
Figure PCTCN2019103531-appb-000096
n u表示第u层级的节点加密密钥的数量,j u∈[1,n u]。动态加密密钥的一种形式参见图2所示。动态解密密钥为与动态加密密钥具有相同的二叉树形式的解密密钥集合,且动态解密密钥包括:m个叶子解密密钥
Figure PCTCN2019103531-appb-000097
n个节点解密密钥
Figure PCTCN2019103531-appb-000098
和1个根解密密钥
Figure PCTCN2019103531-appb-000099
其中,
Figure PCTCN2019103531-appb-000100
表示第a层级的第b个解密密钥,叶子加密密钥与叶子解密密钥、节点加密密钥与节点解密密钥、根加密密钥与根解密密钥之间均是一一对应的关系。其中,动态解密密钥的一种形式参见图4所示。同时,动态解密密钥为多层的二叉树形式结构,与动态加密密钥相同,动态解密密钥也共L层,其最上层为根解密密钥(即最顶层级的解密密钥),最底层为叶子解密密钥(即最底层级的解密密钥),图2中以动态解密密钥是4层予以说明,该动态解密密钥共6个叶子解密密钥(即m=6),3个位于第2层级的节点解密密钥(即n 2=3),2个位于第3层级的节点解密密钥(即n 3=2)以及1个根解密密钥。该动态解密密钥共3+2=5个节点解密密钥(即n=5)。同时,本申请实施例中
Figure PCTCN2019103531-appb-000101
的上标a表示层级数,下标b表示解密密钥的顺位,即
Figure PCTCN2019103531-appb-000102
表示第a层级的第b个解密密钥,图4中以“解密密钥ab”的形式表示,即图4中的叶子解密密钥11表示叶子解密密钥
Figure PCTCN2019103531-appb-000103
叶子解密密钥12表示叶子解密密钥
Figure PCTCN2019103531-appb-000104
节点解密密钥21表示节点解密密钥
Figure PCTCN2019103531-appb-000105
根解密密钥41表示根解密密钥
Figure PCTCN2019103531-appb-000106
(即L=4),以此类推。上述步骤301“对加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据”具体包括:步骤C1:根据根解密密钥
Figure PCTCN2019103531-appb-000107
对加密数据
Figure PCTCN2019103531-appb-000108
进行解密处理,确定下一层级的两个节点加密子数据
Figure PCTCN2019103531-appb-000109
Figure PCTCN2019103531-appb-000110
其中,
Figure PCTCN2019103531-appb-000111
表示进行过L-a次解密处理后的第b个加密子数据;同时确定两个节点加密子数据
Figure PCTCN2019103531-appb-000112
Figure PCTCN2019103531-appb-000113
所对应的两个节点解密密钥
Figure PCTCN2019103531-appb-000114
Figure PCTCN2019103531-appb-000115
本申请实施例中,与基于动态加密密钥对目标数据进行加密的过程相反,本实施例中首先根据根解密密钥对加密数据进行解密处理。如图4所示,由根解密密钥41对加密子数据41(即加密数据)进行解密处理,从而生成下一层级的两个节点加密子数据
Figure PCTCN2019103531-appb-000116
Figure PCTCN2019103531-appb-000117
(即图4中的加密子数据31和加密子数据32),且两个节点加密子数据
Figure PCTCN2019103531-appb-000118
Figure PCTCN2019103531-appb-000119
所对应的两个节点解密密钥
Figure PCTCN2019103531-appb-000120
Figure PCTCN2019103531-appb-000121
(即图4中的节点解密密钥31和32)。步骤C2:根据节点解密密钥
Figure PCTCN2019103531-appb-000122
对相应的节点加密子数据
Figure PCTCN2019103531-appb-000123
进行解密处理,确定下一层级的一个或两个节点加密子数据;根据节点解密密钥
Figure PCTCN2019103531-appb-000124
对相应的节点加密子数据
Figure PCTCN2019103531-appb-000125
进行解密处理,确定下一层级的一个或两个节点加密子数据;并确定下一层级的节点加密子数据对应的下一层级的节点解密密钥,继续根据节点解密密钥对相应的节点加密子数据进行解密处理。本申请实施例中,每当确定一个节点加密子数据(比如
Figure PCTCN2019103531-appb-000126
Figure PCTCN2019103531-appb-000127
)后,即可确定对节点加密子数据进行解密处理,每个节点加密子数据解密后所确定的下一层级的节点加密子数据的个数为一个或两个,具体根据加密数据的具体结构而定。例如,如图4所示,对加密子数据31进行解密处理 后,可以确定下一层的加密子数据21和加密子数据22;而对加密子数据32进行解密处理,只能确定一个加密子数据,即加密子数据23。步骤C3:重复上述解密处理的过程,直至所确定的下一级的节点解密密钥为叶子解密密钥
Figure PCTCN2019103531-appb-000128
并基于叶子解密密钥
Figure PCTCN2019103531-appb-000129
对相应的叶子加密子数据
Figure PCTCN2019103531-appb-000130
进行解密处理,确定m个解密后的目标子数据
Figure PCTCN2019103531-appb-000131
根据所有的目标子数据
Figure PCTCN2019103531-appb-000132
生成最终的目标数据。本申请实施例中,与加密过程类似,在基于二叉树形式的动态解密密钥时,利用分层级的动态解密密钥一层层地对加密数据进行解密,直至基于叶子解密密钥
Figure PCTCN2019103531-appb-000133
进行最后一步解密处理后生成不加密的数据,即目标子数据
Figure PCTCN2019103531-appb-000134
进而可以最终确定目标节点所发送的目标数据。采用与动态加密密钥相同二叉树形式的动态解密密钥对多层加密的加密数据进行解密处理,从而可以分层级地一层层地对加密数据进行解密,直至最终确定目标数据。通过二叉树形式的动态加密密钥和动态解密密钥,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。 In the embodiment of the present application, after obtaining the encrypted data sent by the target node, the server can perform decryption processing based on the dynamic decryption key to determine the decrypted target data. Among them, the dynamic decryption key and the dynamic encryption key have a one-to-one correspondence. The dynamic key management mechanism makes the password attack more difficult, and the security of data communication transmission is higher. At the same time, the dynamic encryption key is a multi-level encryption key. When generating encrypted data, the target data is sequentially encrypted in the order from the encryption key at the bottom level to the encryption key at the top level. Correspondingly, when the encrypted data needs to be decrypted, the encrypted data is decrypted multiple times in the order from the decryption key of the top level to the decryption key of the bottom level, thereby generating the decrypted target data. For example, the dynamic encryption key is a 3-level encryption key, and the corresponding dynamic decryption key is also a 3-level decryption key. When the encrypted data needs to be decrypted, first use the third-level decryption key (that is, the top-level decryption key) to decrypt the encrypted data to generate the first decryption result (corresponding to the above-mentioned second-level decryption key) Encryption result); then use the decryption key of the second level to decrypt the first decryption result again to generate the second decryption result (corresponding to the encryption result of the first level above); finally use the decryption of the first level The key (that is, the decryption key at the lowest level) decrypts the second decryption result to generate a third decryption result, and the third decryption result is the target data determined after the encrypted data is decrypted. The embodiment of the present application provides a method for authenticating communication. When the target node needs to access the server, the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on a dynamic The key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. It should be noted that the "target node" in the embodiment of the present application is the side that sends data, and the "server" is the side that receives the data. Those skilled in the art can understand that the target node can also perform the process of steps 301-303, or the process of steps 101-103, that is, the server can also send encrypted data to the target node, and the encrypted data is performed through a dynamic encryption mechanism Encrypted. On the basis of the foregoing embodiment, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys
Figure PCTCN2019103531-appb-000092
n node encryption keys
Figure PCTCN2019103531-appb-000093
And 1 root encryption key
Figure PCTCN2019103531-appb-000094
among them,
Figure PCTCN2019103531-appb-000095
Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i∈[1,m]; u represents the number of the node encryption key, and
Figure PCTCN2019103531-appb-000096
n u represents the number of node encryption keys at the u-th level, j u ∈ [1, n u ]. See Figure 2 for a form of dynamic encryption key. The dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and the dynamic decryption key includes: m leaf decryption keys
Figure PCTCN2019103531-appb-000097
n node decryption keys
Figure PCTCN2019103531-appb-000098
And 1 root decryption key
Figure PCTCN2019103531-appb-000099
among them,
Figure PCTCN2019103531-appb-000100
Represents the b-th decryption key of the a-th level. There is a one-to-one correspondence between the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, and the root encryption key and the root decryption key. . Among them, one form of the dynamic decryption key is shown in Figure 4. At the same time, the dynamic decryption key has a multi-layered binary tree structure, which is the same as the dynamic encryption key. The dynamic decryption key also has L layers. The top layer is the root decryption key (that is, the top-level decryption key). The bottom layer is the leaf decryption key (that is, the decryption key of the lowest level). In Figure 2, the dynamic decryption key is 4 layers for illustration. The dynamic decryption key has a total of 6 leaf decryption keys (ie m=6), Three node decryption keys at the second level (ie n 2 =3), two node decryption keys at the third level (ie n 3 = 2), and one root decryption key. The dynamic decryption key has a total of 3+2=5 node decryption keys (that is, n=5). At the same time, in the embodiments of this application
Figure PCTCN2019103531-appb-000101
The superscript a represents the number of levels, and the subscript b represents the order of the decryption key, namely
Figure PCTCN2019103531-appb-000102
Represents the b-th decryption key of the a-th level, in the form of "decryption key ab" in Figure 4, that is, the leaf decryption key 11 in Figure 4 represents the leaf decryption key
Figure PCTCN2019103531-appb-000103
Leaf decryption key 12 represents the leaf decryption key
Figure PCTCN2019103531-appb-000104
Node decryption key 21 represents the node decryption key
Figure PCTCN2019103531-appb-000105
Root decryption key 41 represents the root decryption key
Figure PCTCN2019103531-appb-000106
(Ie L=4), and so on. The above step 301 "decrypt the encrypted data multiple times in sequence until the target data obtained after the end of the decryption process is determined" specifically includes: Step C1: According to the root decryption key
Figure PCTCN2019103531-appb-000107
Encrypted data
Figure PCTCN2019103531-appb-000108
Perform decryption processing to determine the encrypted sub-data of the next two nodes
Figure PCTCN2019103531-appb-000109
with
Figure PCTCN2019103531-appb-000110
among them,
Figure PCTCN2019103531-appb-000111
Indicates the b-th encrypted sub-data after La times of decryption processing; at the same time determine the encrypted sub-data of two nodes
Figure PCTCN2019103531-appb-000112
with
Figure PCTCN2019103531-appb-000113
Corresponding two node decryption keys
Figure PCTCN2019103531-appb-000114
with
Figure PCTCN2019103531-appb-000115
In the embodiment of this application, contrary to the process of encrypting the target data based on the dynamic encryption key, in this embodiment, the encrypted data is first decrypted according to the root decryption key. As shown in Figure 4, the encrypted sub-data 41 (ie, encrypted data) is decrypted by the root decryption key 41, thereby generating the next two-node encrypted sub-data
Figure PCTCN2019103531-appb-000116
with
Figure PCTCN2019103531-appb-000117
(Ie, encrypted sub-data 31 and encrypted sub-data 32 in Figure 4), and the two nodes encrypt the sub-data
Figure PCTCN2019103531-appb-000118
with
Figure PCTCN2019103531-appb-000119
Corresponding two node decryption keys
Figure PCTCN2019103531-appb-000120
with
Figure PCTCN2019103531-appb-000121
(Ie node decryption keys 31 and 32 in Figure 4). Step C2: Decrypt the key according to the node
Figure PCTCN2019103531-appb-000122
Encrypt the sub-data of the corresponding node
Figure PCTCN2019103531-appb-000123
Perform decryption processing to determine the next level of one or two nodes to encrypt sub-data; according to the node decryption key
Figure PCTCN2019103531-appb-000124
Encrypt the sub-data of the corresponding node
Figure PCTCN2019103531-appb-000125
Perform decryption processing to determine one or two node encryption sub-data of the next level; determine the next level node decryption key corresponding to the next level node encryption sub-data, and continue to encrypt the corresponding node according to the node decryption key The sub-data is decrypted. In the embodiment of this application, whenever a node is determined to encrypt sub-data (such as
Figure PCTCN2019103531-appb-000126
or
Figure PCTCN2019103531-appb-000127
), it can be determined to decrypt the node encrypted sub-data. After each node encrypted sub-data is decrypted, the number of the next-level node encrypted sub-data determined is one or two, depending on the specific structure of the encrypted data Depends. For example, as shown in Figure 4, after the encrypted sub-data 31 is decrypted, the encrypted sub-data 21 and the encrypted sub-data 22 of the next layer can be determined; while the encrypted sub-data 32 can be decrypted, only one encrypted sub-data can be determined. Data, that is, encrypted sub-data 23. Step C3: Repeat the above decryption process until the node decryption key at the next level determined is the leaf decryption key
Figure PCTCN2019103531-appb-000128
And decrypt the key based on the leaf
Figure PCTCN2019103531-appb-000129
Encrypt the sub-data of the corresponding leaf
Figure PCTCN2019103531-appb-000130
Perform decryption processing to determine m decrypted target sub-data
Figure PCTCN2019103531-appb-000131
According to all target sub-data
Figure PCTCN2019103531-appb-000132
Generate the final target data. In the embodiment of this application, similar to the encryption process, when the dynamic decryption key is based on the binary tree form, the encrypted data is decrypted layer by layer using the layered dynamic decryption key until the decryption key is based on the leaf.
Figure PCTCN2019103531-appb-000133
After the last step of decryption, unencrypted data is generated, namely the target sub-data
Figure PCTCN2019103531-appb-000134
In turn, the target data sent by the target node can be finally determined. The dynamic decryption key in the same binary tree form as the dynamic encryption key is used to decrypt the multi-layer encrypted encrypted data, so that the encrypted data can be decrypted layer by layer until the final target data is determined. Through the dynamic encryption key and the dynamic decryption key in the form of a binary tree, the security of each target sub-data can be improved, and the overall security of the data can be greatly improved.
在上述实施例的基础上,该方法还包括数据校验的过程,具体的,该过程包括:步骤D1:接收目标节点发送的总校验信息,总校验信息为多个校验信息按照与动态解密密钥相同的二叉树形式所生成的信息。本申请实施例中,目标节点在生成加密子数据(包括叶子加密子数据和节点加密子数据)的同时,还确定该加密子数据的校验信息。同时,如图2所示,由于加密子数据可以由二叉树形式表示,故所有的校验信息也可以以二叉树形式来表示;且动态加密密钥与动态解密密钥具有相同的二叉树形式的结构,即可以目标节点可以生成与动态解密密钥相同的二叉树形式的总校验信息。其中,目标节点在将加密后的数据(即经过根加密密钥加密后的数据)发送至本地服务器时,目标节点同时还将树结构的总校验信息发送至本地服务器;或者目标节点将树结构的总校验信息发送至专门用于存储校验信息的中间服务器,本地服务器从该中间服务器获取相应的校验信息。其中,该中间服务器为可信的数据源。步骤D2:确定接收到的加密数据的临时校验信息,并判断总校验信息中与加密数据所对应的校验信息与加密数据的临时校验信息是否一致。步骤D3:若二者不一致,将加密数据作为异常加密数据,在确定加密子数据的临时校验信息,并根据总校验信息中与加密子数据所对应的校验信息加密子数据的临时校验信息是否一致;将具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据。本申请实施例中,通过总校验信息可以对接收到的目标数据进行校验,以确定数据的完整性。具体的,首先判断总校验信息中最上层的校验信息(即总的加密数据对应的校验信息)与服务器接收到的加密数据校验信息(即临时校验信息)是否一致,若二者一致,则说明服务器接收到的加密数据与目标节点传输的校验信息是相匹配的,此时可以说明服务器完整地接收到了目标节点发送的加密数据。其中,该临时校验信息为本地服务器接收到的加密数据的校验信息、或解密处理后所确定的加密子数据的校验信息。若二者不一致,则说明服务器没有完整地接收到目标节点发送的数据,此时将加密数据作为异常加密数据,根据二叉树形式的校验信息可以快速确定服务器没有完整地接收到哪一个目标子数据。具体的,服务器接收到的加密数据可以被解密为一个或两个下一层级的加密子数据,由于该加密数据是异常的,则解密后确定的加密子数据中一定存在至少一个也是异常的数据,即异常加密子数据。参见图4所示,若加密子数据41为异常数据,则对异常的加密子数据41进行解密处理后生成的加密子数据31和32中一定存在至少一个也是异常的数据。步骤D4:在对异常加密子数据执行解密处理过程中生成相应的下一层级的加密子数据的同时, 继续确定下一层级的加密子数据的临时校验信息,并将下一层级中具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据。步骤D5:重复上述过程,直至确定异常的叶子加密子数据,并重新获取与异常的叶子加密子数据对应的目标子数据,直至获取到正确的目标子数据。本申请实施例中,对不异常的加密子数据按照上述步骤C1-C3进行正常的解密处理即可。对于异常加密子数据,在按照上述解密过程进行解密处理的同时,还确定解密生成的下一层级的加密子数据的临时校验信息,并继续根据该总校验信息判断下一层级的临时校验信息是否正确,并将不正确的临时校验信息所对应的加密子数据也作为异常加密子数据。之后即可重复上述基于校验信息判断异常加密子数据的过程,直至确定异常的叶子加密子数据,从而可以从根源上确定哪个数据异常。例如,参见图4所示,若加密子数据31为异常数据,加密子数据32为正常数据,即加密子数据32的校验信息是正确的,则后续可对加密子数据32进行正常的解密处理,从而最终确定正确的目标子数据05和06;而对于异常的加密子数据31,需要再确定解密后的加密子数据21和22中哪一个是异常的数据,或者两个都是异常的数据。之后继续判断,直至确定叶子加密子数据(即加密子数据11~14)中哪个是异常的(比如数据错误、被篡改、漏传等)。在确定异常的叶子加密子数据后,即可确定哪个目标子数据是异常的,从而可以指示目标节点重新将该目标子数据发送至服务器,使得服务器可以接收到正确的目标子数据。本申请实施例中,在传输的目标数据异常时,不需要重新传输全部的目标数据,可以只重新传输异常的目标子数据,从而可以节约网络资源,提高重传效率。例如目标节点传输的目标子数据03异常时,则基于总校验信息可以确定“加密子数据41→加密子数据31→加密子数据22→加密子数据13”这一路径存在异常,此时即可确定传输至本地服务器的目标子数据03存在异常,需要重新传输目标子数据03。同时,根据二叉树形式的校验信息可以快速确定服务器没有完整地接收到哪一个目标子数据。例如,如图4所示,通过四层的动态密钥实现对6个目标子数据(最多可以8个目标子数据)的加解密处理;若其中的一个目标子数据异常,采用二叉树形式的校验信息,通过4次验证即可判断出哪一个目标子数据异常;而若只是通过6个目标子数据的加密数据(即叶子加密子数据)的校验信息进行判断,则最多需要判断6次才可以确定哪个目标子数据异常。当目标子数据越多时,基于二叉树形式校验信息的判断效率越高。On the basis of the foregoing embodiment, the method further includes a data verification process. Specifically, the process includes: Step D1: Receive total verification information sent by the target node, and the total verification information is a plurality of verification information according to Dynamically decrypt the information generated in the form of a binary tree with the same key. In the embodiment of the present application, the target node, when generating encrypted sub-data (including leaf encrypted sub-data and node encrypted sub-data), also determines the verification information of the encrypted sub-data. At the same time, as shown in Figure 2, since the encrypted sub-data can be represented in the form of a binary tree, all verification information can also be represented in the form of a binary tree; and the dynamic encryption key and the dynamic decryption key have the same binary tree structure, That is, the target node can generate total verification information in the form of a binary tree that is the same as the dynamic decryption key. Among them, when the target node sends the encrypted data (that is, the data encrypted by the root encryption key) to the local server, the target node also sends the total verification information of the tree structure to the local server; or the target node sends the tree The total verification information of the structure is sent to an intermediate server dedicated to storing the verification information, and the local server obtains the corresponding verification information from the intermediate server. Among them, the intermediate server is a trusted data source. Step D2: Determine the temporary verification information of the received encrypted data, and determine whether the verification information corresponding to the encrypted data in the total verification information is consistent with the temporary verification information of the encrypted data. Step D3: If the two are inconsistent, use the encrypted data as abnormal encrypted data, determine the temporary verification information of the encrypted sub-data, and encrypt the temporary verification of the sub-data according to the verification information corresponding to the encrypted sub-data in the total verification information. Whether the verification information is consistent; the encrypted sub-data with temporary verification information that is inconsistent with the total verification information is regarded as the abnormal encrypted sub-data. In the embodiment of the present application, the received target data can be verified through the total verification information to determine the integrity of the data. Specifically, first determine whether the top-level verification information in the total verification information (that is, the verification information corresponding to the total encrypted data) is consistent with the encrypted data verification information (that is, the temporary verification information) received by the server. If they are consistent, it means that the encrypted data received by the server matches the verification information transmitted by the target node. At this time, it can indicate that the server has completely received the encrypted data sent by the target node. Wherein, the temporary verification information is the verification information of the encrypted data received by the local server or the verification information of the encrypted sub-data determined after the decryption process. If the two are inconsistent, it means that the server has not completely received the data sent by the target node. At this time, the encrypted data is regarded as abnormal encrypted data. According to the verification information in the form of a binary tree, it is possible to quickly determine which target subdata the server has not received completely. . Specifically, the encrypted data received by the server can be decrypted into one or two next-level encrypted sub-data. Since the encrypted data is abnormal, there must be at least one abnormal data in the encrypted sub-data determined after decryption. , That is, abnormally encrypted sub-data. Referring to FIG. 4, if the encrypted sub-data 41 is abnormal data, the encrypted sub-data 31 and 32 generated after decrypting the abnormal encrypted sub-data 41 must have at least one abnormal data. Step D4: While performing the decryption process on the abnormally encrypted sub-data, while generating the corresponding next-level encrypted sub-data, continue to determine the temporary verification information of the next-level encrypted sub-data, and the next level has the same The encrypted sub-data of the temporary verification information with inconsistent total verification information is regarded as the abnormal encrypted sub-data. Step D5: Repeat the above process until the abnormal leaf encrypted sub-data is determined, and the target sub-data corresponding to the abnormal leaf encrypted sub-data is obtained again, until the correct target sub-data is obtained. In the embodiment of the present application, normal decryption processing can be performed on the encrypted sub-data that is not abnormal according to the above steps C1-C3. For the abnormal encrypted sub-data, while performing the decryption process according to the above-mentioned decryption process, the temporary verification information of the encrypted sub-data of the next level generated by decryption is also determined, and the temporary verification information of the next level is determined based on the total verification information. The verification information is correct, and the encrypted sub-data corresponding to the incorrect temporary verification information is also regarded as the abnormal encrypted sub-data. After that, the above process of judging the abnormal encrypted sub-data based on the verification information can be repeated until the abnormal leaf encrypted sub-data is determined, so that it can determine which data is abnormal from the root cause. For example, referring to FIG. 4, if the encrypted sub-data 31 is abnormal data and the encrypted sub-data 32 is normal data, that is, the verification information of the encrypted sub-data 32 is correct, then the encrypted sub-data 32 can be subsequently decrypted normally Processing, so as to finally determine the correct target sub-data 05 and 06; and for the abnormal encrypted sub-data 31, it is necessary to determine which of the decrypted encrypted sub-data 21 and 22 is abnormal data, or both are abnormal data. Then continue to judge until it is determined which of the leaf encrypted sub-data (ie, encrypted sub-data 11-14) is abnormal (such as data error, tampering, missed transmission, etc.). After determining the abnormal leaf encrypted sub-data, it can be determined which target sub-data is abnormal, so that the target node can be instructed to resend the target sub-data to the server, so that the server can receive the correct target sub-data. In the embodiment of the present application, when the transmitted target data is abnormal, it is not necessary to retransmit all the target data, and only the abnormal target sub-data may be retransmitted, thereby saving network resources and improving retransmission efficiency. For example, when the target sub-data 03 transmitted by the target node is abnormal, based on the total verification information, it can be determined that the path "encrypted sub-data 41→encrypted sub-data 31→encrypted sub-data 22→encrypted sub-data 13" is abnormal. It can be determined that the target sub-data 03 transmitted to the local server is abnormal, and the target sub-data 03 needs to be retransmitted. At the same time, according to the check information in the form of a binary tree, it can be quickly determined which target sub-data has not been completely received by the server. For example, as shown in Figure 4, the encryption and decryption of 6 target sub-data (up to 8 target sub-data) is realized through four-layer dynamic keys; if one of the target sub-data is abnormal, a binary tree form of correction is used. It can be judged which target sub-data is abnormal through 4 verifications; and if it is only judged by the verification information of the encrypted data of the 6 target sub-data (ie, the leaf encrypted sub-data), it needs to judge 6 times at most Only then can it be determined which target subdata is abnormal. When there are more target sub-data, the judgment efficiency based on the binary tree form verification information is higher.
本申请实施例提供的一种认证通信的方法,在目标节点需要接入服务器时,服务器首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定动态密钥,使得目标节点可以将待传输的目标数据基于该动态密钥进行加密处理,并传输加密后的目标数据;服务器基于相应的动态解密密钥可以正确地进行解密,确定解密后的目标数据,实现数据的安全传输,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。通过二叉树形式的动态加密密钥和动态解密密钥,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。在传输的目标数据异常时,根据二叉树形式的校验信息可以快速确定服务器没有完整地接收到哪一个目标子数据,此时不需要重新传输全部的目标数据,可以只重新传输异常的目标子数据即可,从而也可以节约网络资源,提高重传效率。以上详细介绍了认证通信的方法流程,该方法也可以通过相应的装置实现,下面详细介绍该装置的结构和功能。本申请实施例提供的一种认证通信的装置,参见图5所示,包括:加密密钥确定模块51,用于对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密 密钥包括多个层级的加密密钥;加密处理模块52,用于确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;发送模块53,用于将所述加密数据发送至所述服务器。在上述实施例的基础上,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
Figure PCTCN2019103531-appb-000135
n个节点加密密钥
Figure PCTCN2019103531-appb-000136
和1个根加密密钥
Figure PCTCN2019103531-appb-000137
其中,
Figure PCTCN2019103531-appb-000138
表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
Figure PCTCN2019103531-appb-000139
n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述加密处理模块52具体用于:对所述目标数据进行分段处理,确定分段后的m个目标子数据
Figure PCTCN2019103531-appb-000140
i∈[1,m];其中,
Figure PCTCN2019103531-appb-000141
表示进行过a次加密处理后的第b个加密子数据;根据第一层级的所述叶子加密密钥
Figure PCTCN2019103531-appb-000142
分别对相应的目标子数据
Figure PCTCN2019103531-appb-000143
进行加密处理,确定相应的叶子加密子数据
Figure PCTCN2019103531-appb-000144
确定对应相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000145
的两个叶子加密密钥
Figure PCTCN2019103531-appb-000146
Figure PCTCN2019103531-appb-000147
j 2∈[1,n 2];将两个叶子加密密钥
Figure PCTCN2019103531-appb-000148
Figure PCTCN2019103531-appb-000149
所对应的叶子加密子数据
Figure PCTCN2019103531-appb-000150
Figure PCTCN2019103531-appb-000151
作为一组,根据节点加密密钥
Figure PCTCN2019103531-appb-000152
对一组的叶子加密子数据
Figure PCTCN2019103531-appb-000153
Figure PCTCN2019103531-appb-000154
再次进行加密处理,确定与节点加密密钥
Figure PCTCN2019103531-appb-000155
对应的节点加密子数据
Figure PCTCN2019103531-appb-000156
若在当前层级中不存在与叶子加密子数据
Figure PCTCN2019103531-appb-000157
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000158
的其他叶子加密子数据,则直接根据节点加密密钥
Figure PCTCN2019103531-appb-000159
对叶子加密子数据
Figure PCTCN2019103531-appb-000160
进行加密处理;确定与节点加密子数据
Figure PCTCN2019103531-appb-000161
对应相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000162
的相邻的节点加密子数据
Figure PCTCN2019103531-appb-000163
以及与节点加密密钥
Figure PCTCN2019103531-appb-000164
对应的节点加密子数据
Figure PCTCN2019103531-appb-000165
其中,j` 2=j 2+1或j` 2=j 2-1;根据下一层级的节点加密密钥
Figure PCTCN2019103531-appb-000166
对一组的节点加密子数据
Figure PCTCN2019103531-appb-000167
Figure PCTCN2019103531-appb-000168
再次进行加密处理,确定与节点加密密钥
Figure PCTCN2019103531-appb-000169
对应的节点加密子数据
Figure PCTCN2019103531-appb-000170
若在当前层级中不存在与节点加密子数据
Figure PCTCN2019103531-appb-000171
具有相同的下一层级节点加密密钥
Figure PCTCN2019103531-appb-000172
的其他节点加密子数据,则直接根据节点加密密钥
Figure PCTCN2019103531-appb-000173
对节点加密子数据
Figure PCTCN2019103531-appb-000174
再次进行加密处理;重复上述再次加密处理的过程,直至所确定的上一级的节点加密密钥为所述根加密密钥
Figure PCTCN2019103531-appb-000175
为止,并将根据所述根加密密钥
Figure PCTCN2019103531-appb-000176
进行加密处理后所确定的数据
Figure PCTCN2019103531-appb-000177
作为最终的加密数据。在上述实施例的基础上,该装置还包括:校验信息生成模块;所述校验信息生成模块用于在执行加密处理过程生成相应的加密子数据的同时,确定所述加密子数据的校验信息,并将所有的校验信息按照与所述动态加密密钥相同的二叉树形式生成总校验信息;所述发送模块53还用于将所述总校验信息发送至所述服务器。本申请实施例提供的一种认证通信的装置,在目标节点需要接入服务器时,首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定动态密钥,使得目 标节点可以将待传输的目标数据基于该动态密钥进行加密处理,并传输加密后的目标数据,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。对目标数据进行分段处理,分别对每一段的目标子数据进行加密,可以提高数据的安全性。同时,通过二叉树形式的动态加密密钥对子数据进行多层加密,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。将该总校验信息发送至服务器侧,使得服务器通过该总校验信息可以对接收到的目标数据进行校验,方便服务器确定目标数据的完整性。基于同样的发明构思,本申请实施例也提供了一种认证通信的装置,参见图6所示,包括:解密密钥确定模块61,用于对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取模块62,用于获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;解密处理模块63,用于根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。 The embodiment of the present application provides a method for authenticating communication. When the target node needs to access the server, the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legal node, and the two parties agree on a dynamic The key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Through the dynamic encryption key and the dynamic decryption key in the form of a binary tree, the security of each target sub-data can be improved, and the overall security of the data can be greatly improved. When the transmitted target data is abnormal, the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, so that network resources can be saved and retransmission efficiency can be improved. The process of the authentication communication method is described in detail above, and the method can also be implemented by a corresponding device. The structure and function of the device are described in detail below. An apparatus for authenticating communication provided by an embodiment of the present application, as shown in FIG. 5, includes: an encryption key determining module 51, configured to perform identity authentication on a target node, and after passing the identity authentication, determine an agreement with the target node The dynamic encryption key includes multiple levels of encryption keys; the encryption processing module 52 is used to determine the target data that needs to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, From the encryption key at the lowest level to the encryption key at the top level, the target data is encrypted multiple times in sequence, and the final encrypted data is generated after the encryption process is over; the sending module 53 is used to transfer The encrypted data is sent to the server. On the basis of the foregoing embodiment, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys
Figure PCTCN2019103531-appb-000135
n node encryption keys
Figure PCTCN2019103531-appb-000136
And 1 root encryption key
Figure PCTCN2019103531-appb-000137
among them,
Figure PCTCN2019103531-appb-000138
Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
Figure PCTCN2019103531-appb-000139
n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the encryption processing module 52 is specifically configured to: perform segmentation processing on the target data, and determine the segmented m Target subdata
Figure PCTCN2019103531-appb-000140
i∈[1,m]; where,
Figure PCTCN2019103531-appb-000141
Represents the b-th encrypted sub-data after a-time encryption processing; according to the leaf encryption key of the first level
Figure PCTCN2019103531-appb-000142
Target sub-data
Figure PCTCN2019103531-appb-000143
Perform encryption processing to determine the corresponding leaf encrypted sub-data
Figure PCTCN2019103531-appb-000144
Determine the encryption key corresponding to the same next level node
Figure PCTCN2019103531-appb-000145
Two leaf encryption keys
Figure PCTCN2019103531-appb-000146
with
Figure PCTCN2019103531-appb-000147
j 2 ∈[1,n 2 ]; encrypt the two leaf keys
Figure PCTCN2019103531-appb-000148
with
Figure PCTCN2019103531-appb-000149
Corresponding leaf encrypted sub-data
Figure PCTCN2019103531-appb-000150
with
Figure PCTCN2019103531-appb-000151
As a group, according to the node encryption key
Figure PCTCN2019103531-appb-000152
Encrypt sub-data of a group of leaves
Figure PCTCN2019103531-appb-000153
with
Figure PCTCN2019103531-appb-000154
Perform encryption again to determine the encryption key with the node
Figure PCTCN2019103531-appb-000155
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000156
If there is no sub-data encrypted with the leaf in the current level
Figure PCTCN2019103531-appb-000157
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000158
The other leaves encrypt sub-data directly according to the node encryption key
Figure PCTCN2019103531-appb-000159
Encrypt the sub-data of the leaf
Figure PCTCN2019103531-appb-000160
Encryption processing; confirm to encrypt child data with node
Figure PCTCN2019103531-appb-000161
Corresponding to the same next-level node encryption key
Figure PCTCN2019103531-appb-000162
Encrypted child data of neighboring nodes
Figure PCTCN2019103531-appb-000163
And the node encryption key
Figure PCTCN2019103531-appb-000164
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000165
Among them, j` 2 =j 2 +1 or j` 2 =j 2 -1; according to the node encryption key of the next level
Figure PCTCN2019103531-appb-000166
Encrypt child data for a group of nodes
Figure PCTCN2019103531-appb-000167
with
Figure PCTCN2019103531-appb-000168
Perform encryption again to determine the encryption key with the node
Figure PCTCN2019103531-appb-000169
Corresponding node encrypted child data
Figure PCTCN2019103531-appb-000170
If there is no sub-data encrypted with the node in the current level
Figure PCTCN2019103531-appb-000171
Have the same encryption key for the next level node
Figure PCTCN2019103531-appb-000172
Other nodes encrypt sub-data, directly according to the node encryption key
Figure PCTCN2019103531-appb-000173
Encrypt child data of node
Figure PCTCN2019103531-appb-000174
Perform encryption again; repeat the above-mentioned re-encryption process until the determined upper-level node encryption key is the root encryption key
Figure PCTCN2019103531-appb-000175
So far and will be based on the root encryption key
Figure PCTCN2019103531-appb-000176
Data determined after encryption
Figure PCTCN2019103531-appb-000177
As the final encrypted data. On the basis of the above-mentioned embodiment, the device further includes: a verification information generation module; the verification information generation module is used to determine the verification of the encrypted sub-data while executing the encryption processing to generate the corresponding encrypted sub-data. And generate total verification information according to the binary tree form same as the dynamic encryption key; the sending module 53 is also configured to send the total verification information to the server. In the device for authenticating communication provided by the embodiment of the application, when the target node needs to access the server, the target node is first authenticated. After the identity authentication is passed, the target node can be explained as a legal node, and the two parties agree on a dynamic secret The key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted agent nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Segmenting the target data and encrypting the target sub-data of each segment can improve the security of the data. At the same time, multi-layer encryption of the sub-data through a dynamic encryption key in the form of a binary tree can improve the security of each target sub-data and greatly improve the overall security of the data. The total verification information is sent to the server side, so that the server can verify the received target data through the total verification information, so that the server can determine the integrity of the target data. Based on the same inventive concept, an embodiment of the present application also provides a device for authenticating communication. As shown in FIG. 6, the device includes: a decryption key determining module 61, which is used to authenticate the target node's identity, and communicate with all users after the authentication is passed. The target node agrees on a dynamic encryption key and generates a corresponding dynamic decryption key, the dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; acquisition module 62. Used to obtain encrypted data sent by the target node, where the encrypted data is based on the multi-level dynamic encryption key, and the target data is compared in the order from the encryption key at the bottom level to the encryption key at the top level. The data is determined after multiple encryption processing; the decryption processing module 63 is used for decryption keys of all levels according to the dynamic decryption key corresponding to the dynamic encryption key, according to the decryption key from the top level to The decryption key of the lowest level sequentially decrypts the encrypted data multiple times in sequence until the target data obtained after the decryption process is determined.
在上述实施例的基础上,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
Figure PCTCN2019103531-appb-000178
n个节点加密密钥
Figure PCTCN2019103531-appb-000179
和1个根加密密钥
Figure PCTCN2019103531-appb-000180
其中,
Figure PCTCN2019103531-appb-000181
表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
Figure PCTCN2019103531-appb-000182
n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述动态解密密钥为与所述动态加密密钥具有相同的二叉树形式的解密密钥集合,且所述动态解密密钥包括:m个叶子解密密钥
Figure PCTCN2019103531-appb-000183
n个节点解密密钥
Figure PCTCN2019103531-appb-000184
和1个根解密密钥
Figure PCTCN2019103531-appb-000185
其中,
Figure PCTCN2019103531-appb-000186
表示第a层级的第b个解密密钥,所述叶子加密密钥与所述叶子解密密钥、所述节点加密密钥与所述节点解密密钥、所述根加密密钥与所述根解密密钥之间均是一一对应的关系;所述解密处理模块63具体用于:根据所述根解密密钥
Figure PCTCN2019103531-appb-000187
对所述加密数据
Figure PCTCN2019103531-appb-000188
进行解密处理,确定下一层级的两个节点加密子数据
Figure PCTCN2019103531-appb-000189
Figure PCTCN2019103531-appb-000190
其中,
Figure PCTCN2019103531-appb-000191
表示进行过L-a次解密处理后的第b个加密子数据;同时确定两个节点加密子数据
Figure PCTCN2019103531-appb-000192
Figure PCTCN2019103531-appb-000193
所对应的两个节点解密密钥
Figure PCTCN2019103531-appb-000194
Figure PCTCN2019103531-appb-000195
根据节点解密密钥
Figure PCTCN2019103531-appb-000196
对相应的节点加密子数据
Figure PCTCN2019103531-appb-000197
进行解密处理,确定下一层级的一个或两个节点加密子数据;根据节点解密密钥
Figure PCTCN2019103531-appb-000198
对相应的节点加密子数据
Figure PCTCN2019103531-appb-000199
进行解密处理,确定下一层级的一个或两个节点加密子数据;并确定下一层级的节点加密子数据对应的下一层级的节点解密密钥,继续根据节点解密密钥对相应的节点加密子数据进行解密处理;重复上述解密处理的过程,直至所确定的下一级的节点解密密钥为叶子解密密钥
Figure PCTCN2019103531-appb-000200
并基于叶子解密密钥
Figure PCTCN2019103531-appb-000201
对相应的叶子加密子数据
Figure PCTCN2019103531-appb-000202
进行 解密处理,确定m个解密后的目标子数据
Figure PCTCN2019103531-appb-000203
根据所有的目标子数据
Figure PCTCN2019103531-appb-000204
生成最终的目标数据。在上述实施例的基础上,该装置还包括:校验模块;所述校验模块用于:接收所述目标节点发送的总校验信息,所述总校验信息为多个校验信息按照与所述动态解密密钥相同的二叉树形式所生成的信息;确定接收到的加密数据的临时校验信息,并判断所述总校验信息中与所述加密数据所对应的校验信息与所述加密数据的临时校验信息是否一致;若二者不一致,将所述加密数据作为异常加密数据,在确定所述加密子数据的临时校验信息,并根据所述总校验信息中与所述加密子数据所对应的校验信息所述加密子数据的临时校验信息是否一致;将具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;在对所述异常加密子数据执行解密处理过程中生成相应的下一层级的加密子数据的同时,继续确定下一层级的加密子数据的临时校验信息,并将下一层级中具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;重复上述过程,直至确定异常的叶子加密子数据,并重新获取与异常的叶子加密子数据对应的目标子数据,直至获取到正确的目标子数据。本申请实施例提供的一种认证通信的装置,在目标节点需要接入服务器时,服务器首先对目标节点进行身份认证,在身份认证通过后即可说明目标节点是合法的节点,且双方约定动态密钥,使得目标节点可以将待传输的目标数据基于该动态密钥进行加密处理,并传输加密后的目标数据;服务器基于相应的动态解密密钥可以正确地进行解密,确定解密后的目标数据,实现数据的安全传输,从而提高数据安全性。身份验证机制可以防止伪连接的攻击,可以防止不受信任的代理节点的欺骗;且动态密钥管理机制使得密码攻击变得异常困难,安全性更高。通过二叉树形式的动态加密密钥和动态解密密钥,可以提高每一个目标子数据的安全性,且可以大大提高数据整体的安全性。在传输的目标数据异常时,根据二叉树形式的校验信息可以快速确定服务器没有完整地接收到哪一个目标子数据,此时不需要重新传输全部的目标数据,可以只重新传输异常的目标子数据即可,从而也可以节约网络资源,提高重传效率。 On the basis of the foregoing embodiment, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key includes: m leaf encryption keys
Figure PCTCN2019103531-appb-000178
n node encryption keys
Figure PCTCN2019103531-appb-000179
And 1 root encryption key
Figure PCTCN2019103531-appb-000180
among them,
Figure PCTCN2019103531-appb-000181
Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
Figure PCTCN2019103531-appb-000182
n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and The dynamic decryption key includes: m leaf decryption keys
Figure PCTCN2019103531-appb-000183
n node decryption keys
Figure PCTCN2019103531-appb-000184
And 1 root decryption key
Figure PCTCN2019103531-appb-000185
among them,
Figure PCTCN2019103531-appb-000186
Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, the root encryption key and the root There is a one-to-one correspondence between the decryption keys; the decryption processing module 63 is specifically configured to: according to the root decryption key
Figure PCTCN2019103531-appb-000187
To the encrypted data
Figure PCTCN2019103531-appb-000188
Perform decryption processing to determine the encrypted sub-data of the next two nodes
Figure PCTCN2019103531-appb-000189
with
Figure PCTCN2019103531-appb-000190
among them,
Figure PCTCN2019103531-appb-000191
Indicates the b-th encrypted sub-data after La times of decryption processing; at the same time determine the encrypted sub-data of two nodes
Figure PCTCN2019103531-appb-000192
with
Figure PCTCN2019103531-appb-000193
Corresponding two node decryption keys
Figure PCTCN2019103531-appb-000194
with
Figure PCTCN2019103531-appb-000195
Decrypt the key according to the node
Figure PCTCN2019103531-appb-000196
Encrypt the sub-data of the corresponding node
Figure PCTCN2019103531-appb-000197
Perform decryption processing to determine the next level of one or two nodes to encrypt sub-data; according to the node decryption key
Figure PCTCN2019103531-appb-000198
Encrypt the sub-data of the corresponding node
Figure PCTCN2019103531-appb-000199
Perform decryption processing to determine one or two node encryption sub-data of the next level; determine the next level node decryption key corresponding to the next level node encryption sub-data, and continue to encrypt the corresponding node according to the node decryption key The sub-data is decrypted; the above decryption process is repeated until the node decryption key at the next level determined is the leaf decryption key
Figure PCTCN2019103531-appb-000200
And decrypt the key based on the leaf
Figure PCTCN2019103531-appb-000201
Encrypt the sub-data of the corresponding leaf
Figure PCTCN2019103531-appb-000202
Perform decryption processing to determine m decrypted target sub-data
Figure PCTCN2019103531-appb-000203
According to all target sub-data
Figure PCTCN2019103531-appb-000204
Generate the final target data. On the basis of the foregoing embodiment, the device further includes: a verification module; the verification module is configured to receive total verification information sent by the target node, where the total verification information is a plurality of verification information according to Information generated in the form of a binary tree that is the same as the dynamic decryption key; determine the temporary verification information of the received encrypted data, and determine the verification information corresponding to the encrypted data in the total verification information and the Whether the temporary verification information of the encrypted data is consistent; if the two are inconsistent, the encrypted data is regarded as abnormal encrypted data, the temporary verification information of the encrypted sub-data is determined, and the total verification information is compared with all The verification information corresponding to the encrypted sub-data is the same as the temporary verification information of the encrypted sub-data; the encrypted sub-data with the temporary verification information inconsistent with the total verification information is regarded as the abnormal encrypted sub-data; When the abnormal encrypted sub-data executes the decryption process to generate the corresponding next-level encrypted sub-data, continue to determine the temporary verification information of the next-level encrypted sub-data, and the next level has inconsistency with the total verification information The encrypted sub-data of the temporary verification information is used as the abnormal encrypted sub-data; the above process is repeated until the abnormal leaf encrypted sub-data is determined, and the target sub-data corresponding to the abnormal leaf encrypted sub-data is obtained again until the correct target is obtained Sub data. The embodiment of the present application provides a device for authenticating communication. When the target node needs to access the server, the server first authenticates the target node. After the identity authentication is passed, it can be explained that the target node is a legitimate node, and the two parties agree on a dynamic The key enables the target node to encrypt the target data to be transmitted based on the dynamic key, and transmit the encrypted target data; the server can correctly decrypt based on the corresponding dynamic decryption key to determine the decrypted target data , Realize the safe transmission of data, thereby improving data security. The identity verification mechanism can prevent the attacks of false connections and the deception of untrusted proxy nodes; and the dynamic key management mechanism makes password attacks extremely difficult and more secure. Through the dynamic encryption key and the dynamic decryption key in the form of a binary tree, the security of each target sub-data can be improved, and the overall security of the data can be greatly improved. When the transmitted target data is abnormal, the check information in the form of a binary tree can quickly determine which target sub-data has not been completely received by the server. At this time, there is no need to retransmit all the target data, but only the abnormal target sub-data can be retransmitted. That is, network resources can be saved and the retransmission efficiency can be improved.
本申请实施例还提供了一种计算机存储介质,所述计算机存储介质存储有计算机可执行指令,其包含用于执行上述认证通信的方法的程序,该计算机可执行指令可执行上述任意方法实施例中的方法。其中,所述计算机存储介质可以是计算机能够存取的任何可用介质或数据存储设备,包括但不限于磁性存储器(例如软盘、硬盘、磁带、磁光盘(MO)等)、光学存储器(例如CD、DVD、BD、HVD等)、以及半导体存储器(例如ROM、EPROM、EEPROM、非易失性存储器(NAND FLASH)、固态硬盘(SSD))等。图7示出了本申请的另一个实施例的一种计算机设备的结构框图。所述计算机设备1100可以是具备计算能力的主机服务器、个人计算机PC、或者可携带的便携式计算机或终端等。本申请具体实施例并不对计算机设备的具体实现做限定。该计算机设备1100包括至少一个处理器(processor)1110、通信接口(Communications Interface)1120、存储器(memory array)1130和总线1140。其中,处理器1110、通信接口1120、以及存储器1130通过总线1140完成相互间的通信。通信接口1120用于与网元通信,其中网元包括例如虚拟机管理中心、共享存储等。处理器1110用于执行程序。处理器1110可能是一个中央处理器CPU,或者是专用集成电路ASIC(Application Specific Integrated Circuit),或者是被配置成实施本申请实施例的一个或多个集成电路。存储器1130用于可执行的指令。存储器1130可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。存储器1130也可以是存储器阵列。存储器1130还可能被分块,并且所述块可按一定的规则组合成虚拟卷。存储器1130存储的 指令可被处理器1110执行,以使处理器1110能够执行上述任意方法实施例中的方法。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。An embodiment of the present application also provides a computer storage medium that stores computer-executable instructions, which contains a program for executing the above-mentioned authentication communication method, and the computer-executable instructions can execute any of the above-mentioned method embodiments Method in. Wherein, the computer storage medium may be any available medium or data storage device that the computer can access, including but not limited to magnetic storage (such as floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.), optical storage (such as CD, DVD, BD, HVD, etc.), and semiconductor memory (such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state drive (SSD)), etc. Fig. 7 shows a structural block diagram of a computer device according to another embodiment of the present application. The computer device 1100 may be a host server with computing capabilities, a personal computer PC, or a portable computer or terminal that can be carried. The specific embodiment of the present application does not limit the specific implementation of the computer device. The computer device 1100 includes at least one processor (processor) 1110, a communication interface (Communications Interface) 1120, a memory (memory array) 1130, and a bus 1140. Among them, the processor 1110, the communication interface 1120, and the memory 1130 communicate with each other through the bus 1140. The communication interface 1120 is used to communicate with network elements, where the network elements include, for example, a virtual machine management center and shared storage. The processor 1110 is used to execute programs. The processor 1110 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application. The memory 1130 is used for executable instructions. The memory 1130 may include a high-speed RAM memory, or may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory. The memory 1130 may also be a memory array. The memory 1130 may also be divided into blocks, and the blocks may be combined into a virtual volume according to certain rules. The instructions stored in the memory 1130 may be executed by the processor 1110, so that the processor 1110 can execute the method in any of the foregoing method embodiments. Obviously, those skilled in the art can make various changes and modifications to the application without departing from the spirit and scope of the application. In this way, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application also intends to include these modifications and variations.

Claims (20)

  1. 一种认证通信的方法,包括:A method of authenticating communication includes:
    对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;将所述加密数据发送至所述服务器。Perform identity authentication on the target node. After passing the identity authentication, determine the dynamic encryption key agreed upon with the target node. The dynamic encryption key includes multiple levels of encryption keys; determine the target data to be transmitted according to all The encryption keys of all levels of the dynamic encryption key are sequentially encrypted for multiple times on the target data in the order from the encryption key of the lowest level to the encryption key of the top level, and after the end of the encryption process Generate final encrypted data; send the encrypted data to the server.
  2. 根据权利要求1所述的方法,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100001
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100002
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100003
    其中,
    Figure PCTCN2019103531-appb-100004
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100005
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据,包括:对所述目标数据进行分段处理,确定分段后的m个目标子数据
    Figure PCTCN2019103531-appb-100006
    i∈[1,m];其中,
    Figure PCTCN2019103531-appb-100007
    表示进行过a次加密处理后的第b个加密子数据;根据第一层级的所述叶子加密密钥
    Figure PCTCN2019103531-appb-100008
    分别对相应的目标子数据
    Figure PCTCN2019103531-appb-100009
    进行加密处理,确定相应的叶子加密子数据
    Figure PCTCN2019103531-appb-100010
    确定对应相同的下一层级节点加密密钥
    Figure PCTCN2019103531-appb-100011
    的两个叶子加密密钥
    Figure PCTCN2019103531-appb-100012
    Figure PCTCN2019103531-appb-100013
    j 2∈[1,n 2];将两个叶子加密密钥
    Figure PCTCN2019103531-appb-100014
    Figure PCTCN2019103531-appb-100015
    所对应的叶子加密子数据
    Figure PCTCN2019103531-appb-100016
    Figure PCTCN2019103531-appb-100017
    作为一组,根据节点加密密钥
    Figure PCTCN2019103531-appb-100018
    对一组的叶子加密子数据
    Figure PCTCN2019103531-appb-100019
    Figure PCTCN2019103531-appb-100020
    再次进行加密处理,确定与节点加密密钥
    Figure PCTCN2019103531-appb-100021
    对应的节点加密子数据
    Figure PCTCN2019103531-appb-100022
    若在当前层级中不存在与叶子加密子数据
    Figure PCTCN2019103531-appb-100023
    具有相同的下一层级节点加密密钥
    Figure PCTCN2019103531-appb-100024
    的其他叶子加密子数据,则直接根据节点加密密钥
    Figure PCTCN2019103531-appb-100025
    对叶子加密子数据
    Figure PCTCN2019103531-appb-100026
    进行加密处理;确定与节点加密子数据
    Figure PCTCN2019103531-appb-100027
    对应相同的下一层级节点加密密钥
    Figure PCTCN2019103531-appb-100028
    的相邻的节点加密子数据
    Figure PCTCN2019103531-appb-100029
    以及与节点加密密钥
    Figure PCTCN2019103531-appb-100030
    对应的节点加密子数据
    Figure PCTCN2019103531-appb-100031
    其中,j` 2=j 2+1或j` 2=j 2-1;根据下一层级的节点加密密钥
    Figure PCTCN2019103531-appb-100032
    对一组的节点加密子数据
    Figure PCTCN2019103531-appb-100033
    Figure PCTCN2019103531-appb-100034
    再次进行加密处理,确定与节点加密密钥
    Figure PCTCN2019103531-appb-100035
    对应的节点加密子数据
    Figure PCTCN2019103531-appb-100036
    若在当前层级中不存在与节点加密子数据
    Figure PCTCN2019103531-appb-100037
    具有相同的下一层级节点加密密钥
    Figure PCTCN2019103531-appb-100038
    的其他节点加密子数据,则直接根据节点加密密钥
    Figure PCTCN2019103531-appb-100039
    对节点加密子数据
    Figure PCTCN2019103531-appb-100040
    再次进行加密处理;     The method according to claim 1, wherein the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key comprises: m leaf encryption keys
    Figure PCTCN2019103531-appb-100001
    n node encryption keys
    Figure PCTCN2019103531-appb-100002
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100003
    among them,
    Figure PCTCN2019103531-appb-100004
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100005
    n u represents the number of node encryption keys at the u-th level, j u ∈ [1, n u ]; the target data is sequentially encrypted for multiple times, and the final encrypted data is generated after the encryption process is over , Including: performing segmentation processing on the target data, and determining m target subdata after segmentation
    Figure PCTCN2019103531-appb-100006
    i∈[1,m]; where,
    Figure PCTCN2019103531-appb-100007
    Represents the b-th encrypted sub-data after a-time encryption processing; according to the leaf encryption key of the first level
    Figure PCTCN2019103531-appb-100008
    Target sub-data
    Figure PCTCN2019103531-appb-100009
    Perform encryption processing to determine the corresponding leaf encrypted sub-data
    Figure PCTCN2019103531-appb-100010
    Determine the encryption key corresponding to the same next level node
    Figure PCTCN2019103531-appb-100011
    Two leaf encryption keys
    Figure PCTCN2019103531-appb-100012
    with
    Figure PCTCN2019103531-appb-100013
    j 2 ∈[1,n 2 ]; encrypt the two leaf keys
    Figure PCTCN2019103531-appb-100014
    with
    Figure PCTCN2019103531-appb-100015
    Corresponding leaf encrypted sub-data
    Figure PCTCN2019103531-appb-100016
    with
    Figure PCTCN2019103531-appb-100017
    As a group, according to the node encryption key
    Figure PCTCN2019103531-appb-100018
    Encrypt sub-data of a group of leaves
    Figure PCTCN2019103531-appb-100019
    with
    Figure PCTCN2019103531-appb-100020
    Perform encryption again to determine the encryption key with the node
    Figure PCTCN2019103531-appb-100021
    Corresponding node encrypted child data
    Figure PCTCN2019103531-appb-100022
    If there is no sub-data encrypted with the leaf in the current level
    Figure PCTCN2019103531-appb-100023
    Have the same encryption key for the next level node
    Figure PCTCN2019103531-appb-100024
    The other leaves of the encryption sub-data are directly based on the node encryption key
    Figure PCTCN2019103531-appb-100025
    Encrypt the sub-data of the leaf
    Figure PCTCN2019103531-appb-100026
    Encryption processing; confirm to encrypt child data with node
    Figure PCTCN2019103531-appb-100027
    Corresponding to the same next-level node encryption key
    Figure PCTCN2019103531-appb-100028
    Encrypted child data of neighboring nodes
    Figure PCTCN2019103531-appb-100029
    And the node encryption key
    Figure PCTCN2019103531-appb-100030
    Corresponding node encrypted child data
    Figure PCTCN2019103531-appb-100031
    Among them, j` 2 =j 2 +1 or j` 2 =j 2 -1; according to the node encryption key of the next level
    Figure PCTCN2019103531-appb-100032
    Encrypt child data for a group of nodes
    Figure PCTCN2019103531-appb-100033
    with
    Figure PCTCN2019103531-appb-100034
    Perform encryption again to determine the encryption key with the node
    Figure PCTCN2019103531-appb-100035
    Corresponding node encrypted child data
    Figure PCTCN2019103531-appb-100036
    If there is no sub-data encrypted with the node in the current level
    Figure PCTCN2019103531-appb-100037
    Have the same encryption key for the next level node
    Figure PCTCN2019103531-appb-100038
    Other nodes encrypt sub-data, directly according to the node encryption key
    Figure PCTCN2019103531-appb-100039
    Encrypt child data of node
    Figure PCTCN2019103531-appb-100040
    Perform encryption again;
    重复上述再次加密处理的过程,直至所确定的上一级的节点加密密钥为所述根加密密钥
    Figure PCTCN2019103531-appb-100041
    为止,并将根据所述根加密密钥
    Figure PCTCN2019103531-appb-100042
    进行加密处理后所确定的数据
    Figure PCTCN2019103531-appb-100043
    作为最终的加密数据。     Repeat the above re-encryption process until the determined node encryption key of the upper level is the root encryption key
    Figure PCTCN2019103531-appb-100041
    So far and will be based on the root encryption key
    Figure PCTCN2019103531-appb-100042
    Data determined after encryption
    Figure PCTCN2019103531-appb-100043
    As the final encrypted data.
  3. 根据权利要求2所述的方法,还包括:在执行加密处理过程生成相应的加密子数据的同时,确定所述加密子数据的校验信息,并将所有的校验信息按照与所述动态加密密钥相同的二叉树形式生成总校验信息;将所述总校验信息发送至所述服务器。The method according to claim 2, further comprising: determining the verification information of the encrypted sub-data while performing the encryption process to generate the corresponding encrypted sub-data, and combining all the verification information with the dynamic encryption The binary tree form with the same key generates total verification information; and the total verification information is sent to the server.
  4. 一种认证通信的方法,包括:对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。A method for authenticating communication includes: performing identity authentication on a target node, agreeing on a dynamic encryption key with the target node after the authentication is passed, and generating a corresponding dynamic decryption key, the dynamic encryption key including multiple levels The dynamic decryption key includes multiple levels of decryption keys; the encrypted data sent by the target node is obtained, and the encrypted data is based on the dynamic encryption key of multiple levels, according to the lowest level The sequence from the encryption key to the encryption key of the top level is the data determined after multiple encryption processing of the target data; according to the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key, From the decryption key at the top level to the decryption key at the bottom level, the encrypted data is decrypted multiple times in sequence until the target data obtained after the decryption process is determined.
  5. 根据权利要求4所述的方法,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100044
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100045
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100046
    其中,
    Figure PCTCN2019103531-appb-100047
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100048
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述动态解密密钥为与所述动态加密密钥具有相同的二叉树形式的解密密钥集合,且所述动态解密密钥包括:m个叶子解密密钥
    Figure PCTCN2019103531-appb-100049
    n个节点解密密钥
    Figure PCTCN2019103531-appb-100050
    和1个根解密密钥
    Figure PCTCN2019103531-appb-100051
    其中,
    Figure PCTCN2019103531-appb-100052
    表示第a层级的第b个解密密钥,所述叶子加密密钥与所述叶子解密密钥、所述节点加密密钥与所述节点解密密钥、所述根加密密钥与所述根解密密钥之间均是一一对应的关系;所述对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据,包括:根据所述根解密密钥
    Figure PCTCN2019103531-appb-100053
    对所述加密数据
    Figure PCTCN2019103531-appb-100054
    进行解密处理,确定下一层级的两个节点加密子数据
    Figure PCTCN2019103531-appb-100055
    Figure PCTCN2019103531-appb-100056
    其中,
    Figure PCTCN2019103531-appb-100057
    表示进行过L-a次解密处理后的第b个加密子数据;同时确定两个节点加密子数据
    Figure PCTCN2019103531-appb-100058
    Figure PCTCN2019103531-appb-100059
    所对应的两个节点解密密钥
    Figure PCTCN2019103531-appb-100060
    Figure PCTCN2019103531-appb-100061
    根据节点解密密钥
    Figure PCTCN2019103531-appb-100062
    对相应的节点加密子数据
    Figure PCTCN2019103531-appb-100063
    进行解密处理,确定下一层级的一个或两个节点加密子数据;根据节点解密密钥
    Figure PCTCN2019103531-appb-100064
    对相应的节点加密子数据
    Figure PCTCN2019103531-appb-100065
    进行解密处理,确定下一层级的一个或两个节点加密子数据;并确定下一层级的节点加密子数据对应的下一层级的节点解密密钥,继续根据节点解密密钥对相应的节点加密子数据进行解密处理;     The method according to claim 4, wherein the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key comprises: m leaf encryption keys
    Figure PCTCN2019103531-appb-100044
    n node encryption keys
    Figure PCTCN2019103531-appb-100045
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100046
    among them,
    Figure PCTCN2019103531-appb-100047
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100048
    n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and The dynamic decryption key includes: m leaf decryption keys
    Figure PCTCN2019103531-appb-100049
    n node decryption keys
    Figure PCTCN2019103531-appb-100050
    And 1 root decryption key
    Figure PCTCN2019103531-appb-100051
    among them,
    Figure PCTCN2019103531-appb-100052
    Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, the root encryption key and the root There is a one-to-one correspondence between the decryption keys; the step of decrypting the encrypted data multiple times in sequence until the target data obtained after the end of the decrypting process is determined includes: according to the root decryption key
    Figure PCTCN2019103531-appb-100053
    To the encrypted data
    Figure PCTCN2019103531-appb-100054
    Perform decryption processing to determine the encrypted sub-data of the next two nodes
    Figure PCTCN2019103531-appb-100055
    with
    Figure PCTCN2019103531-appb-100056
    among them,
    Figure PCTCN2019103531-appb-100057
    Indicates the b-th encrypted sub-data after La times of decryption processing; at the same time determine the encrypted sub-data of two nodes
    Figure PCTCN2019103531-appb-100058
    with
    Figure PCTCN2019103531-appb-100059
    Corresponding two node decryption keys
    Figure PCTCN2019103531-appb-100060
    with
    Figure PCTCN2019103531-appb-100061
    Decrypt the key according to the node
    Figure PCTCN2019103531-appb-100062
    Encrypt the sub-data of the corresponding node
    Figure PCTCN2019103531-appb-100063
    Perform decryption processing to determine the next level of one or two nodes to encrypt sub-data; according to the node decryption key
    Figure PCTCN2019103531-appb-100064
    Encrypt the sub-data of the corresponding node
    Figure PCTCN2019103531-appb-100065
    Perform decryption processing to determine one or two node encryption sub-data of the next level; determine the next level node decryption key corresponding to the next level node encryption sub-data, and continue to encrypt the corresponding node according to the node decryption key The sub-data is decrypted;
    重复上述解密处理的过程,直至所确定的下一级的节点解密密钥为叶子解密密钥
    Figure PCTCN2019103531-appb-100066
    并基于叶子解密密钥
    Figure PCTCN2019103531-appb-100067
    对相应的叶子加密子数据
    Figure PCTCN2019103531-appb-100068
    进行解密处理,确定m个解密后的目标子数据
    Figure PCTCN2019103531-appb-100069
    根据所有的目标子数据
    Figure PCTCN2019103531-appb-100070
    生成最终的目标数据。     Repeat the above decryption process until the node decryption key at the next level determined is the leaf decryption key
    Figure PCTCN2019103531-appb-100066
    And decrypt the key based on the leaf
    Figure PCTCN2019103531-appb-100067
    Encrypt the sub-data of the corresponding leaf
    Figure PCTCN2019103531-appb-100068
    Perform decryption processing to determine m decrypted target sub-data
    Figure PCTCN2019103531-appb-100069
    According to all target sub-data
    Figure PCTCN2019103531-appb-100070
    Generate the final target data.
  6. 根据权利要求5所述的方法,还包括:接收所述目标节点发送的总校验信息,所述总校验信息为 多个校验信息按照与所述动态解密密钥相同的二叉树形式所生成的信息;确定接收到的加密数据的临时校验信息,并判断所述总校验信息中与所述加密数据所对应的校验信息与所述加密数据的临时校验信息是否一致;若二者不一致,将所述加密数据作为异常加密数据,在确定所述加密子数据的临时校验信息,并根据所述总校验信息中与所述加密子数据所对应的校验信息所述加密子数据的临时校验信息是否一致;将具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;在对所述异常加密子数据执行解密处理过程中生成相应的下一层级的加密子数据的同时,继续确定下一层级的加密子数据的临时校验信息,并将下一层级中具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;The method according to claim 5, further comprising: receiving total verification information sent by the target node, the total verification information being a plurality of verification information generated in the same binary tree form as the dynamic decryption key的信息; Determine the temporary verification information of the received encrypted data, and determine whether the verification information corresponding to the encrypted data in the total verification information is consistent with the temporary verification information of the encrypted data; if two If they are inconsistent, the encrypted data is regarded as abnormal encrypted data, the temporary verification information of the encrypted sub-data is determined, and the encryption is performed according to the verification information corresponding to the encrypted sub-data in the total verification information. Whether the temporary verification information of the sub-data is consistent; the encrypted sub-data with the temporary verification information that is inconsistent with the total verification information is regarded as the abnormal encrypted sub-data; the corresponding download is generated during the decryption process of the abnormal encrypted sub-data While encrypting the sub-data of one level, continue to determine the temporary verification information of the encrypted sub-data of the next level, and use the encrypted sub-data of the next level with temporary verification information that is inconsistent with the total verification information as the abnormal encryption sub-data data;
    重复上述过程,直至确定异常的叶子加密子数据,并重新获取与异常的叶子加密子数据对应的目标子数据,直至获取到正确的目标子数据。The above process is repeated until the abnormal leaf encrypted sub-data is determined, and the target sub-data corresponding to the abnormal leaf encrypted sub-data is obtained again until the correct target sub-data is obtained.
  7. 一种认证通信的装置,包括:加密密钥确定模块,用于对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;加密处理模块,用于确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;发送模块,用于将所述加密数据发送至所述服务器。A device for authenticating communication, comprising: an encryption key determining module, used to perform identity authentication on a target node, and after passing the identity authentication, determine a dynamic encryption key agreed upon with the target node, the dynamic encryption key including Multiple levels of encryption keys; encryption processing module, used to determine the target data to be transmitted, according to the encryption keys of all levels of the dynamic encryption key, according to the encryption key from the lowest level to the top level encryption The sequence of the keys performs multiple encryption processing on the target data in turn, and generates final encrypted data after the encryption processing process ends; the sending module is used to send the encrypted data to the server.
  8. 根据权利要求7所述的装置,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100071
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100072
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100073
    其中,
    Figure PCTCN2019103531-appb-100074
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100075
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u]。     The apparatus according to claim 7, wherein the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key comprises: m leaf encryption keys
    Figure PCTCN2019103531-appb-100071
    n node encryption keys
    Figure PCTCN2019103531-appb-100072
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100073
    among them,
    Figure PCTCN2019103531-appb-100074
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i∈[1,m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100075
    n u represents the number of node encryption keys at the u-th level, j u ∈ [1, n u ].
  9. 根据权利要求8所述的装置,还包括:校验信息生成模块;所述校验信息生成模块,用于在执行加密处理过程生成相应的加密子数据的同时,确定所述加密子数据的校验信息,并将所有的校验信息按照与所述动态加密密钥相同的二叉树形式生成总校验信息;所述发送模块,还用于将所述总校验信息发送至所述服务器。The apparatus according to claim 8, further comprising: a verification information generating module; the verification information generating module is configured to determine the verification of the encrypted sub-data while performing the encryption processing to generate the corresponding encrypted sub-data And generate total verification information according to the binary tree form same as the dynamic encryption key; the sending module is also used to send the total verification information to the server.
  10. 一种认证通信的装置,包括:解密密钥确定模块,用于对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取模块,用于获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;解密处理模块,用于根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。A device for authenticating communication includes: a decryption key determination module, which is used to authenticate a target node, agree on a dynamic encryption key with the target node after the authentication is passed, and generate a corresponding dynamic decryption key. The dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys; the acquisition module is used to acquire the encrypted data sent by the target node, and the encrypted data is based on multiple levels. The dynamic encryption key is the data determined after the target data is encrypted for multiple times in the order from the encryption key at the bottom level to the encryption key at the top level; the decryption processing module is used for The decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key are decrypted multiple times in sequence from the decryption key of the top level to the decryption key of the bottom level, until Determine the target data obtained after the decryption process is over.
  11. 根据权利要求10所述的装置,所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100076
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100077
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100078
    其中,
    Figure PCTCN2019103531-appb-100079
    表示第a层 级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100080
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述动态解密密钥为与所述动态加密密钥具有相同的二叉树形式的解密密钥集合,且所述动态解密密钥包括:m个叶子解密密钥
    Figure PCTCN2019103531-appb-100081
    n个节点解密密钥
    Figure PCTCN2019103531-appb-100082
    和1个根解密密钥
    Figure PCTCN2019103531-appb-100083
    其中,
    Figure PCTCN2019103531-appb-100084
    表示第a层级的第b个解密密钥,所述叶子加密密钥与所述叶子解密密钥、所述节点加密密钥与所述节点解密密钥、所述根加密密钥与所述根解密密钥之间均是一一对应的关系。     The device according to claim 10, wherein the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key comprises: m leaf encryption keys
    Figure PCTCN2019103531-appb-100076
    n node encryption keys
    Figure PCTCN2019103531-appb-100077
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100078
    among them,
    Figure PCTCN2019103531-appb-100079
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100080
    n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and The dynamic decryption key includes: m leaf decryption keys
    Figure PCTCN2019103531-appb-100081
    n node decryption keys
    Figure PCTCN2019103531-appb-100082
    And 1 root decryption key
    Figure PCTCN2019103531-appb-100083
    among them,
    Figure PCTCN2019103531-appb-100084
    Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, the root encryption key and the root There is a one-to-one correspondence between the decryption keys.
  12. 根据权利要求11所述的装置,还包括:校验模块,用于接收所述目标节点发送的总校验信息,所述总校验信息为多个校验信息按照与所述动态解密密钥相同的二叉树形式所生成的信息;确定接收到的加密数据的临时校验信息,并判断所述总校验信息中与所述加密数据所对应的校验信息与所述加密数据的临时校验信息是否一致;若二者不一致,将所述加密数据作为异常加密数据,在确定所述加密子数据的临时校验信息,并根据所述总校验信息中与所述加密子数据所对应的校验信息所述加密子数据的临时校验信息是否一致;将具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;在对所述异常加密子数据执行解密处理过程中生成相应的下一层级的加密子数据的同时,继续确定下一层级的加密子数据的临时校验信息,并将下一层级中具有与总校验信息不一致的临时校验信息的加密子数据作为异常加密子数据;The apparatus according to claim 11, further comprising: a check module, configured to receive total check information sent by the target node, the total check information being a plurality of check information according to the dynamic decryption key Information generated in the same binary tree form; determine the temporary verification information of the received encrypted data, and determine the verification information corresponding to the encrypted data in the total verification information and the temporary verification of the encrypted data Whether the information is consistent; if the two are inconsistent, the encrypted data is regarded as abnormal encrypted data, and the temporary verification information of the encrypted sub-data is determined, and based on the total verification information corresponding to the encrypted sub-data Check whether the temporary check information of the encrypted sub-data is consistent with the check information; use the encrypted sub-data with temporary check information that is inconsistent with the total check information as the abnormal encrypted sub-data; perform decryption processing on the abnormal encrypted sub-data While generating the corresponding next-level encrypted sub-data in the process, continue to determine the temporary verification information of the next-level encrypted sub-data, and encrypt the temporary verification information in the next level that is inconsistent with the total verification information Sub-data is regarded as abnormal encrypted sub-data;
    重复上述过程,直至确定异常的叶子加密子数据,并重新获取与异常的叶子加密子数据对应的目标子数据,直至获取到正确的目标子数据。The above process is repeated until the abnormal leaf encrypted sub-data is determined, and the target sub-data corresponding to the abnormal leaf encrypted sub-data is obtained again until the correct target sub-data is obtained.
  13. 一种存储有计算机可读指令的非易失性可读存储介质,所述计算机可读指令被一个或多个处理器执行时实现认证通信的方法,包括:对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;将所述加密数据发送至所述服务器。A non-volatile readable storage medium storing computer readable instructions. The method for implementing authentication communication when the computer readable instructions are executed by one or more processors includes: performing identity authentication on a target node, and After identity authentication, determine the dynamic encryption key agreed with the target node, the dynamic encryption key includes multiple levels of encryption keys; determine the target data that needs to be transmitted, and encrypt all levels according to the dynamic encryption key Key, the target data is encrypted multiple times in sequence from the encryption key at the bottom level to the encryption key at the top level, and the final encrypted data is generated after the encryption process is over; The encrypted data is sent to the server.
  14. 根据权利要求1所述的非易失性可读存储介质,所述计算机可读指令被所述处理器执行时实现所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100085
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100086
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100087
    其中,
    Figure PCTCN2019103531-appb-100088
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100089
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u]。     The non-volatile readable storage medium of claim 1, when the computer-readable instructions are executed by the processor, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key The key includes: m leaf encryption keys
    Figure PCTCN2019103531-appb-100085
    n node encryption keys
    Figure PCTCN2019103531-appb-100086
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100087
    among them,
    Figure PCTCN2019103531-appb-100088
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i∈[1,m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100089
    n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ].
  15. 一种存储有计算机可读指令的非易失性可读存储介质,所述计算机可读指令被一个或多个处理器执行时实现认证通信的方法,包括:对目标节点进行身份认证,在认证通过后与所述目标节点约定动 态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取目标节点发送的加密数据,所述加密数据为基于多层级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。A non-volatile readable storage medium storing computer readable instructions. The method for realizing authentication communication when the computer readable instructions are executed by one or more processors includes: performing identity authentication on a target node, and After passing, the dynamic encryption key is agreed with the target node, and a corresponding dynamic decryption key is generated. The dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys. Key; Obtain the encrypted data sent by the target node, the encrypted data is based on the multi-level dynamic encryption key, the target data is multiplied in order from the encryption key at the bottom level to the encryption key at the top level Data determined after the second encryption processing; according to the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key, in the order from the decryption key of the top level to the decryption key of the bottom level The encrypted data is decrypted multiple times in sequence until the target data obtained after the end of the decryption process is determined.
  16. 根据权利要求15所述的非易失性可读存储介质,所述计算机可读指令被所述处理器执行时实现所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100090
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100091
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100092
    其中,
    Figure PCTCN2019103531-appb-100093
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100094
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述动态解密密钥为与所述动态加密密钥具有相同的二叉树形式的解密密钥集合,且所述动态解密密钥包括:m个叶子解密密钥
    Figure PCTCN2019103531-appb-100095
    n个节点解密密钥
    Figure PCTCN2019103531-appb-100096
    和1个根解密密钥
    Figure PCTCN2019103531-appb-100097
    其中,
    Figure PCTCN2019103531-appb-100098
    表示第a层级的第b个解密密钥,所述叶子加密密钥与所述叶子解密密钥、所述节点加密密钥与所述节点解密密钥、所述根加密密钥与所述根解密密钥之间均是一一对应的关系。     The non-volatile readable storage medium according to claim 15, wherein when the computer-readable instructions are executed by the processor, the dynamic encryption key is a set of encryption keys in the form of a binary tree, and the dynamic encryption key The key includes: m leaf encryption keys
    Figure PCTCN2019103531-appb-100090
    n node encryption keys
    Figure PCTCN2019103531-appb-100091
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100092
    among them,
    Figure PCTCN2019103531-appb-100093
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100094
    n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and The dynamic decryption key includes: m leaf decryption keys
    Figure PCTCN2019103531-appb-100095
    n node decryption keys
    Figure PCTCN2019103531-appb-100096
    And 1 root decryption key
    Figure PCTCN2019103531-appb-100097
    among them,
    Figure PCTCN2019103531-appb-100098
    Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, the root encryption key and the root There is a one-to-one correspondence between the decryption keys.
  17. 一种计算机设备,包括存储器和处理器,所述存储器存储有计算机可读指令,所述处理器执行所述计算机可读指令时实现认证通信的方法,包括:对目标节点进行身份认证,在通过身份认证后,确定与所述目标节点约定的动态加密密钥,所述动态加密密钥包括多个层级的加密密钥;确定需要传输的目标数据,根据所述动态加密密钥所有层级的加密密钥,按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对所述目标数据依次进行多次加密处理,并在加密处理过程结束后生成最终的加密数据;将所述加密数据发送至所述服务器。A computer device includes a memory and a processor. The memory stores computer-readable instructions. The method for implementing authentication communication when the processor executes the computer-readable instructions includes: performing identity authentication on a target node, and After identity authentication, determine the dynamic encryption key agreed with the target node, the dynamic encryption key includes multiple levels of encryption keys; determine the target data that needs to be transmitted, and encrypt all levels according to the dynamic encryption key Key, the target data is encrypted multiple times in sequence from the encryption key at the bottom level to the encryption key at the top level, and the final encrypted data is generated after the encryption process is over; The encrypted data is sent to the server.
  18. 根据权利要求17所述的计算机设备,所述计算机可读指令被所述处理器执行时实现所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100099
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100100
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100101
    其中,
    Figure PCTCN2019103531-appb-100102
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100103
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u]。     The computer device according to claim 17, wherein when the computer-readable instructions are executed by the processor, the dynamic encryption key is a set of encryption keys in the form of a binary tree, the dynamic encryption key comprising: m leaves Encryption key
    Figure PCTCN2019103531-appb-100099
    n node encryption keys
    Figure PCTCN2019103531-appb-100100
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100101
    among them,
    Figure PCTCN2019103531-appb-100102
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100103
    n u represents the number of node encryption keys at the u-th level, j u ∈ [1, n u ].
  19. 一种计算机设备,包括存储器和处理器,所述存储器存储有计算机可读指令,所述处理器执行所述计算机可读指令时实现认证通信的方法,包括:对目标节点进行身份认证,在认证通过后与所述目标节点约定动态加密密钥,并生成相应的动态解密密钥,所述动态加密密钥包括多个层级的加密密钥,所述动态解密密钥包括多个层级的解密密钥;获取目标节点发送的加密数据,所述加密数据为基于多层 级的所述动态加密密钥、按照从最底层级的加密密钥至最顶层级的加密密钥的顺序对目标数据进行多次加密处理后所确定的数据;根据与所述动态加密密钥相对应的动态解密密钥所有层级的解密密钥,按照从最顶层级的解密密钥至最底层级的解密密钥的顺序对所述加密数据依次进行多次解密处理,直至确定解密处理过程结束后得到的目标数据。A computer device includes a memory and a processor. The memory stores computer-readable instructions. The method for implementing authentication communication when the processor executes the computer-readable instructions includes: performing identity authentication on a target node, and After passing, the dynamic encryption key is agreed with the target node, and a corresponding dynamic decryption key is generated. The dynamic encryption key includes multiple levels of encryption keys, and the dynamic decryption key includes multiple levels of decryption keys. Key; Obtain the encrypted data sent by the target node, the encrypted data is based on the multi-level dynamic encryption key, the target data is multiplied in order from the encryption key at the bottom level to the encryption key at the top level Data determined after the second encryption processing; according to the decryption keys of all levels of the dynamic decryption key corresponding to the dynamic encryption key, in the order from the decryption key of the top level to the decryption key of the bottom level The encrypted data is decrypted multiple times in sequence until the target data obtained after the end of the decryption process is determined.
  20. 根据权利要求19所述的计算机设备,所述计算机可读指令被所述处理器执行时实现所述动态加密密钥为二叉树形式的加密密钥集合,所述动态加密密钥包括:m个叶子加密密钥
    Figure PCTCN2019103531-appb-100104
    n个节点加密密钥
    Figure PCTCN2019103531-appb-100105
    和1个根加密密钥
    Figure PCTCN2019103531-appb-100106
    其中,
    Figure PCTCN2019103531-appb-100107
    表示第a层级的第b个加密密钥,L为所述动态加密密钥的总层级数,i∈[1,m];u表示节点加密密钥所在的层级数,且
    Figure PCTCN2019103531-appb-100108
    n u表示第u层级的节点加密密钥的数量,j u∈[1,n u];所述动态解密密钥为与所述动态加密密钥具有相同的二叉树形式的解密密钥集合,且所述动态解密密钥包括:m个叶子解密密钥
    Figure PCTCN2019103531-appb-100109
    n个节点解密密钥
    Figure PCTCN2019103531-appb-100110
    和1个根解密密钥
    Figure PCTCN2019103531-appb-100111
    其中,
    Figure PCTCN2019103531-appb-100112
    表示第a层级的第b个解密密钥,所述叶子加密密钥与所述叶子解密密钥、所述节点加密密钥与所述节点解密密钥、所述根加密密钥与所述根解密密钥之间均是一一对应的关系。     The computer device according to claim 19, when the computer-readable instructions are executed by the processor, the dynamic encryption key is a set of encryption keys in the form of a binary tree, the dynamic encryption key comprising: m leaves Encryption key
    Figure PCTCN2019103531-appb-100104
    n node encryption keys
    Figure PCTCN2019103531-appb-100105
    And 1 root encryption key
    Figure PCTCN2019103531-appb-100106
    among them,
    Figure PCTCN2019103531-appb-100107
    Represents the b-th encryption key of the a-th level, L is the total number of levels of the dynamic encryption key, i ∈ [1, m]; u represents the number of the node encryption key, and
    Figure PCTCN2019103531-appb-100108
    n u represents the number of node encryption keys at the u-th level, j u ∈[1, n u ]; the dynamic decryption key is a set of decryption keys in the same binary tree form as the dynamic encryption key, and The dynamic decryption key includes: m leaf decryption keys
    Figure PCTCN2019103531-appb-100109
    n node decryption keys
    Figure PCTCN2019103531-appb-100110
    And 1 root decryption key
    Figure PCTCN2019103531-appb-100111
    among them,
    Figure PCTCN2019103531-appb-100112
    Represents the b-th decryption key of the a-th level, the leaf encryption key and the leaf decryption key, the node encryption key and the node decryption key, the root encryption key and the root There is a one-to-one correspondence between the decryption keys.
PCT/CN2019/103531 2019-04-25 2019-08-30 Authentication communication method and device, storage medium, and computer device WO2020215572A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910341149.9 2019-04-25
CN201910341149.9A CN110213228B (en) 2019-04-25 2019-04-25 Method, device, storage medium and computer equipment for authenticating communication

Publications (1)

Publication Number Publication Date
WO2020215572A1 true WO2020215572A1 (en) 2020-10-29

Family

ID=67786476

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/103531 WO2020215572A1 (en) 2019-04-25 2019-08-30 Authentication communication method and device, storage medium, and computer device

Country Status (2)

Country Link
CN (1) CN110213228B (en)
WO (1) WO2020215572A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110944009B (en) * 2019-12-13 2022-03-18 武汉理工光科股份有限公司 Data dynamic encryption communication method and system based on two-wire system communication
CN111698241B (en) * 2020-06-09 2021-05-28 亚特智物联技术(广东)有限公司 Internet of things cloud platform system, verification method and data management method
CN112152802B (en) * 2020-09-09 2023-06-20 深圳市欢太科技有限公司 Data encryption method, electronic device and computer storage medium
CN114978564B (en) * 2021-04-20 2023-07-14 中移互联网有限公司 Data transmission method and device based on multiple encryption

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621661A (en) * 2008-06-30 2010-01-06 北京中星微电子有限公司 Audio-video encryption and decryption transmission system
US20100183150A1 (en) * 2009-01-19 2010-07-22 The Industry & Academic Cooperation In Chungnam National University(Iac) Shared key management method, shared key generating method and message communication method for scada system, and recording medium
CN102725737A (en) * 2009-12-04 2012-10-10 密码研究公司 V erifiable, leak-resistant encryption and decryption
CN108235022A (en) * 2018-01-29 2018-06-29 苏州南尔材料科技有限公司 A kind of computer video data processing method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4424465B2 (en) * 2003-06-09 2010-03-03 ソニー株式会社 Information device, information server, and information processing program
WO2008026184A2 (en) * 2006-08-31 2008-03-06 Koninklijke Philips Electronics N.V. Method of key management
CN101150395B (en) * 2006-09-22 2010-05-12 中国科学院声学研究所 A L4 encryption method of double group of encrypted authorization management system
CN101883115B (en) * 2010-06-25 2013-04-17 北京交通大学 Access authentication method and system thereof
CN104040935B (en) * 2012-12-14 2017-06-20 华为技术有限公司 A kind of data encryption, the method and apparatus of decryption
CN108075879B (en) * 2016-11-10 2021-03-09 中国移动通信集团安徽有限公司 Data encryption and decryption method, device and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621661A (en) * 2008-06-30 2010-01-06 北京中星微电子有限公司 Audio-video encryption and decryption transmission system
US20100183150A1 (en) * 2009-01-19 2010-07-22 The Industry & Academic Cooperation In Chungnam National University(Iac) Shared key management method, shared key generating method and message communication method for scada system, and recording medium
CN102725737A (en) * 2009-12-04 2012-10-10 密码研究公司 V erifiable, leak-resistant encryption and decryption
CN108235022A (en) * 2018-01-29 2018-06-29 苏州南尔材料科技有限公司 A kind of computer video data processing method

Also Published As

Publication number Publication date
CN110213228A (en) 2019-09-06
CN110213228B (en) 2021-09-07

Similar Documents

Publication Publication Date Title
TWI754046B (en) Secure dynamic threshold signature scheme employing trusted hardware
CN107810617B (en) Secret authentication and provisioning
WO2020215572A1 (en) Authentication communication method and device, storage medium, and computer device
US7793340B2 (en) Cryptographic binding of authentication schemes
WO2020087805A1 (en) Trusted authentication method employing two cryptographic values and chaotic encryption in measurement and control network
EP3073668B1 (en) Apparatus and method for authenticating network devices
US7836306B2 (en) Establishing secure mutual trust using an insecure password
US11095635B2 (en) Server authentication using multiple authentication chains
US20130227286A1 (en) Dynamic Identity Verification and Authentication, Dynamic Distributed Key Infrastructures, Dynamic Distributed Key Systems and Method for Identity Management, Authentication Servers, Data Security and Preventing Man-in-the-Middle Attacks, Side Channel Attacks, Botnet Attacks, and Credit Card and Financial Transaction Fraud, Mitigating Biometric False Positives and False Negatives, and Controlling Life of Accessible Data in the Cloud
US20060212928A1 (en) Method and apparatus to secure AAA protocol messages
US9531540B2 (en) Secure token-based signature schemes using look-up tables
WO2008014328A2 (en) Systems and methods for digitally-signed updates
WO2016054905A1 (en) Method for processing data
KR101739203B1 (en) Password-based user authentication method using one-time private key-based digital signature and homomorphic encryption
WO2023093319A1 (en) Blockchain-based account resetting method, and device
Hou et al. A Robust and Efficient Remote Authentication Scheme from Elliptic Curve Cryptosystem.
Alzomai et al. The mobile phone as a multi OTP device using trusted computing
US11438161B2 (en) Implicit attestation for network access
CN106713256A (en) Method for authenticating software and hardware binding of computer special for tax control
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
CN114553566B (en) Data encryption method, device, equipment and storage medium
US11595218B2 (en) Authorization delegation
Zhang et al. Universally composable secure TNC model and EAP-TNC protocol in IF-T
JP2000509521A (en) How to use transient failures to verify the security of a cryptographic system
WO2023198036A1 (en) Key generation method and apparatus, and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19926433

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19926433

Country of ref document: EP

Kind code of ref document: A1