WO2024021958A1 - Procédé et système de traitement de communication, client, serveur de communication et serveur de supervision - Google Patents

Procédé et système de traitement de communication, client, serveur de communication et serveur de supervision Download PDF

Info

Publication number
WO2024021958A1
WO2024021958A1 PCT/CN2023/102571 CN2023102571W WO2024021958A1 WO 2024021958 A1 WO2024021958 A1 WO 2024021958A1 CN 2023102571 W CN2023102571 W CN 2023102571W WO 2024021958 A1 WO2024021958 A1 WO 2024021958A1
Authority
WO
WIPO (PCT)
Prior art keywords
encrypted
key
fragments
server
supervision
Prior art date
Application number
PCT/CN2023/102571
Other languages
English (en)
Chinese (zh)
Inventor
巫鹏涛
徐晟�
徐伟南
徐欣
Original Assignee
杭州安司源科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 杭州安司源科技有限公司 filed Critical 杭州安司源科技有限公司
Publication of WO2024021958A1 publication Critical patent/WO2024021958A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the present disclosure relates to the field of information security technology, and in particular to communication processing methods and systems, clients, communication servers and supervision servers, electronic devices, and computer storage media.
  • the communication server usually generates and saves the public key and private key of the user or group for key exchange on behalf of the agent.
  • the client encrypts messages sent from the client using its user's or group's private key or decrypts encrypted messages received by the client that are encrypted using the user's or group's public key.
  • a communication processing method includes: generating a public key and a private key for key exchange for a user or group of the client, the private key being The key is not stored in plain text; the private key is encrypted using a protection key to obtain an encrypted private key.
  • the protection key is a non-replayable randomly generated key generated by the client; for The protection key executes a threshold encryption algorithm to obtain multiple key fragments, wherein at least a preset number of key fragments are required to restore the protection key; the multiple key fragments are encrypted to obtain Multiple encrypted fragments, the multiple encrypted fragments including the first encrypted fragment encrypted using a user-side key that is imperceptible to the communication server; sending and storing the encrypted private key and the multiple encrypted fragments fragments to the communication server, where the encrypted fragments greater than or equal to the preset number cannot be decrypted by the communication server, and the encrypted private key and at least the preset number of encrypted fragments are used for the client
  • the private key is restored in memory by the protection key restored according to the user-side key, and the restored private key is used to issue a request from the client. Encrypt the message or decrypt the encrypted message received by the client and encrypted using the public key.
  • the user-side key includes at least one of the user's personal password, gesture password, digital certificate and preset picture characteristics.
  • the communication processing method further includes: when the user or group logs in to the client, obtaining the encrypted private key and at least a preset number of encrypted fragments from the communication server , wherein at least a preset number of encrypted fragments includes the first encrypted fragment; using the user-side key and the at least preset number of encrypted fragments, restore from the encrypted private key The private key; uses the restored private key to encrypt a message sent from the client or decrypts an encrypted message received by the client and encrypted using the public key.
  • restoring the private key from the encrypted private key includes: using the user-side key, from the first encrypted fragment among the at least a preset number of encrypted fragments, Restore the key fragments corresponding to the first encrypted fragments; when the number of restored key fragments is greater than or equal to the preset number, use the restored key fragments to obtain the key fragments from the From the encrypted private key, restore the private key of the user or group.
  • encrypting the multiple key fragments to obtain multiple encrypted fragments further includes: using the public key of the communication server to encrypt key fragments that are less than the preset number. Encrypt to obtain less than the preset number of second encrypted fragments, wherein the second encrypted fragments are updated by the communication server by decrypting and encrypting them according to the private key of the communication server, so The at least preset number of encrypted fragments also includes updated second encrypted fragments, and the communication server includes one communication server or multiple decentralized communication servers.
  • restoring the private key from the encrypted private key includes: using the user-side key, from the first encrypted fragment among the at least a preset number of encrypted fragments, Restore the key fragment corresponding to the first encrypted fragment; use the public key of the communication server to restore the key fragment corresponding to the at least preset number of encrypted fragments from the updated second encrypted fragment.
  • the key fragments corresponding to the second encrypted fragments when the number of restored key fragments is greater than or equal to the preset number, use the restored key fragments to obtain the encrypted key fragments from the encrypted key fragments.
  • restore the private key of the user or group restore the private key of the user or group.
  • the communication processing method further includes: when the user-side key is changed, using the user-side key to restore the first encrypted fragment to obtain the same as the first encrypted fragment. Corresponding key fragment; use the changed user-side key to re-encrypt the restored key fragment corresponding to the first encrypted fragment to obtain the updated first encrypted fragment; send and store the update The first encrypted fragment is sent to the communication server.
  • encrypting the plurality of key fragments to obtain multiple encrypted fragments includes: encrypting the key fragments using the public key of each supervision server in at least one supervision server, Obtain at least a preset number of third encrypted fragments, wherein the public key of each supervision server is obtained by the client through the communication server, and the plurality of encrypted fragments also includes the at least preset number of third encrypted fragments.
  • a number of third encrypted fragments, the preset number of third encrypted fragments is used by each supervision server to restore messages from encrypted messages sent by the client or received by the client, and Monitor whether the restored message meets the preset conditions.
  • the at least one supervision server corresponds to one supervisor or to multiple different supervisors. Different supervision servers of the same supervisor have the same public key and private key of the supervision server.
  • encrypting the multiple key fragments to obtain multiple encrypted fragments includes: using the public key of the communication server to encrypt less than the preset number of key fragments to obtain Less than the preset number of second encrypted fragments, wherein the second encrypted fragments are updated by the communication server in a manner of decrypting and encrypting according to the private key of the communication server, the communication service
  • the terminal includes one communication server or multiple decentralized communication servers; the public key of each supervision server in at least one supervision server is used to encrypt the key fragments to obtain at least one third encrypted fragment, Wherein, the public key of each supervision server is obtained by the client through the communication server, and the total number of the at least one third encrypted fragment and the updated second encrypted fragment is greater than or equal to the
  • a preset number is used for each supervision server to restore messages from encrypted messages sent by the client or received by the client, and monitor whether the restored messages meet the preset conditions, and the at least one The supervision server corresponds to one supervisor or to multiple different supervisors. Different supervision servers of the same supervisor have the
  • the communication processing method further includes: when a new supervision server is added, restoring the protection key according to the user-side key and at least a preset number of encrypted shards; and re-configuring the protection key.
  • the key executes the threshold encryption algorithm to obtain multiple key fragments; the multiple key fragments are re-encrypted to obtain multiple encrypted fragments, including: reusing the public key of the communication server to perform encryption for less than the preset value.
  • a number of key fragments are encrypted to obtain less than the preset number of second encrypted fragments, wherein the re-obtained second encrypted fragments are reused by the communication server according to the private key of the communication server Update by decrypting and encrypting; reuse the public key of each supervision server to encrypt the key fragments to obtain at least one third encrypted fragment; resend and store the re-obtained multiple encrypted fragments to the communication service end.
  • a communication processing method is provided, wherein, executed by the communication server, the method includes: receiving and storing an encrypted private key and a plurality of encrypted fragments from the client, wherein the encrypted The private key and the plurality of encrypted fragments are obtained through the communication processing method executed by the client as described in any of the above embodiments.
  • the plurality of encrypted fragments include a first encrypted fragment obtained by encrypting key fragments by the client using a user-side key that is imperceptible to the communication server and the client
  • the communication processing method further includes: using the private key of the communication server to decrypt the second encrypted fragments obtained by encrypting less than a preset number of key fragments using the public key of the communication server.
  • Two encrypted fragments use the private key of the communication server to encrypt the decrypted second encrypted fragment to obtain an updated second encrypted fragment, wherein the first encrypted fragment and the updated second encrypted fragment are Sharding is used to restore the private key of the client's user or group.
  • the communication processing method further includes: when the user or group logs in to the client, sending the first encrypted fragment and the updated second encrypted fragment to the client. end, for the client to restore the private key of the user or group; and/or when the user or group logs in to another client other than the client, send the first encrypted fragment and The updated second encrypted fragment is sent to the other clients for multi-client login by the user or group.
  • the plurality of encrypted fragments further includes at least one third encrypted fragment obtained by encrypting key fragments using the public key of at least one supervision server.
  • the communication processing method further includes: generating and Deploying at least one supervision service package to the supervision server, wherein the at least one supervision server corresponds to one supervision party or to multiple different supervision parties, and different supervision service terminals of the same supervision party have the same public key and private key of the supervision server.
  • the supervision service package deployed to each supervision server is configured to: use the private key of each supervision server, restore the third encrypted fragment obtained by using the public key of each supervision server, and restore the same The key fragment corresponding to the third encrypted fragment; using the public key of the communication server to restore the key fragment corresponding to the updated second encrypted fragment from the updated second encrypted fragment;
  • the restored key fragments are used to restore the user or group from the encrypted private key. or the private key of the group; decrypt the encrypted message sent from the client using the restored private key of the user or group or decrypt the public key received by the client using the public key of the user or group Decrypt the encrypted message obtained by encryption; monitor whether the decrypted encrypted message meets the preset conditions.
  • the supervision service package deployed to each supervision server is further configured to: after completion of monitoring, clear the restored private key of the user or group in the memory of each supervision server.
  • a communication processing method is provided, which is executed by a supervision server, including: when there is a need for encrypted message supervision, obtaining an updated second message encrypted using the private key of the communication server. Encrypt the fragments and the third encrypted fragment encrypted using the public key of the supervision server; call the supervision service package deployed on the supervision server according to the private key of the supervision server and the public key of the communication server The obtained updated second encrypted fragment and third encrypted fragment are processed to complete the supervision of the encrypted message, wherein the supervision service package is processed by the communication server as described in the above embodiment. Methods are generated and deployed.
  • the communication processing method further includes: in the absence of a third encrypted fragment encrypted using the public key of the supervision server, sending the public key of the supervision server through the communication server to the client, and notify the client to re-execute the threshold encryption algorithm on the protection key, obtain multiple key fragments, re-encrypt the multiple key fragments, and obtain the public key encryption including using the supervision server. Obtain multiple encrypted fragments of the third encrypted fragment and re-send and store the newly obtained multiple encrypted fragments to the communication server.
  • a client is provided, which is configured to perform any one of the above communication processing methods performed by the client.
  • a communication server is provided, which is configured to perform any one of the above communication processing methods performed by the communication server.
  • a supervision server is provided, which is configured to perform any one of the communication processing methods described above performed by the supervision server.
  • a communication processing system which includes the client described in any of the above embodiments.
  • the communication processing system further includes the communication server described in any of the above embodiments.
  • the communication processing system further includes the supervision server described in any of the above embodiments.
  • an electronic device including: a memory; and a processor coupled to the memory, the processor being configured to perform any of the above implementations based on instructions stored in the memory.
  • the communication processing method described in the example is provided, including: a memory; and a processor coupled to the memory, the processor being configured to perform any of the above implementations based on instructions stored in the memory.
  • a computer-storable medium on which computer program instructions are stored.
  • the instructions are executed by a processor, the communication processing method described in any of the above embodiments is implemented.
  • Figure 1 is a flowchart illustrating a communication processing method according to some embodiments of the present disclosure
  • Figure 2 is a schematic diagram illustrating obtaining multiple encrypted fragments according to some embodiments of the present disclosure
  • Figure 3 is a flowchart illustrating a communication processing method according to other embodiments of the present disclosure.
  • Figure 4 is a schematic diagram illustrating a communication processing method according to some embodiments of the present disclosure.
  • Figure 5 is a flowchart illustrating a communication processing method according to still some embodiments of the present disclosure.
  • Figure 6 is a block diagram illustrating a communications processing system according to some embodiments of the present disclosure.
  • Figure 7 is a block diagram illustrating an electronic device according to some embodiments of the present disclosure.
  • Figure 8 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
  • any specific values are to be construed as illustrative only and not as limiting. Accordingly, other examples of the exemplary embodiments may have different values.
  • the communication server and the user can solve the information security problem during the network transmission of communication messages through asymmetric encryption of public keys and private keys or key exchange algorithms.
  • encrypted messages sent from the sending client are usually decrypted by the communication server and then encrypted and forwarded to the receiving client, or the communication server holds the user's public information on behalf of the client. key and private key.
  • the encrypted message can be decrypted by the communication server in the same technical manner. This allows the communication server to hold the key on behalf of the user based on current regulatory requirements.
  • the encrypted message sent from the client or the encrypted message received by the client is decrypted using a key or communication server technology replay method to obtain the client's message plaintext. Since the communication server is the center of the entire communication link, if there is information leakage on the communication server, it will lead to the leakage of all user information, thus triggering security issues for user privacy information.
  • the communication server can obtain the clear text of the user's messages through technical means and also extract the user information in the name of supervision.
  • the operation process is also difficult to be perceived and evidenced by the outside world.
  • Corresponding operations Personnel are also information contact parties outside the legal provisions. The entire process may bring about various security issues regardless of the information security and legal and regulatory processes. It can be seen that related technologies have security risks of user privacy leakage, which leads to security issues based on end-to-end encrypted communication.
  • regulators usually implement supervision by obtaining message plaintext from the communication server, which will cause security issues in the process of message supervision by regulators.
  • the present disclosure proposes a communication processing method that can establish an end-to-end information secure communication channel between a message sending client and a message receiving client, and the communication server can use any technical means at any time
  • the original text of the communication message cannot be obtained, which can improve the security of end-to-end encrypted communication.
  • this disclosure also considers the supervision service of the supervision server, which can enable the supervision server to obtain the original text of the communication message for message supervision when the communication server cannot obtain the original text of the communication message, thereby realizing end-to-end encryption-based Safety supervision.
  • Security supervision is proposed in this disclosure and refers to supervision in which only the supervisor operates to obtain the message plaintext without destroying the end-to-end encryption and preventing the communication server from obtaining the message plaintext.
  • FIG. 1 is a flowchart illustrating a communication processing method according to some embodiments of the present disclosure.
  • the communication processing method performed by the client includes: step S110, generating the public key and private key for key exchange of the client's user or group, the private key is not stored in plain text; step S120 , use the protection key to encrypt the private key of the user or group to obtain the encrypted private key.
  • the protection key is a non-replayable randomly generated key generated by the client; step S130, perform a threshold on the protection key encryption algorithm to obtain multiple key fragments, wherein at least a preset number of key fragments are required to restore the protection key; step S140, encrypt multiple key fragments to obtain multiple encrypted fragments, multiple The encrypted fragments include a first encrypted fragment encrypted using a user-side key that is imperceptible to the communication server; and step S150, sending and storing the encrypted private key and multiple encrypted fragments to the communication server, wherein, is greater than Or the encrypted fragments equal to the preset number cannot be decrypted by the communication server.
  • the private key is not stored in clear text on any end (including the client and the communication server). In some embodiments, the private key is also not stored in clear text on the custody server.
  • the client generates the public key and private key of its user or group, so that the communication server is not aware of the generation rules of the user or group's private key and cannot regenerate the private key in any way.
  • the protection key is generated by the client and cannot be replayed. This protection key is used to encrypt the private key, and the protection key is encrypted after performing a threshold encryption algorithm. It becomes more difficult to restore the user's private key.
  • the number of encrypted fragments that cannot be decrypted by the communication server is further controlled to be greater than or equal to the minimum number of key fragments that can restore the protection key (i.e., the preset number), so that even if the communication server stores or holds all encryption
  • the fragmented and encrypted private key also cannot decrypt a sufficient number of encrypted fragments to restore the protection key, making it impossible to restore the user or group's private key.
  • the client sends the encrypted private key and multiple encrypted fragments to the communication server for storage, which ensures that the private key of the user or group can be safely stored, and also ensures that the communication server provides multi-terminal login services for the client.
  • the above embodiments can ensure that the user's private key is safely stored, and while providing services based on end-to-end encrypted communication, ensure that the communication server cannot obtain the original text of the communication message at any time by any technical means, improving the The security of communication messages protects users’ private information such as messages, thereby improving the security of communication based on end-to-end encryption.
  • the communication server holds encrypted private keys and multiple encrypted shards, so that users or groups can still log in normally when changing clients, which improves the security of end-to-end encrypted communication. On, multi-client login for users or groups is implemented.
  • a public key and a private key for key exchange of the user or group of the client are generated.
  • the private key of a user or group is not stored in clear text since it is generated.
  • the public key and private key of a user or group constitute an asymmetrically encrypted public-private key pair.
  • the client when the client registers a user account or a user group, the client generates a one-time non-replayable asymmetrically encrypted public-private key pair.
  • the public and private key pairs of users or groups are saved as user key packages (Key Bundle).
  • the user's public and private keys include the public and private keys used for the user's single chat.
  • the group's public and private keys include the public and private keys used for user group chats.
  • algorithms for generating public keys and private keys for key exchange include, but are not limited to, asymmetric encryption algorithms, DH algorithms, and DH-based extensions such as ECDH algorithms. algorithm.
  • asymmetric encryption algorithms include the RSA algorithm.
  • the private key of a user or group is a non-public key, which can be multiple or even dynamic.
  • the private key of the user or group is encrypted using the protection key to obtain an encrypted private key.
  • the protection key is a non-replayable, randomly generated key generated by the client.
  • a preset symmetric encryption algorithm can be used to generate a protection key (Recovery Bundle Key, RBK) through a random salt value (salt).
  • RBK Protection Bundle Key
  • salt random salt value
  • symmetric encryption of the private key is achieved.
  • the encrypted private key can be represented as RBK_Encrypt.
  • Non-replayable means that it cannot be regenerated by any technical means.
  • the protection key can be heaped or otherwise encrypted, requiring only the client's communicating client to know the recovery algorithm.
  • a threshold encryption algorithm is executed on the protection key to obtain multiple key fragments. Restoring a protected key requires at least a preset number of key shards.
  • a threshold encryption algorithm can be used to split the protection key to obtain multiple key fragments. Take the number of key fragments as N and the preset number as P as an example. P is the key reconstruction threshold, and P is greater than or equal to 2 and less than N. In some embodiments, both N and P can be configured according to actual conditions.
  • taking an end-to-end encrypted communication scenario including a client and a communication server as an example there are two multiple key shards, and the default number is two.
  • taking an end-to-end encrypted communication scenario including a client, a communication server, and a supervision server as an example there are three multiple key shards, and the default number is two.
  • the numbers listed here are only examples and do not constitute other limitations.
  • an end-to-end encrypted communication scenario may also include a client, one or more communication servers, and multiple supervision servers.
  • RBK is split into 3 key shards, represented as RBK_1, RBK_2, and RBK_3 respectively.
  • RBK_1, RBK_2, and RBK_3 key shards
  • step S140 multiple key fragments are encrypted to obtain multiple encrypted fragments, wherein the multiple encrypted fragments include first encrypted fragments encrypted using a user-side key that is imperceptible to the communication server.
  • the multiple encrypted fragments include first encrypted fragments encrypted using a user-side key that is imperceptible to the communication server.
  • the communication server cannot directly or indirectly perceive the user-side key.
  • the user-side key may include at least one of the user's personal password, gesture password, digital certificate, and preset picture characteristics.
  • the user's personal password is usually encrypted and stored through an irreversible encryption process. It is only obtained by the user of the client and cannot be sensed by devices other than the client such as the communication server. pass In this way, it can be further controlled that the encrypted fragments used for the client to restore the private key cannot be decrypted by the communication server, thereby further improving the security of end-to-end encrypted communication.
  • the user's personal password includes the user's account password and other passwords set by the user.
  • the user's personal password is used to symmetrically encrypt the key fragment RBK_1 to obtain the first encrypted fragment RBK_1_C.
  • the first encrypted shard cannot be restored if it leaves the client.
  • the SM2 encryption algorithm is used to symmetrically encrypt the key fragment RBK_1 to obtain the first encrypted fragment RBK_1_C.
  • step S150 the encrypted private key and multiple encrypted fragments are sent and stored to the communication server. Encrypted fragments greater than or equal to the preset number cannot be decrypted by the communication server but can be decrypted by the client.
  • the encrypted private key and at least a preset number of encrypted shards are used by the client to restore the user or group's private key in memory each time it communicates by restoring the protection key based on the user-side key.
  • the restored private key is used to encrypt messages sent from the client or to decrypt encrypted messages received by the client using the public key of the user or group.
  • the client restores the private key to a temporary restore or recovery in memory, which is not permanently stored on the client.
  • the communication processing method further includes the following steps 1)-3).
  • step 1) when a user or group logs in to the client, the encrypted private key and at least a preset number of encrypted fragments are obtained from the communication server. At least a predetermined number of encrypted fragments include the first encrypted fragment. For example, in the case where a user needs to send encrypted messages to other users through a single chat or group chat or needs to receive encrypted messages from other users, the user or group logs in to the client.
  • step 2) use the user-side key and at least a preset number of encrypted fragments to restore the user or group's private key from the encrypted private key.
  • user-side keys and at least a preset number of encrypted shards can be used to restore at least a preset number of key shards from at least a preset number of encrypted shards; A number of key shards are used to restore the user or group's private key from the encrypted private key.
  • the user-side key may be used to restore the key fragment corresponding to the first encryption fragment from the first encryption fragment among at least a preset number of encryption fragments, and in the restored key fragment
  • the restored key fragments are used to restore the user or group's private key from the encrypted private key.
  • the number of first encrypted fragments is greater than or equal to a preset number.
  • the client can restore all the first encrypted fragments to obtain the corresponding key fragments, or can restore a preset number of first encrypted fragments to obtain the corresponding key fragments, or can restore less than the preset number of first encrypted fragments to obtain the corresponding key fragments.
  • the first encrypted shard is restored. For client pairs If less than the preset number of first encrypted fragments are used for restoration, the private key of the user or group needs to be restored in combination with the key fragments that can be restored by other clients.
  • the user-side key can be used to restore the corresponding at least a preset number of key shards from at least a preset number of first encrypted shards, and use At least a preset number of key fragments corresponding to at least a predetermined number of first encrypted fragments restore the user's private key.
  • encrypting multiple key fragments to obtain multiple encrypted fragments may also include using the public key of the communication server to encrypt less than a preset number of key fragments to obtain less than a preset number. Let the number of second encrypted shards. The second encrypted fragment is updated by the communication server by decrypting and encrypting it according to the private key of the communication server.
  • the communication server includes one communication server or multiple decentralized communication servers. In the case where the communication server includes multiple decentralized communication servers, different communication servers correspond to different public keys of the communication server and thus correspond to different second encrypted shards. At least the preset number of encrypted shards also includes updated second encrypted shards.
  • the second encrypted fragment is updated so that both the client and the supervision server can decrypt the second encrypted fragment through the public key of the public communication server to assist in restoring the user's private key.
  • multiple decentralized communication servers can be used to prevent intermediaries from hijacking communication servers and further improve the security of end-to-end encrypted communication.
  • the key fragment RBK_2 is encrypted using the public key of the communication server to obtain the second encrypted fragment RBK_2_S.
  • the key fragment RBK_2 is encrypted using the SM2 encryption algorithm to obtain the second encrypted fragment RBK_2_S.
  • the updated second encrypted shard may be represented as RBK_2_S_C.
  • the private key of the user or group can be restored in the following manner.
  • the user-side key is used to restore the key fragment corresponding to the first encrypted fragment from the first encrypted fragment among at least a preset number of encrypted fragments.
  • the public key of the communication server is used to restore the key fragment corresponding to the second encrypted fragment from the updated second encrypted fragment among at least a preset number of encrypted fragments.
  • the total number of first encrypted fragments and updated second encrypted fragments is greater than or equal to a preset number.
  • the restored key fragments are used to restore the private key of the user or group from the encrypted private key.
  • Use different methods to separate different encryption Encrypt the fragment to increase the difficulty of restoring the private key of the user or group, thereby further improving the security of the private key of the user or group, thereby further improving the security of end-to-end encrypted communication.
  • step 3 the restored private key is used to encrypt the message sent from the client or the encrypted message received by the client and encrypted using the public key of the user or group is decrypted.
  • the user-side key when the user-side key is changed, the user-side key is used to restore the first encrypted fragment to obtain the key fragment corresponding to the first encrypted fragment; the changed user-side key is used key, re-encrypt the restored key fragment corresponding to the first encrypted fragment, and obtain the updated first encrypted fragment; send and store the updated first encrypted fragment to the communication server.
  • the first encrypted fragment can be updated separately, or the threshold encryption algorithm can be re-executed on the protection key, encrypted to obtain multiple new encrypted fragments, and the new encrypted fragments can be sent and stored to the communication server.
  • the client restores the private key of user 1 or group 1
  • the client uses the private key of user 1 or group 1 and the public key of the user's corresponding user 2 or communication group 2 to encrypt the message.
  • the encrypted message is transmitted to the communication server through the encrypted Internet network.
  • the communication server stores the encrypted message and sends it to the user's communication user 2 or communication group 2 through the encrypted Internet network.
  • the client used by the user's communication user 2 or communication group 2 can also obtain the encrypted private key and multiple encrypted fragments corresponding to the communication user 2 or communication group 2, so that the communication user 2 or communication group 2 can be restored.
  • the private key of communication group 2 uses the private key of communication user 2 or communication group 2 and the public key of user 1 or group 1 to decrypt the encrypted message to obtain the message.
  • the client restores the private key of user 1 or group 1
  • the client uses the private key of user 1 or group 1 and the public key of user 1's communication user 2 or communication group 2 to encrypt the message. Decrypt the message to obtain the message from the communication user 2 or communication group 2 of the user 1.
  • multiple encryption shards are also used by at least one supervision server to restore the privacy of the user or group corresponding to the encrypted message it supervises. key, and use the restored private key to restore the message from the encrypted message sent by the client or received by the client, and monitor whether the restored message meets the preset conditions.
  • each supervision server there are multiple encrypted fragments and at least a preset number of encrypted fragments that can be decrypted by each supervision server.
  • the preset condition includes that the restored message or message content does not contain content that does not comply with communication specifications.
  • content that does not comply with communication standards includes sensitive information, illegal information, etc.
  • at least one supervision server corresponds to one supervision party or to multiple different supervision parties. Different supervision servers of the same supervision party have the same public key and private key of the supervision server.
  • At least a preset number of encrypted shards among the multiple encrypted shards can be decrypted by the supervision server, thereby improving communication security and achieving the goal of protecting the private key of the user or group.
  • the supervision server can perform security supervision or security inspection on the communication message. It can safely handle the permissions of the three identities of the user, communication service provider and supervisor to view encrypted messages, which can meet the needs of real-time Security management requirements for communication services.
  • the above embodiment supports multiple supervision servers, supports the login of multiple supervision servers from the same supervisor, and also supports security supervision by multiple supervisors.
  • encrypting multiple key fragments to obtain multiple encrypted fragments includes: using the public key of each supervision server in at least one supervision server to encrypt the key fragments to obtain at least A preset number of third encrypted shards.
  • the public key of each supervision server is obtained by the client through the communication server.
  • the plurality of encrypted shards also includes at least a preset number of third encrypted shards, and the predetermined number of third encrypted shards are used by each supervision server to restore messages from encrypted messages sent by the client or received by the client. , and monitor whether the restored messages meet the preset conditions.
  • the public key of each supervision server is used to obtain the third encrypted fragment, which can only be decrypted with the private key of the supervision server.
  • the private key of each supervision server is generated by itself and cannot be sensed by other devices, which can further improve The security of supervision can not only realize the safety supervision of communication messages by a single supervision server, but also realize the safety supervision of communication messages by multiple supervision servers.
  • the key fragment RBK_3 is encrypted using the public key of the supervision server to obtain the third encrypted fragment RBK_3_A_X, where X identifies the Xth supervision server.
  • the key fragment RBK_3 is encrypted to obtain the third encrypted fragment RBK_3_A_X.
  • the public key of the supervision server can also be called the risk control public key.
  • encrypting multiple key fragments to obtain multiple encrypted fragments includes the following steps.
  • the communication server includes one communication server or multiple decentralized communication servers.
  • each supervision server in the at least one supervision server is used to encrypt at least one key fragment to obtain at least one third encrypted fragment.
  • the public key of each supervision server is obtained by the client through the communication server.
  • the total number of at least one third encrypted shard and the updated second encrypted shard is greater than or equal to the preset number for each supervision server to restore messages from encrypted messages sent by the client or received by the client, And monitor whether the restored messages meet the preset conditions.
  • each supervision server Supervised using a third encrypted shard corresponding to its public key.
  • the communication server will connect to a supervision server by default.
  • the server can also be called a server.
  • At least one supervision server corresponds to one supervisory party or to multiple different supervisory parties. Different supervision servers of the same supervisor have the same public key and private key of the supervision server, which can realize the login of multiple supervision servers of the same supervisor.
  • multiple encrypted slices may also include a first encrypted slice, a second encrypted slice, and a third encrypted slice at the same time.
  • the number of second encrypted fragments is less than the preset number
  • the total number of first encrypted fragments and second encrypted fragments is greater than or equal to the preset number
  • the total number of second encrypted fragments and third encrypted fragments is greater than or equal to equal to the preset quantity.
  • Encrypted shards allow the client, communication server, and supervision server to have different decryption permissions for different encrypted shards, thereby ensuring that the communication server cannot decrypt and obtain the protected key, and the client and supervision server can decrypt and obtain the protected key. , while improving communication security, it also realizes communication message security supervision without information leakage on the communication server.
  • Figure 2 is a schematic diagram illustrating obtaining multiple encrypted fragments according to some embodiments of the present disclosure.
  • the client uses the encryption algorithm to encrypt the private key of the user or group based on the protection key RBK, and obtains the encrypted private key of the user or group.
  • the client performs the threshold encryption algorithm on the protection key RBK and obtains three key fragments RBK_1, RBK_2 and RBK_3.
  • the threshold encryption algorithm sets the recovery threshold for restoring the private key of a user or group to 2.
  • a user or group's private key may be encrypted using the SM4 encryption algorithm.
  • the client encrypts the key fragment RBK_1 based on the user-side key that the communication server cannot perceive, and obtains the RBK_1 ciphertext as the first encrypted fragment.
  • the client also encrypts the key fragment RBK_2 based on the public key of the communication server to obtain the RBK_2 ciphertext as the second encrypted fragment.
  • the client also encrypts the key fragment RBK_3 based on the public key of the supervision server, and obtains the RBK_3 ciphertext as the third encrypted fragment.
  • the key shards can be encrypted using the SM2 encryption algorithm.
  • the encrypted private key, RBK_1 ciphertext, RBK_2 ciphertext, and RBK_3 ciphertext of the user or group are sent by the client to the communication server.
  • the RBK_2 ciphertext is updated on the communication server by decrypting and encrypting it with its private key, and the updated RBK_2 ciphertext is obtained.
  • the RBK_1 ciphertext and the updated RBK_2 ciphertext are used by the client to decrypt the encrypted private key of the user or group to obtain the private key of the user or group.
  • the RBK_3 ciphertext and the updated RBK_2 ciphertext are used by the supervision server to decrypt the encrypted private key of the user or group to obtain the private key of the user or group.
  • FIG. 2 is only a schematic illustration of the processing included in the method according to the exemplary embodiment of the present disclosure, and is not for limiting purposes.
  • the protection key when a supervision server is added, the protection key is restored based on the user-side key and at least a preset number of encryption shards; the threshold encryption algorithm is re-executed on the protection key to obtain multiple keys Fragmentation, re-encrypt multiple key fragments to obtain multiple encrypted fragments, and resend and store the encrypted private key and the multiple re-obtained encrypted fragments to the communication server.
  • Re-executing the threshold encryption algorithm on the protection key includes reusing the public key of the communication server, encrypting less than a preset number of key fragments, obtaining less than a preset number of second encrypted fragments, and reusing each Supervise the public key of the server, encrypt the key fragments, and obtain at least one third encrypted fragment.
  • the re-obtained second encrypted fragment is updated by the communication server by decrypting and encrypting it according to the private key of the communication server.
  • the user-side key is reused to encrypt at least one key fragment to obtain at least one first encrypted fragment; the public key of the communication server is used to encrypt the key fragment. Encryption is performed on a preset number of key fragments to obtain less than a preset number of second encrypted fragments, wherein the re-obtained second encrypted fragments are reused by the communication server according to the private key of the communication server.
  • the key is decrypted and encrypted, and the total number of first encrypted fragments and updated second encrypted fragments is greater than or equal to the preset number; reuse the public key of each supervision server to fragment at least one key Encrypt to obtain at least one third encrypted fragment.
  • the retrieved plurality of encrypted fragments include the first encrypted fragment, the second encrypted fragment and the third encrypted fragment.
  • an end-to-end information secure communication channel can be established between the message sending client and the message receiving client, and the communication server cannot obtain the original text of the communication message at any time by any technical means, so that it can Improve the security of communication based on end-to-end encryption.
  • this disclosure also considers the supervision service of the supervision server, which can enable the supervision server to obtain the original text of the communication message for message supervision when the communication server cannot obtain the original text of the communication message, thereby realizing end-to-end encryption-based Safety supervision.
  • Security supervision is proposed in this disclosure and refers to supervision in which only the supervisor operates to obtain the message plaintext without destroying the end-to-end encryption and preventing the communication server from obtaining the message plaintext.
  • FIG. 3 is a flowchart illustrating a communication processing method according to other embodiments of the present disclosure.
  • the communication processing method executed by the communication server includes step S310.
  • step S310 the communication server receives and stores the encrypted private key and multiple encrypted fragments from the client, where the encrypted private key and multiple encrypted fragments are executed by the client through any of the foregoing embodiments.
  • the communication processing method is obtained. For example, when a user or group logs in to the client, the client sends a login request to the communication server, and the communication server receives the login request from the client and performs login authentication on the client. When the login authentication is passed, the communication server sends the client's encrypted private key and at least a preset number of encrypted fragments that can be decrypted by the client to the client.
  • the communication server stores the encrypted private key and multiple encrypted shards from the client.
  • the multiple encrypted fragments include the first encrypted fragment obtained by the client encrypting the key fragment using a user-side key that is imperceptible to the communication server and the client using the Taking the second encrypted fragment obtained by encrypting less than a preset number of key fragments with the public key of the communication server as an example, the communication processing method executed by the communication server also includes steps S320 to S330.
  • step S320 the second encrypted fragment is decrypted using the private key of the communication server.
  • step S330 the private key of the communication server is used to encrypt the decrypted second encrypted fragment to obtain an updated second encrypted fragment.
  • the first encrypted fragment and the updated second encrypted fragment are used to restore the private key of the user or group of the client.
  • the total number of first encrypted fragments and updated second encrypted fragments is greater than or equal to the preset number.
  • the second encryption shard can be shared to reduce encryption The total number of shards to improve communication processing efficiency.
  • the communication server can also send the first encrypted fragment and the updated second encrypted fragment to the client when the user or group logs in to the client for the client to restore the user or group. 's private key.
  • the first encrypted fragment and the updated second encrypted fragment are sent. slice to other clients for multi-client login by users or groups.
  • the communication processing method executed by the communication server It also includes steps S340 to S350.
  • At least one supervision server corresponds to one supervisory party or to multiple different supervisory parties. Different supervision servers of the same supervision party have the same public key and private key of the supervision server.
  • a supervision service package for each supervision server is generated.
  • the supervision service package of each supervision server is configured to: use the private key of each supervision server to restore the secret key corresponding to the third encrypted fragment from the third encrypted fragment encrypted using the public key of each supervision server.
  • Key shards use the public key of the communication server to restore the key shards corresponding to the updated second encrypted shards from the updated second encrypted shards; when the number of restored key shards is greater than Or equal to the preset number, use the restored key fragments to restore the private key of the user or group from the encrypted private key of the user or group; use the restored user or group's private key
  • the private key is used to decrypt encrypted messages sent from the client or decrypt encrypted messages received by the client using the public key of the user or group; monitor whether the decrypted encrypted message meets the preset conditions.
  • the supervision service package may be an SDK (Software Development Kit) or a security supervision system with message decryption service.
  • the supervision service package of each supervision server is further configured to clear the restored private key of the user or group in the memory of each supervision server after completing the monitoring.
  • step S350 deploy the supervision service package to each supervision server.
  • the supervision service package of each supervision server can be deployed on the privatized server of each supervision server to further improve communication security.
  • the efficiency of supervision completed by multiple supervision servers is particularly improved. Further improve private key security by clearing the private key in memory after completing monitoring.
  • the communication server also synchronizes encrypted messages, encrypted private keys, and encrypted fragments that can be decrypted by the supervision server to the supervision server. In this way, regulatory efficiency can be improved.
  • the communication server receives the ciphertext inspection task submitted by the supervision server and verifies the legitimacy of the supervision server.
  • the communication server verifies that the supervision server meets the legality conditions, the communication server synchronizes the encrypted message (message ciphertext) and at least a preset number of encrypted fragments that the supervision server can decrypt (for example, RBK_2_S_C, RBK_3_A_X) and the encrypted private key to the supervision server.
  • a preset number of encrypted fragments that the supervision server can decrypt for example, RBK_2_S_C, RBK_3_A_X
  • FIG. 4 A schematic diagram of a communication processing method executed by a communication server according to some embodiments of the present disclosure will be described in detail below with reference to FIG. 4 .
  • Figure 4 is a schematic diagram illustrating a communication processing method according to some embodiments of the present disclosure.
  • the communication server generates a supervision service package for a certain supervision server.
  • the supervision service package is used to decrypt the updated RBK_2 ciphertext and RBK_3 ciphertext based on the private key of the supervision server and the public key of the communication server.
  • the secret is to get RBK_2 and RBK_3.
  • threshold recovery is performed to obtain the protection key RBK.
  • Decrypt the encrypted private key of the user or group according to the protection key RBK to obtain the private key of the user or group.
  • the supervision service package can also clear the user's private key from the memory of the corresponding supervision server.
  • Figure 4 is given as an exemplary description of an embodiment based on Figure 2 and is not intended to be limiting.
  • the communication server synchronizes the encrypted message, the encrypted private key of the user or group, the updated RBK_2 ciphertext and RBK_3 ciphertext in advance or in response to the needs of the supervision server. To the regulatory server.
  • FIG. 5 is a flowchart illustrating a communication processing method according to still some embodiments of the present disclosure.
  • the communication processing method executed by the supervision server includes steps S510 to S520.
  • step S510 if there is a need for encrypted message supervision, obtain the updated second encrypted fragment encrypted using the private key of the communication server and the third encrypted fragment encrypted using the public key of the supervision server. .
  • it can be obtained from the communication server, or the communication server can be pre-synchronized to the supervision server, and then obtained from the supervision server.
  • the public key and private key of the supervision server are generated by the supervision server. Different supervision servers of the same supervision party have the same public key and private key of the supervision server.
  • a certified network service provider can apply for a CA (Certification Authority) certificate, generate a public and private key pair of the supervision server, and provide the public key of the supervision server to the communication server so that the communication server Sent to client.
  • CA Content Authority
  • the supervision server when the supervision server has encrypted message supervision requirements, the supervision server submits a ciphertext inspection task to the communication server so that the communication server can verify the legitimacy of the supervision server.
  • the supervision server receives the encrypted message (message ciphertext) synchronized by the communication server and at least a preset number of encrypted fragments that the supervision server can decrypt (for example, , RBK_2_S_C, RBK_3_A_X) and the encrypted private key.
  • the encrypted message messages ciphertext
  • the supervision server receives the encrypted message (message ciphertext) synchronized by the communication server and at least a preset number of encrypted fragments that the supervision server can decrypt (for example, , RBK_2_S_C, RBK_3_A_X) and the encrypted private key.
  • a preset number of encrypted fragments for example, RBK_2_S_C, RBK_3_A_X
  • additional storage space needs to be provided for synchronization
  • step S520 according to the private key of the supervision server and the public key of the communication server, the supervision service package deployed on the supervision server is called to process the obtained updated second encrypted fragment and the third encrypted fragment to process the obtained updated second encrypted fragment and the third encrypted fragment. Regulation of encrypted messages.
  • the supervision service package is generated through the communication processing method executed by the communication server in the previous embodiment and deploy.
  • the supervision server can also send the public key of the supervision server to the client through the communication server, so that the client can encrypt the key fragments to obtain the third encrypted fragments.
  • the public key of the supervision server when there is no third encrypted fragment encrypted using the public key of the supervision server, the public key of the supervision server is sent to the client through the communication server, and the client is notified to re-encrypt the information.
  • the protection key executes the threshold encryption algorithm to obtain multiple key fragments, and re-encrypts the multiple key fragments to obtain multiple encrypted fragments including the third encrypted fragment encrypted using the public key of the supervision server. fragments and resend and store the retrieved multiple encrypted fragments to the communication server. In this case, it indicates that the supervision server is a new supervision server.
  • the present disclosure also provides a client.
  • the client is configured to perform the communication processing method performed by the client in any embodiments of the present disclosure.
  • the present disclosure also provides a communication server.
  • the communication server is configured to execute the communication processing method executed by the communication server in any embodiments of the present disclosure.
  • the present disclosure also provides a supervision server.
  • the supervision server is configured to execute the communication processing method performed by the supervision server in any embodiments of the present disclosure.
  • FIG. 6 is a block diagram illustrating a communications processing system in accordance with some embodiments of the present disclosure.
  • the communication processing system 6 includes a client 61 .
  • the client 61 is a client in any embodiment of the disclosure, and is configured to execute the communication processing method performed by the client in any embodiment of the disclosure.
  • the communication processing system 6 further includes a communication server 62 .
  • the communication server 62 is a communication server in any embodiment of the present disclosure, and is configured to execute the communication processing method performed by the communication server in any embodiment of the disclosure.
  • the communication processing system 6 further includes a supervision server 63 .
  • the supervision server 63 is a supervision server in any embodiment of the present disclosure, and is configured to execute the communication processing method performed by the supervision server in any embodiment of the present disclosure.
  • Figure 7 is a block diagram illustrating an electronic device according to some embodiments of the present disclosure.
  • the electronic device 7 includes a memory 71; and a processor 72 coupled to the memory 71.
  • the memory 71 is used to store instructions for executing corresponding embodiments of the communication processing method.
  • the processor 72 is configured to execute the communication processing method in any embodiment of the present disclosure based on instructions stored in the memory 71 .
  • Figure 8 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
  • Computer system 80 may be embodied in the form of a general purpose computing device.
  • Computer system 80 includes memory 810, a processor 820, and a bus 800 that connects various system components.
  • Memory 810 may include, for example, system memory, non-volatile storage media, or the like.
  • System memory stores, for example, operating systems, applications, boot loaders, and other programs.
  • System memory may include volatile storage media such as random access memory (RAM) and/or cache memory.
  • RAM random access memory
  • the non-volatile storage medium stores, for example, instructions for executing corresponding embodiments of at least one of the communication processing methods.
  • Non-volatile storage media include but are not limited to disk storage, optical storage, flash memory, etc.
  • the processor 820 may be implemented as a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete hardware components such as discrete gates or transistors.
  • each module such as the judgment module and the determination module, can be implemented by instructions executing corresponding steps in a central processing unit (CPU) running memory, or by dedicated circuits executing corresponding steps.
  • CPU central processing unit
  • Bus 800 may use any of a variety of bus structures.
  • bus structures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, and Peripheral Component Interconnect (PCI) bus.
  • ISA Industry Standard Architecture
  • MCA Micro Channel Architecture
  • PCI Peripheral Component Interconnect
  • the computer system 80 may also include an input/output interface 830, a network interface 840, a storage interface 850, and the like. These interfaces 830, 840, 850, the memory 810 and the processor 820 may be connected through a bus 800.
  • the input and output interface 830 can provide a connection interface for input and output devices such as a monitor, mouse, and keyboard.
  • Network interface 840 provides a connection interface for various networked devices.
  • the storage interface 850 provides a connection interface for external storage devices such as floppy disks, USB disks, and SD cards.
  • These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable device to produce a machine, such that execution of the instructions by the processor produces implementations in one or more blocks of the flowcharts and/or block diagrams.
  • a device with specified functions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable device to produce a machine, such that execution of the instructions by the processor produces implementations in one or more blocks of the flowcharts and/or block diagrams.
  • Computer-readable program instructions which may also be stored in computer-readable memory, cause the computer to operate in a specific manner to produce an article of manufacture, including implementing the functions specified in one or more blocks of the flowcharts and/or block diagrams. instructions.
  • the disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

La présente divulgation concerne un procédé et un système de traitement de communication, un client, un serveur de communication et un serveur de supervision. Le procédé de traitement de communication exécuté par le client consiste : à générer une clé publique et une clé privée utilisées par un utilisateur ou un groupe du client pour un échange de clé ; à chiffrer la clé privée à l'aide d'une clé de protection ; à exécuter un algorithme de chiffrement de seuil sur la clé de protection afin d'obtenir de multiples fragments de clé, la restauration de la clé de protection nécessitant au moins un nombre prédéfini de fragments de clé ; à chiffrer les multiples fragments de clé afin d'obtenir de multiples fragments chiffrés, les multiples fragments chiffrés comprenant un premier fragment chiffré obtenu au moyen d'un chiffrement utilisant une clé côté utilisateur qui ne peut pas être détectée par le serveur de communication ; et à envoyer et à stocker la clé privée chiffrée et les multiples fragments chiffrés au serveur de communication, les fragments chiffrés étant supérieurs ou égaux à une quantité prédéfinie ne pouvant pas être déchiffrés par le serveur de communication, et la clé privée chiffrée et au moins la quantité prédéfinie de fragments chiffrés étant utilisés par le client ou le serveur de supervision pour restaurer la clé privée dans une mémoire par déchiffrement de la clé de protection restaurée de manière correspondante. Ainsi, le chiffrement ou le déchiffrement du message est réalisé.
PCT/CN2023/102571 2022-07-28 2023-06-27 Procédé et système de traitement de communication, client, serveur de communication et serveur de supervision WO2024021958A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210897419.6A CN115001865B (zh) 2022-07-28 2022-07-28 通信处理方法及系统、客户端、通信服务端和监管服务端
CN202210897419.6 2022-07-28

Publications (1)

Publication Number Publication Date
WO2024021958A1 true WO2024021958A1 (fr) 2024-02-01

Family

ID=83022456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/102571 WO2024021958A1 (fr) 2022-07-28 2023-06-27 Procédé et système de traitement de communication, client, serveur de communication et serveur de supervision

Country Status (2)

Country Link
CN (1) CN115001865B (fr)
WO (1) WO2024021958A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001865B (zh) * 2022-07-28 2022-12-02 杭州安司源科技有限公司 通信处理方法及系统、客户端、通信服务端和监管服务端
CN116112458B (zh) * 2023-02-09 2024-08-23 网易(杭州)网络有限公司 通信方法、装置、设备及存储介质

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100211779A1 (en) * 2009-02-17 2010-08-19 Sundaram Ganapathy S Identity Based Authenticated Key Agreement Protocol
CN103634276A (zh) * 2012-08-23 2014-03-12 上海凌攀信息科技有限公司 一种针对即时通信消息的隐私保护方法
US20170171174A1 (en) * 2015-12-11 2017-06-15 Amazon Technologies, Inc. Key exchange through partially trusted third party
CN111193695A (zh) * 2019-07-26 2020-05-22 腾讯科技(深圳)有限公司 一种第三方账号登录的加密方法、装置及存储介质
CN111865956A (zh) * 2020-07-13 2020-10-30 杭州萤石软件有限公司 一种防服务劫持系统、方法、装置及存储介质
CN115001865A (zh) * 2022-07-28 2022-09-02 杭州安司源科技有限公司 通信处理方法及系统、客户端、通信服务端和监管服务端

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030204741A1 (en) * 2002-04-26 2003-10-30 Isadore Schoen Secure PKI proxy and method for instant messaging clients
CN104219051B (zh) * 2014-08-20 2018-04-13 北京奇艺世纪科技有限公司 一种群组内消息的通信方法和系统

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100211779A1 (en) * 2009-02-17 2010-08-19 Sundaram Ganapathy S Identity Based Authenticated Key Agreement Protocol
CN103634276A (zh) * 2012-08-23 2014-03-12 上海凌攀信息科技有限公司 一种针对即时通信消息的隐私保护方法
US20170171174A1 (en) * 2015-12-11 2017-06-15 Amazon Technologies, Inc. Key exchange through partially trusted third party
CN111193695A (zh) * 2019-07-26 2020-05-22 腾讯科技(深圳)有限公司 一种第三方账号登录的加密方法、装置及存储介质
CN111865956A (zh) * 2020-07-13 2020-10-30 杭州萤石软件有限公司 一种防服务劫持系统、方法、装置及存储介质
CN115001865A (zh) * 2022-07-28 2022-09-02 杭州安司源科技有限公司 通信处理方法及系统、客户端、通信服务端和监管服务端

Also Published As

Publication number Publication date
CN115001865A (zh) 2022-09-02
CN115001865B (zh) 2022-12-02

Similar Documents

Publication Publication Date Title
CN111371549B (zh) 一种报文数据传输方法、装置及系统
US11533297B2 (en) Secure communication channel with token renewal mechanism
US8447970B2 (en) Securing out-of-band messages
EP3324572B1 (fr) Procédé de transmission d'informations et dispositif mobile
WO2024021958A1 (fr) Procédé et système de traitement de communication, client, serveur de communication et serveur de supervision
CN109347835A (zh) 信息传输方法、客户端、服务器以及计算机可读存储介质
CN109981255B (zh) 密钥池的更新方法和系统
US9130744B1 (en) Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary
CN112400299B (zh) 一种数据交互方法及相关设备
EP3232632A1 (fr) Procédé et système d'acquisition de texte en clair de données secrètes de réseau
EP3247087A1 (fr) Migration de clés de cryptage initiée par l'utilisateur
US20190199722A1 (en) Systems and methods for networked computing
CN111914291A (zh) 消息处理方法、装置、设备及存储介质
CN115065472B (zh) 基于多密钥加密解密的安全芯片加密解密方法及装置
CN113779619B (zh) 一种基于国密算法的ceph分布式对象存储系统加解密方法
US10630466B1 (en) Apparatus and method for exchanging cryptographic information with reduced overhead and latency
CN113726725A (zh) 一种数据加解密方法、装置、电子设备及存储介质
CN115001681A (zh) 密钥恢复方法、装置、系统、存储介质及电子装置
CN115499250B (zh) 一种数据加密方法及装置
CN110519222B (zh) 基于一次性非对称密钥对和密钥卡的外网接入身份认证方法和系统
CN111131311A (zh) 基于区块链的数据传输方法及区块链节点
CN108737087B (zh) 邮箱账号密码的保护方法及计算机可读存储介质
WO2020042023A1 (fr) Procédé et appareil de chiffrement de données de messagerie instantanée
CN114499837A (zh) 一种报文防泄露方法、装置、系统和设备
WO2023116266A1 (fr) Procédé, système et dispositif de chiffrement de communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23845171

Country of ref document: EP

Kind code of ref document: A1