CN105119900A - Information secure transmission method, network access method and corresponding terminals - Google Patents

Information secure transmission method, network access method and corresponding terminals Download PDF

Info

Publication number
CN105119900A
CN105119900A CN201510424991.0A CN201510424991A CN105119900A CN 105119900 A CN105119900 A CN 105119900A CN 201510424991 A CN201510424991 A CN 201510424991A CN 105119900 A CN105119900 A CN 105119900A
Authority
CN
China
Prior art keywords
information
data message
ciphertext
transmitted
secondary key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510424991.0A
Other languages
Chinese (zh)
Other versions
CN105119900B (en
Inventor
刘敏
叶剑杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201510424991.0A priority Critical patent/CN105119900B/en
Publication of CN105119900A publication Critical patent/CN105119900A/en
Application granted granted Critical
Publication of CN105119900B publication Critical patent/CN105119900B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60Network streaming of media packets
    • H04L65/61Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L65/611Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for multicast or broadcast

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention mainly aims to provide a mobile terminal and an information secure transmission method adopted by the mobile terminal. The information secure transmission method comprises the steps of acquiring information to be transmitted; constructing a data message, wherein the data message is enabled to contain a secondary ciphertext and a secondary key, the secondary ciphertext is formed in a mode that the information to be transmitted is encrypted by a primary key so as to form primary ciphertext and that the primary ciphertext is encrypted by the secondary key containing a random factor so as to form the secondary ciphertext; and sending the data message. Correspondingly, the invention further provides an intelligent terminal and a network access method thereof. According to the invention, an effect of communication security of a fast connection technology realized on the basis of an IEEE 802.11 protocol is further strengthened through improving content representation loaded by the message by the aid of password technologies.

Description

Information secure transmission method, networking cut-in method and corresponding terminal
Technical field
The present invention relates to information security technology, the information secure transmission method being specifically related to a kind of mobile terminal and adopting, relate to simultaneously a kind of intelligent terminal and cut-in method of networking.
Background technology
The control technology of intelligent terminal access objective network, based on IEEE802.11 agreement institute specification technique, by Devoting Major Efforts To Developing, its application is more and more general.The earliest based on based on AD-Hoc, WiFiDirect technology, make to set up direct-connected relation between control end (transmitting terminal) and receiving terminal, then starting to transmit the configuration information for accessing objective network, specifically comprising service set and the login password of objective network.Traditional direct-connected mode owing to needing to perform complicated shaking hands and handoff procedure between control end and receiving terminal and router, because of but poor efficiency.
One of technology of the quick connection improved, utilize the edited characteristic in the destination address territory of multicast packet frame or its frame body territory to carry out load information, and the reception of multicast packet frame, do not rely between receiving terminal and control end and whether set up direct-connected relation, like this, exempt the handshake procedure that equipment room connects, exempt and frequently switch annexation, therefore, the range of application of quick interconnection technique is more and more extensive.
Due to the Limited information that the Frame of data link layer can load, therefore usually only require lower data for transmission capacity, such as described configuration information.Really, also can open up and apply more widely, such as, only for sending the notice that needs to be shown to user interface end to end, or only for sending one for driving the signal instruction etc. of certain component working of receiving terminal.
On the one hand, no matter want the information transmitted to be which kind of type, all need the problem considering information security.In current above-mentioned various technology, its communication security principle, hold mathematically identical or relevant key respectively by receiving terminal and transmitting terminal, transmitting terminal is with after its secret key encryption held information to be transmitted, form data-message transmission to receiving terminal, receiving terminal uses the secret key decryption matched.This protocol mode is comparatively easy, but is also more easily cracked.Trace it to its cause, no matter be adopt the encrypted private key realized based on symmetric cryptosystem to treat, or adopt the public key encryption information to be transmitted realized based on asymmetric encryption techniques, the key encrypting information to be transmitted always immobilizes, therefore, the packet that disabled user is produced when repeatedly can be transmitted by intercepting and capturing carries out Brute Force, or the packet of simulation transmitting terminal, the attack of similar DDOS is initiated to receiving terminal, paralysis receiving terminal, even causes other nearby device comprising WiFi router to be also subject to same impact because needing identification data frame.
On the other hand, in current message transmitting procedure, receive and need to observe fixing open or custom protocol with transmission both sides, transmitting terminal cannot surmount given protocol and freely define the form of information to be transmitted, receiving terminal in like manner also corresponding cannot resolve the data message that receives flexibly to obtain raw information accurately, and the defect of existing information transmission technology underaction intelligence is seen some from this.Exactly because the also existence of the defect of this underaction, causing cracker by analyzing data message form simply, and raw information accurately can be obtained with lower time cost from the data message intercepted and captured, realizing the object of its illegal steal information.
In view of this, be necessary to improve existing data communication technology, with guarantee Internet of Things safer interconnect.
Summary of the invention
The first object of the present invention is intended at least part of problem solving at least one aspect above-mentioned, and the information secure transmission method providing a kind of mobile terminal and adopt, to realize information security control in source.
The second object of the present invention is at least part of problem solving at least one aspect above-mentioned, the networking cut-in method a kind of intelligent terminal being provided and adopting, make intelligent terminal receive configuration information to echo last object saferly, utilize this configuration information to access objective network.
In order to realize the first object of the present invention, the present invention takes following technical scheme:
A kind of information secure transmission method provided by the invention, comprises the steps:
Obtain information to be transmitted;
Construction data message, makes this data message comprise secondary ciphertext and secondary key, and described secondary ciphertext, by information to be transmitted described in one-time pad, forms a ciphertext, the more described secondary key encryption through comprising random factor is formed;
Send described data message.
Further, obtain in the step of information to be transmitted, receive described information to be transmitted by user interface and submit instruction to, performing subsequent step in response to this submission instruction.
Preferably, described information to be transmitted is the configuration information for accessing objective network.
Concrete, described configuration information comprises for determining the service set of described objective network and logging in the password of this objective network.
Further, the step of construction data message comprises following concrete steps:
Utilize described one-time pad information acquisition to be transmitted ciphertext;
Utilize the secondary key comprising random factor that a ciphertext is encrypted as secondary ciphertext;
Assemble described secondary key and described secondary ciphertext forms described data message.
Preferably, described information to be transmitted is formatted as the text comprising specific identifier before once being encrypted.
Disclosing according to one embodiment of present invention, described secondary key comprises described specific identifier and is reduced to described information to be transmitted for by described text.
Disclosing according to another embodiment of the present invention, described secondary key is random number.
Disclosing according to one of embodiments of the invention, a described secondary key is the PKI of the specification based on asymmetric encryption techniques, is suitable for utilizing corresponding private key to decipher this ciphertext to obtain described information to be transmitted.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of the specification based on symmetric cryptosystem, be suitable for decipher described in a ciphertext to obtain described information to be transmitted.
Disclosing according to one of embodiments of the invention, described secondary key is the private key of the specification based on symmetric cryptosystem, be suitable for decipher described in secondary ciphertext to obtain a described ciphertext.
Further, described data message also comprises the check code for characterizing whole data message length.
Preferably, send in the step of described data message, be formatted as multiple multicast packet frame characterized according to the order of sequence in data link layer and load this data message to send.
Further, in the described data message destination address territory that is loaded into described multicast packet frame and/or frame body territory.
Concrete, described multicast packet frame meets the specification of IEEE802.11 agreement.
A kind of mobile terminal provided by the invention, it comprises:
Acquiring unit, for obtaining information to be transmitted;
Structural unit, for construction data message, makes this data message comprise secondary ciphertext and secondary key, and described secondary ciphertext, by information to be transmitted described in one-time pad, forms a ciphertext, the more described secondary key encryption through comprising random factor is formed;
Transmission unit, for sending described data message.
Further, described acquiring unit is configured to receive described information to be transmitted by user interface and submit instruction to, starts structural unit in response to this submission instruction.
Preferably, described information to be transmitted is the configuration information for accessing objective network.
Concrete, described configuration information comprises for determining the service set of described objective network and logging in the password of this objective network.
Further, described structural unit comprises following concrete module:
An encrypting module, is configured to utilize described one-time pad information acquisition to be transmitted ciphertext;
Superencipher module, is configured to utilize the secondary key comprising random factor that a ciphertext is encrypted as secondary ciphertext;
Structure Knockdown block, for assembling described secondary key and described secondary ciphertext forms described data message.
Preferably, described information to be transmitted is formatted as the text comprising specific identifier before once being encrypted.
Disclosing according to one embodiment of present invention, described secondary key comprises described specific identifier and is reduced to described information to be transmitted for by described text.
Disclosing according to another embodiment of the present invention, described secondary key is random number.
Disclosing according to one of embodiments of the invention, a described secondary key is the PKI of the specification based on asymmetric encryption techniques, is suitable for utilizing corresponding private key to decipher this ciphertext to obtain described information to be transmitted.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of the specification based on symmetric cryptosystem, be suitable for decipher described in a ciphertext to obtain described information to be transmitted.
Disclosing according to one of embodiments of the invention, described secondary key is the private key of the specification based on symmetric cryptosystem, be suitable for decipher described in secondary ciphertext to obtain a described ciphertext.
Further, described data message also comprises the check code for characterizing whole data message length.
Preferably, described transmission unit, is configured to be formatted as multiple multicast packet frame characterized according to the order of sequence in data link layer and loads this data message to send.
Further, in the described data message destination address territory that is loaded into described multicast packet frame and/or frame body territory.
Concrete, described multicast packet frame meets the specification of IEEE802.11 agreement.
For realizing the second object of the present invention, the present invention adopts following technical scheme:
One networking cut-in method provided by the invention, comprises the steps:
Receive data message;
Utilize the contained secondary ciphertext of secondary key deciphering contained by this data message to obtain a ciphertext;
Described in the secret key decryption that utilization prestores, a ciphertext is to obtain configuration information wherein;
Arrange with this configuration information configuration own net, access described objective network.
Preferably, receive in the step of data message, after obtaining data message, utilize check code contained by data message to check the length of whole data message, only receive the data message of verification succeeds.
Further, the step receiving data message comprises following concrete steps:
Receive the multicast packet frame with same source;
The indexed sequential that the sequence code provided according to each multicast packet frame characterizes assembles the content code that each multicast packet frame carries;
Content code after assembling according to the order of sequence is converted to described data message.
Concrete, described multicast packet frame meets the specification of IEEE802.11 agreement.
Further, in described sequence code and the content code destination address territory that is expressed in corresponding multicast packet frame and/or frame body territory.
Disclosing according to one of embodiments of the invention, described secondary key is obtained by this encrypted private key for the private key of symmetric cryptosystem institute specification, described secondary ciphertext.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of asymmetric encryption techniques institute specification, and a described ciphertext is obtained by the public key encryption of correspondence.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of symmetric cryptosystem institute specification, and a described ciphertext is obtained by this encrypted private key.
Further, described in the secret key decryption that utilization prestores, a ciphertext is to obtain in the step of configuration information wherein, deciphered the text that rear acquisition comprises specific format, the text is resolved to described configuration information by the specific identifier utilizing described secondary key to comprise.
Concrete, described configuration information comprises for determining the service set of described objective network and logging in the password of this objective network.
A kind of intelligent terminal provided by the invention, it comprises:
Receiving element, for receiving data message;
Second decryption unit, it utilizes the contained secondary ciphertext of secondary key deciphering contained by this data message to obtain a ciphertext;
First decryption unit, described in the secret key decryption that its utilization prestores, a ciphertext is to obtain configuration information wherein;
Access unit, for arranging with this configuration information configuration own net, accesses described objective network.
Preferably, described receiving element, after being configured to obtain data message, utilizing check code contained by data message to check the length of whole data message, only receives the data message of verification succeeds.
Further, described receiving element comprises:
Frame receiver module, for receiving the multicast packet frame with same source;
Frame Knockdown block, the indexed sequential that the sequence code for providing according to each multicast packet frame characterizes assembles the content code that each multicast packet frame carries;
Modular converter, for by according to the order of sequence assembling after content code be converted to described data message.
Concrete, described multicast packet frame meets the specification of IEEE802.11 agreement.
Further, in described sequence code and the content code destination address territory that is expressed in corresponding multicast packet frame and/or frame body territory.
Disclosing according to one of embodiments of the invention, described secondary key is obtained by this encrypted private key for the private key of symmetric cryptosystem institute specification, described secondary ciphertext.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of asymmetric encryption techniques institute specification, and a described ciphertext is obtained by the public key encryption of correspondence.
Disclosing according to one of embodiments of the invention, a described secondary key is the private key of symmetric cryptosystem institute specification, and a described ciphertext is obtained by this encrypted private key.
Further, in described first decryption unit, be configured to have deciphered the text that rear acquisition comprises specific format, utilize the specific identifier comprised in described secondary key that the text is resolved to described configuration information.
Concrete, described configuration information comprises for determining the service set of described objective network and logging in the password of this objective network.
Compared with prior art, the solution of the present invention has the following advantages:
1, the present invention is by encapsulating the information to be transmitted such as the configuration information accessing objective network and so on, construct the data message with particular encryption form, treat on basis that transmission information once encrypts existing, impose superencipher, and key plain used for superencipher is covered in this data message, no matter this data message is broadcasted or the mode of multicast is carried out in the process transmitted, even if intercepted and captured, also more difficultly because there being two re-encryptions to be cracked.Even if by Brute Force; because described secondary key includes random factor; during each transmission information, secondary key is all usually different because of the existence of random factor; therefore interceptor cannot obtain according to the different pieces of information bag repeatedly intercepted and captured the rule that is determined described secondary key; thus transmitting terminal cannot be forged send datagram, the transmitting terminal being convenient to mobile terminal and so on thus can more safely to receiving terminal transmission information.Accordingly, at receiving terminal, because the above-mentioned mechanism of transmitting terminal makes data message present to utilize the regularity of the information content contained by it contained by secondary key deciphering, the information of such as configuration information and so on that data message loads can be extracted according to this rule, the legal form of effective differentiation data message, thus guarantee the fail safe of obtained information, reach the effect of secured reception information.
2, the present invention comprises specific identifier for resolving the formatted text being transmitted information not encrypted at secondary key, make secondary key possess encryption, the function of deciphering and the specific identifier contained for resolving the information of being transmitted simultaneously, form parsing scheme, further increase the complexity cracking this data message, after making transmitting terminal send data message, the fail safe of transmitting procedure is able to further raising.For receiving terminal, the formatted text of parsing scheme to the not encrypted being transmitted information that then can call wherein according to this improvement rule is resolved, specific identifier is wherein utilized to identify the content of received information, the final raw information that still can obtain the defeated expression of transmitting terminal tendency to develop, and its fail safe is obviously able to further raising.
3, in like manner, based on the existence of resolving scheme described in data message, make transmitting terminal can formulate the concrete form of the formatted text of information to be transmitted neatly, the to be transmitted information of the specific identifier that receiving terminal then can comprise according to the secondary key of data message to format effectively identifies, therefore, make transmitting terminal and receiving terminal be provided with the function of negotiation detail agreement, improve the intelligence degree of information representation and parsing.
4, the present invention is based on the characteristic of multicast packet frame, in the destination address territory that described data message is loaded into multiple multicast packet frame inside of stating according to the order of sequence by data link layer and/or frame body territory, due to multicast packet frame propagation and receive all without the need to depending on the direct-connected relation between receiving terminal and transmitting terminal, thus, annexation can be avoided to switch, the sport technique segment such as to shake hands, be convenient to propagate the information be transmitted more quickly, also be convenient to receiving terminal and utilize described information more quickly, it is special in described information is the configuration information for accessing objective network, the intelligent terminal realize target network insertion more quickly of this configuration information of reception can be made.On the other hand, owing to improve the speed of receives information, also more to reduce in transmitting procedure data message by the probability intercepted and captured, thus embody the security feature no matter the present invention is its reception programme or delivery plan further.
The aspect that the present invention adds and advantage will part provide in the following description, and these will become obvious from the following description, or be recognized by practice of the present invention.
Accompanying drawing explanation
The present invention above-mentioned and/or additional aspect and advantage will become obvious and easy understand from the following description of the accompanying drawings of embodiments, wherein:
Fig. 1 is the structural representation of multicast address of the present invention;
Fig. 2 is mapping relations schematic diagram between multicast address of the present invention and IP address;
Fig. 3 is the principle schematic of information secure transmission method of the present invention;
The principle schematic of the idiographic flow that the step S12 that Fig. 4 is information secure transmission method of the present invention realizes;
The structural representation of the data message that Fig. 5 constructs for the present invention;
Fig. 6 is the principle schematic of networking cut-in method of the present invention;
The principle schematic of the idiographic flow that the step S21 that Fig. 7 is networking cut-in method of the present invention realizes;
Fig. 8 is the structural representation of mobile terminal of the present invention;
Fig. 9 is the internal structure schematic diagram of the structural unit of mobile terminal of the present invention;
Figure 10 is the structural representation of intelligent terminal of the present invention;
Figure 11 is the internal structure schematic diagram of the receiving element of intelligent terminal of the present invention.
Embodiment
Be described below in detail embodiments of the invention, the example of described embodiment is shown in the drawings, and wherein same or similar label represents same or similar element or has element that is identical or similar functions from start to finish.Being exemplary below by the embodiment be described with reference to the drawings, only for explaining the present invention, and can not limitation of the present invention being interpreted as.
Those skilled in the art of the present technique are appreciated that unless expressly stated, and singulative used herein " ", " one ", " described " and " being somebody's turn to do " also can comprise plural form.Should be further understood that, the wording used in specification of the present invention " comprises " and refers to there is described feature, integer, step, operation, element and/or assembly, but does not get rid of and exist or add other features one or more, integer, step, operation, element, assembly and/or their group.Should be appreciated that, when we claim element to be " connected " or " coupling " to another element time, it can be directly connected or coupled to other elements, or also can there is intermediary element.In addition, " connection " used herein or " coupling " can comprise wireless connections or wirelessly to couple.Wording "and/or" used herein comprises one or more whole or arbitrary unit listing item be associated and all combinations.
Those skilled in the art of the present technique are appreciated that unless otherwise defined, and all terms used herein (comprising technical term and scientific terminology), have the meaning identical with the general understanding of the those of ordinary skill in field belonging to the present invention.It should also be understood that, those terms defined in such as general dictionary, should be understood to that there is the meaning consistent with the meaning in the context of prior art, unless and by specific definitions as here, otherwise can not explain by idealized or too formal implication.
Those skilled in the art of the present technique are appreciated that, here used " terminal ", " terminal equipment ", " intelligent terminal ", " mobile terminal " had both comprised the equipment of wireless signal receiver, it only possesses the equipment of the wireless signal receiver without emissivities, comprise again the equipment receiving and launch hardware, it has and on bidirectional communication link, can perform the reception of two-way communication and launch the equipment of hardware.This equipment can comprise: honeycomb or other communication equipments, its honeycomb or other communication equipment of having single line display or multi-line display or not having multi-line display; PCS (PersonalCommunicationsService, PCS Personal Communications System), it can combine voice, data processing, fax and/or its communication ability; PDA (PersonalDigitalAssistant, personal digital assistant), it can comprise radio frequency receiver, beep-pager, the Internet/intranet access, web browser, notepad, calendar and/or GPS (GlobalPositioningSystem, global positioning system) receiver; Conventional laptop and/or palmtop computer or other equipment, it has and/or comprises the conventional laptop of radio frequency receiver and/or palmtop computer or other equipment.Here used various " terminals " can be portable, can transport, be arranged in the vehicles (aviation, sea-freight and/or land), or be suitable for and/or be configured at local runtime, and/or with distribution form, any other position operating in the earth and/or space is run.Here used various " terminals " can also be communication terminal, access terminals, music/video playback terminal, can be such as PDA, MID (MobileInternetDevice, mobile internet device) and/or there is the mobile phone of music/video playing function, also can be the equipment such as intelligent television, Set Top Box, intelligent video camera head, intelligent remote controller, smart jack.
The present invention is the information security technology solution proposed in order to the development in response to Internet of Things, makes information further reinforcing security from the whole transmitting procedure being sent to reception.The application scenarios major embodiment that the present invention adapts to is with the communication between the intelligent terminal of WiFi technology realization and mobile terminal, must not associate with operating system.Based on this, the present invention has been not only that the terminal of the similar mobile phone of center-control effect and so on provides substantial encoding mechanism on the one hand, so that for other intelligent terminals access objective network provides automation to access guide, on the other hand, also for providing decoding mechanism independent of other intelligent terminals outside the described mobile terminal playing center-control effect, thus the controlled access objective network of this type of intelligent terminal can be realized.
Also the core scheme that the present invention embodies security performance can be used in the scene broadcasted although both can be used for multicast, but for the consideration of concise description, being still only chosen at data link layer realizes data-message transmission situation with multicasting technology for exemplary embodiments is illustrated.Specifically, the present invention, about in the exemplary embodiments of data message transmission, realizes carrier with multicast packet frame for technology, realizes the transmission to data message.Be necessary that involved by Code And Decode two aspect by relevant data link layer of the present invention, rudimentary knowledge is disclosed thus, make those skilled in the art can exempt to realize it through creative thinking according to this specification.
Because the present invention is described for multicasting technology, relate to the utilization to multicast packet frame, and multicast packet frame of the present invention accepts the specification of 802.11 agreements, therefore, the rudimentary knowledge understanding the physical frame (mac frame) of 802.11 agreement institute specifications is in advance necessary.
Table 1:802.11 protocol suite mac frame structure (first trip unit is Bytes byte):
Corresponding explanation is done in each territory related to for table 1 below:
FrameControl, frame control domain;
Duration/ID, duration/mark, show this frame and its acknowledgement frame will busy channel how long; For frame control domain subtype be: the frame of PowerSave-Poll, this domain representation connection identity (AID, AssociationIndentification) of STA
AddressFields (1-4): be address field, comprises 4 addresses (source address, destination address, sender address and recipient address), depends on ToDS and the FromDS position in frame control field.
SeqCtrl, namely SequenceControl-is sequence control domain, for filtering repeating frame.
FrameBody: frame body territory, or claim data field, for representing the information sending or receive.
CheckSum: verification territory, comprises the cyclic redundancy check (CRC) (CRC) of 32.
Table 2: frame controls (FrameControl) structure (first trip unit is bit (position)):
2 2 4 1 1 1 1 1 1 1 1
Version Type Subtype To DS From DS MF Retry Pwr More W O
Each field related to for table 2 below does corresponding explanation:
ProtocolVersion-represents the version of IEEE802.11 standard.
Type-represents frame type: comprise the classes such as management, control and data.
Subtype-represents the subtype of frame, as: authentication frame (AuthenticationFrame), remove authentication frame (DeauthenticationFrame), association request frame (AssociationRequestFrame), connection response frame (AssociationResponseFrame), reconnect claim frame (ReassociationRequestFrame), reconnect response frame (ReassociationResponseFrame) and remove connection frame (DisassociationFrame), beacon frame (BeaconFrame), Probe frame (ProbeFrame), Probe claim frame (ProbeRequestFrame) or Probe response frame (ProbeResponseFrame).
ToDS-is when frame sends to DistributionSystem (DS), and this value is set to 1.
FromDS-is when frame receives from DistributionSystem (DS), and this value is set to 1.
MF-MoreFragment represents that this value is set to 1 when there being more segmentations to belong to same number of frames.
Retry-represents that this segmentation is the retransmit frames of precedent transmission segmentation.
Pwr-PowerManagement, after representing transmission frame, adopted powder source management mode of standing.
More-MoreData, in indicating that a lot of frame buffer is arrived at a station.
W-WEP, represents and to be encrypted frame main body according to WEP (WiredEquivalentPrivacy) algorithm.
O-Order1 represents that recipient should in strict accordance with this frame of sequential processes.
According to the explanation of table 2, the position, destination address territory of multicast packet frame can be determined by FromDS and ToDS field.Consult table 3:
Table 3: address field usage in a data frame:
Function To DS From DS Address1 (receiving terminal) Address2 (transmitting terminal) Address3 Address4
IBSS 0 0 DA SA BSSID Do not use
To AP (foundation structure type) 1 0 BSSID SA DA Do not use
From AP (foundation structure type) 0 1 DA BSSID SA Do not use
WDS (wireless distribution system) 1 1 RA TA DA SA
Those skilled in the art should know, and IP address space is divided into A, B, C tri-class.4th class and D class address are retained and are used as multicast address.In the IP agreement (IPv4) of the 4th edition, all IP addresses between from 224.0.0.0 to 239.255.255.255 all belong to D class address.
The most important thing is the 24th to 27 interdigits these four in multicast address, corresponding to the decimal system is 224 to 239, and other 28 reservations are used as the group mark of multicast, as shown in Figure 1.
The multicast address of IPv4 will convert network physical address in network layer.To the network address of a clean culture, the physical address corresponding with IP address can be obtained by ARP agreement.But ARP agreement cannot complete similar functions under multicast mode, must handy other method obtain physical address.The method of this transfer process has been proposed in the RFC document listed below:
RFC1112:MulticastIPv4toEthernetphysicaladdresscorrespondence
RFC1390:CorrespondencetoFDDI
RFC1469:CorrespondencetoToken-Ringnetworks
Within the scope of maximum ethernet address, transfer process is such: be fixed as 01:00:5E most by first 24 of ethernet address, and these several is important flag bit.Back to back one is fixed as 0, fills for other 23 with low 23 in IPv4 multicast address.This transfer process as shown in Figure 2.Such as, multicast address is its Ethernet hardware address of 224.0.0.5 is 01:00:5E:00:00:05.Can find out, low 23 (also can less) in destination address territory here just can as editing bit area, for load information.
In addition, frame body territory, i.e. FrameBody, the variable-length of this part content, its content specifically stored is determined by frame type (type) and subtype (subtype).
Can find out, the destination address territory in multicast packet frame and frame body territory are two editable field, and transmitting terminal can arrange edited bit area i.e. its low 23 contents in destination address territory, and the length in control frame body territory.No matter be use separately the edited bit area in destination address territory or the length in frame body territory, or the combination both using, all can be used for the information loading needs transmission.
When intelligent terminal does not connect WiFi access point, WiFi chip is the radiofrequency signal that can detect in space and identifies mac frame, but now equipment is not because the certification through access point has key, so cannot data in frame body territory in parse for frame structure further, but because the frame length in frame body territory is known, thus the frame length of whole multicast packet frame is also known, therefore, this characteristic does not affect the utilization of the frame length to multicast packet frame.So, the present invention by utilizing these fields, even if make also to receive when intelligent terminal is not networked the information that mobile terminal sends with multicast mode.In fact, also known according to 802.11 agreements, for a multicast packet frame, the length of its whole frame uniquely associates and is decided by the length in frame body territory wherein.
Knowledge according to above-mentioned announcement can be found out, for multicast packet frame, the destination address territory in its frame structure and/or the change of its frame body length of field all can be used for load configuration information.
A kind of information secure transmission method provided by the invention, normally as active initiator, or the visual angle as center-control side is described, this method can be embodied as computer program by programming to be arranged in similar mobile phone, panel computer or other mobile terminals and to run, such as, Android, IOS, WindowsPhone system of operation mobile phone or with panel computer in the APP (application program) utilizing this transmission method to realize is installed, perform this transmission method by this application program.
Refer to Fig. 3, an exemplary embodiments of information secure transmission method of the present invention, the method specifically comprises the steps:
Step S11, obtain information to be transmitted.
Consider that the present invention mainly utilizes multicast or broadcast technology to realize transfer of data, thus described information to be transmitted, especially tailored index is according to measuring the little information content, such as accessing the configuration information of objective network, usually only include service set and the password of objective network, amount of information is just less; And for example only comprise a directive statement performed for receiving end; For another example the announcement information that is pushed to receiving terminal is only comprised.Like this, play advantage of the present invention with all maximizing degree.As for the quantizating index of amount of information size, the data capacity can expressed due to each Frame is limited, can be determined by those skilled in the art according to actual conditions.
It is to be noted, in each embodiment of the present invention, for the easy consideration illustrated, often censure this information to be transmitted with the configuration information that this transmission information example is namely described, but should not be understood as to " information to be transmitted " this concept and converted saying and still refer to same object such as " be transmitted information ", the restriction of the concept such as " received information ".In like manner, follow-up relate to treat that transmission information is formatted, the operation such as encryption and the different-format content that causes, although its expression-form changes, its object pointed to is still " information to be transmitted " information pointed by this concept.
For the APP realized based on the present invention, when this APP is run, just by system drive, the hardware device on mobile phone is utilized.Well-known, mobile phone not only has WiFi module, display, control chip, also has the parts such as microphone, loud speaker, these parts all realize calling by this APP.
For android system, first mobile phone terminal is called by its acquiring unit and shows a movable component (Activity), or show the page utilizing HTML5 to realize, the WiFi access-in point information (enumerating with service set SSID) screen showing this user interface and scans, request user selected target network, and require that user inputs corresponding password, thus obtain SSID and the password of objective network.
According to the agreement of WiFi agreement, those skilled in the art can know, configuration information generally include that WiFi wireless router (representing objective network) provides for determine the service set (SSID) of this objective network with for logging in the login password of this objective network, may also need the cipher mode comprising login password in some cases, and also can provide login password for open network.Although WiFi agreement exists the fact of version upgrading, these are related to the configuration information realizing access network and indispensability and can be determined according to document of agreement correspondence by those skilled in the art, therefore, are not repeated for this reason its details and equivalent variations scheme thereof.
Flexible as details, after user have selected SSID, password corresponding to this SSID can be inquired about to cloud server, if password exists, then directly download password by high in the clouds, can save and require that user inputs the process of objective network password.
Step S12, construction data message, make this data message comprise secondary ciphertext and secondary key, and described secondary ciphertext, by information to be transmitted described in one-time pad, forms a ciphertext, the more described secondary key encryption through comprising random factor is formed.
After the information to be transmitted of the configuration information described in acquisition and so on, just need for its construction data message.The process of construction data message, serve the effect of linking up application layer and data link layer, specifically, the information to be transmitted of described configuration information and so on is obtained from application layer, and follow-uply will send this data message in data link layer, so the process of construction data message, is equivalent in fact a protocol layer defined by the present invention.Thus, the realization of this step is very flexibly, is illustrated below with some examples:
Consult a kind of instantiation procedure constructing described data message shown in Fig. 4, comprise the steps:
Step S121, utilize described one-time pad information acquisition to be transmitted ciphertext.
A described secondary key, refers to the key for once encrypting the information that is transmitted widely adopted at present, general employing public key encryption mode, i.e. asymmetric encryption mode.In public key encryption mode, the PKI that the urtext of information to be transmitted is held with it is encrypted as transmitting terminal by mobile terminal, and when being transferred to opposite end, the intelligent terminal as receiving terminal calls the private key prestored, treat transmission information to be decrypted, thus obtain its prototype version.Described PKI and private key, be algorithmically correlated with, and thus may be used for the data of mutually deciphering the other side's encryption.In the present embodiment, this step in like manner continues to use conventional art, and the configuration information of a double secret key unprocessed form described in utilization is encrypted, thus obtains a ciphertext.Asymmetric encryption techniques embodies higher fail safe, is often used in the higher scene of security requirement.
In flexible execution mode, a described secondary key can utilize encrypted private key, and namely symmetric cryptosystem realizes.In this technology, mobile terminal and intelligent terminal have an identical described secondary key respectively, and mobile terminal utilizes one-time pad information to be transmitted, obtain a ciphertext, be transferred to intelligent terminal, intelligent terminal just can utilize the secondary key prestored by decrypts information to be transmitted.Symmetric cryptography has the higher feature of the simple efficiency of algorithm, thus can preferentially be selected in the scene that some security requirement is not too high.
A ciphertext is encrypted as secondary ciphertext by the secondary key that step S122, utilization comprise random factor.
In the present embodiment, after one time ciphertext is formed, or some does not rely on the information described to be transmitted in the embodiment of once encrypting, and is utilized secondary key in this step and carries out superencipher formation secondary ciphertext.It is pointed out that described secondary key is particularly useful for adopting the private key of symmetric cryptosystem institute specification, thus, when after intelligent terminal for reception to corresponding message, with lower calculating consumption, secondary ciphertext can be decrypted.
Described secondary key, includes random factor, and described random factor is at least included in secondary key and adopts random number and utilize random mode to select a secondary key two kinds of situations.By the effect of this random factor, make secondary key all have uncertainty before being used to superencipher at every turn, when being namely about to carry out superencipher to a ciphertext, just determined.Thus, when secondary key carries out superencipher to each information to be transmitted, all can farthest embody its uniqueness.
The specific implementation of described secondary key can be presented as following several elective mode:
One, adopt random number as described secondary key.
In this mode, directly call random function, produce a particular number of bits as the random number of 16, this random number is defined as described secondary key.This mode the most easily realizes, and more efficiently, is convenient to intelligent terminal fast decryption.
Two, from the multiple keys prestored, described secondary key is determined randomly.
This mode in like manner by calling random function, can determine a secondary key prestored, and makes its endomorph reveal uncertainty.The secondary key determined therefrom, also has the feature of randomness, in like manner can play and manufacture to interceptor the effect decoding obstacle.
Three, for resolve not by the ordered set of the formatting identifying of the information described to be transmitted before once encrypting as described secondary key.
Information to be transmitted, generally includes multiple information word, foregoing configuration information, in an application scenarios, can be the information comprising service set (SSID) for providing WiFi access point and password (PSW) thereof.In each information word, generally characterized its information type and the corresponding information content with some form.When it needs transmission, be usually expressed as a character string with the form these information words be connected in series, complete the format treating transmission information, obtain the configuration information of format.
Specifically, for configuration information, service set and the equal configuration information unit of password, separated with element first formatting identifying " | " between information word, separated between the information type of information word and the information content with the second formatting identifying ": ".Such as service set represents its information type with SSID, password PSW represents its information type, and the information content of SSID is MYWiFi, and the information content of password is PLZLOGIN, before once not encrypted, to the textual form that it carries out the configuration information formaing the format formed be:
SSID:MYWiFi|PSW:PLZLOGIN
Note, in the configuration information of the format of above-mentioned expression, organize in a certain order, wherein SSID is front, PSW is rear, these two information type identifier can be used for the use identifying the corresponding information content, described formatting identifying ": |: " then embody its speciality, if arrange between transmitting terminal and receiving terminal to obtain the first formatting identifying from the first byte of secondary key, the second formatting identifying is obtained from the second byte, then which kind of symbol no matter transmitting terminal adopt for expressing described formatting identifying, for receiving terminal, all by obtaining the formatting identifying with appointment function from the first byte of secondary key and the second byte, and separate each information word with the symbol of wherein the first byte, and by the symbol isolation information type of the second byte and the information content thereof, thus correct parsing formats configuration information, restore the information content of each information word.Therefore, this example has embodied data message undoubtedly and has had the function carrying parsing scheme, makes described secondary key not only be suitable for deciphering secondary ciphertext, and be suitable for resolving not encrypted before the configuration information of format, add the complexity of data message, make interceptor more be difficult to crack.
Obviously, as specific identifier, described formatting identifying is suitable for the order occurred in the configuration information of format according to it, and by like manner arranged in sequence is in described secondary key, described formatting identifying can be determined at random.When needing, the number of the formatting identifying used is more, and arrange more diversified, its analytical capabilities that can express is more powerful, and the complexity of key also will improve further, thus makes secondary ciphertext more be difficult to decode.In this case, secondary key is in fact a specific identifier collection be made up of multiple formatting identifying, specific identifier string in this specific identifier collection, may be used for the configuration information of resolving format, and integrally, also can be used for deciphering the secondary ciphertext of this configuration information thus obtain a ciphertext.
In a further improvement, described configuration information is expressed to increase its readable difficulty: 0MYWiFiPLZLOGIN8 in the following manner.Can find out, in this expression way, different information word is not separated by with any symbol, but but still can be resolved by formatting identifying.
Specifically, be that the spaced-apart locations of information word is characterized into formatting identifying, make this formatting identifying be used to indicate the positional information of different information word in format configuration information.Such as, initial character " 0 " and last character " 8 " are actually nonessential interference factor, the interpolation of interference factor, even if make code breaker obtain the configuration information of described format, are also still difficult to its true content of intuitive judgment.And in secondary key, the content formed is " 020815 ", wherein, " 02 " is for characterizing the original position of first information word SSID for order the 2nd, " 08 " is the 8th for characterizing the original position of second information word SSID, and latter two " 15 " for characterizing the final position of whole configuration information.According to the principle with upper example equivalence, after receiving terminal reads " 020815 " this specific identifier string from secondary key, just by determining the original position of each information word, thus obtain different information word contents.If transmission both sides have arranged the information type of the information word of different order, then receiving terminal can understand the definite content of the information word that transmitting terminal is expressed in format configuration information accordingly.Can be known equally by the example observing this improvement, because the information content normal length of each information word of same configuration information differs (such as changing the password in configuration information), also may change, cause the position that in different configuration information, each information word occurs different, thus, the content of the corresponding specific identifier string formed is also not each all identical, plays the effect of random factor, the stochastic behaviour required for the present invention that therefore also made secondary key embody.
Visible, described specific identifier included by secondary key, also namely described various formatting identifyings, may be used for the configuration information text of format being reduced to the original configuration information having possessed identification meaning, the information content of its each information word can be identified and utilize smoothly.
According to description herein, information to be transmitted is after elder generation is encrypted to a ciphertext with its formatted text, then is expressed in described data message by described specific identifier collection encryption formation secondary ciphertext.It is to be noted, when considering that secondary key possesses the dual-use function of resolving and encrypt, in the example of an analytical capabilities for outstanding specific identifier collection improved, the process of once encrypting described in also can removing, in this case, being expressed in the configuration information in data message, just can be by the formatted text under its unencrypted state, and with described specific identifier set pair, it is encrypted the ciphertext of formation.
Be further used in the modified embodiment of the self-analytic data function strengthening specific identifier collection, ignore encryption further to consider, any encryption is not carried out to described formatted text, and only the formatting identifying string of specific identifier collection is provided in data message, so that receiving terminal utilizes formatting identifying wherein to resolve the described formatted text of the plaintext be included in described data message.
Four, in the third two kinds of cases disclosed and the basis of other variants of launching with this, the secondary key described in random number structure is added further.
A kind ofly before adapting in format configuration information, carry multiple examples of self-analytic data scheme, can certainly in conjunction with the mode of the first example described, for the secondary key described in front a kind of example adds a random number to strengthen its fail safe.
The comprehensively above-mentioned several examples determining to comprise the described secondary key of random factor provided, programmer can select any one way of example according to the agreement determined when programming and realize it, just can call symmetric encipherment algorithm to be further encrypted described ciphertext, thus the secondary ciphertext described in being formed.
Step S123, assemble described secondary key and described secondary ciphertext forms described data message.
When the clear text format of described secondary ciphertext and secondary key is determined, just according to the agreement between transmitting terminal and receiving terminal, as shown in Figure 5, secondary key can be prepended to described secondary ciphertext, be assembled into data message.For the consideration of verification, also the entire length of data message is used as the front end that check code is expressed in this data message further, whether the data message received is complete to enable receiving terminal utilize this check code to judge.Obviously, namely about the structure of data message, also the arrangement of various piece is more flexibly, the just preferably execution mode that the example of accompanying drawing provides, make described check code and secondary key in succession especially its specific identifier collection form its stem, end is its content part.Those skilled in the art can adjust the structure of this data message with reference to this flexible structure, assemble data message, and not should by the impact of this structure limit the understanding of the present invention.
After constructing data message of the present invention, just complete the work at custom protocol layer of transmitting terminal and receiving terminal, according to the specification of IEEE802.11 agreement, subsequent step will process below data link layer.
Step S13, send described data message.
In this step, need further described data message to be processed into frame data.The present invention is described for multicast packet frame, now introduce several utilize multicast packet frame transmit described in the example of data message:
One, only with the destination address territory of multicast packet frame for loading the content of described data message.
Specifically, separately low 23 of the edited bit area in multicast packet frame destination address territory is used, wherein first 6 are utilized to utilize 17 remaining bit tables to reach the content code of the ordered section that will load for expressing the sequence code of each multicast packet frame, therefore altogether can by 2 6=64 multicast packet frames transmit a data message.Wherein sequence code is that the multicast packet frame of " 000000 " with for referencial use, can be beneficial to the subsequent frame that receiving terminal starts to receive homology accordingly, also can arrange this reference.By this way described data message is loaded in 64 multicast packet frames, send receiving terminal to, receiving terminal just can according to contrary principle, according to each multicast packet frame sequence code indicated by order, the content code of each multicast packet frame is assembled according to the order of sequence, the data message described in acquisition.
Two, only with the frame body territory of multicast packet frame for loading the content of described data message.
Transmitting terminal is to the control in the frame body territory of multicast packet frame, be mainly reflected in the controlled utilization to its frame length, but the utilization of frame length needs to depend on benchmark, thus, in like manner can adopt the mode of above-mentioned reference frame, this reference frame is made to have the shortest frame length (uniqueness is associated with its frame body length of field), and control the length in the frame body territory of all the other each multicast packet frames, make to embody difference between different multicast packet frame and the frame length of described reference frame, make the binary format Bit String of this difference for expressing such as 10 bit contents, wherein such as front 4 for expressing described sequence code, rear 6 for expressing described content code, in like manner by 2 4=16 multicast packet frames load described data message.
Three, use the destination address territory of multicast packet frame and frame body territory for loading data message simultaneously.
To the understanding of this example, please also refer to front two examples.In this example, suppose according in aforementioned low 23 of first example determination destination address territory front 6 for order of representation code, Yu 17 for expression content code, in conjunction with the method for the second example, the frame length that frame body territory determines is utilized again further, make the binary format Bit String of the difference of the frame length between multicast packet frame and a reference frame be 3, then content code in fact by 17 add 3 totally 20 form, can find out, its information representation ability is expanded, and greatly strengthens.
Which kind of mode no matter is adopted to be used to multicast packet frame, utilize the loading of multiple multicast packet frames realizations to described data message characterized in order, thus described information to be transmitted is completed format in data link layer, all can meet the specification of IEEE802.11 agreement.
Complete described after the work for the treatment of of data link layer, just the mode of multicast packet frame can send the described data message comprising information to be transmitted to receiving terminal.
Information secure transmission method of the present invention is in transmission information process, even if all multicast packet frames are are all intercepted and captured, thus make interceptor obtain described data message, due to the safe invigoration effect that method of the present invention plays, interceptor is still difficult to decode the information be transmitted of the present invention.
The one networking cut-in method that the present invention further provides, can utilize the information transmitted with aforesaid information secure transmission method, refer to Fig. 6, this networking cut-in method comprises the steps:
Step S21, reception data message.
This step needs the frame being responsible for data link layer to receive to obtain corresponding data message.The process of reception data message has the phase reverse-power in agreement with the aforementioned process sent datagram, can with reference to the specification of IEEE802.11.Based on the example of aforementioned employing multicast packet frame, can with reference to the following concrete grammar alignment processing shown in Fig. 7:
Step S211, receive there is the multicast packet frame of same source.
This step receives the technology with the multicast packet frame of same source by WiFi module, dawn known to those skilled in the art, it is pointed out that alleged same source here, refer to the source address of described transmitting terminal, identify the transmit leg of the configuration information needed for this method with this.
The indexed sequential that step S212, the sequence code provided according to each multicast packet frame characterize assembles the content code that each multicast packet frame carries.
The edited bit area in the destination address territory utilizing separately multicast packet frame as front disclosed, separately utilize frame body length of field difference, common utilize as described in destination address territory edited bit area and as described in length difference three examples in frame body territory, for realizing the loading to described data message.The multicast packet frame loading data message has multiple, all sorted with sequence code, according to the contrary principle in agreement, this step can be decoded to all multicast packet frames that it receives, obtain corresponding sequence code and content code, the order that characterizes of code in order, carries out serial connection assembling by the content code of correspondence.
Step S213, by according to the order of sequence assembling after content code be converted to described data message.
Coded sequence according to the order of sequence after assembling, further according to the contrary principle in agreement, is converted into the data message that custom protocol layer of the present invention can identify, to carry out follow-up process.For guaranteeing the integrity degree of described data message, after the data message described in obtaining, the length of check code to this data message of its front end (specifically depending on data message structure) should be utilized to verify.For the data message do not conformed to, should abandon, only the successful data message of acceptance inspection.
Step S22, to utilize contained by this data message the contained secondary ciphertext of secondary key deciphering to obtain a ciphertext.
According to an example of the aforementioned announcement of the present invention, in the data message that receiving terminal obtains, contain described secondary key, and be suitable for the secondary ciphertext of deciphering with this secondary key.Thus, from this data message, read the secondary key expressed by it, use related algorithm to be decrypted this secondary ciphertext, a ciphertext of the configuration information be transmitted can be obtained.It is to be appreciated that accept the specification of symmetric cryptosystem due to described secondary key, therefore, need not prestore in this locality this secondary key.
According to the announcement of last method, described secondary key can be both merely random number, also can be the formatting identifying string be made up of formatting identifying, i.e. specific identifier collection, no matter secondary key has several heavy meaning, in this example, as long as secondary key is at the front decipher function that made self possess for encryption configuration information, just must secondary key be utilized in this step in advance to be decrypted secondary ciphertext.If in some example, format configuration information, without once encrypting, just carries out simple encryption through secondary key, then after this deciphering, just can obtain the configuration information of format, can directly resolve format configuration information on this basis.Otherwise, through secondary key deciphering after obtain if a ciphertext, then also need again to be decrypted, finally on the basis of twice deciphering obtain format configuration information could be resolved.Certainly, if in some embodiment, not by specific identifier collection (secondary key) for encryption configuration information, just without the need to deciphering herein.
Described in the secret key decryption that step S23, utilization prestore, a ciphertext is to obtain configuration information wherein.
In the example disclosed as front, a described ciphertext, utilize the configuration information encryption of a secondary key (PKI) to format to be formed, this secondary key is the PKI of asymmetric encryption techniques institute specification, thus, the intelligent terminal as receiving terminal prestores corresponding private key, in this step, intelligent terminal calls the private key prestored, and the secondary key (private key) also namely alleged by this method is decrypted described ciphertext.Can find out, a secondary key (private key) alleged by this method and both secondary keys (PKI) alleged by last method are by asymmetric encryption techniques institute specification, algorithmically relevant, the former is decruption key, the latter is encryption key, not have the same key of identical content, those skilled in the art should know.
Really, if adopt the configuration information of a double secret key format of symmetric cryptosystem institute specification to encrypt at transmitting terminal, then intelligent terminal just should to prestore a described secondary key identical in content as receiving terminal, this secondary key had both been the encryption key of transmitting terminal, was also the decruption key of receiving terminal.
After a ciphertext described in deciphering, obtain the configuration information of corresponding format.But, according to the multiple variation instance of aforementioned announcement, in any case obtain the configuration information of described format from data message, as the textual form of specific format, this formatted text is not yet identified and utilizes, and thus not yet can obtain the configuration information with the specification identifying meaning.According to the contrary principle in agreement, corresponding to certain embodiments, the text is resolved to the described configuration information having and identify meaning by the specific identifier that described secondary key should be utilized to comprise.Each example of corresponding aforementioned announcement, has following several corresponded manner for the treatment of the configuration information of described format:
One, the situation of transmitting terminal and the receiving terminal configuration information of this format of protocol analysis.
In this case, receiving terminal only need resolve the configuration information of described format according to agreement in advance, obtains wherein each information content.
Two, transmitting terminal utilizes formatting identifying formation specific identifier collection used in formatting procedure to be used as the situation of secondary key.
This situation, comprise two kinds of segmentation situations of aforementioned announcement, wherein one is that secondary key is whole specific identifier collection, comprise specific identifier centralized procurement formatting identifying and be used to indicate the mode of information content position and be used to indicate the mode of separating character, the specific part of another kind to be specific identifier collection be secondary key.
No matter which kind of situation, the contrary principle all not on away protocols.Thus, should stress in this kind of situation to obtain described specific identifier collection from described secondary key, corresponding as front each example each concrete condition of disclosing, identify the information content formaing configuration information.
In some example, the formatting identifying that specific identifier is concentrated is used to indicate the position residing for each information content, or be used to indicate the separator of each information content, comprise aforesaid first formatting identifying and the second formatting identifying, in any case, all can utilize the instruction of described formatting identifying, separate and extract described format configuration information, to obtain the configuration information of specification, namely also there is each information content identifying meaning.
According to the process of this step, finally can obtain the configuration information of specification, also the primitive meaning of the information obtaining transmitting terminal transmission is namely recognized, such as, for aforesaid configuration information, the service set SSID that receiving terminal can know the objective network that namely will access is MYWiFi, and the login password PSW of its correspondence is then PLZLOGIN.
It is to be noted, a kind ofly described specific identifier collection is only made only to have analytical capabilities, and do not utilize in the corresponding embodiment of its cipher key function, then need not through each decryption step aforesaid, and two decryption step are replaced with an integration step, directly utilize the configuration information of the format contained by specific identifier set pair data message to carry out resolving according to above-mentioned principle herein.In this case, although the configuration information of format is without special encryption once or twice, but because specific identifier collective of the present invention reveals certain for protocol function, also the compartmentation of its formatting identifying is namely utilized and the function for identifying each specifying information content contained by configuration information, thus, this situation also serves certain cipher round results.
Step S24, with this configuration information configuration own net arrange, access described objective network.
After obtaining described configuration information, just the service set (SSID) that provides of mobile terminal and corresponding password is obtained, intelligent terminal just can carry out self network settings, determine that corresponding SSID is MYWiFi, and arranging its password is corresponding PLZLOGIN, start the process of access objective network, carry out a series of handshake operation, until set up the connection with the WiFiAP representated by this SSID.
After intelligent terminal connects this AP, just accessed objective network, can communicate in theory with cloud server, the routing function also provided by current local area network communicates with the described mobile terminal in net.Thus intelligent terminal can send one to this mobile terminal and characterize the signal having completed network insertion, so that mobile terminal can provide operation further, control inerface does subsequent operation to user.
Visible, networking cut-in method of the present invention, based on safer encryption technology, more safely can receive configuration information, avoids the configuration information receiving illegal user simulation to obtain safer result of use.
Further, based on modularized thoughts, the invention provides a kind of aforesaid mobile terminal and intelligent terminal, preferably, the mobile phone that this mobile terminal has installed aforementioned corresponding APP realizes, the agreement utilizing computer program to achieve technical scheme of the present invention between mobile terminal and intelligent terminal to embody.
Refer to Fig. 8, in the exemplary embodiments of mobile terminal of the present invention, this intelligent terminal comprises acquiring unit 11, structural unit 12 and transmission unit 13.Function performed by each unit discloses as follows in detail:
Described acquiring unit 11, for obtaining information to be transmitted.
Consider that the present invention mainly utilizes multicast or broadcast technology to realize transfer of data, thus described information to be transmitted, especially tailored index is according to measuring the little information content, such as accessing the configuration information of objective network, usually only include service set and the password of objective network, amount of information is just less; And for example only comprise a directive statement performed for receiving end; For another example the announcement information that is pushed to receiving terminal is only comprised.Like this, play advantage of the present invention with all maximizing degree.As for the quantizating index of amount of information size, the data capacity can expressed due to each Frame is limited, can be determined by those skilled in the art according to actual conditions.
It is to be noted, in each embodiment of the present invention, for the easy consideration illustrated, often censure this information to be transmitted with the configuration information that this transmission information example is namely described, but should not be understood as to " information to be transmitted " this concept and converted saying and still refer to same object such as " be transmitted information ", the restriction of the concept such as " received information ".In like manner, follow-up relate to treat that transmission information is formatted, the operation such as encryption and the different-format content that causes, although its expression-form changes, its object pointed to is still " information to be transmitted " information pointed by this concept.
For the APP realized based on the present invention, when this APP is run, just by system drive, the hardware device on mobile phone is utilized.Well-known, mobile phone not only has WiFi module, display, control chip, also has the parts such as microphone, loud speaker, these parts all realize calling by this APP.
For android system, first mobile phone terminal is called by its acquiring unit 11 and shows a movable component (Activity), or show the page utilizing HTML5 to realize, the WiFi access-in point information (enumerating with service set SSID) screen showing this user interface and scans, request user selected target network, and require that user inputs corresponding password, thus obtain SSID and the password of objective network.
According to the agreement of WiFi agreement, those skilled in the art can know, configuration information generally include that WiFi wireless router (representing objective network) provides for determine the service set (SSID) of this objective network with for logging in the login password of this objective network, may also need the cipher mode comprising login password in some cases, and also can provide login password for open network.Although WiFi agreement exists the fact of version upgrading, these are related to the configuration information realizing access network and indispensability and can be determined according to document of agreement correspondence by those skilled in the art, therefore, are not repeated for this reason its details and equivalent variations scheme thereof.
Flexible as details, after user have selected SSID, password corresponding to this SSID can be inquired about to cloud server, if password exists, then directly download password by high in the clouds, can save and require that user inputs the process of objective network password.
Described structural unit 12, for construction data message, make this data message comprise secondary ciphertext and secondary key, described secondary ciphertext is by information to be transmitted described in one-time pad, form a ciphertext, the more described secondary key encryption through comprising random factor is formed.
After the information to be transmitted of the configuration information described in acquisition and so on, just need for its construction data message.The process of construction data message, serve the effect of linking up application layer and data link layer, specifically, the information to be transmitted of described configuration information and so on is obtained from application layer, and follow-uply will send this data message in data link layer, so the process of structural unit 12 construction data message, is equivalent in fact a protocol layer defined by the present invention.Thus, the realization of structural unit 12 is very flexibly, is illustrated below with some examples:
As shown in Figure 9 a kind of for constructing in the example of structural unit 12 of described data message, this structural unit 12 comprises encrypting module 121, superencipher module 122 and a structure Knockdown block 123, and the function declaration of each module is as follows:
A described encrypting module 121, utilizes described one-time pad information acquisition to be transmitted ciphertext.
A described secondary key, refers to the key for once encrypting the information that is transmitted widely adopted at present, general employing public key encryption mode, i.e. asymmetric encryption mode.In public key encryption mode, the PKI that the urtext of information to be transmitted is held with it is encrypted as transmitting terminal by mobile terminal, and when being transferred to opposite end, the intelligent terminal as receiving terminal calls the private key prestored, treat transmission information to be decrypted, thus obtain its prototype version.Described PKI and private key, be algorithmically correlated with, and thus may be used for the data of mutually deciphering the other side's encryption.In the present embodiment, a described encrypting module 121 in like manner continues to use conventional art, and the configuration information of a double secret key unprocessed form described in utilization is encrypted, thus obtains a ciphertext.Asymmetric encryption techniques embodies higher fail safe, is often used in the higher scene of security requirement.
In flexible execution mode, a described secondary key can utilize encrypted private key, and namely symmetric cryptosystem realizes.In this technology, mobile terminal and intelligent terminal have an identical described secondary key respectively, and mobile terminal utilizes one-time pad information to be transmitted, obtain a ciphertext, be transferred to intelligent terminal, intelligent terminal just can utilize the secondary key prestored by decrypts information to be transmitted.Symmetric cryptography has the higher feature of the simple efficiency of algorithm, thus can preferentially be selected in the scene that some security requirement is not too high.
Described superencipher module 122, is configured to utilize the secondary key comprising random factor that a ciphertext is encrypted as secondary ciphertext.
In the present embodiment, after one time ciphertext is formed, or some does not rely on the information described to be transmitted in the embodiment of once encrypting, and is utilized secondary key and carries out superencipher formation secondary ciphertext in superencipher module 122.It is pointed out that described secondary key is particularly useful for adopting the private key of symmetric cryptosystem institute specification, thus, when after intelligent terminal for reception to corresponding message, with lower calculating consumption, secondary ciphertext can be decrypted.
Described secondary key, includes random factor, and described random factor is at least included in secondary key and adopts random number and utilize random mode to select a secondary key two kinds of situations.By the effect of this random factor, make secondary key all have uncertainty before being used to superencipher at every turn, when being namely about to carry out superencipher to a ciphertext, just determined.Thus, when secondary key carries out superencipher to each information to be transmitted, all can farthest embody its uniqueness.
The specific implementation of described secondary key can be presented as following several elective mode:
One, adopt random number as described secondary key.
In this mode, superencipher module 122 directly calls random function, produces a particular number of bits as the random number of 16, this random number is defined as described secondary key.This mode the most easily realizes, and more efficiently, is convenient to intelligent terminal fast decryption.
Two, from the multiple keys prestored, described secondary key is determined randomly.
This mode in like manner can call random function by superencipher module 122, determines a secondary key prestored, and makes its endomorph reveal uncertainty.The secondary key determined therefrom, also has the feature of randomness, in like manner can play and manufacture to interceptor the effect decoding obstacle.
Three, for resolve not by the ordered set of the formatting identifying of the information described to be transmitted before once encrypting as described secondary key.
Information to be transmitted, generally includes multiple information word, foregoing configuration information, in an application scenarios, can be the information comprising service set (SSID) for providing WiFi access point and password (PSW) thereof.In each information word, generally characterized its information type and the corresponding information content with some form.When it needs transmission, be usually expressed as a character string with the form these information words be connected in series, complete the format treating transmission information, obtain the configuration information of format.
Specifically, for configuration information, service set and the equal configuration information unit of password, separated with element first formatting identifying " | " between information word, separated between the information type of information word and the information content with the second formatting identifying ": ".Such as service set represents its information type with SSID, password PSW represents its information type, and the information content of SSID is MYWiFi, and the information content of password is PLZLOGIN, before once not encrypted, to the textual form that it carries out the configuration information formaing the format formed be:
SSID:MYWiFi|PSW:PLZLOGIN
Note, in the configuration information of the format of above-mentioned expression, organize in a certain order, wherein SSID is front, PSW is rear, these two information type identifier can be used for the use identifying the corresponding information content, described formatting identifying ": |: " then embody its speciality, if arrange between transmitting terminal and receiving terminal to obtain the first formatting identifying from the first byte of secondary key, the second formatting identifying is obtained from the second byte, then which kind of symbol no matter transmitting terminal adopt for expressing described formatting identifying, for receiving terminal, all by obtaining the formatting identifying with appointment function from the first byte of secondary key and the second byte, and separate each information word with the symbol of wherein the first byte, and by the symbol isolation information type of the second byte and the information content thereof, thus correct parsing formats configuration information, restore the information content of each information word.Therefore, this example has embodied data message undoubtedly and has had the function carrying parsing scheme, makes described secondary key not only be suitable for deciphering secondary ciphertext, and be suitable for resolving not encrypted before the configuration information of format, add the complexity of data message, make interceptor more be difficult to crack.
Obviously, as specific identifier, described formatting identifying is suitable for the order occurred in the configuration information of format according to it, and by like manner arranged in sequence is in described secondary key, described formatting identifying can be determined at random.When needing, the number of the formatting identifying used is more, and arrange more diversified, its analytical capabilities that can express is more powerful, and the complexity of key also will improve further, thus makes secondary ciphertext more be difficult to decode.In this case, secondary key is in fact a specific identifier collection be made up of multiple formatting identifying, specific identifier string in this specific identifier collection, may be used for the configuration information of resolving format, and integrally, also can be used for deciphering the secondary ciphertext of this configuration information thus obtain a ciphertext.
In a further improvement, described configuration information is expressed to increase its readable difficulty: 0MYWiFiPLZLOGIN8 in the following manner.Can find out, in this expression way, different information word is not separated by with any symbol, but but still can be resolved by formatting identifying.
Specifically, be that the spaced-apart locations of information word is characterized into formatting identifying, make this formatting identifying be used to indicate the positional information of different information word in format configuration information.Such as, initial character " 0 " and last character " 8 " are actually nonessential interference factor, the interpolation of interference factor, even if make code breaker obtain the configuration information of described format, are also still difficult to its true content of intuitive judgment.And in secondary key, the content formed is " 020815 ", wherein, " 02 " is for characterizing the original position of first information word SSID for order the 2nd, " 08 " is the 8th for characterizing the original position of second information word SSID, and latter two " 15 " for characterizing the final position of whole configuration information.According to the principle with upper example equivalence, after receiving terminal reads " 020815 " this specific identifier string from secondary key, just by determining the original position of each information word, thus obtain different information word contents.If transmission both sides have arranged the information type of the information word of different order, then receiving terminal can understand the definite content of the information word that transmitting terminal is expressed in format configuration information accordingly.Can be known equally by the example observing this improvement, because the information content normal length of each information word of same configuration information differs (such as changing the password in configuration information), also may change, cause the position that in different configuration information, each information word occurs different, thus, the content of the corresponding specific identifier string formed is also not each all identical, plays the effect of random factor, the stochastic behaviour required for the present invention that therefore also made secondary key embody.
Visible, described specific identifier included by secondary key, also namely described various formatting identifyings, may be used for the configuration information text of format being reduced to the original configuration information having possessed identification meaning, the information content of its each information word can be identified and utilize smoothly.
According to description herein, information to be transmitted is after elder generation is encrypted to a ciphertext with its formatted text, then is expressed in described data message by described specific identifier collection encryption formation secondary ciphertext.It is to be noted, when considering that secondary key possesses the dual-use function of resolving and encrypt, in the example of an analytical capabilities for outstanding specific identifier collection improved, the process of once encrypting described in also can removing, in this case, being expressed in the configuration information in data message, just can be by the formatted text under its unencrypted state, and with described specific identifier set pair, it is encrypted the ciphertext of formation.
Be further used in the modified embodiment of the self-analytic data function strengthening specific identifier collection, ignore encryption further to consider, any encryption is not carried out to described formatted text, and only the formatting identifying string of specific identifier collection is provided in data message, so that receiving terminal utilizes formatting identifying wherein to resolve the described formatted text of the plaintext be included in described data message.
Four, in the third two kinds of cases disclosed and the basis of other variants of launching with this, the secondary key described in random number structure is added further.
A kind ofly before adapting in format configuration information, carry multiple examples of self-analytic data scheme, can certainly in conjunction with the mode of the first example described, for the secondary key described in front a kind of example adds a random number to strengthen its fail safe.
The comprehensively above-mentioned several examples determining to comprise the described secondary key of random factor provided, programmer can select any one way of example according to the agreement determined when programming and realize it, just call symmetric encipherment algorithm by superencipher module 122 to be further encrypted described ciphertext, thus the secondary ciphertext described in being formed.
Described structure Knockdown block 123, for assembling described secondary key and described secondary ciphertext forms described data message.
When the clear text format of described secondary ciphertext and secondary key is determined, just according to the agreement between transmitting terminal and receiving terminal, as shown in Figure 5, secondary key can be prepended to described secondary ciphertext, be assembled into data message.For the consideration of verification, also the entire length of data message is used as check code further, be expressed in the front end of this data message, whether the data message received is complete to enable receiving terminal utilize this check code to judge.Obviously, namely about the structure of data message, also the arrangement of various piece is more flexibly, the just preferably execution mode that the example of accompanying drawing provides, make described check code and secondary key in succession especially its specific identifier collection form its stem, end is its content part.Those skilled in the art can adjust the structure of this data message with reference to this flexible structure, assemble data message, and not should by the impact of this structure limit the understanding of the present invention.
After structural unit 12 constructs data message of the present invention, just complete transmitting terminal and receiving terminal in the work of custom protocol layer, according to the specification of IEEE802.11 agreement, call transmission unit 13 and in data link layer, data message is processed.
Described transmission unit 13, for sending described data message.
Described transmission unit 13, needs further described data message to be processed into frame data.The present invention is described for multicast packet frame, now introduce several utilize multicast packet frame transmit described in the example of data message:
One, only with the destination address territory of multicast packet frame for loading the content of described data message.
Specifically, separately low 23 of the edited bit area in multicast packet frame destination address territory is used, wherein first 6 are utilized to utilize 17 remaining bit tables to reach the content code of the ordered section that will load for expressing the sequence code of each multicast packet frame, therefore altogether can by 2 6=64 multicast packet frames transmit a data message.Wherein sequence code is that the multicast packet frame of " 000000 " with for referencial use, can be beneficial to the subsequent frame that receiving terminal starts to receive homology accordingly, also can arrange this reference.By this way described data message is loaded in 64 multicast packet frames, send receiving terminal to, receiving terminal just can according to contrary principle, according to each multicast packet frame sequence code indicated by order, the content code of each multicast packet frame is assembled according to the order of sequence, the data message described in acquisition.
Two, only with the frame body territory of multicast packet frame for loading the content of described data message.
Transmitting terminal is to the control in the frame body territory of multicast packet frame, be mainly reflected in the controlled utilization to its frame length, but the utilization of frame length needs to depend on benchmark, thus, in like manner can adopt the mode of above-mentioned reference frame, this reference frame is made to have the shortest frame length (uniqueness is associated with its frame body length of field), and control the length in the frame body territory of all the other each multicast packet frames, make to embody difference between different multicast packet frame and the frame length of described reference frame, make the binary format Bit String of this difference for expressing such as 10 bit contents, wherein such as front 4 for expressing described sequence code, rear 6 for expressing described content code, in like manner by 2 4=16 multicast packet frames load described data message.
Three, use the destination address territory of multicast packet frame and frame body territory for loading data message simultaneously.
To the understanding of this example, please also refer to front two examples.In this example, suppose according in aforementioned low 23 of first example determination destination address territory front 6 for order of representation code, Yu 17 for expression content code, in conjunction with the principle of the second example, the frame length that frame body territory determines is utilized again further, make the binary format Bit String of the difference of the frame length between multicast packet frame and a reference frame be 3, then content code in fact by 17 add 3 totally 20 form, can find out, its information representation ability is expanded, and greatly strengthens.
Can find out, which kind of mode no matter is adopted to be used to multicast packet frame, utilize the loading of multiple multicast packet frames realizations to described data message characterized in order, thus described information to be transmitted is completed format in data link layer, all can meet the specification of IEEE802.11 agreement.
Transmission unit 13 completes described after the work for the treatment of of data link layer, just the mode of multicast packet frame can send the described data message comprising information to be transmitted to receiving terminal.
Mobile terminal of the present invention is in the process of transmission information, even if all multicast packet frames are are all intercepted and captured, thus make interceptor obtain described data message, due to the safe invigoration effect that mobile terminal plays, interceptor is still difficult to decode the information be transmitted of the present invention.
Refer to Figure 10, a kind of intelligent terminal that the present invention further provides, can utilize the information of mobile terminal transmission, it comprises receiving element 21, second decryption unit 22, first decryption unit 23 and access unit 24, and the function of each unit discloses as follows:
Described receiving element 21, for receiving data message.
Receiving element 21 needs the frame being responsible for data link layer to receive to obtain corresponding data message.The process of reception data message has the phase reverse-power in agreement with the aforementioned process sent datagram, can with reference to the specification of IEEE802.11.Based on the example of aforementioned employing multicast packet frame, the constructing module of this receiving element 21 is utilized to realize receiving function, refer to Figure 11, receiving element 21 specifically comprises frame receiver module 211, frame Knockdown block 212 and modular converter 213, and the function that each module realizes is as follows:
Described frame receiver module 211, for receiving the multicast packet frame with same source.
Frame receiver module 211 receives the technology with the multicast packet frame of same source by WiFi module, dawn known to those skilled in the art, it is to be noted, here alleged same source, refer to the source address of described transmitting terminal, with the transmit leg of the configuration information needed for this identification intelligent terminal.
Described frame Knockdown block 212, the indexed sequential that the sequence code for providing according to each multicast packet frame characterizes assembles the content code that each multicast packet frame carries.
The edited bit area in the destination address territory utilizing separately multicast packet frame as front disclosed, separately utilize frame body length of field difference, common utilize as described in destination address territory edited bit area and as described in length difference three examples in frame body territory, for realizing the loading to described data message.The multicast packet frame loading data message has multiple, all sorted with sequence code, according to the contrary principle in agreement, frame Knockdown block 212 can be decoded to all multicast packet frames that it receives, obtain corresponding sequence code and content code, the order that characterizes of code in order, carries out serial connection assembling by the content code of correspondence.
Described modular converter 213, for by according to the order of sequence assembling after content code be converted to described data message.
Coded sequence according to the order of sequence after assembling, further according to the contrary principle in agreement, is converted into the data message that custom protocol layer of the present invention can identify, to carry out follow-up process.For guaranteeing the integrity degree of described data message, after the data message described in obtaining, the length of check code to this data message of its front end (specifically depending on data message structure) should be utilized to verify.For the data message do not conformed to, should abandon, only the successful data message of acceptance inspection.
The second described decryption unit 22, it utilizes the contained secondary ciphertext of secondary key deciphering contained by this data message to obtain a ciphertext.
According to an example of the aforementioned announcement of the present invention, in the data message that receiving terminal obtains, contain described secondary key, and be suitable for the secondary ciphertext of deciphering with this secondary key.Thus, the second decryption unit 22 reads the secondary key expressed by it from this data message, uses related algorithm to be decrypted this secondary ciphertext, can obtain a ciphertext of the configuration information be transmitted.It is to be appreciated that accept the specification of symmetric cryptosystem due to described secondary key, therefore, need not prestore in this locality this secondary key.
According to the announcement of mobile terminal, described secondary key can be both merely random number, also can be the formatting identifying string be made up of formatting identifying, i.e. specific identifier collection, no matter secondary key has several heavy meaning, in this example, as long as secondary key is at the front decipher function that made self possess for encryption configuration information, just secondary key must be utilized in advance to be decrypted secondary ciphertext in the second decryption unit 22.If in some example, format configuration information, without once encrypting, just carries out simple encryption through secondary key, then after this deciphering, just can obtain the configuration information of format, can directly resolve format configuration information on this basis.Otherwise, through secondary key deciphering after obtain if a ciphertext, then also need again to be decrypted, finally on the basis of twice deciphering obtain format configuration information could be resolved.Certainly, if in some embodiment, not by specific identifier collection (secondary key) for encryption configuration information, just without the need to deciphering herein.
The first described decryption unit 23, described in the secret key decryption that its utilization prestores, a ciphertext is to obtain configuration information wherein.
In the example disclosed as front, a described ciphertext, utilize the configuration information encryption of a secondary key (PKI) to format to be formed, this secondary key is the PKI of asymmetric encryption techniques institute specification, thus, the intelligent terminal as receiving terminal prestores corresponding private key, under the effect of the first decryption unit 23, call the private key prestored, the secondary key (private key) also namely alleged by this intelligent terminal is decrypted described ciphertext.Can find out, a secondary key (private key) alleged by this intelligent terminal and the secondary key alleged by mobile terminal (PKI) are by asymmetric encryption techniques institute specification, algorithmically relevant, the former is decruption key, the latter is encryption key, not have the same key of identical content, those skilled in the art should know.
Really, if adopt the configuration information of a double secret key format of symmetric cryptosystem institute specification to encrypt at transmitting terminal, then intelligent terminal just should to prestore a described secondary key identical in content as receiving terminal, this secondary key had both been the encryption key of transmitting terminal, was also the decruption key of receiving terminal.
After first decryption unit 23 deciphers a described ciphertext, obtain the configuration information of corresponding format.But, according to the multiple variation instance of aforementioned announcement, in any case obtain the configuration information of described format from data message, as the textual form of specific format, this formatted text is not yet identified and utilizes, and thus not yet can obtain the configuration information with the specification identifying meaning.According to the contrary principle in agreement, corresponding to certain embodiments, the text is resolved to the described configuration information having and identify meaning by the specific identifier that described secondary key should be utilized to comprise.Each example of corresponding aforementioned announcement, has following several corresponded manner for the treatment of the configuration information of described format:
One, the situation of transmitting terminal and the receiving terminal configuration information of this format of protocol analysis.
In this case, receiving terminal only need resolve the configuration information of described format according to agreement in advance, obtains wherein each information content.
Two, transmitting terminal utilizes formatting identifying formation specific identifier collection used in formatting procedure to be used as the situation of secondary key.
This situation, comprise two kinds of segmentation situations of aforementioned announcement, wherein one is that secondary key is whole specific identifier collection, comprise specific identifier centralized procurement formatting identifying and be used to indicate the mode of information content position and be used to indicate the mode of separating character, the specific part of another kind to be specific identifier collection be secondary key.
No matter which kind of situation, the contrary principle all not on away protocols.Thus, should stress in this kind of situation to obtain described specific identifier collection from described secondary key, corresponding as front each example each concrete condition of disclosing, identify the information content formaing configuration information.
In some example, the formatting identifying that specific identifier is concentrated is used to indicate the position residing for each information content, or be used to indicate the separator of each information content, comprise aforesaid first formatting identifying and the second formatting identifying, in any case, all can utilize the instruction of described formatting identifying, separate and extract described format configuration information, to obtain the configuration information of specification, namely also there is each information content identifying meaning.
According to the process of this unit, finally can obtain the configuration information of specification, also the primitive meaning of the information obtaining transmitting terminal transmission is namely recognized, such as, for aforesaid configuration information, the service set SSID that receiving terminal can know the objective network that namely will access is MYWiFi, and the login password PSW of its correspondence is then PLZLOGIN.
It is to be noted, a kind ofly described specific identifier collection is only made only to have analytical capabilities, and do not utilize in the corresponding embodiment of its cipher key function, then need not through aforesaid deciphering, and the first decryption unit 23 and the second decryption unit 22 are replaced with a resolution unit, utilize the configuration information of the format contained by specific identifier set pair data message to carry out resolving according to above-mentioned principle herein.In this case, should see, although the configuration information of format is without special encryption once or twice, but because specific identifier collective of the present invention reveals certain for protocol function, also the compartmentation of its formatting identifying is namely utilized and the function for identifying each specifying information content contained by configuration information, thus, this situation also serves certain cipher round results.
Described access unit 24, for arranging with this configuration information configuration own net, accesses described objective network.
After obtaining described configuration information, just the service set (SSID) that provides of mobile terminal and corresponding password is obtained, intelligent terminal just can carry out self network settings, determine that corresponding SSID is MYWiFi, and arranging its password is corresponding PLZLOGIN, start the process of access objective network, carry out a series of handshake operation, until set up the connection with the WiFiAP representated by this SSID.
After intelligent terminal connects this AP, just accessed objective network, can communicate in theory with cloud server, the routing function also provided by current local area network communicates with the described mobile terminal in net.Thus intelligent terminal can send one to this mobile terminal and characterize the signal having completed network insertion, so that mobile terminal can provide operation further, control inerface does subsequent operation to user.
Visible, intelligent terminal of the present invention, based on safer encryption technology, more safely can receive configuration information, avoids the configuration information receiving illegal user simulation to obtain safer result of use.
In sum, the present invention is by cryptographic technique, and the content loaded by improving data message is expressed, and further enhances the communication security effect of the technology that connects soon based on IEEE802.11 protocol realization.
The above is only some embodiments of the present invention; it should be pointed out that for those skilled in the art, under the premise without departing from the principles of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (10)

1. an information secure transmission method, is characterized in that, comprises the steps:
Obtain information to be transmitted;
Construction data message, makes this data message comprise secondary ciphertext and secondary key, and described secondary ciphertext, by information to be transmitted described in one-time pad, forms a ciphertext, the more described secondary key encryption through comprising random factor is formed;
Send described data message.
2. information secure transmission method according to claim 1, is characterized in that, obtains in the step of information to be transmitted, receives described information to be transmitted and submits instruction to, perform subsequent step in response to this submission instruction by user interface.
3. information secure transmission method according to claim 1, is characterized in that, described information to be transmitted is the configuration information for accessing objective network.
4. information secure transmission method according to claim 3, is characterized in that, described configuration information comprises for determining the service set of described objective network and logging in the password of this objective network.
5. information secure transmission method according to claim 1, is characterized in that, the step of construction data message comprises following concrete steps:
Utilize described one-time pad information acquisition to be transmitted ciphertext;
Utilize the secondary key comprising random factor that a ciphertext is encrypted as secondary ciphertext;
Assemble described secondary key and described secondary ciphertext forms described data message.
6. information secure transmission method according to claim 1, is characterized in that, described information to be transmitted is formatted as the text comprising specific identifier before once being encrypted.
7. information secure transmission method according to claim 1, is characterized in that, described secondary key comprises described specific identifier and is reduced to described information to be transmitted for by described text.
8. a mobile terminal, is characterized in that, comprising:
Acquiring unit, for obtaining information to be transmitted;
Structural unit, for construction data message, makes this data message comprise secondary ciphertext and secondary key, and described secondary ciphertext, by information to be transmitted described in one-time pad, forms a ciphertext, the more described secondary key encryption through comprising random factor is formed;
Transmission unit, for sending described data message.
9. a networking cut-in method, is characterized in that, comprise the steps:
Receive data message;
Utilize the contained secondary ciphertext of secondary key deciphering contained by this data message to obtain a ciphertext;
Described in the secret key decryption that utilization prestores, a ciphertext is to obtain configuration information wherein;
Arrange with this configuration information configuration own net, access described objective network.
10. an intelligent terminal, is characterized in that, it comprises:
Receiving element, for receiving data message;
Second decryption unit, it utilizes the contained secondary ciphertext of secondary key deciphering contained by this data message to obtain a ciphertext;
First decryption unit, described in the secret key decryption that its utilization prestores, a ciphertext is to obtain configuration information wherein;
Access unit, for arranging with this configuration information configuration own net, accesses described objective network.
CN201510424991.0A 2015-07-17 2015-07-17 Information secure transmission method, networking cut-in method and corresponding terminal Active CN105119900B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510424991.0A CN105119900B (en) 2015-07-17 2015-07-17 Information secure transmission method, networking cut-in method and corresponding terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510424991.0A CN105119900B (en) 2015-07-17 2015-07-17 Information secure transmission method, networking cut-in method and corresponding terminal

Publications (2)

Publication Number Publication Date
CN105119900A true CN105119900A (en) 2015-12-02
CN105119900B CN105119900B (en) 2019-02-26

Family

ID=54667790

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510424991.0A Active CN105119900B (en) 2015-07-17 2015-07-17 Information secure transmission method, networking cut-in method and corresponding terminal

Country Status (1)

Country Link
CN (1) CN105119900B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592096A (en) * 2015-12-30 2016-05-18 Tcl集团股份有限公司 Rapid connection method and apparatus of network equipment
WO2017000915A1 (en) * 2015-07-01 2017-01-05 北京奇虎科技有限公司 Multicast transmission method, information extraction method and corresponding terminal and device
CN107645319A (en) * 2017-11-10 2018-01-30 国网江苏省电力公司泰州供电公司 A kind of smart jack component and its control method for power line secure communication
CN110928564A (en) * 2019-11-11 2020-03-27 中科有讯(北京)科技有限公司 Method for safely updating application, service server, cluster and storage medium
CN111447613A (en) * 2019-01-16 2020-07-24 南京快轮智能科技有限公司 Encryption system for shared products
CN111935317A (en) * 2020-09-27 2020-11-13 恒大新能源汽车投资控股集团有限公司 Vehicle information verification method and device and computer-readable storage medium
CN115102768A (en) * 2022-06-24 2022-09-23 平安银行股份有限公司 Data processing method and device and computer equipment
CN115643017A (en) * 2022-12-23 2023-01-24 云加速(北京)科技有限公司 Software identification validity checking method based on hybrid coding model
WO2024141096A1 (en) * 2022-12-30 2024-07-04 汉熵通信有限公司 Secure internet of things data transmission method and apparatus, system, and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102568062A (en) * 2011-09-29 2012-07-11 浙江吉利汽车研究院有限公司 Encryption and decryption method for remote controller
CN102801712A (en) * 2012-07-17 2012-11-28 苏州市米想网络信息技术有限公司 Network communication system adopting intelligent control
EP2698780A2 (en) * 2012-08-02 2014-02-19 Fujitsu Limited Encryption processing device and method
CN104640091A (en) * 2015-01-13 2015-05-20 董红伟 Method for encryption communication of short message of mobile phone
US20150188704A1 (en) * 2013-12-27 2015-07-02 Fujitsu Limited Data communication method and data communication apparatus

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102568062A (en) * 2011-09-29 2012-07-11 浙江吉利汽车研究院有限公司 Encryption and decryption method for remote controller
CN102801712A (en) * 2012-07-17 2012-11-28 苏州市米想网络信息技术有限公司 Network communication system adopting intelligent control
EP2698780A2 (en) * 2012-08-02 2014-02-19 Fujitsu Limited Encryption processing device and method
US20150188704A1 (en) * 2013-12-27 2015-07-02 Fujitsu Limited Data communication method and data communication apparatus
CN104640091A (en) * 2015-01-13 2015-05-20 董红伟 Method for encryption communication of short message of mobile phone

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017000915A1 (en) * 2015-07-01 2017-01-05 北京奇虎科技有限公司 Multicast transmission method, information extraction method and corresponding terminal and device
CN105592096A (en) * 2015-12-30 2016-05-18 Tcl集团股份有限公司 Rapid connection method and apparatus of network equipment
CN107645319A (en) * 2017-11-10 2018-01-30 国网江苏省电力公司泰州供电公司 A kind of smart jack component and its control method for power line secure communication
CN107645319B (en) * 2017-11-10 2024-02-02 国网江苏省电力公司泰州供电公司 Intelligent socket assembly control method for power line safety communication
CN111447613A (en) * 2019-01-16 2020-07-24 南京快轮智能科技有限公司 Encryption system for shared products
CN110928564A (en) * 2019-11-11 2020-03-27 中科有讯(北京)科技有限公司 Method for safely updating application, service server, cluster and storage medium
CN111935317A (en) * 2020-09-27 2020-11-13 恒大新能源汽车投资控股集团有限公司 Vehicle information verification method and device and computer-readable storage medium
CN111935317B (en) * 2020-09-27 2021-01-01 恒大新能源汽车投资控股集团有限公司 Vehicle information verification method and device and computer-readable storage medium
CN115102768A (en) * 2022-06-24 2022-09-23 平安银行股份有限公司 Data processing method and device and computer equipment
CN115102768B (en) * 2022-06-24 2024-03-19 平安银行股份有限公司 Data processing method and device and computer equipment
CN115643017A (en) * 2022-12-23 2023-01-24 云加速(北京)科技有限公司 Software identification validity checking method based on hybrid coding model
WO2024141096A1 (en) * 2022-12-30 2024-07-04 汉熵通信有限公司 Secure internet of things data transmission method and apparatus, system, and medium

Also Published As

Publication number Publication date
CN105119900B (en) 2019-02-26

Similar Documents

Publication Publication Date Title
CN105119900A (en) Information secure transmission method, network access method and corresponding terminals
CN108293185B (en) Wireless device authentication method and device
US9338130B2 (en) Apparatus and method to register Wi-Fi clients on a Wi-Fi network
CN105072665B (en) Networking control, cut-in method and corresponding terminal and equipment
US20170359344A1 (en) Network-visitability detection control
CN103765848A (en) Apparatus and methods for media access control replacement
KR20130111960A (en) Secure node admission in a communication network
CN105101102B (en) Multicast transmission method, information extracting method and corresponding terminal and equipment
KR101862739B1 (en) Method, device and system for terminal to establish connection
CN105379190A (en) System and method for indicating service set identifier
US20180262352A1 (en) Secure Authentication of Remote Equipment
CN105120454A (en) Information transmission method, network access method and corresponding terminals
CN103945369A (en) Internet access configuration method for WIFI device by checking length of WIFI data packets
CN110784865A (en) Network distribution method and terminal of Internet of things equipment, Internet of things equipment and network distribution system
CN103841523A (en) Information transmission method for conducting Wi-Fi message length based on multicast physical address
US10419212B2 (en) Methods, systems, apparatuses, and devices for securing network communications using multiple security protocols
US10666624B2 (en) Systems and methods for optimized network layer message processing
CN110474922B (en) Communication method, PC system and access control router
CN104869570A (en) Speaking terminal confirmation method based on language channel
CN105120012B (en) Smart machine and its networking cut-in method, message receiving method and device
WO2016119624A1 (en) Data transmission method and apparatus thereof
CN103945379B (en) A kind of method that access authentication and data communication are realized in access network
CN105657640A (en) Wireless network access parameter obtaining method and device of intelligent communication devices
US20050197116A1 (en) Wireless communication apparatus
CN102014342B (en) Network system and method for hybrid networking

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220720

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right