CN105119928B - Data transmission method, device, system and the security server of Android intelligent terminal - Google Patents

Abstract

This application discloses the data transmission method of Android intelligent terminal, apparatus and systems.One specific implementation mode of the method includes：The network for monitoring application program uploads data；Data are uploaded according to network transmission configuration information to network to be encrypted to obtain encryption upload data, network transmission configuration information is for being encrypted classification to network data and configuring security strategy；Encryption is uploaded into data, security server is sent to by data security channel, data security channel is for protecting the transmission process of network data；Receive the encryption down-transmitting data that the corresponding encryption that security server is sent uploads data；Encryption down-transmitting data is decrypted to obtain target data, target data is sent to the application program.This embodiment improves the safeties of Android intelligent terminal transmitting network data.

Description

Data transmission method, device, system and the security server of Android intelligent terminal

Technical field

This application involves fields of communication technology, and in particular to field of network data transmission technology more particularly to Android intelligence Data transmission method, the apparatus and system of terminal.

Background technology

Android system is with its open, ease for use and recreational has obtained vast intelligent terminal (such as mobile phone, tablet) factory The high praise of quotient and user.Until in March, 2015, mobile phone amount based on android system has accounted for 65% or so of whole mobile phones, It can be seen that influence power of the Android system in mobile phone market.Meanwhile more and more conversational traffics (such as Mobile banking, mobile phone book tickets) It is completed on mobile phone by the form of cell phone application (Application, application program), greatly improves conversational traffic processing Efficiency and convenience.

Likewise, since Android system belongs to an open platform, its own is of less demanding to the administration authority of system, This results in the online environment of existing Android system, and there are many security risks.Although there is the safety much to Android mobile phone Property the APP (such as mobile phone house keeper, mobile phone antivirus software) that is reinforced, but in the safety for improving Android intelligent terminal Internet data Property aspect be also short of very much corresponding safeguard measure.

Invention content

This application provides the data transmission method of Android intelligent terminal, apparatus and systems, to solve Android intelligent terminal The not high technical problem of the safety of Internet data.

On the one hand, this application provides a kind of data transmission method of Android intelligent terminal, the method includes：Monitoring is answered Data are uploaded with the network of program；Data are uploaded according to network transmission configuration information to the network to be encrypted to obtain in encryption Data are passed, the network transmission configuration information is for being encrypted classification to network data and configuring security strategy；Described it will add Close upload data are sent to security server by data security channel, and the data security channel is used for the biography to network data Defeated process is protected；Receive the encryption down-transmitting data that the correspondence encryption that the security server is sent uploads data；It is right The encryption down-transmitting data is decrypted to obtain target data, and the target data is sent to the application program.

Second aspect, this application provides a kind of data transmission method of Android intelligent terminal, the method includes：It receives Android intelligent terminal uploads data by the encryption that data security channel is sent；Data are uploaded to the encryption to be decrypted to obtain Network uploads data；Network upload data are sent to corresponding destination server；The destination server is received to send The correspondence network upload the target datas of data；The target data is encrypted according to network transmission configuration information To encryption down-transmitting data, the encryption down-transmitting data is sent to the Android intelligent terminal by the data security channel.

The third aspect, this application provides a kind of data transmission device of Android intelligent terminal, described device includes：Monitoring Unit, the network for monitoring application program upload data；Network uploads DEU data encryption unit, for being configured according to network transmission Information uploads data to the network and is encrypted to obtain encryption upload data, and the network transmission configuration information is used for network Data are encrypted classification and configure security strategy；Encryption uploads data transmission unit, for leading to encryption upload data It crosses data security channel and is sent to security server, the data security channel is for protecting the transmission process of network data Shield；Down-transmitting data receiving unit is encrypted, adding for data is uploaded for receiving the correspondence encryption that the security server is sent Close down-transmitting data；Down-transmitting data decryption unit is encrypted, for being decrypted to obtain target data to the encryption down-transmitting data, and The target data is sent to the application program.

Fourth aspect, this application provides a kind of security server, the security server includes：Encryption uploads data and connects Unit is received, data are uploaded by the encryption that data security channel is sent for receiving Android intelligent terminal；Encryption uploads data solution Close unit is decrypted to obtain network upload data for uploading data to the encryption；Network uploads data transmission unit, uses It is sent to corresponding destination server in the network is uploaded data；Target data receiving unit, for receiving the target The correspondence network that server is sent uploads the target data of data；Target data encryption unit, for according to network transmission Configuration information is encrypted the target data to obtain encryption down-transmitting data, and the encryption down-transmitting data is passed through the data Escape way is sent to the Android intelligent terminal.

5th aspect, this application provides a kind of Android intelligent terminal data transmission systems, and the system comprises above-mentioned The data transmission device of the Android intelligent terminal and the above-mentioned security server.

The present embodiment method uploads data to network by network transmission configuration information and is encrypted to obtain encryption upload number According to, can to network upload data targetedly be protected；Then the encryption is uploaded by data by data security channel It is sent to security server, further the transmission process of data is protected；The encryption that security server is sent later Down-transmitting data is decrypted, and the whole process protection to network data is realized, and greatly improves Android intelligent terminal transmission network The safety of network data.

Description of the drawings

By reading a detailed description of non-restrictive embodiments in the light of the attached drawings below, the application's is other Feature, objects and advantages will become more apparent upon：

Fig. 1 is that this application can be applied to exemplary system architecture figures therein；

Fig. 2 is the flow chart according to one embodiment of the data transmission method of the Android intelligent terminal of the application；

Fig. 3 is the flow chart according to another embodiment of the data transmission method of the Android intelligent terminal of the application；

Fig. 4 is illustrated according to the composed structure of one embodiment of the data transmission device of the Android intelligent terminal of the application Figure；

Fig. 5 is the composed structure schematic diagram according to one embodiment of the security server of the application；

Fig. 6 is an actual scene structure chart according to the data transmission method of the Android intelligent terminal of the application；

Fig. 7 is the flow chart according to one embodiment of the data transmission method of the Android intelligent terminal of the application；

Fig. 8 is adapted for the structural schematic diagram of the computer system of the server for realizing the embodiment of the present application.

Specific implementation mode

The application is described in further detail with reference to the accompanying drawings and examples.It is understood that this place is retouched The specific embodiment stated is used only for explaining related invention, rather than the restriction to the invention.It also should be noted that in order to Convenient for description, is illustrated only in attached drawing and invent relevant part with related.

It should be noted that in the absence of conflict, the features in the embodiments and the embodiments of the present application can phase Mutually combination.The application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.

Fig. 1 shows the number of the data transmission method or Android intelligent terminal that can apply the Android intelligent terminal of the application According to the exemplary system architecture 100 of the embodiment of transmitting device.

As shown in Figure 1, system architecture 100 may include terminal device 101,102, network 103 and server 104.Network 103 between terminal device 101,102 and server 104 provide communication link medium.Network 103 may include various Connection type, such as wired, wireless communication link or fiber optic cables etc..

User can be interacted by network 103 with server 104 with using terminal equipment 101,102, be disappeared with receiving or sending Breath etc..Various telecommunication customer end applications, such as web browser applications, shopping class can be installed on terminal device 101,102 Using, searching class application, instant messaging tools, mailbox client, social platform software etc..

Terminal device 101,102 can be with display screen and supported web page browser application, the application of shopping class, search The various electronic equipments of class application, instant messaging tools, mailbox client, social platform software etc., including but not limited to intelligently Mobile phone, tablet computer, E-book reader, player, pocket computer on knee and desktop computer etc..

Server 104 can be to provide the server of various services, such as to the mobile phone silver on terminal device 101,102 Row, the application of shopping class, instant messaging tools provide the safety detection server supported.Security server can be to the hand that receives The data progress analyzing processing that machine bank, shopping class application, instant messaging tools etc. are sent, and handling result is (such as safe Policy information) feed back to terminal device.

It should be noted that the data transmission method for the Android intelligent terminal that the embodiment of the present application is provided is by terminal device 101, it 102 initiates, and encrypted data is sent to server 104 by terminal device 101,102；Server 104 is to receiving To data handled after issue destination server, the data of destination server are then sent to terminal device 101,102.

It should be understood that the number of the terminal device, network and server in Fig. 1 is only schematical.According to realization need It wants, can have any number of terminal device, network and server.

With continued reference to Fig. 2, one embodiment of the data transmission method of the Android intelligent terminal according to the application is shown Flow 200, the present embodiment method includes the following steps：

Step 201, the network for monitoring application program uploads data.

It is typically by the realization of monitoring unit (such as the management software being mounted on intelligent terminal) that monitoring network, which uploads data,. It can be that the application program installed in Android intelligent terminal is sent out that the network, which uploads data, can also be Android intelligent terminal (such as system update data) that system software is sent out.Network uploads data and is initiated by Android intelligent terminal, and is sent to correspondence Destination server.

Step 202, data are uploaded to above-mentioned network according to network transmission configuration information to be encrypted to obtain encryption upload number According to above-mentioned network transmission configuration information is for being encrypted classification to network data and configuring security strategy.

Network data can be diversified, for different types of network data, encrypted method and security strategy Also different.Therefore, it first has to that network upload data are encrypted according to network transmission configuration information, obtains encryption and upload number According to.

Step 203, above-mentioned encryption is uploaded into data and security server, above-mentioned data peace is sent to by data security channel Full tunnel is for protecting the transmission process of network data.

Data security channel can protect network data, and security server, which is then used to receive encryption, uploads data. Encryption is uploaded into data, security server is sent to by data security channel, is achieved that and (uploaded network in data source header Data encryption at encryption upload data) and data transmission procedure (being transmitted by data security channel) in network upload number According to protection.

Step 204, the encryption down-transmitting data that the above-mentioned encryption of correspondence that above-mentioned security server is sent uploads data is received.

Security server not instead of network uploads the destination server of data, in order to upload data for receiving network Server.After encryption upload data are sent to destination server by security server, pair that destination server is sent can be also received The encryption down-transmitting data for uploading data should be encrypted.

Step 205, above-mentioned encryption down-transmitting data is decrypted to obtain target data, above-mentioned target data is sent to State application program.

In order to ensure the safety of network data, the encryption down-transmitting data of reception is also to be encrypted.Therefore, it is necessary to pair to add Close down-transmitting data is decrypted, and obtains the target data that corresponding network uploads data.Corresponding step 201, target data is sent To the application program for sending out network upload data, the safe transmission of the number networks is completed.

The present embodiment method uploads data to network by network transmission configuration information and is encrypted to obtain encryption upload number According to, can to network upload data targetedly be protected；Then above-mentioned encryption is uploaded by data by data security channel It is sent to security server, further the transmission process of data is protected；The encryption that security server is sent later Down-transmitting data is decrypted, and the whole process protection to network data is realized, and greatly improves Android intelligent terminal transmission network The safety of network data.

In some optional realization methods of the present embodiment, data security channel needs uploading data progress to network It just establishes before network transmission, therefore, can also include the following steps before step 201：

Data security channel is established, may comprise steps of：

The first step, to above-mentioned security server transmission data CIPHERING REQUEST.

In practice, initiator's (Android intelligent terminal of such as the present embodiment) of network data needs first to send out to security server It send data encryption to ask, data is retransmited after confirmation can send network data to security server.

Second step receives the data security channel configuration information that above-mentioned security server is sent.

Data security channel configuration information contains the information for establishing data security channel, and Android intelligent terminal can basis Data security channel configuration information establishes corresponding data-interface.

Third walks, and configures the first data-interface according to above-mentioned data security channel configuration information, and to above-mentioned security service Device sends the first data-interface configuration information of above-mentioned first data-interface.

What the first data-interface was equivalent to the network data of Android intelligent terminal sends out port, needs the first data-interface Configuration information be sent to security server, so that security server is correspondingly arranged the receiving port of network data.

4th step receives the second data-interface configuration information that above-mentioned security server is sent.

Second data-interface configuration information contains the information of the second data-interface corresponding with the first data-interface.Its In, the second data-interface is exactly the receiving port of network data on the secure server.

5th step binds above-mentioned first data-interface configuration information and above-mentioned second data-interface configuration information, Data security channel application information is obtained, and above-mentioned data security channel application information is sent to above-mentioned security server.

First data-interface configuration information and the second data-interface configuration information are bound, can be avoided in the first number It is held as a hostage or distorts according to the network data transmitted between interface and the second data-interface；Then by the first data-interface after binding Configuration information and the second data-interface configuration information are sent to security server as data security channel application information.

6th step receives the Path Setup confirmation message that above-mentioned security server is sent, completes above-mentioned data security channel Foundation.

The Path Setup confirmation message that security server is sent is received, is illustrated on the secure server by the first number Data security channel is established according to interface and the second data-interface.At this point, Android intelligent terminal can pass through data security channel Carry out transmitting for network data.

In some optional realization methods of the present embodiment, after establishing data security channel, first have to on network It passes data to be encrypted, then transmit again.Correspondingly, step 102 may include steps of：

The first step determines that above-mentioned network uploads the data encryption type of data according to above-mentioned network transmission configuration information.

It can be seen from the above, network transmission configuration information is used to be directed to different types of network data, different encryptions is used Method and security strategy.Therefore, it first has to that classification is encrypted to network upload data.

The development and change of network are exceedingly fast, and the thing followed is the rapidly growth of internet worm, if it is desired to network data It is protected, must just grasp current network security situation in time, and targetedly protected to network data.For this purpose, The above-mentioned first step can also include the following steps：

Step a reads above-mentioned network transmission configuration information from above-mentioned security server.

Network transmission configuration information is believed the categorized protection that network data carries out according to the safety of current network data Breath, also, network transmission configuration information can (such as Baidu's mobile phone bodyguard virus base, Baidu kill according to newest internet worm library Malicious software virus library etc.) adjustment in time is to the Preservation tactics of network data.Therefore, Android intelligent terminal needs first from security service Device obtains newest network transmission configuration information.

Step b searches text if it includes text data that above-mentioned network, which uploads data, from above-mentioned network transmission configuration information Word security strategy determines word encryption type according to above-mentioned word security strategy；If it includes video counts that above-mentioned network, which uploads data, According to then the lookup Video security strategy from above-mentioned network transmission configuration information, determines that video adds according to above-mentioned Video security strategy Close type；If it includes audio data that above-mentioned network, which uploads data, audio secure is searched from above-mentioned network transmission configuration information Strategy determines audio encryption type according to above-mentioned audio secure strategy；If it includes image data that above-mentioned network, which uploads data, from Picture security strategy is searched in above-mentioned network transmission configuration information, and image ciphering type is determined according to above-mentioned picture security strategy.

For different network datas, viral type and the form of expression are also different, therefore will be according to network data (net Network upload data) concrete type determine protection security strategy and encryption type.It should be noted that network data is in addition to upper Outside text data, video data, audio data and the image data stated, also other kinds of data are also corresponding with its safety Strategy no longer describes one by one herein.

Second step generates the first secret key at random according to above-mentioned data encryption type.

After knowing the encryption type that network uploads data, the first secret key is generated according to the encryption type at random.Due to first What secret key was randomly generated, this has been considerably improved network and has uploaded Information Security.

Third walks, and carrying out asymmetric encryption to above-mentioned first secret key obtains the second secret key.

What the first secret key was randomly generated, belong to symmetric cryptography, symmetric cryptography still has the possibility being cracked.Therefore, After obtaining the first secret key, then asymmetric encryption is carried out to the first secret key and obtains the second secret key, substantially increased and crack difficulty, it will Network uploads the possibility that data are cracked and further decreases.

4th step uploads data by the above-mentioned network of above-mentioned second secret key pair and is encrypted to obtain encryption upload data.

It is encrypted twice it should be noted that the present embodiment uploads data to network, in practice, according to different nets Situations such as network environment and different types of network upload data, encrypted number and encrypted specific method may be different, but Therefore the application can't be construed as limiting.

In some optional realization methods of the present embodiment, after completing the encryption to network upload data, peace will receive The corresponding encryption down-transmitting data that full server is sent, target data can just be obtained by needing that encryption down-transmitting data is decrypted. Specifically, step 205 may include steps of：

The first step extracts the 4th secret key from above-mentioned encryption down-transmitting data.

4th secret key is that security server is arranged to protect network data, before decryption, needs first to extract the 4th close Spoon.

Second step carries out asymmetric decryption to above-mentioned 4th secret key and obtains third secret key.

It is answered with the second above-mentioned secret key pair, the 4th secret key herein is also to be obtained through asymmetric encryption.It therefore, be to Four secret keys carry out asymmetric decryption, obtain third secret key.

Third walks, and is decrypted to obtain target data to above-mentioned third secret key.

Third secret key is similar with the first secret key, belongs to symmetric cryptography, and corresponding network has just been obtained after decryption and has uploaded data Target data.

In practice, when network, which uploads data, obviously belongs to insensitive information, it can not be encrypted, can be saved in this way Save Android intelligent terminal performance.

Another embodiment flow chart of the data transmission method of Android intelligent terminal is shown below with reference to Fig. 3, Fig. 3 300, the present embodiment method includes the following steps：

Step 301, it receives Android intelligent terminal and data is uploaded by the encryption that data security channel is sent.

It is typically being received by corresponding Network Security Device (such as security server) that encryption, which uploads data,.Data safety is logical Road be connect Android intelligent terminal and Network Security Device data channel, can ensure network data in transmission process not by It distorts or intercepts and captures.

Step 302, data are uploaded to above-mentioned encryption to be decrypted to obtain network upload data.

Encryption, which uploads data, to be obtained after uploading data encryption to the network that Android intelligent terminal is sent out, it is therefore desirable to first Data are uploaded to encryption to be decrypted, and are obtained network and are uploaded data.

Step 303, above-mentioned network upload data are sent to corresponding destination server.

Destination server is that network uploads the data server to be reached, such as Baidu's Cloud Server.In order to be taken to target The data that business device is sent are protected, at this time, it may be necessary to which network to be uploaded to the ground for sending out address and being revised as security server of data Location, so that the data that security server sends destination server are protected.

Step 304, the target data that the above-mentioned network of correspondence that above-mentioned destination server is sent uploads data is received.

After destination server receives network upload data, particular content or the requirement of data can be uploaded according to network, to Security server sends corresponding network data (i.e. target data).It include the address letter of security server in target data Breath.

Step 305, above-mentioned target data is encrypted according to network transmission configuration information to obtain encryption down-transmitting data, it will Above-mentioned encryption down-transmitting data is sent to above-mentioned Android intelligent terminal by above-mentioned data security channel.

When being transmitted to target data, also target data is encrypted, obtain encryption down-transmitting data.At this point, The reception address information that will encrypt down-transmitting data is needed to remodify the address information for Android intelligent terminal.Encrypt down-transmitting data Corresponding Android intelligent terminal can be found by the address information, corresponding Android is then sent to by data security channel Intelligent terminal.

In some optional realization methods of the present embodiment, data security channel needs uploading data progress to network It is just established before network transmission, therefore, the present embodiment method can also include the following steps before step 301：

Data security channel is established, following steps are can specifically include：

The first step receives the data encryption request that Android intelligent terminal is sent.

Data encryption request is sent from initiator's (such as above-mentioned Android intelligent terminal) of network data to security server.

Second step asks to match confidence to above-mentioned Android intelligent terminal transmission data escape way according to above-mentioned data encryption Breath.

In order to protect the network data that Android intelligent terminal is sent, need to pacify to Android intelligent terminal transmission data Full tunnel configuration information informs that Android intelligent terminal carries out the transmission of network data by which type of data channel.

Data security channel configuration information is not fixed, with the security situation dynamic change of network data, Therefore, it is necessary to data security channel configuration information is arranged according to the actual network condition of Android intelligent terminal.Specifically, above-mentioned Second step can also include the following steps：

Step a, according to the network environment information residing for the above-mentioned above-mentioned Android intelligent terminal of data encryption requesting query.

Android intelligent terminal may be that the direct network server with mobile, unicom or telecommunications is connect, it is also possible to first connect Local router is connect, is then connect with the network server of movement, unicom or telecommunications by router, it is also possible to be other nets Network ambient conditions.Therefore, it is necessary to determine the actual network environment information of Android intelligent terminal first, data safety is then considered further that Channel configuration information.

Step b determines the data channel for the transmission that guarantees data security according to above-mentioned network environment information.

Different data channel is selected for different network environments, it can be according to the actually located net of Android intelligent terminal Network environment is selectively determined to guarantee data security the data channel of transmission.

Step c sends the data security channel configuration information of corresponding above-mentioned data channel to above-mentioned Android intelligent terminal.

After the information for obtaining the data channel for the transmission that can guarantee data security, so that it may to configure number according to the data channel According to escape way configuration information, and it is sent to Android intelligent terminal.

Third walks, and receives the first data-interface configuration information that above-mentioned Android intelligent terminal is sent.

First data-interface configuration information is that Android intelligent terminal is determined according to data security channel configuration information.First Corresponding first data-interface of data-interface configuration information is located in Android intelligent terminal, and the transmitting terminal of data is uploaded as network Mouthful.

4th step, establishes corresponding with above-mentioned first data-interface configuration information the second data-interface, and by above-mentioned second Second data-interface configuration information of data-interface is sent to above-mentioned Android intelligent terminal.

After knowing the first data-interface configuration information of Android intelligent terminal, need according to data security channel configuration information Establish the second data-interface of corresponding first data-interface.Second data-interface uploads the receiving port of data as network.It will Second data-interface configuration information of the second data-interface is sent to above-mentioned Android intelligent terminal, informs Android intelligent terminal second Data-interface has built up completion.

5th step receives the data security channel application information that above-mentioned Android intelligent terminal is sent.

Data security channel application information is that Android intelligent terminal will be after the first data-interface and the second binding data interfaces It obtains, illustrates that the transmission that network uploads data can be carried out by the first data-interface and the second data-interface.

6th step establishes above-mentioned data security channel according to above-mentioned data security channel application information, and to above-mentioned Android Intelligent terminal sendaisle establishes confirmation message.

After receiving data security channel application information, so that it may to establish the first data-interface of connection and second data-interface Then data security channel establishes confirmation message to by Android intelligent terminal sendaisle, inform that Android intelligent terminal can lead to It crosses data security channel and sends network upload data.

In some optional realization methods of the present embodiment, data security channel is used for the transmission process to network data It is protected, in addition to this, it is also necessary to network data itself be protected, the transmission of network data then could be carried out.Cause This, the present embodiment method can also include the following steps before step 301：

Network transmission configuration information is set, following steps are can specifically include：

The first step classifies network data to obtain data encryption type information.

Network data is all changing at any time, therefore, it is necessary to according to current network data security situation to network number According to being classified, to determine for the safeguard measure per a kind of network data, that is, need the classification number according to network data According to encryption type information.

Second step inquires data invasion record according to above-mentioned data encryption type information, and above-mentioned data invasion record includes The record that network data is invaded in setting time.

After obtaining data encryption type information, network disinfection server (such as Baidu's cloud disinfection server) can be passed through The newest data invasion record of the corresponding data encryption type information of solution.

Third walks, and the security strategy of the corresponding above-mentioned encryption type information of record setting is invaded according to above-mentioned data.

After inquiring data invasion record, is determined how by network disinfection server and network data is avoided to be invaded or such as The method what carries out killing to internet worm, and further determine that the security strategy of the corresponding encryption type information.

Above-mentioned data encryption type information and security strategy are packaged into network transmission configuration information by the 4th step.

Data encryption type information and the correspondence of security strategy are established, network transmission configuration information is obtained.Work as network Disinfection server does not find when being recorded by invasion of new network data, is directly added to data by network transmission configuration information The corresponding network data of close type information is configured；When finding when being recorded by invasion of new network data, it is somebody's turn to do according to corresponding Network transmission configuration information is changed by the solution of invasion record, realizes the dynamic real-time update of network transmission configuration information, It ensure that the safety of network data transmission.

In some optional realization methods of the present embodiment, encryption, which uploads data, to be obtained after uploading data encryption to network It arrives, cannot encryption directly be uploaded into data and be sent to destination server, but needed to upload in data from encryption and decrypt net Network uploads data, and network upload data are then sent to destination server again.Therefore, step 302 may include steps of：

The first step uploads extracting data from above-mentioned encryption and goes out the second secret key.

Second secret key is the secret key used when Android intelligent terminal uploads data to network, to upload data to encryption and carry out Decryption first has to obtain the second secret key.

Second step carries out asymmetric decryption to above-mentioned second secret key and obtains the first secret key.

Second secret key is obtained through asymmetric encryption, therefore, to be carried out asymmetric decryption to the second secret key, be obtained first Secret key.

Third walks, and above-mentioned first secret key is decrypted to obtain network upload data.

The symmetric key that first secret key is randomly generated, herein to the decryption of the first secret key by the way of symmetrically decrypting, The network for obtaining Android intelligent terminal transmission uploads data.

In some optional realization methods of the present embodiment, on obtaining the above-mentioned network of correspondence that destination server is sent After the target data for passing data, also target data is encrypted, then be sent again to Android intelligent terminal.Specifically, step Rapid 305 may include：

The first step determines the data encryption type of above-mentioned target data according to above-mentioned network transmission configuration information.

It is similar with to the network upload method of data encryption, first have to the data encryption type for determining target data.Network Transmission of configuration information is the categorized protection information carried out to network data according to current network Information Security, also, network passes Defeated configuration information can be timely according to newest internet worm library (such as mobile phone bodyguard virus base, mobile phone antivirus software virus base) Adjust the Preservation tactics to network data.Therefore, this step can also include：If above-mentioned target data includes text data, Word security strategy is searched from above-mentioned network transmission configuration information, determines that word encrypts class according to above-mentioned word security strategy Type；If above-mentioned target data includes video data, Video security strategy is searched from above-mentioned network transmission configuration information, according to Above-mentioned Video security strategy determines video-encryption type；If above-mentioned target data includes audio data, from above-mentioned network transmission Audio secure strategy is searched in configuration information, and audio encryption type is determined according to above-mentioned audio secure strategy；If above-mentioned number of targets According to comprising image data, then picture security strategy is searched from above-mentioned network transmission configuration information, according to the safe plan of above-mentioned picture Slightly determine image ciphering type.

For different network datas, viral type and the form of expression are also different, therefore to upload number according to network The security strategy and encryption type of protection are determined according to the concrete type of (network data).It should be noted that network data in addition to Outside above-mentioned text data, video data, audio data and image data, also other kinds of data are also corresponding with other The security strategy of categorical data, no longer describes one by one herein.

In practice, when target data obviously belongs to insensitive information, it can not be encrypted, peace can be saved in this way Full server performance.

Second step generates third secret key at random according to above-mentioned data encryption type.

Third secret key is similar with the first secret key, in order to improve safety, is also randomly generated.

Third walks, and carrying out asymmetric encryption to above-mentioned third secret key obtains the 4th secret key.

On the basis of third secret key, then carries out asymmetric encryption and obtain the 4th secret key.

4th step is encrypted to obtain encryption down-transmitting data by the above-mentioned target data of above-mentioned 4th secret key pair.

It should be noted that the present embodiment encrypts target data twice, in practice, according to different network rings Situations such as border and different types of target data, encrypted number and encrypted specific method may be different, but can't be because This is construed as limiting the application.

The composed structure schematic diagram of the data transmission device of Android intelligent terminal is shown below with reference to Fig. 4, Fig. 4.This reality The data transmission device 400 for applying the Android intelligent terminal of example may include：Monitoring unit 401, network upload DEU data encryption unit 402, encryption uploads data transmission unit 403, encryption down-transmitting data receiving unit 404 and encryption down-transmitting data decryption unit 405.Wherein, monitoring unit 401 is used to monitor the network upload data of application program；Network uploads DEU data encryption unit 402 and uses It is encrypted to obtain encryption upload data, above-mentioned network transmission in uploading data to above-mentioned network according to network transmission configuration information Configuration information is for being encrypted classification to network data and configuring security strategy；Encryption uploads data transmission unit 403 and is used for Above-mentioned encryption is uploaded into data, security server is sent to by data security channel, above-mentioned data security channel is used for network The transmission process of data is protected；Encryption down-transmitting data receiving unit 404 is for receiving pair that above-mentioned security server is sent Above-mentioned encryption is answered to upload the encryption down-transmitting data of data；Down-transmitting data decryption unit 405 is encrypted for passing number under above-mentioned encryption According to being decrypted to obtain target data, and above-mentioned target data is sent to above application program.

In the present embodiment, it is typically to be realized by network monitor equipment that monitoring network, which uploads data,.The present embodiment passes through Monitoring unit 401 uploads data to network and is monitored, and it can be answering of being installed in Android intelligent terminal which, which uploads data, It is sent out with program, can also be (such as system update data) that the system software of Android intelligent terminal is sent out.Network uploads Data are initiated by Android intelligent terminal, and are sent to corresponding destination server.

Network data can be diversified, and for different types of network data, network uploads DEU data encryption unit 402 encrypted methods and security strategy are also different.Therefore, first have to according to network transmission configuration information to network upload data into Row encryption obtains encryption and uploads data.

Data security channel can protect network data, and security server, which is then used to receive encryption, uploads data. After obtaining encryption upload data, encryption is uploaded by data by encryption upload data transmission unit 403 and passes through data security channel It is sent to security server, is achieved that and is passed in data source header (network is uploaded data encryption and uploads data at encryption) and data The protection of data is uploaded in defeated process (being transmitted by data security channel) to network.

Security server not instead of network uploads the destination server of data, in order to upload data for receiving network Server.Security server will encryption upload data be sent to after destination server and it is above-mentioned to security server send number According to process it is corresponding, the encryption down-transmitting data receiving unit 404 of security server can also receive pair that destination server is sent The encryption down-transmitting data for uploading data should be encrypted.

In order to ensure the safety of network data, the encryption down-transmitting data of reception is also to be encrypted.Therefore, it is necessary to pass through Encryption down-transmitting data is decrypted in encryption down-transmitting data decryption unit 405, obtains the target data that corresponding network uploads data. Target data is sent to and sends out the application program that network uploads data, completes the safe transmission of the number networks.

In some optional realization methods of the present embodiment, data security channel needs uploading data progress to network It is just established before network transmission, therefore, the data transmission device 400 of the Android intelligent terminal of the present embodiment can also include：

First passage establishes unit, for establishing data security channel.First passage establishes unit：Data add Close request transmission sub-unit, data security channel configuration information receiving subelement, the first data-interface establish subelement, the second number Subelement is established according to interface configuration information receiving subelement, application information subelement and second channel.Wherein, data encryption is asked Transmission sub-unit is used for above-mentioned security server transmission data CIPHERING REQUEST；Data security channel configuration information receiving subelement The data security channel configuration information sent for receiving above-mentioned security server；First data-interface establishes subelement for root The first data-interface is configured according to above-mentioned data security channel configuration information, and above-mentioned first data are sent to above-mentioned security server First data-interface configuration information of interface；Second data-interface configuration information receiving subelement is for receiving above-mentioned security service The second data-interface configuration information that device is sent；Application information subelement be used for by above-mentioned first data-interface configuration information with It states the second data-interface configuration information to be bound, obtains data security channel application information, and by above-mentioned data security channel Application information is sent to above-mentioned security server；It is logical for receive that above-mentioned security server sends that second channel establishes subelement Confirmation message is established in road, completes the foundation of above-mentioned data security channel.In practice, initiator's (such as the present embodiment of network data Android intelligent terminal) need first to security server transmission data CIPHERING REQUEST, to send to security server confirming Data are retransmited after network data.The present embodiment asks transmission sub-unit to be realized to data CIPHERING REQUEST by data encryption It sends.

Corresponding, data security channel configuration information receiving subelement can receive data security channel configuration information, data Escape way configuration information contains the information for establishing data security channel, and Android intelligent terminal can be according to data security channel Configuration information establishes corresponding data-interface.

Then, the first data-interface is configured according to above-mentioned data security channel configuration information, the first data-interface is equivalent to The network data of Android intelligent terminal sends out port, needs to establish subelement by the first data-interface by the first data-interface Configuration information be sent to security server, so that security server is correspondingly arranged the receiving port of network data.

Match correspondingly, the second data-interface configuration information receiving subelement will receive the second data-interface that server is sent Confidence ceases, and the second data-interface configuration information contains the information of the second data-interface corresponding with the first data-interface.Wherein, Second data-interface is exactly the receiving port of network data on the secure server.

Later, application information subelement ties up the first data-interface configuration information and the second data-interface configuration information It is fixed, the network data transmitted between the first data-interface and the second data-interface can be avoided to be held as a hostage or distort；Then will The first data-interface configuration information and the second data-interface configuration information after binding are sent out as data security channel application information Give security server.

Correspondingly, second channel, which establishes subelement, will receive the Path Setup confirmation message that security server is sent, explanation Data security channel is established by the first data-interface and the second data-interface on the secure server.At this point, Android Intelligent terminal can carry out transmitting for network data by data security channel.

In some optional realization methods of the present embodiment, after establishing data security channel, first have to on network It passes data to be encrypted, then transmit again.Therefore, network upload DEU data encryption unit 402 may include：First encryption type is true Stator unit, the first secret key generate subelement, the second secret key generates subelement and the first encryption sub-unit operable.Wherein, the first encryption Type determination unit is used to determine that above-mentioned network uploads the data encryption type of data according to above-mentioned network transmission configuration information； First secret key generates subelement and is used to generate the first secret key at random according to above-mentioned data encryption type；Second secret key generates subelement The second secret key is obtained for carrying out asymmetric encryption to above-mentioned first secret key；First encryption sub-unit operable is used for close by above-mentioned second Spoon uploads data to above-mentioned network and is encrypted to obtain encryption upload data.

It can be seen from the above, network transmission configuration information is used to be directed to different types of network data, different encryptions is used Method and security strategy.Therefore, it first has to upload data to network by the first encryption type determination subelement and be encrypted point Class.

After knowing the encryption type that network uploads data, the first secret key generates subelement and is generated at random according to the encryption type First secret key.It is randomly generated due to the first secret key, this has been considerably improved network and has uploaded Information Security.

What the first secret key was randomly generated, belong to symmetric cryptography, symmetric cryptography still has the possibility being cracked.Therefore, After obtaining the first secret key, the second secret key generates subelement and obtains the second secret key to the first secret key progress asymmetric encryption again, greatly Big improve cracks difficulty, and the possibility that network upload data are cracked is further decreased.

Finally, data are uploaded to above-mentioned network by the first encryption sub-unit operable to be encrypted to obtain encryption upload data.

It is encrypted twice it should be noted that the present embodiment uploads data to network, in practice, according to different nets Situations such as network environment and different types of network upload data, encrypted number and encrypted specific method may be different, but Therefore the application can't be construed as limiting.

In some optional realization methods of the present embodiment, since the development and change of network are exceedingly fast, the thing followed is The rapidly growth of internet worm, if it is desired to network data be protected, must just grasp current network security feelings in time Condition, and targetedly network data is protected.For this purpose, the first encryption type determination subelement may include：Acquisition of information Module and the first judgment module.Wherein, data obtaining module is used to read above-mentioned network transmission configuration from above-mentioned security server Information；First judgment module is used for when above-mentioned network uploads data and includes text data, from above-mentioned network transmission configuration information Middle lookup word security strategy determines word encryption type according to above-mentioned word security strategy, and data packet is uploaded in above-mentioned network When containing video data, searches Video security strategy from above-mentioned network transmission configuration information, true according to above-mentioned Video security strategy Determine video-encryption type, when above-mentioned network uploads data and includes audio data, is searched from above-mentioned network transmission configuration information Audio secure strategy determines audio encryption type according to above-mentioned audio secure strategy；It includes picture to upload data in above-mentioned network When data, picture security strategy is searched from above-mentioned network transmission configuration information, picture is determined according to above-mentioned picture security strategy Encryption type.

Network transmission configuration information is believed the categorized protection that network data carries out according to the safety of current network data Breath, also, network transmission configuration information can (such as Baidu's mobile phone bodyguard virus base, Baidu kill according to newest internet worm library Malicious software virus library etc.) adjustment in time is to the Preservation tactics of network data.Therefore, the data obtaining module in Android intelligent terminal It needs first to obtain newest network transmission configuration information from security server.

For different network datas, viral type and the form of expression are also different, therefore want the first judgment module root The security strategy and encryption type of protection are determined according to the concrete type of network data (network upload data).It should be noted that Network data is other than above-mentioned text data, video data, audio data and image data, also other kinds of data, Also it is corresponding with its security strategy, is no longer described one by one herein.

In some optional realization methods of the present embodiment, after completing the encryption to network upload data, peace will receive The corresponding encryption down-transmitting data that full server is sent, target data can just be obtained by needing that encryption down-transmitting data is decrypted. Specifically, encryption down-transmitting data decryption unit 405 may include：Second extraction subelement, third decryption subelement and the 4th solution Close subelement.Wherein, the second extraction subelement from above-mentioned encryption down-transmitting data for extracting the 4th secret key；Third decryption Unit is used to carry out asymmetric decryption to above-mentioned 4th secret key to obtain third secret key；4th decryption subelement is used for above-mentioned third Secret key is decrypted to obtain target data.

In the present embodiment, the 4th secret key is that security server is arranged to protect network data, before decryption, needs Two extraction subelements first extract the 4th secret key.

It is answered with the second above-mentioned secret key pair, the 4th secret key herein is also to be obtained through asymmetric encryption.Therefore, it is necessary to Three decryption the 4th secret keys of subelement pair carry out asymmetric decryption, obtain third secret key.

Third secret key is similar with the first secret key, belongs to symmetric cryptography, has just been obtained pair after the 4th decryption subelement decryption Network is answered to upload the target data of data.

In practice, when network, which uploads data, obviously belongs to insensitive information, it can not be encrypted, can be saved in this way Save Android intelligent terminal performance.

The composed structure schematic diagram of security server is shown below with reference to Fig. 5, Fig. 5.The above-mentioned safety clothes of the present embodiment Business device 500 may include：Encryption uploads data receipt unit 501, encryption uploads data decryption unit 502, network uploads data Transmission unit 503, target data receiving unit 504 and target data encryption unit 505.Wherein, encryption uploads data receiver list Member 501 uploads data for receiving Android intelligent terminal by the encryption that data security channel is sent；Encryption uploads data deciphering Unit 502 is used to upload data to above-mentioned encryption and is decrypted to obtain network upload data；Network uploads data transmission unit 503 For above-mentioned network upload data to be sent to above-mentioned corresponding destination server；Target data receiving unit 504 is for receiving The above-mentioned network of correspondence that above-mentioned destination server is sent uploads the target data of data；Target data encryption unit 505 is used for root Above-mentioned target data is encrypted according to network transmission configuration information to obtain encryption down-transmitting data, above-mentioned encryption down-transmitting data is led to It crosses above-mentioned data security channel and is sent to above-mentioned Android intelligent terminal.

It is typically being received by corresponding Network Security Device (such as security server) that encryption, which uploads data, and the present embodiment is logical It crosses encryption and uploads data receipt unit 501 to realize the reception for uploading data to encryption.Data security channel is connection Android intelligence The data channel of energy terminal and Network Security Device, can ensure that network data is not tampered or intercepts and captures in transmission process.

Encryption, which uploads data, to be obtained after uploading data encryption to the network that Android intelligent terminal is sent out, it is therefore desirable to first Data decryption unit 502 is uploaded by encryption encryption upload data are decrypted, obtain network and upload data.

Destination server is that network uploads the data server to be reached, such as Baidu's Cloud Server.In order to be taken to target The data that business device is sent are protected, at this time, it may be necessary to which network to be uploaded to the ground for sending out address and being revised as security server of data Location,

Then data transmission unit 503 is uploaded by network and network upload data is sent to corresponding destination server, So that the data that security server sends destination server are protected.

After destination server receives network upload data, particular content or the requirement of data can be uploaded according to network, to The target data receiving unit 504 of security server sends corresponding network data, and (i.e. target data includes in target data The address information of security server).

When being transmitted to target data, also target data is encrypted by target data encryption unit 505, Obtain encryption down-transmitting data.At this time, it may be necessary to remodify the reception for encrypting down-transmitting data address information for Android intelligent terminal Address information.Encryption down-transmitting data can find corresponding Android intelligent terminal by the address information, then pass through data Escape way is sent to corresponding Android intelligent terminal.

In some optional realization methods of the present embodiment, data security channel needs uploading data progress to network It is just established before network transmission, therefore, above-mentioned security server can also establish unit including second channel, for establishing data Escape way.Second channel establishes unit：Receiving subelement, data security channel configuration information are asked in data encryption Transmission sub-unit, the first data-interface configuration information receiving subelement, the second data-interface establish subelement, data security channel Application information receiving subelement and first passage establish subelement.Wherein, data encryption request receiving subelement is pacified for receiving The data encryption request that tall and erect intelligent terminal is sent；Data security channel configuration information transmission sub-unit according to above-mentioned data for adding It is close to ask to above-mentioned Android intelligent terminal transmission data escape way configuration information；It is single that first data-interface configuration information receives son Member is for receiving the first data-interface configuration information that above-mentioned Android intelligent terminal is sent；Second data-interface establishes subelement use In establishing corresponding with above-mentioned first data-interface configuration information the second data-interface, and by the second of above-mentioned second data-interface Data-interface configuration information is sent to above-mentioned Android intelligent terminal；Data security channel application information receiving subelement is for receiving The data security channel application information that above-mentioned Android intelligent terminal is sent；First passage establishes subelement for according to above-mentioned data Escape way application information establishes above-mentioned data security channel, and establishes confirmation letter to above-mentioned Android intelligent terminal sendaisle Breath.

Data encryption request is sent to safety clothes by initiator's (Android intelligent terminal in such as embodiment 1) of network data Receiving subelement is asked in the data encryption of business device.

In order to be protected to the network data that Android intelligent terminal is sent, need through data security channel configuration information Transmission sub-unit informs which type of Android intelligent terminal passes through to Android intelligent terminal transmission data escape way configuration information Data channel carries out the transmission of network data.

After Android intelligent terminal receives data security channel configuration information, the first data-interface can be configured, and first is counted It is sent to the first data-interface configuration information receiving subelement according to interface configuration information.First data-interface configuration information receives son The first data-interface configuration information that unit receives is that Android intelligent terminal is determined according to data security channel configuration information.The Corresponding first data-interface of one data-interface configuration information is located in Android intelligent terminal, and the transmission of data is uploaded as network Port.

After the first data-interface configuration information for obtaining Android intelligent terminal, the second data-interface establishes subelement and needs root The second data-interface of corresponding first data-interface is established according to data security channel configuration information.Second data-interface is as network Upload the receiving port of data.Second data-interface configuration information of the second data-interface is sent to above-mentioned Android intelligence eventually End, informs that the second data-interface of Android intelligent terminal has built up completion.

Then, it is logical to receive the data safety that Android intelligent terminal is sent for data security channel application information receiving subelement Road application information, data security channel application information are Android intelligent terminals by the first data-interface and the second binding data interfaces It obtains afterwards, illustrates that the transmission that network uploads data can be carried out by the first data-interface and the second data-interface.

After receiving data security channel application information, first passage establish subelement can establish connection the first data connect The data security channel of mouth and the second data-interface, then establishes confirmation message to by Android intelligent terminal sendaisle, informs Android intelligent terminal can send network by data security channel and upload data.

In some optional realization methods of the present embodiment, data security channel configuration information is not fixed, With the security situation dynamic change of network data, therefore, it is necessary to set according to the actual network condition of Android intelligent terminal Set data security channel configuration information.Specifically, data security channel configuration information transmission sub-unit may include：Network environment Enquiry module, data channel selecting module and configuration information sending module.Wherein, network environment enquiry module is used for according to above-mentioned Network environment information residing for the above-mentioned Android intelligent terminal of data encryption requesting query；Data channel selecting module be used for according to State data channel of the network environment information determination for the transmission that guarantees data security；Configuration information sending module is used for above-mentioned peace Tall and erect intelligent terminal sends the data security channel configuration information of corresponding above-mentioned data channel.

Android intelligent terminal may be that the direct network server with mobile, unicom or telecommunications is connect, it is also possible to first connect Local router is connect, is then connect with the network server of movement, unicom or telecommunications by router, it is also possible to be other nets Network ambient conditions.Therefore, it is necessary to determine that the actual network environment of Android intelligent terminal is believed by network environment enquiry module first Breath, then considers further that data security channel configuration information.

Select different data channel, data channel selecting module can be according to Android intelligence for different network environments The actually located network environment of terminal is selectively determined to guarantee data security the data channel of transmission.

After the information for obtaining the data channel for the transmission that can guarantee data security, configuration information sending module can basis The data channel configuration data escape way configuration information, and it is sent to Android intelligent terminal.

In some optional realization methods of the present embodiment, data security channel is used for the transmission process to network data It is protected, in addition to this, it is also necessary to network data itself be protected, the transmission of network data then could be carried out.Cause This, the above-mentioned security server of the present embodiment can also include：Network transmission configuration information unit, for network transmission configuration to be arranged Information.Network transmission configuration information unit may include：Encryption classification subelement, invasion record queries subelement, security strategy Subelement is set and network transmission configuration information generates subelement.Wherein, encryption classification subelement is used for above-mentioned network data Classified to obtain data encryption type information；Invasion record queries subelement according to above-mentioned data encryption type information for looking into Data invasion record is ask, above-mentioned data invasion record contains the record that network data in setting time is invaded；Security strategy Security strategy of the subelement for invading the corresponding above-mentioned encryption type information of record setting according to above-mentioned data is set；Network transmission Configuration information generates subelement and is used to above-mentioned data encryption type information and security strategy being packaged into network transmission configuration information.

Network data is all changing at any time, therefore, it is necessary to according to current network data security situation to network number According to being classified, to determine for the safeguard measure per a kind of network data, that is, need to encrypt classification subelement according to network number According to classification obtain data encryption type information.

It, can be by network disinfection server (such as Baidu's cloud disinfection server) after obtaining data encryption type information Invade the newest data invasion record that record queries subelement understands the corresponding data encryption type information.

After inquiring data invasion record, is determined how by network disinfection server and network data is avoided to be invaded or such as The method what carries out killing to internet worm, and subelement is further arranged by security strategy and determines corresponding encryption type letter The security strategy of breath.

Network transmission configuration information generates subelement and establishes data encryption type information and the correspondence of security strategy, obtains To network transmission configuration information.When network disinfection server do not find new network data by invasion record when, directly lead to Network transmission configuration information is crossed to configure the corresponding network data of data encryption type information；When the new network data of discovery When being recorded by invasion, network transmission configuration information is changed according to the corresponding solution by invasion record, realizes that network passes The dynamic real-time update of defeated configuration information ensure that the safety of network data transmission.

In some optional realization methods of the present embodiment, encryption, which uploads data, to be obtained after uploading data encryption to network It arrives, cannot encryption directly be uploaded into data and be sent to destination server, but needed to upload in data from encryption and decrypt net Network uploads data, and network upload data are then sent to destination server again.Therefore, encryption uploads data decryption unit 502 May include：First extraction subelement, the first decryption subelement and the second decryption subelement.Wherein, the first extraction subelement is used Go out the second secret key in uploading extracting data from above-mentioned encryption；It is non-right that first decryption subelement is used to carry out above-mentioned second secret key Decryption is claimed to obtain the first secret key；Second decryption subelement is used to that above-mentioned first secret key to be decrypted to obtain network upload data.

Second secret key is the secret key used when Android intelligent terminal uploads data to network, to upload data to encryption and carry out Decryption first has to obtain the second secret key by the first extraction subelement.

Seen from the above description, the second secret key is obtained through asymmetric encryption, therefore, to pass through the first decryption subelement Asymmetric decryption is carried out to the second secret key, obtains the first secret key.

The symmetric key that first secret key is randomly generated, herein, the decryption of second decryption the first secret key of subelement pair use The mode symmetrically decrypted, the network for obtaining Android intelligent terminal transmission upload data.

In some optional realization methods of the present embodiment, on obtaining the above-mentioned network of correspondence that destination server is sent After the target data for passing data, also target data is encrypted, then be sent again to Android intelligent terminal.On specifically, Stating target data encryption unit 505 may include：Second encryption type determination subelement, third secret key generate subelement, the 4th Secret key generates subelement and the second encryption sub-unit operable.Wherein, the second encryption type determination subelement is used to be passed according to above-mentioned network Defeated configuration information determines the data encryption type of above-mentioned target data；Third secret key generates subelement for adding according to above-mentioned data Close type generates third secret key at random；4th secret key generates subelement and is used to carry out asymmetric encryption to above-mentioned third secret key to obtain 4th secret key；Second encryption sub-unit operable is passed for being encrypted to obtain to encrypt down by the above-mentioned target data of above-mentioned 4th secret key pair Data.

It is similar with to the network upload method of data encryption, it first has to determine mesh by the second encryption type determination subelement Mark the data encryption type of data.

Then, third secret key generates subelement and generates third secret key at random.Third secret key is similar with the first secret key, in order to carry High security is also randomly generated.

On the basis of third secret key, then subelement is generated by the 4th secret key, third secret key progress asymmetric encryption is obtained To the 4th secret key.

Second encryption sub-unit operable is encrypted to obtain encryption down-transmitting data by the above-mentioned target data of above-mentioned 4th secret key pair.

It should be noted that the present embodiment encrypts target data twice, in practice, according to different network rings Situations such as border and different types of target data, encrypted number and encrypted specific method may be different, but can't be because This is construed as limiting the application.

In some optional realization methods of the present embodiment, network transmission configuration information is pacified according to current network data The categorized protection information that full property carries out network data, also, network transmission configuration information can be according to newest internet worm Library (such as mobile phone bodyguard virus base, mobile phone antivirus software virus base) adjusts the Preservation tactics to network data in time.Therefore, Two encryption type determination subelements may include：Second judgment module is used for when above-mentioned target data includes text data, from Word security strategy is searched in above-mentioned network transmission configuration information, and word encryption type is determined according to above-mentioned word security strategy； When above-mentioned target data includes video data, Video security strategy is searched from above-mentioned network transmission configuration information, according to upper It states Video security strategy and determines video-encryption type；When above-mentioned target data includes audio data, match from above-mentioned network transmission Audio secure strategy is searched in confidence breath, audio encryption type is determined according to above-mentioned audio secure strategy；In above-mentioned target data Including when image data, picture security strategy is searched from above-mentioned network transmission configuration information, according to above-mentioned picture security strategy Determine image ciphering type.

For different network datas, viral type and the form of expression are also different, therefore to upload number according to network The security strategy and encryption type of protection are determined according to the concrete type of (network data).It should be noted that network data in addition to Outside above-mentioned text data, video data, audio data and image data, also other kinds of data are also corresponding with other The security strategy of categorical data, no longer describes one by one herein.

In practice, when target data obviously belongs to insensitive information, it can not be encrypted, peace can be saved in this way Full server performance.

A kind of Android intelligent terminal data transmission system is further provided, above system includes that above-mentioned Android intelligence is whole The data transmission device at end and above-mentioned security server.Android intelligent terminal is to security server transmission data CIPHERING REQUEST； Security server establishes data security channel according to data encryption request；Android intelligent terminal is by data security channel to safety Server sends encryption and uploads data；Security server will encryption upload data deciphering after be sent to encryption upload data it is corresponding Destination server, and receive the target data that destination server is sent；What security server obtained after encrypting target data adds Close down-transmitting data is sent to Android intelligent terminal；Android intelligent terminal decrypts encryption down-transmitting data to obtain target data, and will Target data is sent to corresponding application program.The data transmission device and security server of the Android intelligent terminal of the present embodiment Identical as foregoing description, details are not described herein again.

It is an application scenario diagram of the present embodiment below with reference to Fig. 6, Fig. 6.In Fig. 6, multiple Android mobile phones 601 and safety Server 602 connects；Security server 602 is connect with Baidu Cloud Server 603 again.

The present embodiment by Android mobile phone for Baidu cloud is downloaded data, as shown in fig. 7, Fig. 7 show Android mobile phone from The flow chart of one embodiment that Baidu's cloud is downloaded data, illustrates this implementation below in conjunction with application scenarios shown in fig. 6. The present embodiment includes the following steps：

Step 701, under the data that Baidu's cloud application program of monitoring Android mobile phone 601 is sent to Baidu's Cloud Server 603 Carry solicited message.Network transmission configuration information first is downloaded from security server 602, checks the network rings where Android mobile phone 601 Whether border is safe, determines which kind of data channel to carry out network data transmission by.If not establishing data security channel, also want First establish data security channel.

Step 702, solicited message is downloaded to data by network transmission configuration information to be encrypted to obtain encryption upload number According to.The present embodiment also generates the first secret key at random, then obtains the second secret key to the first secret key asymmetric encryption.

Ciphering process can be same as the previously described embodiments, using encrypting twice, can also using single or more than twice Encryption.Can also be symmetric cryptography and other unexpected encryption methods of asymmetric encryption.

Step 703, encryption is uploaded into data and is sent to security server 602.

Encryption uploads data and is sent to security server 602 by data security channel, and data security channel can ensure Encryption uploads data and is not tampered in transmission process.

Step 704, after security server 602 receives encryption upload data, data is uploaded to encryption and are decrypted, are counted According to download solicited message.

When decryption, asymmetric decryption is first carried out, the first secret key is decrypted from the second secret key, then the first secret key is decrypted Obtain data download request information.

Step 705, data download request information is sent to Baidu's Cloud Server 603.

It is initiated aiming at Baidu's Cloud Server 603 due to data download request information, so data download request is believed It include the address information of Baidu's Cloud Server 603 in breath.Meanwhile the downloading data in order to be sent out to Baidu's Cloud Server 603 It is protected, needs that downloading data is encrypted.Therefore, it is necessary to repair the reception address in data download request information It is changed to the address of security server 602.

Step 706, downloading data (the i.e. mesh that the corresponding data that Baidu's Cloud Server 603 is sent downloads solicited message is received Mark data).

It, can be first when Baidu's Cloud Server 603 sends downloading data according to data download request information to Android mobile phone 601 Downloading data is sent to security server 602.

Step 707, security server 602 is encrypted downloading data to obtain encryption down-transmitting data.

Method when encrypted method can be encrypted with Android mobile phone 601 is identical, is first randomly generated third secret key, then Asymmetric encryption is carried out to third secret key and obtains the 4th secret key, is encrypted by the 4th secret key pair downloading data so that is downloaded The possibility that data are tampered is preferably minimized.

Step 708, security server 602 is sent to Android mobile phone 501 by down-transmitting data is encrypted.

At this time, it may be necessary to the reception for encrypting down-transmitting data address information be revised as to the address information of Android mobile phone 601, so Android mobile phone 601 is sent to by down-transmitting data is encrypted by data security channel afterwards.

Step 709, Android mobile phone 601 receives encryption down-transmitting data, and asymmetric decryption is carried out respectively to encryption down-transmitting data With symmetrical decryption, downloading data is obtained.

Step 7010, downloading data is sent to Baidu's cloud application program, so far, completes Android mobile phone 601 from transmission Data protection of the data download request information to reception downloading data whole process.

Below with reference to Fig. 8, it illustrates the computer systems 800 suitable for the server for realizing the embodiment of the present application Structural schematic diagram.

As shown in figure 8, computer system 800 includes central processing unit (CPU) 801, it can be read-only according to being stored in Program in memory (ROM) 802 is loaded into the program in random access storage device (RAM) 803 from storage section 808 And execute various actions appropriate and processing.In RAM803, also it is stored with system 800 and operates required various program sum numbers According to.CPU801, ROM802 and RAM803 are connected with each other by bus 804.Input/output (I/O) interface 805 is also connected to Bus 804.

It is connected to I/O interfaces 805 with lower component：Importation 806 including keyboard, mouse etc.；It is penetrated including such as cathode The output par, c 807 of spool (CRT), liquid crystal display (LCD) etc. and loud speaker etc.；Storage section 808 including hard disk etc.； And the communications portion 809 of the network interface card including LAN card, modem etc..Communications portion 809 via such as because The network of spy's net executes communication process.Driver 810 is also according to needing to be connected to I/O interfaces 805.Detachable media 811, it is all Such as disk, CD, magneto-optic disk, semiconductor memory are mounted on driver 810, as needed in order to be read from thereon The computer program gone out is mounted into storage section 808 as needed.

Particularly, in accordance with an embodiment of the present disclosure, it may be implemented as computer above with reference to the process of flow chart description Software program.For example, embodiment of the disclosure includes a kind of computer program product comprising be tangibly embodied in machine readable Computer program on medium, the computer program include the program code for method shown in execution flow chart.At this In the embodiment of sample, which can be downloaded and installed by communications portion 809 from network, and/or from removable Medium 811 is unloaded to be mounted.

Flow chart in attached drawing and block diagram, it is illustrated that according to the system of the various embodiments of the application, method and computer journey The architecture, function and operation in the cards of sequence product.In this regard, each box in flowchart or block diagram can generation A part for a part for one module, program segment, or code of table, the module, program segment, or code includes one or more Executable instruction for implementing the specified logical function.It should also be noted that in some implementations as replacements, institute in box The function of mark can also occur in a different order than that indicated in the drawings.For example, two boxes succeedingly indicated are practical On can be basically executed in parallel, they can also be executed in the opposite order sometimes, this is depended on the functions involved.Also it wants It is noted that the combination of each box in block diagram and or flow chart and the box in block diagram and or flow chart, Ke Yiyong The dedicated hardware based system of defined functions or operations is executed to realize, or can be referred to specialized hardware and computer The combination of order is realized.

Being described in unit involved in the embodiment of the present application can be realized by way of software, can also be by hard The mode of part is realized.Described unit can also be arranged in the processor, for example, can be described as：A kind of processor packet Include monitoring unit, network uploads DEU data encryption unit, encryption uploads data transmission unit, encrypts down-transmitting data receiving unit and adds Close down-transmitting data decryption unit.Wherein, the title of these units does not constitute the restriction to the unit itself under certain conditions. Such as, monitoring unit is also described as " unit of data is uploaded for monitoring network ".

As on the other hand, present invention also provides a kind of nonvolatile computer storage media, the non-volatile calculating Machine storage medium can be nonvolatile computer storage media included in device described in above-described embodiment；Can also be Individualism, without the nonvolatile computer storage media in supplying terminal.Above-mentioned nonvolatile computer storage media is deposited One or more program is contained, when one or more of programs are executed by an equipment so that the equipment：Monitoring The network of application program uploads data；Data are uploaded according to network transmission configuration information to network to be encrypted to obtain encryption upload Data, network transmission configuration information is for being encrypted classification to network data and configuring security strategy；Encryption is uploaded into data It is sent to security server by data security channel, data security channel is for protecting the transmission process of network data Shield；Receive the encryption down-transmitting data that the corresponding encryption that security server is sent uploads data；Encryption down-transmitting data is decrypted Target data is obtained, target data is sent to the application program.

Above description is only the preferred embodiment of the application and the explanation to institute's application technology principle.People in the art Member should be appreciated that invention scope involved in the application, however it is not limited to technology made of the specific combination of above-mentioned technical characteristic Scheme, while should also cover in the case where not departing from the inventive concept, it is carried out by above-mentioned technical characteristic or its equivalent feature Other technical solutions of arbitrary combination and formation.Such as features described above and (but not limited to) disclosed herein have it is similar The technical characteristic of function is replaced mutually and the technical solution that is formed.

Claims (13)

1. a kind of data transmission method of Android intelligent terminal, which is characterized in that the method includes：

The network for monitoring application program uploads data；

Data are uploaded according to network transmission configuration information to the network to be encrypted to obtain encryption upload data, the network passes Defeated configuration information is for being encrypted classification to network data and configuring security strategy；

The encryption is uploaded into data, security server is sent to by data security channel, the data security channel for pair The transmission process of network data is protected；

Receive the encryption down-transmitting data that the correspondence encryption that the security server is sent uploads data；

It is decrypted to obtain target data to the encryption down-transmitting data, and the target data is sent to and described applies journey Sequence；

Further include before the step of network of the monitoring application program uploads data：

The step of establishing data security channel, including：

To the security server transmission data CIPHERING REQUEST；

Receive the data security channel configuration information that the security server is sent；

The first data-interface is configured according to the data security channel configuration information, and described the is sent to the security server First data-interface configuration information of one data-interface；

Receive the second data-interface configuration information that the security server is sent；

The first data-interface configuration information and the second data-interface configuration information are bound, data safety is obtained Channel application information, and the data security channel application information is sent to the security server；

The Path Setup confirmation message that the security server is sent is received, the foundation of the data security channel is completed.

2. according to the method described in claim 1, it is characterized in that, it is described according to network transmission configuration information on the network Biography data are encrypted to obtain encryption upload data：

Determine that the network uploads the data encryption type of data according to the network transmission configuration information；

The first secret key is generated at random according to the data encryption type；

Asymmetric encryption is carried out to first secret key and obtains the second secret key；

Data are uploaded by network described in second secret key pair to be encrypted to obtain encryption upload data.

3. according to the method described in claim 1, it is characterized in that, described be decrypted to obtain mesh to the encryption down-transmitting data Marking data includes：

The 4th secret key is extracted from the encryption down-transmitting data；

Asymmetric decryption is carried out to the 4th secret key and obtains third secret key；

The third secret key is decrypted to obtain target data.

4. a kind of data transmission method of Android intelligent terminal, which is characterized in that the method includes：

It receives Android intelligent terminal and data is uploaded by the encryption that data security channel is sent；

Data are uploaded to the encryption to be decrypted to obtain network upload data；

Network upload data are sent to corresponding destination server；

Receive the target data that the correspondence network that the destination server is sent uploads data；

The target data is encrypted according to network transmission configuration information to obtain encryption down-transmitting data, will be passed under the encryption Data are sent to the Android intelligent terminal by the data security channel；

Further include before the step of encryption that the reception Android intelligent terminal is sent by data security channel uploads data：

The step of establishing data security channel, including：

Receive the data encryption request that Android intelligent terminal is sent；

It is asked to the Android intelligent terminal transmission data escape way configuration information according to the data encryption；

Receive the first data-interface configuration information that the Android intelligent terminal is sent；

Establish corresponding with the first data-interface configuration information the second data-interface, and by the of second data-interface Two data-interface configuration informations are sent to the Android intelligent terminal；

Receive the data security channel application information that the Android intelligent terminal is sent；

The data security channel is established according to the data security channel application information, and is sent to the Android intelligent terminal Path Setup confirmation message.

5. according to the method described in claim 4, it is characterized in that, described be decrypted to obtain net to encryption upload data Network uploads data：

Extracting data, which is uploaded, from the encryption goes out the second secret key；

Asymmetric decryption is carried out to second secret key and obtains the first secret key；

First secret key is decrypted to obtain network upload data.

6. according to the method described in claim 4, it is characterized in that, it is described according to network transmission configuration information to the number of targets Include according to being encrypted to obtain encryption down-transmitting data：

The data encryption type of the target data is determined according to the network transmission configuration information；

Third secret key is generated at random according to the data encryption type；

Asymmetric encryption is carried out to the third secret key and obtains the 4th secret key；

It is encrypted to obtain encryption down-transmitting data by target data described in the 4th secret key pair.

7. a kind of data transmission device of Android intelligent terminal, which is characterized in that described device includes：

Monitoring unit, the network for monitoring application program upload data；

Network uploads DEU data encryption unit, is encrypted for uploading data to the network according to network transmission configuration information Data are uploaded to encryption, the network transmission configuration information is for being encrypted classification to network data and configuring security strategy；

Encryption uploads data transmission unit, for encryption upload data to be sent to security service by data security channel Device, the data security channel is for protecting the transmission process of network data；

Down-transmitting data receiving unit is encrypted, adding for data is uploaded for receiving the correspondence encryption that the security server is sent Close down-transmitting data；

Down-transmitting data decryption unit is encrypted, obtains target data for the encryption down-transmitting data to be decrypted, and will be described Target data is sent to the application program；

Described device further includes：

First passage establishes unit, and for establishing data security channel, the first passage establishes unit and includes：

Transmission sub-unit is asked in data encryption, is used for the security server transmission data CIPHERING REQUEST；

Data security channel configuration information receiving subelement is matched for receiving the data security channel that the security server is sent Confidence ceases；

First data-interface establishes subelement, for configuring the first data-interface according to the data security channel configuration information, And the first data-interface configuration information of first data-interface is sent to the security server；

Second data-interface configuration information receiving subelement is matched for receiving the second data-interface that the security server is sent Confidence ceases；

Application information subelement, for will the first data-interface configuration information and the second data-interface configuration information into Row binding, obtains data security channel application information, and the data security channel application information is sent to the safety clothes Business device；

Second channel establishes subelement, the Path Setup confirmation message sent for receiving the security server, described in completion The foundation of data security channel.

8. device according to claim 7, which is characterized in that the network uploads DEU data encryption unit and includes：

First encryption type determination subelement, for determining that the network uploads data according to the network transmission configuration information Data encryption type；

First secret key generates subelement, for generating the first secret key at random according to the data encryption type；

Second secret key generates subelement, and the second secret key is obtained for carrying out asymmetric encryption to first secret key；

First encryption sub-unit operable is encrypted to obtain encryption upload for uploading data by network described in second secret key pair Data.

9. device according to claim 7, which is characterized in that the encryption down-transmitting data decryption unit includes：

Second extraction subelement, for extracting the 4th secret key from the encryption down-transmitting data；

Third decrypts subelement, and third secret key is obtained for carrying out asymmetric decryption to the 4th secret key；

4th decryption subelement, for being decrypted to obtain target data to the third secret key.

10. a kind of security server, which is characterized in that the security server includes：

Encryption uploads data receipt unit, and number is uploaded by the encryption that data security channel is sent for receiving Android intelligent terminal According to；

Encryption uploads data decryption unit, is decrypted to obtain network upload data for uploading data to the encryption；

Network uploads data transmission unit, for network upload data to be sent to corresponding destination server；

Target data receiving unit uploads the number of targets of data for receiving the correspondence network that the destination server is sent According to；

Target data encryption unit, for being encrypted to obtain under encryption to the target data according to network transmission configuration information Data are passed, the encryption down-transmitting data is sent to the Android intelligent terminal by the data security channel；

The security server further includes：

Second channel establishes unit, and for establishing data security channel, the second channel establishes unit and includes：

Receiving subelement is asked in data encryption, the data encryption request sent for receiving Android intelligent terminal；

Data security channel configuration information transmission sub-unit, for being asked to the Android intelligent terminal according to the data encryption Transmission data escape way configuration information；

First data-interface configuration information receiving subelement, the first data-interface sent for receiving the Android intelligent terminal Configuration information；

Second data-interface establishes subelement, is connect for establishing the second data corresponding with the first data-interface configuration information Mouthful, and the second data-interface configuration information of second data-interface is sent to the Android intelligent terminal；

Data security channel application information receiving subelement, the data security channel sent for receiving the Android intelligent terminal Application information；

First passage establishes subelement, for establishing the data security channel according to the data security channel application information, And establish confirmation message to the Android intelligent terminal sendaisle.

11. security server according to claim 10, which is characterized in that the encryption uploads data decryption unit packet It includes：

First extraction subelement goes out the second secret key for uploading extracting data from the encryption；

First decryption subelement obtains the first secret key for carrying out asymmetric decryption to second secret key；

Second decryption subelement obtains network upload data for first secret key to be decrypted.

12. security server according to claim 10, which is characterized in that the target data encryption unit includes：

Second encryption type determination subelement, the data for determining the target data according to the network transmission configuration information Encryption type；

Third secret key generates subelement, for generating third secret key at random according to the data encryption type；

4th secret key generates subelement, and the 4th secret key is obtained for carrying out asymmetric encryption to the third secret key；

Second encryption sub-unit operable passes number for being encrypted to obtain to encrypt down by target data described in the 4th secret key pair According to.

13. a kind of Android intelligent terminal data transmission system, which is characterized in that the system comprises claim 7-9 is any Any security server of the data transmission device and claim 10-12 of the Android intelligent terminal.