CN106685644B

CN106685644B - Communication encryption method and device, gateway, server, intelligent terminal and system

Info

Publication number: CN106685644B
Application number: CN201510763170.XA
Authority: CN
Inventors: 于海龙; 刘智勇; 邢超; 周良杰
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2015-11-10
Filing date: 2015-11-10
Publication date: 2021-02-02
Anticipated expiration: 2035-11-10
Also published as: CN106685644A

Abstract

The embodiment of the application provides a communication encryption method, a communication encryption method device, a gateway, a server, an intelligent terminal and a system, which aim to solve the safety problem in the communication process of one-way communication equipment. The method comprises the following steps: sending a key request to a server, wherein the key request carries the association parameters of the intelligent terminal; receiving a key response fed back by the server, and acquiring a first key from the key response, wherein the first key is determined by the server according to all or part of the association parameters; and determining a second key according to the first key, wherein the second key is used for encrypting the communication data. The second key required by encryption can be determined, and the second key cannot be directly transmitted in the communication process, so that the security of the second key and the security of subsequent encryption of communication data are protected.

Description

Communication encryption method and device, gateway, server, intelligent terminal and system

Technical Field

The present application relates to the field of communications technologies, and in particular, to a communication encryption method, a communication encryption apparatus, a gateway, a server, an intelligent terminal, and a communication encryption system.

Background

Along with the development of science and technology, more and more facilities begin to intelligent development, for example install intelligent terminal on the car and can set up autopilot by automatic navigation, like again intelligent lock can automatic alarm when the non-safety is unblanked etc..

The intelligent security terminal such as an intelligent door lock is usually interacted with a server through a gateway, and the intelligent terminal and the gateway are communicated by adopting a one-way wireless communication technology. At present, one-way wireless communication is usually an unencrypted plaintext communication mode, which cannot ensure the safety of messages and may cause safety problems.

Therefore, one technical problem that needs to be urgently solved by those skilled in the art is: a communication encryption method, a gateway, a server and a system are provided to solve the security problem in the communication process of one-way communication equipment.

Disclosure of Invention

The technical problem to be solved by the embodiments of the present application is to provide a communication encryption method to solve the security problem in the communication process of a unidirectional communication device.

Correspondingly, the embodiment of the application also provides a communication encryption device, a gateway, a server, an intelligent terminal and an encryption communication system, which are used for ensuring the realization and application of the method.

In order to solve the above problem, according to a first aspect of an embodiment of the present application, a method for encrypting a message is disclosed, which includes: sending a key request to a server, wherein the key request carries the association parameters of the intelligent terminal; receiving a key response fed back by the server, and acquiring a first key from the key response, wherein the first key is determined by the server according to all or part of the association parameters; and determining a second key according to the first key, wherein the second key is used for encrypting the communication data.

Optionally, the association parameter includes a third key; said determining a second key from said first key comprises: acquiring a third key from the correlation parameter; and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

Optionally, the third key is a key randomly generated by the intelligent terminal.

Optionally, before sending the key request to the server, the method further includes: acquiring associated parameters from a plaintext registration message sent by an intelligent terminal when carrying out key negotiation with the intelligent terminal in one-way communication; the sending the key request to the server includes: the key request carries the association parameters; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

Optionally, obtaining the first key from the key response includes: and decrypting the key response according to a preset mode to obtain a first key.

Optionally, the first key is determined by the server after verifying that the intelligent terminal is legal according to all or part of the associated parameters.

Optionally, the association parameter further includes: and the fourth key is used for verifying the validity of the intelligent terminal by the server.

Optionally, the fourth key is determined according to a third key included in the association parameter, where the third key is a key randomly generated by the intelligent terminal.

Optionally, the method further includes: receiving a message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

Optionally, the association parameter further includes: and the terminal type information is distributed by the server according to the type of the intelligent terminal.

According to a second aspect of the embodiments of the present application, an embodiment of the present application further discloses a communication encryption method, including: acquiring the association parameters of the intelligent terminal from the key request; determining a first key in dependence on all or part of the associated parameter; and carrying the first key in the key response, and sending the key response, wherein the first key is used for determining a second key for encrypting communication data.

Optionally, the associated parameters include: the fourth key, before determining the first key according to all or part of the associated parameters, further comprises: and acquiring a fourth key from the associated parameters, and verifying the validity of the intelligent terminal by adopting the fourth key.

Optionally, the associated parameters include: a third key; and verifying the validity of the intelligent terminal by adopting the fourth key, wherein the verification comprises the following steps: calculating a verified fourth key according to the third key; comparing the verified fourth key with a fourth key in the associated parameters; and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal.

Optionally, the association parameter further includes: the terminal type information is distributed by the server according to the type of the intelligent terminal; said calculating a verified fourth key from said third key comprising: searching a fifth key of the intelligent terminal according to the terminal type information, wherein the fifth key is distributed to the intelligent terminal by a server according to the terminal type information; and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

Optionally, the association parameter further includes: terminal address information; determining a first key from all or part of the associated parameters, including: and determining a first key by adopting the terminal address information and the fifth key according to a preset encryption algorithm.

Optionally, the obtaining the association parameter from the key request includes: receiving a key request, and decrypting the key request according to a preset mode to obtain associated parameters, wherein the associated parameters are obtained when a gateway and an intelligent terminal in one-way communication perform key agreement; the sending the key response includes: encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response.

Optionally, the method further includes: and distributing the terminal type information and the fifth key for the intelligent terminal in advance according to the type.

According to a third aspect of the embodiments of the present application, an embodiment of the present application further discloses a communication encryption method, including: acquiring a correlation parameter; sending the association parameters to a gateway so that the gateway obtains a first key generated by a server according to the association parameters and determines a second key for encrypting communication data according to the first key; and encrypting the message by adopting the second key and then sending the message to the gateway.

Optionally, obtaining the associated parameter includes: randomly generating a third key, and determining a fourth key by using the third key; adding the third key and the fourth key to an associated parameter.

Optionally, determining a fourth key by using the third key includes: and acquiring a fifth key, and determining a fourth key by using the third key and the fifth key.

Optionally, the method further includes: and acquiring terminal type information and terminal address information, and adding the terminal type information and the terminal address information into the associated parameters. The terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

According to a fourth aspect of the embodiments of the present application, an embodiment of the present application further discloses a communication encryption apparatus, including: the request sending module is used for sending a key request to the server, wherein the key request carries the association parameters of the intelligent terminal; a first key obtaining module, configured to receive a key response fed back by the server, and obtain a first key from the key response, where the first key is determined by the server according to all or part of the association parameters; and the second key determining module is used for determining a second key according to the first key, and the second key is used for encrypting the communication data.

Optionally, the association parameter includes a third key; the second key determining module is used for acquiring a third key from the associated parameters; and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

Optionally, the method further includes: the parameter acquisition module is used for acquiring the associated parameters from the plaintext registration message sent by the intelligent terminal; the request sending module is configured to carry the association parameter in the key request; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

Optionally, the first key obtaining module is configured to decrypt the key response according to a preset manner, so as to obtain the first key.

Optionally, the method further includes: the encryption communication module is used for receiving the message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

According to a fifth aspect of the embodiments of the present application, an embodiment of the present application further discloses a gateway, including the communication encryption apparatus disclosed in the fourth aspect of the embodiments of the present application.

According to a sixth aspect of the embodiments of the present application, an embodiment of the present application further discloses a communication encryption apparatus, including: the parameter acquisition module is used for acquiring the associated parameters of the intelligent terminal from the key request; a first key determination module for determining a first key according to all or part of the correlation parameters; and a response sending module, configured to send the key response by carrying the first key in the key response, where the first key is used to determine a second key used for encrypting communication data.

Optionally, the associated parameters include: a fourth key; the server further comprises: and the validity verification module is used for acquiring a fourth key from the associated parameters and verifying the validity of the intelligent terminal by adopting the fourth key.

Optionally, the associated parameters include: a third key; the validity verification module comprises: the challenge key generation submodule is used for calculating a verified fourth key according to the third key; the verification sub-module is used for comparing the verified fourth key with a fourth key in the associated parameters; and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal.

Optionally, the association parameter further includes: the terminal type information is distributed by the server according to the type of the intelligent terminal; the challenge key generation submodule is used for searching a fifth key of the intelligent terminal according to the terminal type information, and the fifth key is distributed to the intelligent terminal by the server according to the terminal type information; and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

Optionally, the association parameter further includes: terminal address information; and the first key determining module is used for generating a first key by adopting the terminal address information and the fifth key according to a preset encryption algorithm.

Optionally, the parameter obtaining module is configured to receive a key request, decrypt the key request according to a preset manner, and obtain an associated parameter, where the associated parameter is obtained when a gateway performs key agreement with an intelligent terminal in one-way communication; the response sending module is used for encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response.

Optionally, the method further includes: and the presetting module is used for distributing the terminal type information and the fifth key to the intelligent terminal in advance according to the type.

According to a seventh aspect of the embodiments of the present application, an embodiment of the present application further discloses a server including the communication encryption apparatus disclosed in the sixth aspect of the embodiments of the present application.

According to an eighth aspect of the embodiments of the present application, an embodiment of the present application further discloses a communication encryption apparatus, including: the acquisition module is used for acquiring the associated parameters; the parameter sending module is used for sending the association parameters to a gateway so that the gateway can obtain a first secret key generated by a server according to the association parameters and determine a second secret key for encrypting communication data according to the first secret key; and the communication module is used for encrypting the message by adopting the second key and then sending the message to the gateway.

Optionally, the obtaining module is configured to randomly generate a third key, and determine a fourth key by using the third key; adding the third key and the fourth key to an associated parameter.

Optionally, the obtaining module is configured to obtain a fifth key, and determine a fourth key by using the third key and the fifth key.

Optionally, the obtaining module is further configured to obtain terminal type information and terminal address information, and add the terminal type information and the terminal address information to the association parameter. The terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

According to a ninth aspect of the embodiment of the present application, an embodiment of the present application further discloses an intelligent terminal, which includes the communication encryption device disclosed in the eighth aspect of the embodiment of the present application.

According to a tenth aspect of the embodiments of the present application, there is also disclosed an encryption communication system, including: the gateway according to the above embodiment, the server according to the above embodiment, and the intelligent terminal according to the above embodiment.

Compared with the prior art, the embodiment of the application has the following advantages:

in the embodiment of the application, a key request carrying related parameters is sent to a server, a key response fed back by the server is received, a first key is obtained from the key response, a second key is determined according to the first key, and communication data are encrypted by a user according to the second key, so that the second key required by encryption can be determined, the second key cannot be directly transmitted in the communication process, and the security of the second key and the security of subsequent communication data encryption are protected.

Drawings

FIG. 1 is a flow chart of the steps of a first communication encryption method embodiment of the present application;

FIG. 2 is a flow chart of the steps of an alternative embodiment of a first communication encryption method of the present application;

FIG. 3 is a flow chart of steps of a second communication encryption method embodiment of the present application;

FIG. 4 is a flow chart of steps in an alternate embodiment of a second communication encryption method of the present application;

FIG. 5 is a flow chart of steps in a third communication encryption method embodiment of the present application;

FIG. 6 is a flow chart of steps in an alternative embodiment of a third communication encryption method of the present application;

FIG. 7 is a block diagram of an embodiment of an encrypted communications system of the present application;

FIG. 8 is a schematic diagram of an encrypted communication according to an embodiment of the present application;

FIG. 9 is a flow chart of the steps of a preferred embodiment of a communication encryption method of the present application;

fig. 10A is a block diagram of a first embodiment of a communication encryption apparatus according to the present application;

FIG. 10B is a block diagram of an alternative embodiment of a first communication encryption apparatus according to the present application;

fig. 11A is a block diagram of a second embodiment of a communication encryption apparatus according to the present application;

FIG. 11B is a block diagram of an alternative embodiment of a second communication encryption apparatus according to the present application;

fig. 12 is a block diagram of a third embodiment of the encryption apparatus for communication according to the present application.

Detailed Description

In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.

One of the core concepts of the embodiments of the present application is a communication encryption method, a communication encryption method apparatus, a gateway (or called gateway device), a server, and a system, so as to solve the security problem in the communication process of a unidirectional communication device. The method comprises the steps of sending a key request carrying related parameters to a server, receiving a key response fed back by the server, obtaining a first key from the key response, determining a second key according to the first key, and encrypting communication data according to a second key user, so that the second key required by encryption can be determined, the second key cannot be directly transmitted in the communication process, and the security of the second key and the security of subsequent communication data encryption are protected.

In this embodiment of the application, the smart terminal may include a smart device having a multimedia function, and these devices support audio, video, data and other functions, for example, a mobile phone, a tablet, a smart wearable device, and the like. In this application embodiment, intelligent terminal can also include thing networking device, for example, intelligent household equipment, more specifically, can include intelligent air conditioner, intelligent door lock, intelligent security system etc.. In this embodiment, the intelligent terminal may further selectively include an input device such as a display, a keyboard, and a touch screen.

In this embodiment, the intelligent terminal may communicate with the gateway by using a one-way wireless communication technology, for example, the intelligent terminal sends a message to the gateway in a single direction, but does not receive the message from the gateway. The embodiment of the application is not limited to the use in this scenario, and may also be applied to an intelligent terminal having a bidirectional wireless communication technology. One-way wireless communication refers to an operation mode in which messages can be transmitted only in one direction. During one-way wireless communication, a communication channel is one-way, and a sending end and a receiving end are generally fixed, namely the sending end can only send information and cannot receive the information; the receiving end can only receive information and cannot send information. During bidirectional wireless communication, the transmitting end can be changed into a receiving end; accordingly, the receiving end may also be changed to the transmitting end.

Example one

This embodiment discusses the steps of the communication encryption method on the gateway side.

Referring to fig. 1, a flowchart illustrating steps of a first embodiment of a communication encryption method of the present application is shown, which may be implemented in various network devices, for example, on the gateway side. The method specifically comprises the following steps:

step 102, sending the key request to the server.

And the key request carries the associated parameters of the intelligent terminal. The association parameter is sent by the intelligent terminal to the gateway so that the gateway can determine a second key for encrypting the communication data based on the association parameter.

In this embodiment, the process of determining the second key based on the association parameter may be performed when the intelligent terminal registers, and the registration process may also be a key agreement process, so before the key request is sent to the server, the method further includes: acquiring associated parameters from a plaintext registration message sent by an intelligent terminal when carrying out key negotiation with the intelligent terminal in one-way communication; in the one-way communication process, the intelligent terminal sends a message to the gateway, the gateway processes or forwards the message to the server by itself, and encrypted data can be used for communication in the one-way communication process in order to ensure the safety of the data. Therefore, the gateway can firstly perform key agreement with the intelligent terminal in one-way communication. In key agreement, the intelligent terminal can register in the server before the encrypted communication starts, so the intelligent terminal can obtain the associated parameters to send to the gateway, and the associated parameters are also used for negotiating the key with the gateway. After receiving the association parameter, the gateway generates a key request based on the association parameter and sends the key request to the server, and the server can register the intelligent terminal based on the association parameter and inform the gateway of the required key.

In an optional embodiment of the present application, the sending the key request to the server includes: the key request carries the association parameters; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server. In other words, to ensure data security, the server and the gateway may also use an encryption communication mode, where an encryption algorithm in a preset mode may use encryption algorithms such as symmetric encryption and asymmetric encryption, which is not limited in this embodiment. And after the key request carries the associated parameters, the key request is encrypted according to a preset mode, and the encrypted key request is generated and then sent to the server.

And 104, receiving a key response fed back by the server, and acquiring a first key from the key response.

After receiving the key request, the server acquires the association parameters from the key request, determines a first key according to all or part of the association parameters, adds the first key into the key response and feeds back the key response to the gateway, and the gateway receives the key response fed back by the server and acquires the first key from the key response. The server and the gateway can also perform encrypted communication, so that the key response can be decrypted according to a preset mode to obtain the first key.

In an optional embodiment of the present application, the association parameter comprises a third key; said determining a second key from said first key comprises: acquiring a third key from the correlation parameter; and calculating a second key by using the third key and the first key according to a preset encryption algorithm. And when calculating the second key, calculating by using the first key fed back by the server and a third key fed back by the intelligent terminal according to a predetermined encryption algorithm, wherein the third key is a key randomly generated by the intelligent terminal.

In another optional embodiment of the present application, the first key is determined by the server after verifying that the intelligent terminal is legal according to all or part of the associated parameters; the associated parameters further include: and the fourth key is used for verifying the validity of the intelligent terminal by the server. The fourth secret key is determined according to a third secret key included in the association parameters, and the third secret key is a secret key randomly generated by the intelligent terminal.

When the server registers the intelligent terminal according to the association parameters, the validity of the intelligent terminal can be verified according to all or part of the association parameters, the equipment key is determined according to the association parameters after the validity is confirmed, the equipment key generates a key response, and the key response is fed back to the gateway. When verifying the validity of the intelligent terminal, the fourth key in the associated parameters may be used for verification, and when determining the fourth key, the intelligent terminal may perform calculation according to the randomly generated third key. Correspondingly, the gateway acquires the equipment key from the key response of the server, and the equipment key is determined after the server verifies that the intelligent terminal is legal according to the associated parameters.

And 106, determining a second key according to the first key, wherein the second key is used for encrypting communication data.

And determining a second key according to the first key, wherein the second key is used for encrypting communication data, so that the gateway can perform one-way encrypted communication with the intelligent terminal according to the second key. That is, the subsequent intelligent terminal may encrypt the message according to the second key and then send the message to the gateway, and the gateway may also decrypt the message according to the network key and perform corresponding processing, such as sending the message to the server, and self-processing, etc. Namely, the gateway receives the message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

In this embodiment of the present invention, the association parameter further includes: and the terminal type information is distributed by the server according to the type of the intelligent terminal. The server can verify the validity of the intelligent terminal based on the terminal type information and the terminal address information and determine a first secret key fed back to the gateway.

As shown in fig. 2, the gateway-side communication encryption method based on the above process may specifically include the following steps:

step 202, when performing key agreement with a unidirectional communication intelligent terminal, obtaining an associated parameter from a plaintext registration message sent by the intelligent terminal.

Step 204, carrying the association parameter in the key request; and encrypting the key request according to a preset mode to generate an encrypted key request.

Step 206, sending the encrypted key request to the server.

Step 208, receiving the key response fed back by the server.

And 210, decrypting the key response according to a preset mode to obtain a first key.

Step 212, obtaining a third key from the associated parameter; and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

Step 214, receiving a message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

And the intelligent terminal sends the associated parameters to the gateway, so that key negotiation is carried out between the intelligent terminal and the gateway and registration is carried out on the server. And then, the gateway carries the associated parameters in the key request, encrypts the key request and sends the encrypted key request to the server, and the server can verify the validity of the intelligent terminal based on the associated parameters and verify the validity. And after receiving the key response of the server, decrypting to obtain a first key, and adopting the first key and a second key of a third key in the associated parameters to complete key agreement with the intelligent terminal. And then, the message is encrypted and decrypted based on the second key in the process of passing with the intelligent terminal.

In summary, a key request carrying the associated parameters is sent to the server, a key response fed back by the server is received, a first key is obtained from the key response, a second key is determined according to the first key, and communication data is encrypted according to the second key by the user, so that the second key required for encryption can be determined, the second key cannot be directly transmitted in the communication process, and the security of the second key and the security of subsequent encryption of the communication data are protected.

Example two

This embodiment discusses the steps of the encrypted communication method on the server side.

Referring to fig. 3, a flowchart illustrating steps of a second communication encryption method embodiment of the present application is shown, which may be implemented in various network devices, for example, on the server side. The method specifically comprises the following steps:

step 302, obtaining the correlation parameters of the intelligent terminal from the key request.

In an optional embodiment of the present application, the gateway and the server use encryption communication, so after receiving the key request, the gateway decrypts the key request according to a preset manner to obtain the associated parameter, where the associated parameter is obtained when the gateway performs key negotiation with the intelligent terminal in one-way communication.

The intelligent terminal can initially register in the server, correspondingly, the encryption communication between the intelligent terminal and the gateway can also negotiate the key in advance, and the key negotiation process can be supported by the server of the third party. Therefore, the gateway adds the associated parameters to the key request and sends the key request to the server, and the server obtains the associated parameters from the key request after receiving the key request.

Step 304, determining a first key according to all or part of the associated parameters.

The server can feed back the key request, and the associated parameter is a parameter related to the device sent by the intelligent terminal, so that the first key can be determined wholly or partially according to the associated parameter.

In an optional embodiment of the present application, the association parameter includes: the fourth key, before determining the first key according to all or part of the associated parameters, further comprises: and acquiring a fourth key from the associated parameters, and verifying the validity of the intelligent terminal by adopting the fourth key. The server verifies the validity of the intelligent terminal according to the associated parameters, for example, part of parameters are obtained from the associated parameters and pre-stored parameters are calculated to obtain verification data, the associated parameters are determined to be correct according to the verification data, and after the validity of the intelligent terminal is verified, the intelligent terminal can be registered.

Preferably, the associated parameters include: a third key; and verifying the validity of the intelligent terminal by adopting the fourth key, wherein the verification comprises the following steps: calculating a verified fourth key according to the third key; comparing the verified fourth key with a fourth key in the associated parameters; and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal. The third key is a key randomly generated by the intelligent terminal.

In this embodiment, the fourth key is calculated according to a randomly generated third key, so that the server may obtain the third key from the associated parameters, calculate a verified fourth key according to the third key, and compare the verified fourth key with the fourth key in the associated parameters. And when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal. Otherwise, the two are different, the intelligent terminal is illegal, and may be a forged intelligent terminal, and in order to prevent the key leakage, the negotiation process is ended without feeding back the key response.

In fact, the fourth key also needs to be related to the type of the smart terminal, so the related parameters further include: the terminal type information is distributed by the server according to the type of the intelligent terminal; said calculating a verified fourth key from said third key comprising: searching a fifth key of the intelligent terminal according to the terminal type information, wherein the fifth key is distributed to the intelligent terminal by a server according to the terminal type information; and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

The server distributes the terminal type information and the fifth secret key to the intelligent terminal in advance according to the type, the terminal type information and the fifth secret key have an association relation, and the server stores the terminal type information and the fifth secret key in the intelligent terminal. Therefore, after the terminal type information is obtained from the intelligent terminal, the corresponding fifth key can be searched, and then the verified fourth key is calculated by adopting the fifth key and the third key according to the preset encryption algorithm. Therefore, the fourth key to be verified is determined to verify the fourth key sent by the gateway, the validity of the intelligent terminal is determined, and the password leakage caused by the forged intelligent terminal is prevented.

In this embodiment, the association parameter further includes: terminal address information; determining a first key from all or part of the associated parameters, including: and determining a first key by adopting the terminal address information and the fifth key according to a preset encryption algorithm.

After the intelligent terminal is determined to be legal and registered, the gateway can be informed of the first secret key, so that the terminal address information is obtained from the associated parameters, and then the first secret key is determined by adopting the terminal address information and the fifth secret key according to a preset encryption algorithm.

Step 306, the first key is carried in a key response, and the key response is sent to determine a second key for encrypting communication data based on the first key.

And generating a key response by using the first key, and then sending the key response to the gateway, so that the gateway can determine a second key required by the one-way encrypted communication based on the first key and subsequently execute the one-way encrypted communication. Wherein the sending the key response comprises: encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response. The first key is secured by the server and the gateway encrypting the communication.

As shown in fig. 4, the server-side communication encryption method based on the above process may specifically include the following steps:

and 402, distributing the terminal type information and the fifth key to the intelligent terminal in advance according to the type.

Step 404, receiving the key request, and decrypting the key request according to a preset mode to obtain the associated parameters.

And 406, acquiring a third key, terminal type information and a fourth key from the association parameters, searching a fifth key of the intelligent terminal according to the terminal type information, and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

Step 408, whether the verified fourth key and the fourth key in the associated parameter are the same.

If yes, that is, the verified fourth key is the same as the fourth key in the associated parameter, execute step 410; if not, namely the verified fourth key is different from the fourth key in the associated parameters, the negotiation process is ended.

And step 410, confirming that the intelligent terminal is legal.

Step 412, determining a first key by using the terminal address information and the fifth key according to a preset encryption algorithm.

Step 414, carrying the first key in the key response, and encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response.

Therefore, after the server receives the key request sent by the gateway, the legitimacy of the intelligent terminal can be verified through the associated parameters, on one hand, the legal intelligent terminal is registered, on the other hand, the first key is calculated and fed back to the gateway based on the associated parameters, so that the gateway decrypts and obtains the first key after receiving the key response of the server, and the second key of the third key in the first key and the associated parameters is adopted, so that the key agreement with the intelligent terminal is completed. And then, the message is encrypted and decrypted based on the second key in the process of passing with the intelligent terminal.

In summary, the server obtains the association parameters of the intelligent terminal from the key request, determines the first key according to all or part of the association parameters, carries the first key in the key response, and sends the key response to determine the second key for encrypting the communication data based on the first key, so that the second key required by encryption can be determined, the second key cannot be directly transmitted in the communication process, and the security of the second key and the security of the subsequent encryption of the communication data are protected.

EXAMPLE III

This embodiment discusses the steps of the encryption communication method at the smart terminal side.

Referring to fig. 5, a flowchart illustrating steps of a third embodiment of the communication encryption method of the present application is shown, and the method may be implemented in various network devices, for example, on the side of an intelligent terminal. The method specifically comprises the following steps:

step 502, obtaining the associated parameters.

When the intelligent terminal is initially started, the intelligent terminal registers on the server and negotiates with the gateway about a key required by encrypted communication, so that associated parameters are acquired and sent to the gateway for registration and key negotiation.

In this embodiment, the intelligent terminal may randomly generate a third key, and determine a fourth key by using the third key; adding the third key and the fourth key to an associated parameter. The third key may be generated according to a preset random algorithm, which is not limited in this embodiment. Preferably, determining a fourth key by using the third key includes: and acquiring a fifth key, and determining a fourth key by using the third key and the fifth key. The fifth key is distributed to the intelligent terminal by the server according to the terminal type information; the terminal type information is distributed by the server according to the type of the intelligent terminal, so that the terminal type information and the terminal address information can be obtained and added into the associated parameters.

The server initially stores the terminal type information and the fifth key in the intelligent terminal, and the intelligent terminal can determine the fourth key by adopting the third key and the fifth key, so that the fourth key is added into the association parameters to ensure that the server carries out validity verification on the intelligent terminal, and prevent the fake intelligent terminal from appearing, therefore, the third key and the terminal type information can also be added into the association parameters and sent to the server. In order to facilitate the server to determine the fed back first key, terminal address information may also be added in the association parameters.

Step 504, sending the association parameter to a gateway, so that the gateway obtains a first key generated by a server according to the association parameter, and determines a second key for encrypting communication data according to the first key.

The intelligent terminal sends the associated parameters to the gateway in a plaintext mode, the gateway then communicates with the server to obtain a first secret key, and then a second secret key is determined based on the first secret key, and the second secret key is used for encrypting communication data.

Step 506, the second key is adopted to encrypt the message and then the message is sent to the gateway.

For the message to be sent to the gateway, the message may be encrypted by using the second key, and the corresponding gateway may also decrypt the message by using the second key.

Based on the above process, the intelligent terminal side communication encryption method is shown in fig. 6, and may specifically include the following steps:

step 602, obtaining the terminal type information, the terminal address information and the fifth key, and randomly generating the third key.

And step 604, determining a fourth key by using the third key and the fifth key.

Step 606, adding the terminal type information, the terminal address information, the third key and the fourth key to the association parameters.

Step 608, sending the association parameter to the gateway.

And step 610, encrypting the message by using the second key and then sending the message to the gateway.

And the slave intelligent terminal randomly generates a third key based on the stored terminal type information, terminal address information and a fifth key to determine a fourth key, adds the terminal type information, the terminal address information, the third key and the fourth key into the associated parameters and feeds back the associated parameters to the gateway, so that the slave intelligent terminal registers on the server through the gateway and negotiates with the gateway for the key, and the safety and the full direction of subsequent messages are ensured.

Example four

On the basis of the above embodiments, the present embodiment discusses the communication encryption method in detail with specific examples.

In the embodiment, it is assumed that the first key is an equipment key, the second key is a network key, the third key is a random key, the fourth key is an adjustment key, and the fifth key is a type key. The associated parameters required for the intelligent terminal to register on the server include: terminal address information, terminal type information, a random key, and a challenge key.

The terminal Address information (Device Address) may include a terminal Address, and addresses of different intelligent terminals are different, for example, the length is set to be 6 bytes.

The terminal type information (Model) may include a type Model of the intelligent terminal, and models of the same type of intelligent terminal are the same, and the Model is allocated by the server, for example, the length is set to be 4 bytes.

The Random Key (Random Key) may include a randomly generated Key, and the Random keys of different intelligent terminals are different, for example, set to be 8 bytes in length.

The Challenge Key (Challenge Key) may be composed of a type Key (Model Key) and a Random Key, for example, set to be 8 bytes in length.

The Model Key may include a Key associated with the type of terminal, so that the Model keys for the same type of terminal are the same, and are also assigned by the server, for example, set to be 20 bytes in length.

Based on the parameters, the server can generate a device key and feed the device key back to the gateway, so that the gateway can determine a network key required by encryption. Wherein:

the Device Key (Device Key) may be synthesized by Device Address and Model Key, for example, set to be 8 bytes in length.

The network Key (Security Key) may include a Key in encrypted network communication, and is also a Key that needs to be protected, and may be synthesized by a Device Key and a Random Key, for example, with a length set to 16 bytes.

Therefore, key agreement and encrypted communication between the gateway and the intelligent terminal are realized based on the parameters.

In this embodiment, the gateway may adopt a HUB (HUB), i.e. a multi-port repeater, which is widely applied to the local area network. An encrypted communication system is therefore shown in fig. 7, comprising: the intelligent encryption system comprises an intelligent terminal, a gateway and a server which are in one-way communication, and the intelligent terminal such as an intelligent mobile phone and the like which can be in two-way communication with the server can be arranged in the intelligent encryption system. The schematic diagram of the encrypted communication of the intelligent terminal, the gateway and the server based on the one-way communication is shown in fig. 8.

8.02, the intelligent terminal of the one-way communication sends a plaintext registration message to the gateway, wherein the plaintext registration message comprises the associated parameters. The associated parameters include: device Address, Model, Random Key, and Challenge Key.

And 8.04, the gateway generates a key request by adopting the associated parameters and sends the key request to the server.

8.06, the server verifies the validity of the intelligent terminal based on the associated parameters, namely, verifies whether the Challenge Key is accurate.

And 8.08, generating a Device Key and sending the Device Key to the gateway after the intelligent terminal is confirmed to be legal.

8.10, the gateway generates a Security Key based on the Device Key.

8.12, the intelligent terminal of the one-way communication sends the message encrypted by the Security Key. Correspondingly, the gateway decrypts the message by using the Security Key.

Therefore, key negotiation in one-way communication between the gateway and the intelligent terminal is realized. The network Key is composed of 2 parts, Random keys are randomly generated by equipment during registration, the Random keys generated during each registration are different, it is guaranteed that Security keys can be different during each registration, and even if a Device Key of one intelligent terminal is leaked, an attacker can break the Security keys used by the subsequent encryption of the intelligent terminal by acquiring the Random keys. The specific steps of the above-mentioned interaction process are shown in fig. 5.

Referring to fig. 9, a flowchart illustrating steps of a preferred embodiment of a communication encryption method according to the present application is shown, which may specifically include the following steps:

step 902, the gateway obtains the associated parameters from the plaintext registration message sent by the intelligent terminal.

Step 904, the gateway encrypts the associated parameters according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

When the intelligent terminal is initialized, the intelligent terminal can generate a plaintext registration message by using the association parameters, and send the plaintext registration message to the gateway, where the association parameters include terminal Address information Device Address, terminal type information Model, Random Key and Challenge Key Challenge.

In order to ensure the communication security between the gateway and the server, in this embodiment, the gateway and the server also perform encrypted communication according to a preset method, where an encryption algorithm of the preset method may adopt encryption algorithms such as symmetric encryption and asymmetric encryption, which is not limited in this embodiment. Therefore, after acquiring the associated parameters from the plaintext registration message, the gateway encrypts the associated parameters according to a preset mode to generate an encrypted key request, and then sends the encrypted key request to the server.

Step 906, the server receives the key request sent by the gateway, and decrypts the key request according to a preset mode to obtain the associated parameters.

And the server receives the key request sent by the gateway, decrypts the key request according to a preset mode, and acquires the associated parameters from the decrypted key request. The server can also verify the gateway through encryption communication with the gateway, namely the gateway is confirmed to be a legal gateway when the preset mode can correctly decrypt the message, otherwise, the gateway is confirmed to be an illegal gateway if the preset mode cannot correctly decrypt the message, such as a false gateway and the like, and the message of the illegal gateway can be ignored.

After the server confirms that the gateway is legal, the server calculates the verified challenge key according to the random key in the association parameters, wherein the step of calculating the verified challenge key by using the random key specifically includes

steps

908 and 910.

Step 908, the server obtains the random key and the terminal type information from the association parameters, and searches the type key of the intelligent terminal according to the terminal type information.

Step 910, the server calculates a verified challenge key by using the type key and the random key according to a preset encryption algorithm.

And the server acquires the Random Key and the Model from the associated parameters, and then searches the Model Key of the intelligent terminal according to the Model. And then, computing the verified Challenge Key by adopting a Random Key and a Model Key according to a preset encryption algorithm. The encryption algorithm may be various algorithms such as a Sha-1 hash algorithm, etc.

Step 912, the server compares the verified challenge key with the challenge key in the associated parameters to determine whether the intelligent terminal is legal.

And the server compares the verified Challenge Key with the Challenge Key obtained from the associated parameters to determine whether the Challenge Key is the same or not.

And when the verified Challenge Key is the same as the Challenge Key in the associated parameters, confirming that the intelligent terminal is legal, and executing step 514.

Otherwise, when the verified Challenge Key is not the same as the Challenge Key in the associated parameters, the intelligent terminal is determined to be illegal, and the negotiation process is ended.

Step 914, the server obtains the terminal address information from the associated parameter, and generates the device key by using the terminal address information and the type key according to a preset encryption algorithm.

Step 916, the server encrypts the device key according to a preset mode to generate an encrypted key response, and sends the key response to the gateway.

And the server can feed back the Device Key to the gateway after confirming that the intelligent terminal is legal, so that the server acquires the Device Address from the association parameter and generates the Device Key by adopting the Device Address and the Model Key according to a preset encryption algorithm. Then, the preset mode encrypts the Device Key to generate an encrypted Key response, and the encrypted Key response is sent to the gateway.

Step 918, the gateway receives the key response fed back by the server; and decrypting the key response according to a preset mode to obtain the equipment key.

Step 920, the gateway obtains a random key from the associated parameters; and calculating the network key by adopting the random key and the equipment key according to a preset encryption algorithm.

And the gateway receives the Key response fed back by the server, decrypts the Key response according to a preset mode, and acquires the Device Key. And then acquiring a Random Key from the associated parameters initially sent by the intelligent terminal, and then calculating the Security Key by adopting the Device Key and the Random Key.

Step 922, after the gateway key negotiation is finished, receiving a network message sent by the intelligent terminal; and analyzing the network message according to the network key so as to forward the network message to the server.

And after the gateway calculates the Security Key, the gateway confirms that the Key negotiation is finished. The intelligent terminal can then conduct encrypted one-way communication with the gateway. The intelligent terminal and the gateway can adopt symmetric encryption, namely the same Security Key can be used for encrypting and decrypting messages at the same time, and the intelligent terminal and the gateway are a single-Key encryption algorithm. For example, the intelligent terminal and the gateway adopt AES128 encryption in the one-way communication process, and AES128 is an advanced symmetric encryption mode.

In summary, the Challenge Key is synthesized by a Model Key, and the Model Key is allocated to the intelligent terminal by the server, so that the forged Challenge Key is unsuccessful and the intelligent terminal is not forgeable on the basis of not knowing the Model Key, so that the server can verify the validity of the intelligent terminal.

Secondly, the server sends the gateway a Device Key, and the whole transmission process does not send a Model Key, i.e. even if an attacker obtains the Device Key, the attacker only knows the Device Key of the intelligent terminal, and does not know the Model keys of all the intelligent terminals, thereby ensuring the safety of the intelligent terminal.

And thirdly, the Random Key of each intelligent terminal is different in the Key negotiation process, so that the Security Key generated by each registration is different, and the communication safety between the gateway and the intelligent terminal is ensured.

It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.

EXAMPLE five

On the basis of the above embodiments, the present embodiment also discloses a communication encryption apparatus, which can be configured in various network devices, for example, in a gateway.

Referring to fig. 10A, a block diagram of a first embodiment of a communication encryption apparatus according to the present application is shown, which may specifically include the following modules:

a request sending module 1002, configured to send a key request to a server, where the key request carries association parameters of an intelligent terminal.

A first key obtaining module 1004, configured to receive a key response fed back by the server, and obtain a first key from the key response, where the first key is determined by the server according to all or part of the association parameters.

A second key determining module 1006, configured to determine a second key according to the first key, where the second key is used to encrypt communication data.

Referring to fig. 10B, a block diagram of an alternative embodiment of the first communication encryption apparatus of the present application is shown, which may specifically include the following modules:

Wherein the association parameter comprises a third key; a second key determining module 1004, configured to obtain a third key from the association parameter; and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

The third key is a key randomly generated by the intelligent terminal.

The gateway further comprises: a parameter obtaining module 1008, configured to obtain an association parameter from a plaintext registration message sent by the intelligent terminal; the request sending module 1002 is configured to carry the association parameter in the key request; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

The first key obtaining module 1004 is configured to decrypt the key response according to a preset manner, so as to obtain a first key.

And the first key is determined by the server after verifying that the intelligent terminal is legal according to all or part of the associated parameters.

The associated parameters further include: and the fourth key is used for verifying the validity of the intelligent terminal by the server.

The fourth secret key is determined according to a third secret key included in the association parameters, and the third secret key is a secret key randomly generated by the intelligent terminal.

The gateway further comprises: the encryption communication module 1010 is used for receiving a message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

The associated parameters further include: and the terminal type information is distributed by the server according to the type of the intelligent terminal.

In this embodiment, the gateway may adopt a HUB (HUB), i.e. a multi-port repeater, which is widely applied to the local area network.

EXAMPLE six

On the basis of the above embodiments, the present embodiment also discloses a communication encryption apparatus, which can be configured in various network devices, for example, in a server.

Referring to fig. 11A, a block diagram of a second embodiment of a communication encryption apparatus according to the present application is shown, which may specifically include the following modules:

a parameter obtaining module 1102, configured to obtain the association parameter of the intelligent terminal from the key request.

A first key determining module 1104, configured to determine a first key according to all or part of the associated parameter.

A response sending module 1106, configured to carry the first key in a key response, and send the key response to determine, based on the first key, a second key used for encrypting communication data.

Referring to fig. 11B, a block diagram of an alternative embodiment of a second communication encryption apparatus according to the present application is shown, and specifically, the second communication encryption apparatus may include the following modules:

In an optional embodiment of the present application, the association parameter includes: a fourth key; the server further comprises: a validity verifying module 1108, configured to obtain a fourth key from the association parameter, and verify validity of the intelligent terminal by using the fourth key.

The associated parameters include: a third key; the validity verification module 1108 includes: a challenge key generation sub-module 11082, configured to calculate a verified fourth key according to the third key; a verification submodule 11084, configured to compare the verified fourth key with a fourth key in the associated parameter; and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal.

The associated parameters further include: the terminal type information is distributed by the server according to the type of the intelligent terminal; the challenge key generation sub-module 11082 is configured to search a fifth key of the intelligent terminal according to the terminal type information, where the fifth key is allocated to the intelligent terminal by the server according to the terminal type information; and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

The third key is a key randomly generated by the intelligent terminal.

The associated parameters further include: terminal address information; the first key determining module 1104 is configured to generate a first key by using the terminal address information and the fifth key according to a preset encryption algorithm.

The parameter obtaining module 1102 is configured to receive a key request, decrypt the key request according to a preset mode, and obtain an associated parameter, where the associated parameter is obtained when a gateway performs key agreement with an intelligent terminal in unidirectional communication; the response sending module 1106 is configured to encrypt the key response according to a preset manner, and generate an encrypted key response; sending the encrypted key response.

The server further comprises: the presetting module 1110 is configured to pre-allocate the terminal type information and the fifth key to the intelligent terminal according to the type.

The network Key is composed of 2 parts, Random keys are randomly generated by equipment during registration, the Random keys generated during each registration are different, the fact that Security keys can be guaranteed to be different during each registration is guaranteed, and even if a Device Key of one intelligent terminal is revealed, an attacker needs to obtain the Random keys to break the Security keys used by the subsequent encryption of the intelligent terminal.

EXAMPLE seven

On the basis of the above embodiments, the present embodiment also discloses a communication encryption apparatus, which can be configured in various network devices, for example, in an intelligent terminal.

Referring to fig. 12, a block diagram of a server according to an embodiment of the present application is shown, which may specifically include the following modules:

an obtaining module 1202, configured to obtain the association parameter.

A parameter sending module 1204, configured to send the association parameter to a gateway, so that the gateway obtains a first key generated by the server according to the association parameter, and determines a second key used for encrypting the communication data according to the first key.

And the communication module 1206 is configured to encrypt the message with the second key and send the encrypted message to the gateway.

The acquisition module is used for randomly generating a third key and determining a fourth key by using the third key; adding the third key and the fourth key to an associated parameter. Preferably, the obtaining module is configured to obtain a fifth key, and determine a fourth key by using the third key and the fifth key.

The acquisition module is further configured to acquire terminal type information and terminal address information, and add the terminal type information and the terminal address information to the association parameters. The terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

Above-mentioned this intelligent terminal includes: memory, display, processor and input unit. The input unit can be used for receiving numerical or character information input by a user and a control signal. Specifically, in the embodiment of the present invention, the input unit may include a touch screen, which may collect a touch operation performed by a user on or near the touch screen (for example, an operation performed by the user on the touch screen by using any suitable object or accessory such as a finger, a stylus pen, etc.), and drive the corresponding connection device according to a preset program. Of course, the input unit may include other input devices such as a physical keyboard, function keys (such as volume control keys, switch keys, etc.), and the like, in addition to the touch screen.

The Display includes a Display panel, and optionally, the Display panel may be configured in the form of a Liquid Crystal Display (LCD) or an Organic Light-Emitting Diode (OLED). The touch screen may cover the display panel to form a touch display screen, and when the touch display screen detects a touch operation on or near the touch display screen, the touch display screen transmits the touch operation to the processor 630 to perform corresponding processing.

In an embodiment of the present invention, the processor is configured to obtain the associated parameters by calling a software program, and/or a module, and/or data stored in the memory; sending the association parameters to a gateway so that the gateway obtains a first key generated by a server according to the association parameters and determines a second key for encrypting communication data according to the first key; and encrypting the message by adopting the second key and then sending the message to the gateway.

Optionally, the terminal type information and the terminal address information are obtained, and the terminal type information and the terminal address information are added to the association parameter. The terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

Example eight

On the basis of the above embodiments, the present embodiment further provides an encryption communication system, as shown in fig. 3, the encryption communication system includes: intelligent terminal 12, gateway 10 and server 11.

The gateway 10 is substantially identical to the gateway described in the fifth embodiment, the server 11 is substantially identical to the server described in the sixth embodiment, and the intelligent terminal 12 is substantially identical to the intelligent terminal described in the seventh embodiment, so that details are not repeated.

For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.

The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.

As will be appreciated by one of skill in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (fransitory media), such as modulated data signals and carrier waves.

Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.

Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.

The communication encryption method, the gateway, the server and the communication encryption system provided by the present application are introduced in detail, and specific examples are applied in the present application to explain the principle and the implementation of the present application, and the description of the above embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims

1. A communication encryption method is applied to a gateway and comprises the following steps:

sending a key request to a server, wherein the key request carries association parameters sent by an intelligent terminal, the association parameters comprise a third key, and the third key is a randomly generated key;

receiving a key response fed back by the server, and acquiring a first key from the key response, wherein the first key is determined by the server according to all or part of the association parameters;

determining a second key according to the first key and a third key, wherein the second key is used for encrypting communication data so that the gateway performs unidirectional encryption communication with the intelligent terminal according to the second key;

receiving a message sent by the intelligent terminal;

and decrypting the message according to the second key so as to forward the message to the server.

2. The method of claim 1, wherein determining the second key based on the first key and the third key comprises:

acquiring a third key from the correlation parameter;

and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

3. The method according to claim 2, wherein the third key is a key randomly generated by the smart terminal.

4. The method of claim 1, wherein before sending the key request to the server, further comprising:

acquiring associated parameters from a plaintext registration message sent by an intelligent terminal when carrying out key negotiation with the intelligent terminal in one-way communication;

the sending the key request to the server includes: the key request carries the association parameters; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

5. The method of claim 1, wherein obtaining the first key from the key response comprises:

and decrypting the key response according to a preset mode to obtain a first key.

6. The method according to claim 1, wherein the first key is determined by the server after verifying that the smart terminal is legitimate according to all or part of the associated parameters.

7. The method of claim 6, wherein the associating parameters further comprises: and the fourth key is used for verifying the validity of the intelligent terminal by the server.

8. The method according to claim 7, wherein the fourth key is determined according to a third key included in the association parameter, and the third key is a key randomly generated by the smart terminal.

9. The method according to any one of claims 1 to 8, wherein the associating parameters further comprises: and the terminal type information is distributed by the server according to the type of the intelligent terminal.

10. A communication encryption method is applied to a server and comprises the following steps:

receiving a key request, and acquiring association parameters of the intelligent terminal from the key request, wherein the association parameters comprise a third key, the third key is a randomly generated key, and the association parameters are acquired when the gateway and the intelligent terminal in one-way communication perform key agreement;

determining a first key in dependence on all or part of the associated parameter;

and carrying the first key in the key response, and sending the key response, wherein the first key is used for determining a second key for encrypting communication data with a third key, so that the gateway performs one-way encryption communication with the intelligent terminal according to the second key, and forwards a message decrypted according to the second key to the server.

11. The method of claim 10, wherein the association parameters comprise: the fourth key, before determining the first key according to all or part of the associated parameters, further comprises:

and acquiring a fourth key from the associated parameters, and verifying the validity of the intelligent terminal by adopting the fourth key.

12. The method of claim 11, wherein the association parameters comprise: a third key; and verifying the validity of the intelligent terminal by adopting the fourth key, wherein the verification comprises the following steps:

calculating a verified fourth key according to the third key;

comparing the verified fourth key with a fourth key in the associated parameters;

and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal.

13. The method of claim 12, wherein the associating parameters further comprises: the terminal type information is distributed by the server according to the type of the intelligent terminal;

said calculating a verified fourth key from said third key comprising:

searching a fifth key of the intelligent terminal according to the terminal type information, wherein the fifth key is distributed to the intelligent terminal by a server according to the terminal type information;

and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

14. The method according to claim 13, wherein the third key is a key randomly generated by the smart terminal.

15. The method of claim 13, wherein the associating parameters further comprises: terminal address information; determining a first key from all or part of the associated parameters, including:

and determining a first key by adopting the terminal address information and the fifth key according to a preset encryption algorithm.

16. The method of claim 10, wherein obtaining the association parameter from the key request comprises:

receiving a key request, and decrypting the key request according to a preset mode to obtain associated parameters, wherein the associated parameters are obtained when a gateway and an intelligent terminal in one-way communication perform key agreement;

the sending the key response includes:

encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response.

17. The method of claim 13, further comprising:

and distributing the terminal type information and the fifth key for the intelligent terminal in advance according to the type.

18. A communication encryption method is characterized in that the method is applied to intelligent terminals, the intelligent terminals comprise intelligent terminals which communicate with a gateway by adopting a one-way wireless communication technology, and the method comprises the following steps:

acquiring association parameters, wherein the association parameters comprise a third key, and the third key is a randomly generated key;

sending the association parameters to a gateway so that the gateway obtains a first key generated by a server according to the association parameters, and determines a second key for encrypting communication data according to the first key and a third key, wherein the first key is determined according to all or part of the association parameters;

and encrypting the message by using the second key and then sending the message to the gateway so that the gateway decrypts the message according to the second key and forwards the message to the server.

19. The method of claim 18, wherein obtaining association parameters comprises:

randomly generating a third key, and determining a fourth key by using the third key;

adding the third key and the fourth key to an associated parameter.

20. The method of claim 19, wherein determining a fourth key using the third key comprises:

and acquiring a fifth key, and determining a fourth key by using the third key and the fifth key.

21. The method of claim 20, further comprising:

acquiring terminal type information and terminal address information, and adding the terminal type information and the terminal address information into an associated parameter; the terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

22. A communication encryption apparatus, applied to a gateway, comprising:

the request sending module is used for sending a key request to the server, wherein the key request carries association parameters sent by the intelligent terminal, the association parameters comprise a third key, and the third key is a randomly generated key;

a first key obtaining module, configured to receive a key response fed back by the server, and obtain a first key from the key response, where the first key is determined by the server according to all or part of the association parameters;

the second key determining module is used for determining a second key according to the first key and a third key, wherein the second key is used for encrypting communication data so that the gateway can perform unidirectional encryption communication with the intelligent terminal according to the second key;

the encryption communication module is used for receiving the message sent by the intelligent terminal; and decrypting the message according to the second key so as to forward the message to the server.

23. The communication encryption apparatus according to claim 22, wherein the association parameter comprises a third key;

the second key determining module is used for acquiring a third key from the associated parameters; and calculating a second key by using the third key and the first key according to a preset encryption algorithm.

24. The communication encryption apparatus according to claim 23, wherein the third key is a key randomly generated by the smart terminal.

25. The communication encryption apparatus according to claim 22, further comprising:

the parameter acquisition module is used for acquiring the associated parameters from the plaintext registration message sent by the intelligent terminal;

the request sending module is configured to carry the association parameter in the key request; encrypting the key request according to a preset mode to generate an encrypted key request; sending the encrypted key request to the server.

26. The communication encryption apparatus according to claim 22,

and the first key acquisition module is used for decrypting the key response according to a preset mode to acquire a first key.

27. The communication encryption apparatus according to claim 22, wherein the first key is determined by the server after verifying that the smart terminal is legitimate according to all or part of the association parameters.

28. The communication encryption apparatus according to claim 27, wherein the association parameter further comprises: and the fourth key is used for verifying the validity of the intelligent terminal by the server.

29. The communication encryption apparatus according to claim 28, wherein the fourth key is determined according to a third key included in the association parameter, and the third key is a key randomly generated by the smart terminal.

30. The communication encryption apparatus according to any one of claims 22 to 29, wherein the association parameter further comprises: and the terminal type information is distributed by the server according to the type of the intelligent terminal.

31. A communication encryption apparatus, applied to a server, comprising:

the parameter acquisition module is used for receiving a key request and acquiring associated parameters of the intelligent terminal from the key request, wherein the associated parameters comprise a third key, the third key is a randomly generated key, and the associated parameters are acquired when the gateway and the intelligent terminal in one-way communication perform key negotiation;

a first key determination module for determining a first key according to all or part of the correlation parameters;

and the response sending module is used for carrying the first key in the key response, sending the key response, wherein the first key is used for determining a second key for encrypting the communication data with a third key, so that the gateway performs one-way encryption communication with the intelligent terminal according to the second key, and forwards a message decrypted according to the second key to the server.

32. The communication encryption apparatus according to claim 31, wherein the association parameter comprises: a fourth key; the communication encryption device further comprises:

and the validity verification module is used for acquiring a fourth key from the associated parameters and verifying the validity of the intelligent terminal by adopting the fourth key.

33. The communication encryption apparatus according to claim 32, wherein the association parameter comprises: a third key; the validity verification module comprises:

the challenge key generation submodule is used for calculating a verified fourth key according to the third key;

the verification sub-module is used for comparing the verified fourth key with a fourth key in the associated parameters; and when the verified fourth key is the same as the fourth key in the associated parameters, confirming that the intelligent terminal is legal.

34. The communication encryption apparatus according to claim 33, wherein the association parameter further comprises: the terminal type information is distributed by the server according to the type of the intelligent terminal;

the challenge key generation submodule is used for searching a fifth key of the intelligent terminal according to the terminal type information, and the fifth key is distributed to the intelligent terminal by the server according to the terminal type information; and calculating a verified fourth key by using the fifth key and the third key according to a preset encryption algorithm.

35. The communication encryption apparatus according to claim 34, wherein the third key is a key randomly generated by the smart terminal.

36. The communication encryption apparatus according to claim 34, wherein the association parameter further comprises: terminal address information;

and the first key determining module is used for generating a first key by adopting the terminal address information and the fifth key according to a preset encryption algorithm.

37. The communication encryption apparatus according to claim 31,

the parameter acquisition module is used for receiving a key request, decrypting the key request according to a preset mode and acquiring associated parameters, wherein the associated parameters are acquired when a gateway and an intelligent terminal in one-way communication perform key negotiation;

the response sending module is used for encrypting the key response according to a preset mode to generate an encrypted key response; sending the encrypted key response.

38. The communication encryption apparatus according to claim 34, further comprising:

and the presetting module is used for distributing the terminal type information and the fifth key to the intelligent terminal in advance according to the type.

39. The utility model provides a communication encryption device which characterized in that is applied to intelligent terminal, intelligent terminal includes the intelligent terminal who adopts one-way wireless communication technique to carry out the communication with the gateway, includes:

an obtaining module, configured to obtain a correlation parameter, where the correlation parameter includes a third key, and the third key is a randomly generated key;

a parameter sending module, configured to send the association parameter to a gateway, so that the gateway obtains a first key generated by a server according to the association parameter, and determines a second key used for encrypting communication data according to the first key and a third key, where the first key is determined according to all or part of the association parameter;

and the communication module is used for encrypting the message by using the second key and then sending the message to the gateway so that the gateway decrypts the message according to the second key and forwards the message to the server.

40. The communication encryption apparatus according to claim 39,

the acquisition module is used for randomly generating a third key and determining a fourth key by adopting the third key; adding the third key and the fourth key to an associated parameter.

41. The communication encryption apparatus according to claim 40,

the obtaining module is configured to obtain a fifth key, and determine a fourth key by using the third key and the fifth key.

42. The communication encryption apparatus according to claim 41,

the acquisition module is further used for acquiring terminal type information and terminal address information and adding the terminal type information and the terminal address information into the associated parameters; the terminal type information is distributed by the server according to the type of the intelligent terminal, and the fifth secret key is distributed by the server according to the terminal type information for the intelligent terminal.

43. An encrypted communication system, comprising: the communication encryption apparatus according to any one of claims 22 to 30, the communication encryption apparatus according to any one of claims 31 to 38, and the communication encryption apparatus according to any one of claims 39 to 42.

44. A gateway, comprising: a communications encryption apparatus according to any one of claims 22 to 30.

45. A server, comprising: a communications encryption apparatus according to any one of claims 31 to 38.

46. An intelligent terminal, comprising: a communications encryption apparatus according to any one of claims 39 to 42.