CN109150906A - A kind of real-time data communication safety method - Google Patents
A kind of real-time data communication safety method Download PDFInfo
- Publication number
- CN109150906A CN109150906A CN201811144260.0A CN201811144260A CN109150906A CN 109150906 A CN109150906 A CN 109150906A CN 201811144260 A CN201811144260 A CN 201811144260A CN 109150906 A CN109150906 A CN 109150906A
- Authority
- CN
- China
- Prior art keywords
- data
- key
- session
- real
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a kind of real-time data communication safety methods, firstly, determining the two big critical issues for influencing data communications security, the i.e. transmission problem of validated user Verify Your Identity questions and sensitive data by the architecture and data characteristics of analysis data communication;Secondly, transmitting encryption system in conjunction with existing identity identifying technology and data, a kind of security service scheme suitable for data communication is proposed;The validity and safety of the program are analyzed again.Using HMAC identifying algorithm, user identity authentication and authority acquiring in realization system guarantee the reliability of private services device visitor, solve first of security protection of entire communication system security.Establish a safe and reliable communication channel, realize safety of the sensitive data on network transmission channel, guarantee data integrality and can not being tampered property.
Description
Technical field
The technology more particularly to a kind of real time data communicated the invention belongs to data safety in real-time data communication system is logical
Believe safety method.
Background technique
With the gradually maturing of Internet technology and the acceleration of network construction, the communication security of real time data in network
Problem emerges one after another, such as the report about virus, hacker etc. is commonplace, and means mode is also various.So how to have
The protection for carrying out data communications security in network of effect, is a research hotspot and demand point.Although China is sufficiently realized
To importance of the data communications security technology in future development, it is also evolving this safe practice, but is still lacked
Data communications security system in complete network channel, and it is weak to remain unchanged for the consciousness of self-protection of data communications security, lacks
Long-term planning fails to formulate a long-term action plan.It is shown according to related data, network user's usage amount in China is
The communication flows of real time sensitive data through leaping into the front ranks of the world, and in network also constantly rises, but due to data communication
It loses caused by safety and is also constantly increasing, be all a huge threat for individual interest and national collective interests,
So the protection for carrying out data communications security is very necessary.
Data communications security problem is mainly made of two aspects, the transmission including effective authentication and real time data
Safety.Artificial attack includes passive attack and active attack, brings great challenge safely to computer network communication, is endangered
Seriously.Passive attack will not change system information, but invade the confidentiality of information.Pretend to be the identity using user, it is right
Information in Networks and Communications route is monitored and is stolen, and is analyzed and researched to the data information of intercepting and capturing, causes data complete
The destruction of whole property and the leakage of information, bring security risk.
At present in the communication process of real time data, what is generallyd use is network physical isolation or Virtual Private Network
(VPN) mode.It proposes the conception encrypted to real time data in most of data communication researchs, but and makes and specifically grinding
Study carefully scheme.And there is also difficult points for data communications security method: formulation, data transmission procedure such as effective authentication system
In the generation of session key, the cipher mode of session key and real time data Encryption Algorithm selection, guaranteeing not shadow
The safe transmission of data is realized under conditions of sound message transmission rate.For these reasons, real-time data communication secure side is carried out
The research of method provides objective basis and support for the safety of data in data communication system, the peace of data communication in Logistics networks
Entirely, the safety and reliability of data is improved.
Summary of the invention
The technical problem to be solved by the present invention is providing a kind of method of real time data secure communication.Combined data communication
The security architecture of system proposes a kind of safety approach suitable for the level framework, using HMAC Hash identifying algorithm, realizes system
User identity authentication and authority acquiring in system guarantee the reliability of private services device visitor, solve entire communication system security
First of security protection.A safe and reliable communication channel is established, realizes peace of the real time data on network transmission channel
Quan Xing, guarantee data integrality and can not being tampered property, solve data transmission procedure in second security protection;Pass through body
Part certification and Hybrid Encryption Protocol, the final communication security for realizing real time data, solve data safety protection question.
3. the technical scheme is that a kind of real-time data communication safety method, it is characterised in that: include following step
Rapid: step (1) authentication procedures: user carries out logging request Q, server by user name and login password at client
After termination receives logging request Q, the random number K with timeliness is returned to client in response, and in a session
K is recorded, then client will obtain its equipment unique identifier mac value automatically, and this mac value and K are done HMAC operation, obtain
Informative abstract HMAC (K, mac), then sends server end for this informative abstract;Meanwhile server end uses random number K
HMAC operation is carried out with the address mac for being stored in the user in server database, then by the operation result of server and visitor
The operation result at family end compares, if result is consistent, by certification, user gets the Service Privileges of access data, if knot
Fruit is inconsistent, then rejects application, login failure;(2) foundation of safe lane: during system real-time data communication, pass through
Trusted third party's KDC key distribution center generates session key KS, is realized using SM2 elliptic curve public key cryptographic and digital signature
Session key KS's is shared between client and server end, establishes safe lane;(3) management of session key: algorithm is used
To generate disposable session key, while key is effectively distributed, stored and cancelled;(4) transmission of real time data:
It establishes after safe lane, communicating pair carries out AES symmetric cryptography transmission to real time data with shared session key KS, realizes
To the safe transmission of data;KDC can be cancelled when secondary session key after a conversation end, realize the encryption of " one-time pad "
Mode is to guarantee the safety of data transmission procedure.The disposable session key: I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is in body
Cryptographic Hash made by part authentication phase regards the seed of secrecy as, and every all to be replaced with its primary value, cryptographic operation uses
AES encryption, using the value of R as newly generated key value.
Beneficial effects of the present invention: present invention discusses a kind of real-time data communication safety methods, logical by analysis data
The architecture and data characteristics of letter system determine the two big critical issues for influencing data communications security, i.e. validated user body
The transmission problem of part authentication question and sensitive data.Secondly, encryption system is transmitted in conjunction with existing identity identifying technology and data,
I.e. HMAC identity identifying technology constructs Model of Identity Authentication System, by certification decoder and authenticates compiling of the encoder to message, with
And cipher key source generates the random key K value with timeliness, the operation of server end and client HMAC (K, mac) are realized effective
Authentication.Again by the building that key distribution center KDC is serviced, the management of KDC cipher key list, one-time pad is with secret
The foundation of safe lane is completed in the distribution of key.Finally by SM2 ellipse curve public key cipher algorithm and AES symmetric encipherment algorithm
Combination, guarantee under the premise of not influencing message transmission rate complete real time data safe transmission.
Using HMAC identifying algorithm, user identity authentication and authority acquiring in realization system guarantee the access of private services device
The reliability of person solves first of security protection of entire communication system security.A safe and reliable communication channel is established, it is real
Existing safety of the sensitive data on network transmission channel, guarantee data integrality and can not being tampered property.
Present invention primarily contemplates data communications security problem present in current network, in conjunction with existing safe practice,
On data communication system structure, it is logical that data safety is completed in terms of effective authentication and data security transmission two
The process of letter, solution security is higher, and feasibility is higher.It can be seen that building real-time data communication method is significant.
Detailed description of the invention
Fig. 1 is data communications security architecture diagram;
Fig. 2 is authentication procedures flow chart;
Fig. 3 is the session key shared procedure based on KDC;
Fig. 4 is real-time data encryption transmission process.
Specific embodiment
Further refinement explanation is made to real-time data communication safety method below, it includes the following steps:
Step 1, the parsing of data communications security framework: according to data communication system integral structural system, combined data communication
Data communications security framework can be divided into 3 bulks by the demand for security of process.Wherein, the area I is external network, and client passes through
External network carries out the access and data manipulation of built-in system in local area network.First of firewall, to realize to center local
Its mutual access control between higher level's net, Internet is realized in the safeguard protection of net using the filtering function of firewall.
The area II middling speed leads to the intrusion detection module of firewall, realizes to the safeguard protection of scheduling central office domain net, utilizes speed
Logical firewall can detect in network data flow automatically potentially invades, attacks and abuse route, realizes and joins with firewall module
Dynamic, adjust automatically control rule provides dynamic network protection for entire local area network.
The area III is intranet, includes application server, data server and KDC Key Management Center.Three is constituted
Internal private clound, stores the information of the sensitive data and other equipment in system.The second on its Intranet boundary is prevented fires
The included authentication function of wall, may be implemented internal user certification, at the same can in conjunction with the original domain user authentication of user or
Radius certification, realizes the access control of user class.
Step 2, data communications security analysis: two important problems involved in general data communication process: 1. recognize
(identification) problem of card, it is ensured that the legitimacy of communicating pair and the authenticity of data prevent from the active attacks such as distorting, pretend to be.②
Privacy concerns prevent attacker from decoding the confidential information in system server.It, can be with by data communications security Architecture Analysis
Seeing has following 3 for data communications security threat.
(1) authentication and unauthorized access
The certification that User ID and password are only relied in the Generally Recognized as safe prevention of system is very dangerous, is easy to be hypothesized or steal
It takes, very big security risk can be brought.Unauthorized user violates the operation of security strategy by personation, identity attack etc., keeps away
The defects of security mechanism or utilization security system of open system, carry out non-normal use to internal server resource.Therefore it needs
User identity authentication and authorization control mechanism based on Unified Policy are established based on application service and external information system, with area
Not different users and message reference person, and authorize their different message references and issued transaction permission.
(2) it the monitoring of data and steals
Monitoring refers to that attacker transmits information by means of acquisitions such as technical equipment, technological means.Client and server end
During transmitting data by network channel, it is understood that there may be situations such as information is monitored, and data are stolen, so in entire net
Situations such as data transmitted in network channel must be the ciphertext by strictly handling, and prevent loss of data.
(3) it the corrupt of unauthorized and distorts
Attacker destroys data or is distorted in network transmission channel midway intercepted data.Communicating pair can lead to
It crosses and completeness check is carried out to data to detect integrality.However a threat is still remained, if attacker is complete to data
Property check code itself modify, receive user still will be considered that data integrity is destroyed and abandons data.So communicating
During both sides carry out data transmission, identity authentication scheme and timestamp are introduced in the packet to prevent corrupt and usurp
Change.
For above-mentioned safety analysis, in conjunction with client and server communication mechanism in system, propose that HMAC identity is recognized
Card technology carries out Hash operation using the interim conversation random value that mobile phone mac value with uniqueness and server end generate, real
Existing ID authentication mechanism.By the Key Management Center of KDC, the session key with timeliness is generated, SM2 elliptic curve is utilized
Public key encryption and digital signature realize shared and communication two party effective certification of session key, while being added using AES data
It is close to construct Hybrid Encryption Protocol to complete the safe transmission of sensitive data, so that attacker is (not over security system certification
User) even if intercepted data, it is failed due to that can not decrypt.
Step 3, authentication selection: in safe communication system, when client will access private services device, first have to
Authentication of the server to client is carried out, to verify the legitimacy of client user's identity.HMAC body is used in the system
Part authentication techniques, entire authentication model is by certification encoder, cipher key source and certification decoder three parts composition.Authenticate encoder pair
The message of transmission generates authentication code, and cipher key source generates timeliness random key K, and certification decoder tests the message received
Card.Message authentication process is as follows:
1) client issues logging request;
2) being generated by the cipher key source of server end, there is the random key K of timeliness to return to client;
3) the certification encoder of client generates certification message with message of the random key K to sending, and is sent to service
Device end;
4) after received server-side to certification message, by the legitimacy of certification decoder verifying message, then receive if legal,
Otherwise it abandons.
Step 4, authentication procedures: the characteristics of according to data user, data communication system will distribute to user without repeating
Work number.User carries out logging request Q by user name and login password at client.Received server-side is to logging request
After Q, the random number K with timeliness is returned to client in response, and record K in a session.Then client
To obtain its equipment unique identifier mac value automatically, and this mac value and K are done into HMAC operation, obtain informative abstract HMAC (K,
mac).Then server end is sent by this informative abstract.
Meanwhile server end is carried out using random number K with the address mac for being stored in the user in server database
HMAC operation.Then the operation result of the operation result of server and client is compared.If result is consistent, by recognizing
Card, user get the Service Privileges of access data.If result is inconsistent, application, login failure are rejected.
Wherein hmac algorithm indicates are as follows:
HMAC message authentication technology can verify the authorization data and authentication data of communicating pair receiving, can be confirmed simultaneously
The command request that server end receives is the request authorized, and can guarantee that order is not changed during transmission
It moved.Random value k during simultaneous session has timeliness, can reduce the harm of Key Exposure bring.
The foundation of step 5, safe lane: in data communication system, safe user identity authentication system guarantee is
The access safety of system, and the data transmission security in system is also important research contents.When user accesses system Intranet, visitor
The data of family end and server end transmission, it should use end-to-end cipher mode, data on channel and switching node with
The form of ciphertext exists.During system real-time data communication, session is generated by trusted third party's KDC key distribution center
Key KS realizes session key KS between client and server end using SM2 elliptic curve public key cryptographic and digital signature
It is shared, to establish safe lane.
Step 6, the one-time-pad system design based on KDC: during data communication, in order to guarantee the secret of message
Property require communicating pair to carry out identity validation by signature simultaneously during session key is shared, complete communicating pair and shake hands
Process guarantees the safety of session to establish safe lane.Assuming that needing when A wishes to be communicated with B locally generated
Respective public key pair, by public key PKAAnd PKBIt is stored in the list of public keys of KDC, A and B respectively possess private key SKAAnd SKB, specific
Process is as follows:
(1) KDC receives the session key request of A sending
Secret key request message includes the identification identifier of A and B, indicates that A wishes to obtain the session key communicated with B.
(2) A receives the key request response message of KDC reply i.e.:
Key response message includes 4 contents, and guarantees that the message only has A that could decrypt with the public key encryption of A.First
Item content is disposable session key KS;Section 2 content is the public key PK of BB;Section 3 content is encrypted with the public key of B
Disposable session key KS and A public key, this content A is directly forwarded to B after receiving, for proving oneself identity;The
Four contents are current time node T1, to determine response message not by Replay Attack.
(3) A carries out corresponding decryption oprerations i.e.:
Thus to obtain session key KS and timing node T1, and it is sent to by KDC the data packet of B.
(4) A sends data packet to B
Its content sent includes 2 contents.First item content is the data packet to B that KDC cipher key center generates, by A
In generation, issues B;Section 2 content is the A session key of the private key signature of oneself and two timing node T1, T2, for being carried out with B
Authentication, to determine that data are not leaked and distorted by stealing in transmission process.
(5) data packet is decrypted in B
It whether consistent obtains session key KS, the KS that comparison is sent by KDC and the KS that customer end A is sent, and compares two
The interval of secondary timing node, it is ensured that the reliability of session.
(6) B sends data packet as the response to A to A
Response message is added again with the session key KS and three times of the private key signature of B later by the public key encryption of A
Point, T1, T2, T3, it is used as the acknowledgement messaging to A.
(7) A authenticates the message that B is sent
A and B carries out again authentication in cipher key transmitting process, guarantees the authenticity of communicating pair, to T1、T2And T3
The inspection of timestamp more ensures not to be intercepted or distort in cipher key transmitting process.Pass through above step, session key KS
It has been securely distributed to A and B.
The management of step 7, session key: for KDC cipher key center, the generation of session key is one very crucial
Problem, should ensure that generation session key be randomly or pseudo-randomly, in order to meet this demand, here using following algorithm come
Generate disposable session key:
I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is in body
Cryptographic Hash made by part authentication phase regards the seed of secrecy as, every all to be replaced with its primary value, cryptographic operation is adopted
Use AES encryption.Using the value of R as newly generated key value.Since date/time value has nonrepeatability and aes algorithm
Superperformance, therefore generate key have very strong unpredictability, meet the random demand to key.
Before user carries out secret communication, needs to generate session key by key distribution center and distribute to user couple
Side.The session key needs to be protected by encryption key, and encryption key general life cycle is longer, can pass through craft
Mode is distributed between KDC and user.
After all keys generate, key list can be stored in ciphertext form.In key list each single item the main contents include:
Mark, key name, our identity, other party identity, ciphertext etc..Point out whether the key can be used by mark domain.
When needing to cancel a certain key that user both sides share, the key is found according to key name in key list,
The mark domain for setting this is " unavailable ".In general, data key life cycle is very short, once intercommunication finishes, just by institute
Data key is cancelled, so realizing the cipher mode of " one-time pad " to a certain extent.
The transmission of step 8, real time data: it after communicating pair A and B establish safe lane, is secondly counted in real time
According to transmission, transmission process is as follows.
(1) A is encrypted to obtain ciphertext using aes algorithm with session key KS to the plaintext to be transmitted first, sufficiently benefit
With the fast advantage of the enciphering rate of aes algorithm.
(2) content received is decrypted using AES using session key KS by network transmission to the end B, B for ciphertext,
It quickly obtains in plain text.B uses same step to the process that A sends information.
(3) current sessions once terminate, and session key is dropped, and it is close that next session needs to regenerate new session
Key.
Step 9, safety analysis: may be the random key that cipher key source generates by security attack in entire verification process
K and sender's HMAC message authentication code can not extrapolate user information, the random key K that cipher key source generates according to the two values
Only in current sessions effectively, so greatly strengthening safety and practicability.HMAC identity is applied in data communication system
Authentication techniques can verify the information source and the stay of two nights of message, can more ensure the certification to informed source;Secondly, verifying message exists
It is not forged and distorts in transmit process, i.e., to the certification of message content;In addition, verifying message is not retransmitted in transmit process
Or delay etc., i.e. the certification to message timeliness.
(1) verifying of session both sides identity.Lack effectively recognizing to session both sides' identity in traditional one-time-pad system
Card, so that the exchange process of information, there are security risk, it is double right that " one-time pad " scheme of being somebody's turn to do realizes communication in a session
The authentication again of side, ensure that the identity reality and trustworthiness of session both sides, prevents the attack of network cheating.
(2) session initiated every time all joined current timing node in message transmitting procedure, for identifying this
The time state of session, the validity of verification time node during generating session key, and each session setup
Time is all different, to prevent Replay Attack.
(3) since the state at each moment of session is different, the random seed value during communicating pair is also different, this
Sample ensure that each interim conversation key be all it is different, be truly realized " one-time pad ", enormously simplify key
Distribution and management, so that user can be convenient, pellucidly using this encryption system without being concerned about concrete details problem.
(4) the advantages of taking full advantage of AES and SM2 elliptic curve encryption algorithm, using the highly-safe feature of SM2 come
The session key that encrypted confidential is higher, data volume is small encrypts a large amount of of ession for telecommunication using the fireballing advantage of AES encryption
Real time data meets and transmits the requirement in speed in the data during interim conversation.
Claims (2)
1. a kind of real-time data communication safety method, it is characterised in that: comprise the steps of: step (1) authentication procedures: using
Family carries out logging request Q by user name and login password at client, after received server-side to logging request Q, returns
The random number K with timeliness is returned to client in response, and record K in a session, then client will obtain automatically
Its equipment unique identifier mac value is taken, and this mac value and K are done into HMAC operation, obtains informative abstract HMAC (K, mac), then
Server end is sent by this informative abstract;Meanwhile server end using random number K and is stored in this in server database
The address mac of user carries out HMAC operation, then compares the operation result of the operation result of server and client, if knot
Fruit is consistent, then by certification, user gets the Service Privileges of access data, if result is inconsistent, rejects application, logs in and lose
It loses;(2) it the foundation of safe lane: during system real-time data communication, is produced by trusted third party's KDC key distribution center
Raw session key KS realizes that session is close between client and server end using SM2 elliptic curve public key cryptographic and digital signature
Key KS's is shared, establishes safe lane;(3) management of session key: disposable session key is generated using algorithm, while right
Key is effectively distributed, stored and is cancelled;(4) transmission of real time data: after establishing safe lane, communicating pair is used
Shared session key KS carries out the transmission of AES symmetric cryptography to real time data, realizes the safe transmission to data;In a session
After KDC can cancel when time session key, realize the cipher mode of " one-time pad " to guaranteeing data transmission procedure
Safety.
2. a kind of real-time data communication safety method according to claim 1, it is characterised in that: the disposable session
Key: I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is recognized in identity
Cryptographic Hash made by the card stage regards the seed of secrecy as, and every all to be replaced with its primary value, cryptographic operation uses AES
Encryption, using the value of R as newly generated key value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811144260.0A CN109150906A (en) | 2018-09-29 | 2018-09-29 | A kind of real-time data communication safety method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811144260.0A CN109150906A (en) | 2018-09-29 | 2018-09-29 | A kind of real-time data communication safety method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109150906A true CN109150906A (en) | 2019-01-04 |
Family
ID=64813295
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811144260.0A Pending CN109150906A (en) | 2018-09-29 | 2018-09-29 | A kind of real-time data communication safety method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109150906A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109657426A (en) * | 2019-01-30 | 2019-04-19 | 贵州大学 | A kind of data source tracing method based on digital signature and digital watermarking |
CN111917796A (en) * | 2020-08-12 | 2020-11-10 | 杨银平 | Power grid equipment communication method |
CN113259306A (en) * | 2020-12-31 | 2021-08-13 | 上海自动化仪表有限公司 | Temperature transmitter integrating function safety and information safety and operation method thereof |
CN114258013A (en) * | 2020-09-11 | 2022-03-29 | 中国联合网络通信集团有限公司 | Data encryption method, device and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101039225A (en) * | 2007-04-04 | 2007-09-19 | 北京佳讯飞鸿电气有限责任公司 | Method for realizing data safe transmission of distribution cooperating intrusion detection system |
CN103997484A (en) * | 2014-02-28 | 2014-08-20 | 山东量子科学技术研究院有限公司 | SIP (Session Initiation Protocol) signaling safety communication system and method of quantum cryptography network |
US20150281195A1 (en) * | 2014-03-31 | 2015-10-01 | EXILANT Technologies Private Limited | Increased communication security |
CN105721499A (en) * | 2016-04-07 | 2016-06-29 | 周文奇 | Information security system of industrial communication security gateway |
CN106411525A (en) * | 2016-09-23 | 2017-02-15 | 浙江神州量子网络科技有限公司 | Message authentication method and system |
CN107506668A (en) * | 2017-08-31 | 2017-12-22 | 北京计算机技术及应用研究所 | A kind of USB flash disk access method based on communication information real-time authentication |
-
2018
- 2018-09-29 CN CN201811144260.0A patent/CN109150906A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101039225A (en) * | 2007-04-04 | 2007-09-19 | 北京佳讯飞鸿电气有限责任公司 | Method for realizing data safe transmission of distribution cooperating intrusion detection system |
CN103997484A (en) * | 2014-02-28 | 2014-08-20 | 山东量子科学技术研究院有限公司 | SIP (Session Initiation Protocol) signaling safety communication system and method of quantum cryptography network |
US20150281195A1 (en) * | 2014-03-31 | 2015-10-01 | EXILANT Technologies Private Limited | Increased communication security |
CN105721499A (en) * | 2016-04-07 | 2016-06-29 | 周文奇 | Information security system of industrial communication security gateway |
CN106411525A (en) * | 2016-09-23 | 2017-02-15 | 浙江神州量子网络科技有限公司 | Message authentication method and system |
CN107506668A (en) * | 2017-08-31 | 2017-12-22 | 北京计算机技术及应用研究所 | A kind of USB flash disk access method based on communication information real-time authentication |
Non-Patent Citations (1)
Title |
---|
杨新欢,等: ""电网数据通信安全服务***应用研究"", 《通信技术》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109657426A (en) * | 2019-01-30 | 2019-04-19 | 贵州大学 | A kind of data source tracing method based on digital signature and digital watermarking |
CN109657426B (en) * | 2019-01-30 | 2023-08-15 | 贵州大学 | Data tracing method based on digital signature and digital watermark |
CN111917796A (en) * | 2020-08-12 | 2020-11-10 | 杨银平 | Power grid equipment communication method |
CN111917796B (en) * | 2020-08-12 | 2022-04-26 | 怀化建南电子科技有限公司 | Power grid equipment communication method |
CN114258013A (en) * | 2020-09-11 | 2022-03-29 | 中国联合网络通信集团有限公司 | Data encryption method, device and storage medium |
CN114258013B (en) * | 2020-09-11 | 2023-10-31 | 中国联合网络通信集团有限公司 | Data encryption method, device and storage medium |
CN113259306A (en) * | 2020-12-31 | 2021-08-13 | 上海自动化仪表有限公司 | Temperature transmitter integrating function safety and information safety and operation method thereof |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111371730B (en) | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene | |
CN103491072B (en) | A kind of border access control method based on double unidirection insulation network brakes | |
US10243742B2 (en) | Method and system for accessing a device by a user | |
CN103354498B (en) | A kind of file encryption transmission method of identity-based | |
CN114553568A (en) | Resource access control method based on zero-trust single packet authentication and authorization | |
CN109327313A (en) | A kind of Bidirectional identity authentication method with secret protection characteristic, server | |
CA2949847A1 (en) | System and method for secure deposit and recovery of secret data | |
Chattaraj et al. | A new two-server authentication and key agreement protocol for accessing secure cloud services | |
CN105162808B (en) | A kind of safe login method based on national secret algorithm | |
Rahman et al. | Security in wireless communication | |
CN109150906A (en) | A kind of real-time data communication safety method | |
CN103001976A (en) | Safe network information transmission method | |
CN104767731A (en) | Identity authentication protection method of Restful mobile transaction system | |
CN101686127A (en) | Novel USBKey secure calling method and USBKey device | |
CN109729523A (en) | A kind of method and apparatus of terminal networking certification | |
CN110493162A (en) | Identity identifying method and system based on wearable device | |
CN101867473A (en) | Connection establishment method and access authentication system for blocking-attacking resistant shared media terminal | |
Alizai et al. | Key-based cookie-less session management framework for application layer security | |
CN110602083B (en) | Secure transmission and storage method of digital identity authentication data | |
CN105245338B (en) | A kind of authentication method and apparatus system | |
CN106230840B (en) | A kind of command identifying method of high security | |
Zhang et al. | Is Today's End-to-End Communication Security Enough for 5G and Its Beyond? | |
CN109067774A (en) | A kind of safety access system and its safety access method based on trust tokens | |
CN110248334A (en) | A kind of car-ground communication Non-Access Stratum authentication method of LTE-R | |
Xiao et al. | Security mechanisms, attacks and security enhancements for the IEEE 802.11 WLANs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20190104 |
|
WD01 | Invention patent application deemed withdrawn after publication |