CN109286599A - Data security protection method, smart device, server and readable storage medium - Google Patents

Publication number: CN109286599A
Authority: CN (China)
Prior art keywords: smart device, server, random number, data packet, authentication information
Legal status: Pending
Application number: CN201710596068.4A
Other languages: Chinese (zh)
Inventor: 于永庆
Current Assignee: Beijing Spreadtrum Hi Tech Communications Technology Co Ltd
Original Assignee: Beijing Spreadtrum Hi Tech Communications Technology Co Ltd

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A data security protection method, smart device, server and readable storage medium. The method includes: when a firmware over-the-air (FOTA) upgrade is needed, sending smart device authentication information and a server authentication information request to a server at a preset period, the smart device authentication information including attribute information of the smart device; receiving server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart device and the information stored on the server itself, that the smart device is legitimate; and verifying the received server authentication information and, when the verification succeeds, establishing a secure communication connection with the server. With this scheme, communication security during a smart device system upgrade can be improved.

Description

Data security protection method, smart device, server and readable storage medium
Technical field
The embodiments of the present invention relate to the field of information security technology, and in particular to a data security protection method, a smart device, a server and a readable storage medium.
Background
With the rapid development of the mobile Internet and the Internet of Things, more and more smart devices are connected to the network. Flaws may appear as smart devices are introduced and developed. To give users a better experience, a smart device may be upgraded one or more times during its life cycle.
Currently, smart devices are generally upgraded using over-the-air download software upgrade for mobile terminals (Firmware Over The Air, FOTA). Using FOTA to remotely upgrade the system in a smart device improves convenience for users and operators, and also saves the labor and material costs borne by the operator.
However, while the system in a smart device is being remotely upgraded using FOTA technology, the smart device is vulnerable to hacker attack, and security is low.
Summary of the invention
The technical problem solved by the embodiments of the present invention is how to improve communication security during a smart device system upgrade.
To solve the above technical problem, an embodiment of the present invention provides a data security protection method, comprising: when a firmware over-the-air upgrade is needed, sending smart device authentication information and a server authentication information request to a server at a preset period, the smart device authentication information including attribute information of the smart device; receiving server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart device and the information stored on the server itself, that the smart device is legitimate; and verifying the received server authentication information and, when the verification succeeds, establishing a secure communication connection with the server.
Optionally, the smart device authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart device.
Optionally, verifying the received server authentication information comprises: obtaining the first random number and the random number signature value from the server authentication information; decrypting the random number signature value using the server public key stored on the smart device, and checking whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, the verification being recorded as successful when the two are consistent, wherein the server public key matches the server private key preset on the server.
Optionally, the method further comprises: after the secure communication connection with the server is established, receiving an encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server by encrypting the upgrade data packet of the system to be upgraded using a preset first encryption algorithm, wherein the first encryption algorithm encrypts using a first key and belongs to the set of algorithms supported by the smart device; and decrypting the received encrypted upgrade data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
Optionally, the method further comprises: after the received encrypted upgrade data packet is decrypted to obtain the corresponding upgrade data packet, verifying the decrypted upgrade data packet and confirming that the upgrade data packet is correct.
Optionally, verifying the decrypted upgrade data packet and confirming that the upgrade data packet is correct comprises: performing a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and sending the calculated MAC check code to the server, so that the server compares the received MAC check code with a stored MAC check code and sends the MAC check code comparison result to the smart device; and receiving the MAC check code comparison result sent by the server, and confirming that the upgrade data packet is correct when the comparison result shows that the two are consistent.
Optionally, the method further comprises: when the MAC check code comparison result shows that the two are inconsistent, sending an upgrade data packet retransmission request to the server.
Optionally, the method further comprises: before verifying the decrypted upgrade data packet, verifying the signature information of the upgrade data packet using the server public key.
Optionally, the upgrade data packet is a differential package or a full package.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, decrypting the received encrypted upgrade data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm comprises: decrypting the received encrypted data using the first key and the decryption algorithm corresponding to the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and storing the decrypted data at a preset location; and, when decrypting the last packet of data, removing the padding data according to the number of padding bytes indicated by the last byte, obtaining the last packet of decrypted data and storing it at the preset location.
Optionally, the smart device authentication information further includes: a second random number, the second random number being generated by the smart device.
Optionally, the first key is generated as follows:
after the secure communication connection with the server is established, generating random cipher data from the first random number and the second random number; and, using a message digest algorithm, performing an operation on the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the smart device generating the random cipher data from the first random number and the second random number comprises: shifting the second random number left by N and XORing it with the first random number shifted right by N, wherein the first random number is much larger than M and the second random number is much smaller than M, M being an integer and N a positive integer; and using the XOR result as the random cipher data.
Optionally, the smart device generating the random cipher data from the first random number and the second random number comprises: using the first random number and the second random number as key factors and generating the random cipher data by a message digest algorithm operation.
An embodiment of the present invention also provides a smart device, including a memory and a processor, the memory storing computer instructions that can run on the processor, the processor performing the steps of any of the data security protection methods described above when running the computer instructions.
An embodiment of the present invention also provides a computer-readable storage medium, adapted to run on a smart device, the smart device being adapted to communicate with a server, the computer-readable storage medium storing computer instructions which, when run, perform the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a data security protection method, comprising: when a firmware over-the-air upgrade of a smart device is needed, receiving smart device authentication information and a server authentication information request sent by the smart device at a preset period, the smart device authentication information including attribute information of the smart device; confirming that the smart device is legitimate according to the obtained attribute information of the smart device and the information stored on the server itself; and, after receiving the server authentication information request and upon confirming that the smart device is legitimate, generating server authentication information and sending it to the smart device, so that the smart device verifies the received server authentication information and, when the verification succeeds, establishes a secure communication connection with the server.
Optionally, the smart device authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart device.
Optionally, generating the server authentication information comprises: after receiving the server authentication information request and confirming that the smart device is legitimate, generating the first random number; encrypting the first random number using a preset server private key to obtain the random number signature value; obtaining the encryption algorithms supported by the smart device from the smart device authentication information and selecting an encryption algorithm; and generating the authentication information from the random number, the random number signature value and the selected encryption algorithm.
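The exchange described in the verification step and the generation step above can be traced end to end. The following Python sketch is an added example, not code from the patent: it uses textbook RSA with a constructed demo key as a stand-in for the unspecified signature algorithm, and the message field names, device records and algorithm names are hypothetical.

```python
import secrets

# Constructed demo key built from two known Mersenne primes. Far too small for
# real use; it only lets the exchange run without third-party libraries.
P, Q = 2**127 - 1, 2**89 - 1
N_MOD, E = P * Q, 65537                  # server public key, preset on the device
D = pow(E, -1, (P - 1) * (Q - 1))        # preset server private key (exponent)

SERVER_ALGOS = ["AES-128", "3DES"]       # hypothetical server preference order
KNOWN_DEVICES = {"SN-0001": "demo-cam"}  # hypothetical stored records: serial -> model


def device_hello(serial, model, supported):
    """Device -> server: attribute info, supported algorithm set, second random number."""
    return {
        "attrs": {"serial": serial, "model": model},
        "algos": list(supported),
        "r2": secrets.randbits(128),
        "server_auth_request": True,
    }


def server_respond(hello):
    """Server -> device: first random number, its signature value, selected algorithm.

    Returns None when the device attributes do not match the stored information
    or no common algorithm exists, so no server authentication info is issued.
    """
    attrs = hello["attrs"]
    if KNOWN_DEVICES.get(attrs["serial"]) != attrs["model"]:
        return None
    chosen = next((a for a in SERVER_ALGOS if a in hello["algos"]), None)
    if chosen is None or not hello.get("server_auth_request"):
        return None
    r1 = secrets.randbits(128)           # always smaller than N_MOD
    # "Encrypting the first random number with the private key" as the text puts
    # it. A deployed system would use a padded signature scheme such as RSA-PSS.
    return {"r1": r1, "sig": pow(r1, D, N_MOD), "algo": chosen}


def device_verify(resp, supported):
    """Device side: decrypt the signature value with the public key and compare."""
    if resp is None or resp["algo"] not in supported:
        return False                     # selected algorithm must be one we offered
    recovered = pow(resp["sig"], E, N_MOD)
    return recovered == resp["r1"]


if __name__ == "__main__":
    hello = device_hello("SN-0001", "demo-cam", ["3DES", "AES-128"])
    resp = server_respond(hello)
    print("selected:", resp["algo"], "verified:", device_verify(resp, hello["algos"]))
```

The device check covers both conditions the text places on the server authentication information: the signature value must recover the first random number, and the selected algorithm must belong to the set the device offered.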
Optionally, the method further comprises: after the secure communication connection with the smart device is established, encrypting the upgrade data packet of the system to be upgraded using a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the set of algorithms supported by the smart device; and sending the encrypted upgrade data packet to the smart device, so that the smart device, on receiving the encrypted upgrade data packet, decrypts it using the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
Optionally, the method further comprises: after the upgrade data packet is sent to the smart device, receiving a MAC check code sent by the smart device, the MAC check code being obtained by the smart device by performing a MAC operation on the received upgrade data packet using a message digest algorithm; and comparing the received MAC check code with the stored MAC check code and sending the MAC check code comparison result to the smart device, so that the smart device confirms that the upgrade data packet is correct when the received comparison result shows that the two are consistent.
Optionally, the method further comprises: receiving an upgrade data packet retransmission request sent by the smart device, the retransmission request being generated by the smart device when the MAC check code comparison result shows that the two are inconsistent.
Optionally, the method further comprises: before encrypting the upgrade data packet of the system to be upgraded using the preset first encryption algorithm, signing the upgrade data packet using the server private key and writing the signature information into the upgrade data packet.
Optionally, the upgrade data packet is a differential package or a full package.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, encrypting the upgrade data packet of the system to be upgraded using the preset first encryption algorithm to obtain the encrypted upgrade data packet comprises: reading 16 bytes of data from the upgrade data packet each time and encrypting them as one packet of data, and sending the encrypted 16 bytes of data to the smart device; and, when generating the last data packet, if the remaining data is less than 16 bytes, padding with 0 from after the last data byte up to the second-to-last byte, the last byte being the number of bytes of padding.
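The 16-byte packet framing described for the server here, and the matching padding removal described earlier for the device, leave one case open: a final packet that is already full carries no padding, yet its last byte would still be read as a padding count. The following Python sketch is an added example, not code from the patent; encryption is left out so that only the framing is shown, the padding count is assumed to include the count byte itself, and the `total_len` parameter is a hypothetical length field.

```python
BLOCK = 16  # packet size stated in the text


def split_and_pad(data: bytes) -> list:
    """Server side: cut into 16-byte packets; pad only a short final packet."""
    packets = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if packets and len(packets[-1]) < BLOCK:
        fill = BLOCK - len(packets[-1])
        # zeros up to the second-to-last byte, then the count (assumed to count itself)
        packets[-1] += bytes(fill - 1) + bytes([fill])
    return packets


def strip_as_described(last: bytes) -> bytes:
    """Device rule exactly as written: trust the last byte as the padding count."""
    return last[:BLOCK - last[-1]]


def strip_checked(last: bytes) -> bytes:
    """Same rule, rejecting counts and filler that split_and_pad cannot produce."""
    if len(last) != BLOCK:
        raise ValueError("final packet is not 16 bytes")
    fill = last[-1]
    if not 1 <= fill <= BLOCK - 1:
        raise ValueError("padding count out of range")
    if any(last[BLOCK - fill:-1]):
        raise ValueError("non-zero filler bytes")
    return last[:BLOCK - fill]


def reassemble(packets, total_len=None):
    """Rebuild the upgrade data from decrypted packets.

    Without total_len the last byte is always treated as a padding count, so a
    full final packet that happens to end in valid-looking padding is silently
    truncated. A declared length (hypothetical field, ideally covered by the
    package signature) removes that ambiguity.
    """
    if not packets:
        return b""
    body, last = b"".join(packets[:-1]), packets[-1]
    if total_len is None:
        return body + strip_checked(last)
    if total_len == len(body) + BLOCK:   # final packet was full: nothing was added
        return body + last
    out = body + strip_checked(last)
    if len(out) != total_len:
        raise ValueError("padding count disagrees with declared length")
    return out


if __name__ == "__main__":
    sample = bytes(range(1, 38))         # constructed 37-byte payload
    print(reassemble(split_and_pad(sample)) == sample)
```

Validation alone cannot tell a padded packet from a full packet whose data ends in zero bytes and a small number; only the declared length, or a sender that always appends padding, resolves it.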
Optionally, the smart device authentication information further includes: a second random number, the second random number being generated by the smart device.
Optionally, the first key is generated as follows: receiving encrypted random cipher data sent by the smart device, the encrypted random cipher data being generated by the smart device, after it establishes the secure communication connection with the server, from the first random number and the second random number, and encrypted using the server public key; decrypting the received encrypted random cipher data using the server private key to obtain the random cipher data; and, using the message digest algorithm, performing an operation on the random cipher data, the first random number and the second random number to obtain the first key.
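Both ways of producing the random cipher data given for the device, and the first-key derivation that device and server share, can be written out as follows. This Python sketch is an added example, not code from the patent: SHA-256 as the message digest algorithm, bit shifts for "shift by N", the 16-byte key length, and the length-prefixed encoding are all assumptions, and the public-key transport of the random cipher data is not shown.

```python
import hashlib


def _int_bytes(x: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def _framed(part: bytes) -> bytes:
    """Length-prefix each digest input so that concatenation is unambiguous."""
    return len(part).to_bytes(2, "big") + part


def rcd_shift_xor(r1: int, r2: int, n: int) -> bytes:
    """Variant 1: (R2 shifted left by N) XOR (R1 shifted right by N)."""
    if n <= 0:
        raise ValueError("N must be a positive integer")
    return _int_bytes((r2 << n) ^ (r1 >> n))


def rcd_digest(r1: int, r2: int) -> bytes:
    """Variant 2: R1 and R2 as key factors fed to the message digest algorithm."""
    return hashlib.sha256(_framed(_int_bytes(r1)) + _framed(_int_bytes(r2))).digest()


def derive_first_key(rcd: bytes, r1: int, r2: int, key_len: int = 16) -> bytes:
    """First key = digest(random cipher data, R1, R2), truncated to key_len bytes.

    Every input is a function of R1, R2 and N, so the key is only as secret as
    those values are while they travel between device and server.
    """
    h = hashlib.sha256()
    for part in (rcd, _int_bytes(r1), _int_bytes(r2)):
        h.update(_framed(part))
    return h.digest()[:key_len]


if __name__ == "__main__":
    # Constructed sample values: R1 large, R2 small, as the text requires.
    r1 = 0xC3A5_0F1E_2D3C_4B5A_6978_8796_A5B4_C3D2
    r2 = 0x1F2E3D4C
    rcd = rcd_shift_xor(r1, r2, 8)
    device_key = derive_first_key(rcd, r1, r2)
    server_key = derive_first_key(rcd, r1, r2)   # server uses the rcd it decrypted
    print(device_key.hex(), device_key == server_key)
```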
Optionally, the method further comprises: before obtaining the attribute information of the smart device from the received smart device authentication information, verifying the identity of the person logging in and confirming that the identity is legitimate.
Optionally, verifying the identity of the person logging in comprises: verifying the identity using two-factor authentication, the two factors including: a private key signature, and a user name with its corresponding login password.
Optionally, verifying the identity of the person logging in using two-factor authentication comprises: obtaining the private key signature of the person logging in through the public key infrastructure by means of a USB key (U-shield), and confirming that it is consistent with the identity information stored in the server; and obtaining the user name and login password entered by the person logging in, comparing them respectively with the information stored in the public key infrastructure and the information stored in the server, and confirming that they are consistent.
Optionally, the server is an over-the-air download software upgrade server.
An embodiment of the present invention also provides a server, including a memory and a processor, the memory storing computer instructions that can run on the processor, the processor performing the steps of any of the data security protection methods described above when running the computer instructions.
An embodiment of the present invention also provides a computer-readable storage medium, adapted to run on a server, the server being adapted to communicate with a smart device, the computer-readable storage medium storing computer instructions which, when run, perform the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a smart device, adapted to perform a firmware over-the-air upgrade, comprising: a first sending unit, adapted to send smart device authentication information and a server authentication information request to a server at a preset period, the smart device authentication information including attribute information of the smart device; a first receiving unit, adapted to receive server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart device and the information stored on the server itself, that the smart device is legitimate; a first verification unit, adapted to verify the received server authentication information; and a communication connection establishing unit, adapted to establish a secure communication connection with the server when the server authentication information is verified successfully.
Optionally, the smart device authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart device.
Optionally, the first verification unit is adapted to obtain the first random number and the random number signature value from the server authentication information; decrypt the random number signature value using the server public key stored on the smart device, and check whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, recording the verification as successful when the two are consistent, wherein the server public key matches the server private key preset on the server.
Optionally, the smart device further comprises a second receiving unit and a first decryption unit, wherein: the second receiving unit is adapted to receive, after the secure communication connection with the server is established, an encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server by encrypting the upgrade data packet of the system to be upgraded using a preset first encryption algorithm, wherein the first encryption algorithm encrypts using a first key and belongs to the set of algorithms supported by the smart device; and the first decryption unit is adapted to decrypt the received encrypted upgrade data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
Optionally, the smart device further comprises: a second verification unit, adapted to verify the decrypted upgrade data packet after the received encrypted upgrade data packet is decrypted to obtain the corresponding upgrade data packet, and to confirm that the upgrade data packet is correct.
Optionally, the second verification unit is adapted to perform a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and send the calculated MAC check code to the server, so that the server compares the received MAC check code with a stored MAC check code and sends the MAC check code comparison result to the smart device; and to receive the MAC check code comparison result sent by the server and confirm that the upgrade data packet is correct when the comparison result shows that the two are consistent.
Optionally, the smart device further comprises: a retransmission request sending unit, adapted to send an upgrade data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
Optionally, the smart device further comprises: a third verification unit, adapted to verify the signature information of the upgrade data packet using the server public key before the second verification unit verifies the decrypted upgrade data packet.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, the first decryption unit is adapted to decrypt the received encrypted data using the first key and the decryption algorithm corresponding to the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and store the decrypted data at a preset location; and, when decrypting the last packet of data, to remove the padding data according to the number of padding bytes indicated by the last byte, obtain the last packet of decrypted data and store it at the preset location.
Optionally, the smart device authentication information further includes: a second random number, the second random number being generated by the smart device.
Optionally, the first decryption unit is adapted to generate, after the secure communication connection with the server is established, random cipher data from the first random number and the second random number; and, using a message digest algorithm, to perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the first decryption unit is adapted to shift the second random number left by N and XOR it with the first random number shifted right by N, wherein the first random number is much larger than M and the second random number is much smaller than M, M being an integer and N a positive integer; and to use the XOR result as the random cipher data.
Optionally, the first decryption unit is adapted to use the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
The embodiment of the present invention also provides a kind of server, is suitable for carrying out smart machine aerial downloading firmware upgrade, comprising: Third receiving unit, the smart machine authentication information and server sent suitable for receiving smart machine according to the preset period Authentication information request, the smart machine authentication information include: the attribute information of the smart machine;Confirmation unit is fitted According to the attribute information of the accessed smart machine and the information itself stored, confirm that the smart machine closes Method;Authentication information generation unit suitable for after receiving the server authentication information request, and confirms the intelligence After energy equipment is legal, server authentication information is generated;Second transmission unit is suitable for the server authentication information It is sent to the smart machine, so that the smart machine verifies the server authentication information received, And when being proved to be successful, secure communication is established with the server and is connect.
Optionally, the smart machine authentication information further include: the algorithm set supported.
Optionally, the server authentication information includes: the first random number, random number signature value and selected encryption Algorithm, wherein the selected Encryption Algorithm belongs to the algorithm set that the smart machine is supported.
Optionally, the authentication information generation unit, suitable for asking receiving the server authentication information It asks, and after confirming that the smart machine is legal, generates first random number;Using preset privacy key to described first Random number is encrypted, and the random number signature value is obtained;The smart machine is obtained from the smart machine authentication information The Encryption Algorithm of support, selected encryption algorithm;According to the random number, the random number signature value and selected Encryption Algorithm, Generate authentication information.
Optionally, the server further includes a second encryption unit and a third transmission unit, wherein: the second encryption unit is adapted to, after the secure communication connection with the smart machine has been established, encrypt the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the set of algorithms the smart machine supports; and the third transmission unit is adapted to send the encrypted upgrade data packet to the smart machine, so that when the smart machine receives the encrypted upgrade data packet it decrypts it using the first key and the decryption algorithm corresponding to the first encryption algorithm, obtaining the corresponding upgrade data packet.
Optionally, the server further includes a fourth receiving unit, a comparing unit and a fourth transmission unit, wherein: the fourth receiving unit is adapted to receive, after the upgrade data packet has been sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet using a message digest algorithm; the comparing unit is adapted to compare the received MAC check code with the stored MAC check code to confirm whether the two are consistent; and the fourth transmission unit is adapted to send the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the comparison result it receives shows that the two are consistent.
Optionally, the server further includes a fifth receiving unit, adapted to receive an upgrade data packet retransmission request sent by the smart machine, the retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
Optionally, the server further includes a third encryption unit, adapted to sign the upgrade data packet with the server private key and write the signature information into the upgrade data packet before the second encryption unit encrypts the upgrade data packet of the system to be upgraded with the preset first encryption algorithm.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, the second encryption unit is adapted to read 16 bytes of data from the upgrade data packet each time, encrypt them as one packet of data, and send the encrypted 16 bytes to the smart machine; when generating the last packet, if the remaining data is less than 16 bytes, the bytes from the end of the remaining data up to the second-to-last byte are filled with 0, and the last byte is the number of bytes of padding.
Optionally, the smart machine authentication information further includes a second random number, the second random number being generated by the smart machine.
Optionally, the second encryption unit includes a receiving subunit, a decryption subunit and a generation subunit, wherein: the receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the random cipher data being generated by the smart machine from the first random number and the second random number after the secure communication connection with the server has been established, and encrypted with the server public key; the decryption subunit is adapted to decrypt the received encrypted random cipher data with the server private key to obtain the random cipher data; and the generation subunit is adapted to apply the message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the server further includes a login identity verification unit, adapted to verify the identity of the person logging in, and confirm that this identity is legitimate, before the attribute information of the smart machine is obtained from the received smart machine authentication information.
Optionally, the login identity verification unit is adapted to verify the identity of the person logging in using two-factor authentication, the two factors including: a private key signature, a user name and the corresponding login password.
Compared with the prior art, the technical solutions of the embodiments of the present invention have the following advantages:
When a smart machine needs to download a firmware upgrade, it periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine according to the smart machine authentication information. The smart machine verifies the server according to the server authentication information the server sends and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established, and the smart machine allows the server to access it, only when the two have verified each other's identity and the verification has passed, communication security during the smart machine's system upgrade is improved and hacker attacks on the smart machine are effectively avoided.
When the server needs a smart machine to perform a firmware over-the-air upgrade and confirms from the received smart machine authentication information that the smart machine is a legitimate device, it sends server authentication information to the smart machine, so that the smart machine can verify the legitimacy of the server and establish a secure communication connection with the server after verification succeeds. Because the secure communication connection is established only when both the smart machine and the server have passed verification, communication security during the smart machine's system upgrade is improved and hacker attacks on the smart machine or the server are effectively avoided.
Further, after the smart machine and the server have established the secure communication connection, the server encrypts the upgrade data packet to obtain an encrypted upgrade data packet and sends it to the smart machine. Encrypting the upgrade data packet further improves the data security of the smart machine and the server during communication.
Further, the server verifies the identity of the person logging in, which prevents illegitimate users from logging in to the server. Verifying the identity of the person logging in to the server improves the security of server access rights, and in turn the security of communication with the smart machine.
Detailed description of the invention
Fig. 1 is a flow chart of a data security protection method in an embodiment of the present invention;
Fig. 2 is a flow chart of another data security protection method in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of a smart machine in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of another smart machine in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a server in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another server in an embodiment of the present invention.
Specific embodiment
As described above, when FOTA is used to remotely upgrade the system in a smart machine, the smart machine is vulnerable to hacker attack and security is low.
To solve the above problem, in the embodiments of the present invention, when a smart machine needs to download a firmware upgrade, it periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine according to the smart machine authentication information. The smart machine verifies the server according to the server authentication information the server sends and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established, and the smart machine allows the server to access it, only when the two have verified each other's identity and the verification has passed, communication security during the smart machine's system upgrade is improved and hacker attacks on the smart machine are effectively avoided.
To make the above objects, features and beneficial effects of the embodiments of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flow chart of a data security protection method in an embodiment of the present invention is given. The specific steps are described in detail below.
Step 11: send smart machine authentication information and a server authentication information request to the server at a preset period.
In specific implementations, when the smart machine needs to perform a firmware over-the-air upgrade, it can send smart machine authentication information and a server authentication information request to the server at the preset period.
In specific implementations, the smart machine authentication information can be used to identify the smart machine. The smart machine authentication information may include the attribute information of the smart machine. The attribute information may include the firmware product information of the smart machine, or the firmware version number of the smart machine, or both the firmware product information and the firmware version number.
It is understood that, in practical applications, the attribute information of the smart machine may also include other information capable of identifying the smart machine, which is not repeated here.
In an embodiment of the present invention, the server is a FOTA server. It is understood that the kind or type of server can differ according to the service the smart machine requires.
Step 12: receive the server authentication information sent by the server.
In specific implementations, after the server receives the smart machine authentication information sent by the smart machine, it can obtain the attribute information of the smart machine from the smart machine authentication information and, according to the obtained attribute information and the information it stores itself, confirm whether the smart machine is a legitimate device. When the smart machine is confirmed as legitimate and the server authentication information request has been received, the server can generate server authentication information.
In an embodiment of the present invention, the server can obtain the attribute information of the smart machine from the received smart machine authentication information. For example, the server obtains the firmware product information and firmware version number of the smart machine from the smart machine attribute information, and looks them up in a database. When the firmware product information and firmware version number of the smart machine are found in the database, the smart machine is confirmed as legitimate. When they are not found, the smart machine is confirmed as not being a legitimate device, and the provisional communication connection with the smart machine is interrupted. Here, a legitimate smart machine is one that has been registered on the server in advance. In specific implementations, while the connection between the smart machine and the server is a provisional communication connection, no business operation can be carried out; only some data and information can be transmitted.
In an embodiment of the present invention, the smart machine authentication information can also include: the set of encryption algorithms supported.
In specific implementations, the server authentication information may include: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms the smart machine supports.
In an embodiment of the present invention, the server can generate the server authentication information as follows: after confirming that the smart machine is legitimate, it generates the first random number. It encrypts the first random number with a preset server private key to obtain the random number signature value. It obtains from the smart machine authentication information the encryption algorithms the smart machine supports, and selects an encryption algorithm. It generates the server authentication information from the random number, the random number signature value and the selected encryption algorithm.
In specific implementations, the random number can be a string composed of digits, or a string composed of digits and letters.
Step 13: verify the received server authentication information and, when verification succeeds, establish a secure communication connection with the server.
In specific implementations, when the server authentication information sent by the server is received, the received authentication information can be verified. When the identity of the server is verified successfully, a secure communication connection with the server is established.
In specific implementations, the verification method used can differ according to the server authentication information.
In an embodiment of the present invention, the server authentication information can be verified as follows: the first random number and the random number signature value are obtained from the server authentication information. The smart machine decrypts the random number signature value with the server public key it stores, and confirms whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information; verification is recorded as successful when the two are consistent. Here, the server public key matches the preset server private key of the server.
The smart machine can use the server public key to decrypt the information that the server signed with its private key, thereby verifying the identity of the server. In an embodiment of the present invention, the server public key can be placed in the smart machine before the smart machine leaves the factory. For example, the server public key can be embedded in the program installed on the smart machine.
From the above scheme it can be seen that, when a smart machine needs to download a firmware upgrade, it periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine according to the smart machine authentication information. The smart machine verifies the server according to the server authentication information the server sends and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established, and the smart machine allows the server to access it, only when the two have verified each other's identity and the verification has passed, communication security during the smart machine's system upgrade is improved and hacker attacks on the smart machine are effectively avoided.
In specific implementations, when the system on some smart machines needs to be upgraded, an upgrade data packet must be sent to the smart machine. To improve the security of the upgrade data packet in transit, the server can encrypt the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, and send the encrypted upgrade data packet to the smart machine, wherein the first encryption algorithm encrypts using a first key and belongs to the set of algorithms the smart machine supports. The smart machine can receive the encrypted upgrade data packet sent by the server and decrypt it using the first key and the decryption algorithm corresponding to the first encryption algorithm, obtaining the corresponding upgrade data packet.
In specific implementations, the upgrade data packet can be a whole package or a difference package. A whole package is the complete data packet corresponding to the new version of the system after the upgrade. A difference package is the data packet corresponding to the difference between the new version after the upgrade and the old version before it. Upgrading with a difference package upgrades only the differing part, which reduces the traffic required during the upgrade and makes the upgrade faster.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm. In specific implementations, the first encryption algorithm can be a national secret algorithm or the Advanced Encryption Standard (AES) algorithm. It is understood that other encryption algorithms can also be used, provided that the algorithm is supported by the upgrade service in the smart machine's firmware and is also supported by the server; this is not repeated here.
In an embodiment of the present invention, the smart machine can decrypt the encrypted upgrade data packet as follows: using the first key and the decryption algorithm corresponding to the first encryption algorithm, it decrypts the received encrypted data packet by packet, obtaining 16 bytes of data from each packet of encrypted data and storing the decrypted data in a preset location. When the last packet of data is decrypted, it removes the padding according to the number of padding bytes indicated by the last byte, and stores the result in the preset location.
For example, the last packet of data decrypts to 11223344556677889900000000000007, where the final 7 indicates that 7 bytes were padded. Removing the padding gives the original data 112233445566778899, which is stored in the preset location.
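The packet padding rule described above (16-byte packets, zero fill, last byte holding the padding count), on both the sending and receiving side, as an added example in Go that is not part of the patent text. The function names and `totalLen`, a package length the receiver is assumed to know from outside the packet stream, are assumptions of the example; the text does not say how the receiver tells a padded final packet from a full one.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const blockSize = 16

// Pad splits data into 16-byte packets. A short final packet is zero-filled up
// to its second-to-last byte; its last byte holds the number of bytes added.
func Pad(data []byte) [][]byte {
	var blocks [][]byte
	for ; len(data) >= blockSize; data = data[blockSize:] {
		blocks = append(blocks, data[:blockSize])
	}
	if len(data) > 0 {
		last := make([]byte, blockSize) // already zero-filled
		copy(last, data)
		last[blockSize-1] = byte(blockSize - len(data))
		blocks = append(blocks, last)
	}
	return blocks
}

// StripByLastByte applies the receive-side rule as the text states it: trust the
// last byte of the final packet as the padding count. It cannot tell a padded
// packet from a full 16 bytes of data that happen to end the same way.
func StripByLastByte(last []byte) ([]byte, error) {
	if len(last) != blockSize {
		return nil, errors.New("final packet must be 16 bytes")
	}
	n := int(last[blockSize-1])
	if n < 1 || n >= blockSize {
		return nil, errors.New("invalid padding count")
	}
	for _, b := range last[blockSize-n : blockSize-1] {
		if b != 0 {
			return nil, errors.New("padding bytes are not zero")
		}
	}
	return last[:blockSize-n], nil
}

// Unpad reassembles the package. totalLen is an assumption of this example: the
// true package length, known to the receiver from outside the packet stream.
func Unpad(blocks [][]byte, totalLen int) ([]byte, error) {
	want := (totalLen + blockSize - 1) / blockSize
	if totalLen <= 0 || len(blocks) != want {
		return nil, errors.New("packet count does not match declared length")
	}
	for _, b := range blocks {
		if len(b) != blockSize {
			return nil, errors.New("every packet must be 16 bytes")
		}
	}
	out := bytes.Join(blocks[:want-1], nil)
	if totalLen%blockSize == 0 {
		return append(out, blocks[want-1]...), nil // full final packet, nothing to strip
	}
	tail, err := StripByLastByte(blocks[want-1])
	if err != nil || len(tail) != totalLen%blockSize {
		return nil, errors.New("padding does not match declared length")
	}
	return append(out, tail...), nil
}

func main() {
	data := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99} // the text's example
	blocks := Pad(data)
	fmt.Printf("%x\n", blocks[0])
	out, err := Unpad(blocks, len(data))
	fmt.Printf("%x %v\n", out, err)
}
```

A full 16-byte final packet whose data ends in `00 02` passes `StripByLastByte` and silently loses two bytes, which is why `Unpad` checks the padding against the declared length.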
In specific implementations, to improve communication security while the upgrade data packet is in transit, the server can sign the upgrade data packet with the preset server private key and write the signature value into the upgrade data packet. After the smart machine receives the upgrade data packet, it can use the server public key to decrypt the received upgrade data packet and confirm that the upgrade data packet was sent by the server, thereby verifying the legitimacy of the upgrade data packet. If the upgrade data packet was not sent by the server, the smart machine discards it and sends an upgrade data packet retransmission request to the server.
In specific implementations, the smart machine authentication information can also include a second random number. The second random number is generated by the smart machine.
In an embodiment of the present invention, the smart machine can generate the first key, which is also called the process key, as follows:
After the smart machine and the server have established the secure communication connection, the smart machine generates random cipher data from the first random number and the second random number, encrypts the random cipher data with the server public key, and sends the encrypted random cipher data to the server. Using a message digest algorithm, it computes the first key from the random cipher data, the first random number and the second random number. When a symmetric encryption algorithm is used, the server must also use the same key as the first key in the smart machine, that is, the first key.
In an embodiment of the present invention, the server can generate the first key as follows: on receiving the encrypted random cipher data sent by the smart machine, it decrypts the received data with the server private key to obtain the random cipher data, and applies the message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key, wherein the server private key corresponds to the server public key. The message digest algorithm used by the server is the same as the one used by the smart machine; for example, the message digest algorithm can be SHA1, SHA5, etc.
The encryption process of a message digest algorithm needs no key, and the encrypted data cannot be decrypted; only identical plaintext passed through the same message digest algorithm yields the same ciphertext, so communication security is higher.
In specific implementations, there can be multiple ways for the smart machine to generate the random cipher data from the first random number and the second random number.
In an embodiment of the present invention, the second random number is shifted left by N bits and XORed with the first random number shifted right by N bits, and the XOR result is used as the random cipher data. Here, the first random number is much larger than M and the second random number is much smaller than M, where M is an integer and N is a positive integer.
For example, the first random number generated by the smart machine is much smaller than 1 (<< 1) and the second random number generated by the server is much larger than 1 (>> 1); the first random number is shifted left by 1 bit and then XORed with the second random number shifted right by 1 bit, and the XOR result is used as the random cipher data.
In another embodiment of the present invention, the first random number and the second random number are used as key factors, and the random cipher data is generated by a message digest algorithm operation.
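Steps 11 to 13 and the first key derivation described above, played by both sides in one Go program; algorithm selection is left out. This is an added example, not code from the patent: RSA PKCS#1 v1.5 signatures, RSA-OAEP and SHA-256 stand in for the signature, public-key encryption and message digest algorithms the text leaves open. All type and function names, the registered device entry, and the fresh secret mixed into the random cipher data are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceHello is the smart machine authentication information (step 11).
type DeviceHello struct {
	Attr string // attribute information: product and firmware version
	R2   []byte // second random number, generated by the smart machine
}

// ServerAuth is the server authentication information (steps 12 and 23).
type ServerAuth struct {
	R1, Sig []byte // first random number and random number signature value
}

type Server struct {
	key        *rsa.PrivateKey
	registered map[string]bool // devices registered in advance (constructed)
}

func fresh() []byte { // 32 bytes from the OS random source
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func digest(parts ...[]byte) []byte { // SHA-256 over fixed-length parts
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func NewServer() (*Server, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{key, map[string]bool{"constructed-product/1.0.3": true}}, err
}

// Authenticate confirms the device is registered, then signs a fresh R1.
func (s *Server) Authenticate(h DeviceHello) (*ServerAuth, error) {
	if !s.registered[h.Attr] {
		return nil, errors.New("device not registered")
	}
	r1 := fresh()
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest(r1))
	if err != nil {
		return nil, err
	}
	return &ServerAuth{r1, sig}, nil
}

// VerifyServer is the device-side check of step 13, using the factory-installed public key.
func VerifyServer(pub *rsa.PublicKey, a *ServerAuth) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(a.R1), a.Sig)
}

// DeviceKey builds and encrypts the random cipher data and derives the first key. The fresh
// secret mixed in is this example's assumption, so the value is not a function of R1, R2 alone.
func DeviceKey(pub *rsa.PublicKey, r1, r2 []byte) (enc, key []byte, err error) {
	rcd := digest(r1, r2, fresh())
	if enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rcd, nil); err != nil {
		return nil, nil, err
	}
	return enc, digest(rcd, r1, r2), nil
}

// ServerKey decrypts the random cipher data and derives the same first key.
func (s *Server) ServerKey(enc, r1, r2 []byte) ([]byte, error) {
	rcd, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, enc, nil)
	if err != nil {
		return nil, err
	}
	return digest(rcd, r1, r2), nil
}

func main() {
	s, err := NewServer()
	if err != nil {
		panic(err)
	}
	hello := DeviceHello{"constructed-product/1.0.3", fresh()}
	auth, err := s.Authenticate(hello)
	if err != nil || VerifyServer(&s.key.PublicKey, auth) != nil {
		panic("mutual authentication failed")
	}
	enc, devKey, err1 := DeviceKey(&s.key.PublicKey, auth.R1, hello.R2)
	srvKey, err2 := s.ServerKey(enc, auth.R1, hello.R2)
	fmt.Println("keys match:", err1 == nil && err2 == nil && string(devKey) == string(srvKey))
}
```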
In specific implementations, after the received encrypted upgrade data packet has been decrypted to obtain the corresponding upgrade data packet, the decrypted upgrade data packet can be verified to confirm that it is correct.
In an embodiment of the present invention, the smart machine can verify the received upgrade data packet and confirm that it is correct as follows:
The smart machine performs a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and sends the computed MAC check code to the server. The server compares the received MAC check code with the MAC check code it has stored, and sends the MAC check code comparison result to the smart machine. The smart machine receives the MAC check code comparison result sent by the server and, when the result shows that the two are consistent, confirms that the signature check is correct.
In specific implementations, the message digest algorithm the smart machine uses to obtain the MAC check code is the same as the message digest algorithm the server uses to obtain its MAC check code. For example, Message Digest Algorithm 5 (MD5) is used.
Using a MAC check code makes it possible to verify the legitimacy and integrity of the received upgrade data packet, improving the correctness of the received upgrade data packet and communication security.
Referring to Fig. 2, a flow chart of another data security protection method in an embodiment of the present invention is given. In specific implementations, the data security protection method can be used by a server to perform a firmware over-the-air upgrade of a smart machine; the specific steps are described in detail below.
Step 21: receive the smart machine authentication information and the server authentication information request that the smart machine sends at a preset period.
In specific implementations, the smart machine authentication information received by the server may include smart machine attribute information.
In specific implementations, the smart machine authentication information can be used to identify the smart machine. In an embodiment of the present invention, the attribute information of the smart machine may include the firmware product information of the smart machine, or the firmware version number of the smart machine, or both the firmware product information and the firmware version number.
It is understood that, in practical applications, the attribute information of the smart machine may also include other information capable of identifying the smart machine, which is not repeated here.
In an embodiment of the present invention, the server is a FOTA server, which can remotely upgrade the firmware of the smart machine. It is understood that the kind or type of server can differ according to the service the smart machine requires.
Step 22: confirm that the smart machine is legitimate according to the obtained attribute information of the smart machine and the stored information.
In specific implementations, after the server receives the smart machine authentication information sent by the smart machine, it can obtain the attribute information of the smart machine from the smart machine authentication information and, according to the obtained attribute information and the information it stores itself, confirm whether the smart machine is a legitimate device. Specifically, when the obtained attribute information of the smart machine is consistent with the information the server stores itself, the smart machine is confirmed as legitimate. Correspondingly, when the obtained attribute information of the smart machine is inconsistent with the information the server stores itself, the smart machine is confirmed as illegitimate.
In an embodiment of the present invention, the server can obtain the attribute information of the smart machine from the received smart machine authentication information. For example, the server obtains the firmware product information and firmware version number of the smart machine from the smart machine attribute information, and looks them up in a database. When the firmware product information and firmware version number of the smart machine are found in the database, the smart machine is confirmed as legitimate. When they are not found, the smart machine is confirmed as not legitimate, and the provisional communication connection with the smart machine is interrupted. Here, a smart machine registered on the server can be treated as a legitimate device.
Step 23: generate server authentication information and send it to the smart machine.
In specific implementations, after the server authentication information request has been received and the smart machine has been confirmed as legitimate, server authentication information can be generated. The generated server authentication information is sent to the smart machine. The smart machine can verify the received server authentication information and, when verification succeeds, establish a secure communication connection with the server.
With the above scheme, when the server needs a smart machine to perform a firmware over-the-air upgrade and confirms from the received smart machine authentication information that the smart machine is a legitimate device, it sends server authentication information to the smart machine, so that the smart machine can verify the legitimacy of the server and establish a secure communication connection with the server after verification succeeds. Because the two sides establish the secure communication connection only when both the smart machine and the server have passed verification, communication security during the smart machine's system upgrade is improved and hacker attacks on the smart machine or the server are effectively avoided.
In an embodiment of the present invention, the smart machine authentication information may include: supported algorithm set.
In specific implementation, the server authentication information may include: the first random number, random number signature value and Selected Encryption Algorithm, wherein the selected Encryption Algorithm belongs to the algorithm set that the smart machine is supported.
In an embodiment of the present invention, the server can generate the server authentication letter in the following way Breath: receiving the server authentication information request, and after confirming that the smart machine is legal, generate described first with Machine number.First random number is encrypted using preset privacy key, obtains the random number signature value.From described The Encryption Algorithm that the smart machine is supported, selected encryption algorithm are obtained in smart machine authentication information.According to the random number, The random number signature value and selected Encryption Algorithm generate server authentication information.
In an embodiment of the present invention, the smart machine can in the following way believe the server authentication Breath is verified: the first random number and random number signature value are obtained from the server authentication information.Using preset The random number signature value is decrypted in server public key, and confirm the first random number that decryption obtains with from the server The first random number got in authentication information is consistent, is denoted as and is proved to be successful when the two is consistent.Wherein, the server The privacy key of public key and the server matches.Smart machine can be using the server public key to the institute received It states server to be decrypted using the information of privacy key signature, to verify the identity of the server.
It in specific implementation, can be to the smart machine after foundation is connect with the secure communication of the smart machine Send data or message.For example, FOTA server can send upgrading data packet to smart machine, the upgrading data packet can be with For difference packet or whole packet.
In order to improve the communication security between server and smart machine, in an embodiment of the present invention, use is preset The upgrading data packet that first Encryption Algorithm treats upgrade-system is encrypted, and obtains encryption upgrading data packet, wherein described first Encryption Algorithm is encrypted using first key, and belongs to the algorithm set that the smart machine is supported.Described it will add Close upgrading data packet is sent to the smart machine.When the smart machine receives the encryption upgrading data packet, using institute First key and decipherment algorithm corresponding with first Encryption Algorithm are stated, the encryption upgrading data packet received is carried out Decryption, obtains corresponding upgrading data packet.
In specific implementation, after the upgrade data packet is sent to the smart machine, the MAC check code sent by the smart machine is received. The received MAC check code is compared with the stored MAC check code, and the MAC check code comparison result is sent to the smart machine. The MAC check code is obtained by the smart machine performing a MAC operation on the received upgrade data packet using a message digest algorithm, and can be used to verify the received upgrade data packet. When the MAC check code comparison result received by the smart machine shows that the two are consistent, the upgrade data packet is confirmed to be correct, that is, the received upgrade data packet is a legitimate and complete data packet.
When the MAC check code comparison result received by the smart machine shows that the two are inconsistent, the upgrade data packet is discarded and an upgrade data packet retransmission request is sent to the server.
In specific implementation, the server can receive the upgrade data packet retransmission request sent by the smart machine, and can send the upgrade data packet to the smart machine again according to that request.
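The check-code exchange described above, simulated end to end as an added example (not code from the patent). It assumes the MAC operation is HMAC-SHA1 keyed with the first key; `Server`, `Device`, the two channel functions and the sample key and package are hypothetical and constructed.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the page.
KEY = bytes(range(20))
PACKAGE = b"constructed firmware image " * 8


def mac_check_code(key: bytes, package: bytes) -> bytes:
    """MAC check code over a whole upgrade package (assumed: HMAC-SHA1)."""
    return hmac.new(key, package, hashlib.sha1).digest()


class Server:
    def __init__(self, key: bytes, package: bytes):
        self.package = package
        self.stored_mac = mac_check_code(key, package)  # the stored check code
        self.sent = 0

    def send_package(self, channel) -> bytes:
        """Send (or resend) the package through a link function."""
        self.sent += 1
        return channel(self.package, self.sent)

    def compare(self, device_mac: bytes) -> bool:
        """Compare received and stored codes; the result is returned to the device."""
        return hmac.compare_digest(device_mac, self.stored_mac)


class Device:
    def __init__(self, key: bytes, max_attempts: int = 3):
        self.key = key
        self.max_attempts = max_attempts

    def receive_upgrade(self, server: Server, channel):
        """Return (package, attempts) once the server reports a consistent code."""
        for attempt in range(1, self.max_attempts + 1):
            received = server.send_package(channel)
            code = mac_check_code(self.key, received)
            if server.compare(code):
                return received, attempt
            # Inconsistent result: the package is discarded, and the next
            # loop iteration stands for the retransmission request.
        raise RuntimeError("upgrade package failed the MAC check on every attempt")


def flaky_channel(package: bytes, transmission: int) -> bytes:
    """Constructed link that corrupts one byte of the first transmission only."""
    if transmission == 1:
        return package[:-1] + bytes([package[-1] ^ 0xFF])
    return package


def broken_channel(package: bytes, transmission: int) -> bytes:
    """Constructed link that truncates every transmission."""
    return package[:-1]


def run_demo():
    server = Server(KEY, PACKAGE)
    device = Device(KEY)
    received, attempts = device.receive_upgrade(server, flaky_channel)
    return received, attempts, server.sent


if __name__ == "__main__":
    pkg, attempts, sent = run_demo()
    print(f"accepted {len(pkg)} bytes after {attempts} attempts ({sent} sends)")
```

Bounding the number of retransmissions keeps a persistently failing link from looping forever; the limit of three is an assumption of this example.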
In specific implementation, to further improve communication security, before the upgrade data packet of the system to be upgraded is encrypted with the preset first encryption algorithm, the upgrade data packet is signed with the server private key and the signature information is written into the upgrade data packet. After the smart machine receives the upgrade data packet, it can use the server public key to verify the signature information of the received upgrade data packet and confirm that the upgrade data packet was sent by the server, thereby verifying the legitimacy of the upgrade data packet. If it was not sent by the server, the data packet is discarded and an upgrade data packet retransmission request is sent to the server.
In specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm. In specific implementation, the first encryption algorithm can be a national cryptographic algorithm or the Advanced Encryption Standard (AES) algorithm. It is understood that other encryption algorithms can also be used, provided that the encryption algorithm used is supported by the upgrade service in the smart machine's firmware and is also supported by the server; details are not repeated here.
In specific implementation, the server can encrypt the upgrade data packet as follows: each time, 16 bytes of data are read from the upgrade data packet and encrypted as one packet, and the encrypted 16-byte data is sent to the smart machine. When the last packet is generated, if the remaining data is less than 16 bytes, 0 is filled in after the last data byte up to the penultimate byte, and the last byte is the number of bytes of padding.
For example, if the last packet of data is 112233445566778899, it is 9 bytes long. According to the preset padding rule, 0 is appended after the last character 9, and the final byte indicates the number of bytes occupied by all padding bytes, including itself. The data after padding is: 11223344556677889900000000000007. It is understood that other padding schemes can also be used; details are not repeated here.
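The packet split and padding rule above, as an added example that is not code from the patent. It covers only packetization and padding (the cipher step is left out), and the `last_padded` flag is an assumption, since the page does not say how the receiver learns whether the final packet was padded.

```python
BLOCK = 16  # packet size used on the page


def split_and_pad(data: bytes) -> list:
    """Cut data into 16-byte packets and pad a short final packet.

    The fill is zero bytes followed by one count byte; the count covers all
    padding bytes including itself, as in the page's worked example.
    """
    if not data:
        raise ValueError("no upgrade data to send")
    packets = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    missing = BLOCK - len(packets[-1])
    if missing:  # a full final packet is sent unpadded, per the page
        packets[-1] += b"\x00" * (missing - 1) + bytes([missing])
    return packets


def unpad_last(packet: bytes) -> bytes:
    """Strip the fill from a padded final packet, rejecting malformed fill."""
    if len(packet) != BLOCK:
        raise ValueError("final packet is not 16 bytes")
    count = packet[-1]
    if not 1 <= count <= BLOCK - 1:
        raise ValueError("padding count out of range")
    if any(packet[-count:-1]):
        raise ValueError("non-zero byte inside the fill")
    return packet[:-count]


def join_and_unpad(packets: list, last_padded: bool) -> bytes:
    """Reassemble decrypted packets.

    last_padded is an assumed out-of-band hint: a full, unpadded final packet
    can end in bytes that look like fill, so the receiver must not guess.
    """
    if not packets:
        raise ValueError("no packets received")
    tail = unpad_last(packets[-1]) if last_padded else packets[-1]
    return b"".join(packets[:-1]) + tail


if __name__ == "__main__":
    # The page's worked example: 9 data bytes become one 16-byte packet.
    padded = split_and_pad(bytes.fromhex("112233445566778899"))
    print(padded[0].hex())
```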
In specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In specific implementation, the server can generate the first key as follows: it receives the encrypted random cipher data sent by the smart machine. It decrypts the received encrypted random cipher data with the server private key to obtain the random cipher data. Using the message digest algorithm, it performs an operation on the random cipher data, the first random number and the second random number to obtain the first key. Here, the server private key corresponds to the server public key, and the message digest algorithm used by the server is the same as the one used by the smart machine; for example, the message digest algorithm can be SHA1, SHA5, etc.
In specific implementation, before the attribute information of the smart machine is obtained from the received smart machine authentication information, the server can verify the identity of the user logging in and confirm that the identity is legitimate.
In an embodiment of the present invention, the identity of the user logging in can be verified using two-factor authentication; the two factors may include: a private key signature, and a user name with the corresponding login password.
Specifically, the private key signature of the user logging in can be obtained through Public Key Infrastructure (PKI) using a U-shield (USB key), and confirmed to be consistent with the identity information stored in the server. The user name and login password entered by the user are obtained and compared respectively with the information stored in the Public Key Infrastructure and the information stored in the server, to confirm whether they are consistent. When they are confirmed to be consistent, the user's identity is deemed legitimate.
For example, when the server is a FOTA server, the PKI mechanism can be used with the private key signature of the U-shield (USBKEY), which is compared with the identity information stored in the database of the FOTA server. When the comparison result shows consistency, the user name and login password entered by the user are obtained and compared respectively with the identity information stored in the USBKEY and the identity information stored in the FOTA server, further confirming the user's identity and thereby further improving the security of the system in terms of access rights to the server.
To enable those skilled in the art to better understand and implement the present invention, an embodiment of the present invention also provides a smart machine.
Referring to Fig. 3, a schematic structural diagram of a smart machine in an embodiment of the present invention is given. The smart machine 30 is adapted to perform over-the-air firmware upgrades and may include: a first transmission unit 31, a first receiving unit 32, a first authentication unit 33 and a communication connection establishment unit 34, wherein:
The first transmission unit 31 is adapted to send smart machine authentication information and a server authentication information request to the server according to a preset period, the smart machine authentication information including: the attribute information of the smart machine;
The first receiving unit 32 is adapted to receive the server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information it stores itself, that the smart machine is legitimate;
The first authentication unit 33 is adapted to verify the received server authentication information;
The communication connection establishment unit 34 is adapted to establish a secure communication connection with the server when verification of the server authentication information succeeds.
As can be seen from the above, when the smart machine needs to download a firmware upgrade, it can periodically send smart machine authentication information and a server authentication information request to the server, so that the server confirms the legitimacy of the smart machine according to the smart machine authentication information. The smart machine verifies the server according to the received server authentication information and, when verification succeeds, establishes the secure communication connection with the server. Because the smart machine allows the server to access it, that is, establishes the secure communication connection with the server, only when the two have authenticated each other and verification has passed, communication security during the smart machine's system upgrade can be improved and attacks by hackers on the smart machine can be effectively avoided.
In specific implementation, the smart machine authentication information can also include: the supported algorithm set.
In specific implementation, the server authentication information may include: the first random number, the random number signature value and the selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In specific implementation, the first authentication unit 33 is adapted to obtain the first random number and the random number signature value from the server authentication information; decrypt the random number signature value with the server public key it stores; and confirm whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, recording the verification as successful when the two are consistent, wherein the server public key matches the server private key preset on the server.
Referring to Fig. 4, a schematic structural diagram of another smart machine in an embodiment of the present invention is given. In specific implementation, on the basis of Fig. 3, the smart machine 30 can also include a second receiving unit 41 and a first decryption unit 42, wherein:
The second receiving unit 41 is adapted to receive, after the secure communication connection with the server is established, the encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
The first decryption unit 42 is adapted to decrypt the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm, obtaining the corresponding upgrade data packet.
In specific implementation, the smart machine 30 can also include a second authentication unit 43. The second authentication unit 43 is adapted to verify the received upgrade data packet, after the received encrypted upgrade data packet has been decrypted and the corresponding upgrade data packet obtained, and to confirm that the verification passes.
In specific implementation, the second authentication unit 43 is adapted to perform a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and send the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine; and to receive the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirm that the upgrade data packet is correct.
In specific implementation, the smart machine 30 can also include a retransmission request transmission unit 44. The retransmission request transmission unit 44 is adapted to send an upgrade data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
In specific implementation, the smart machine 30 can also include a third authentication unit (not shown). The third authentication unit is adapted to verify the signature information of the upgrade data packet with the server public key before the second authentication unit verifies the upgrade data packet obtained by decryption.
In specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm can be a symmetric encryption algorithm.
In specific implementation, the first decryption unit 42 is adapted to decrypt the received encrypted data using the first key and the decryption algorithm corresponding to the first encryption algorithm, obtaining 16 bytes of data after each packet of encrypted data is decrypted and storing the decrypted data in a preset location; and, when decrypting the last packet of data, to remove the padding data according to the number of padding bytes indicated by the last byte, obtain the decrypted data of the last packet and store it in the preset location.
In specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In specific implementation, the first decryption unit 42 is adapted to, after the secure communication connection with the server is established, generate random cipher data according to the first random number and the second random number; and, using a message digest algorithm, perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
In specific implementation, the first decryption unit 42 is adapted to shift the second random number left by N bits and XOR it with the first random number shifted right by N bits, wherein the first random number is much larger than M, the second random number is much smaller than M, M is an integer and N is a positive integer; and to use the XOR result as the random cipher data.
In specific implementation, the first decryption unit 42 is adapted to use the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
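One way both sides could arrive at the same first key, as an added example rather than the patent's own code. The fixed-width big-endian encoding, the concatenation order, N = 8, the use of SHA-1 for both digests and the sample values are assumptions; the public-key encryption of the random cipher data in transit is left out.

```python
import hashlib

WIDTH = 32  # assumed fixed encoding width in bytes for every integer field
N = 8       # assumed shift amount (the page only says N is a positive integer)

# Constructed sample values: a large first random number (server side)
# and a small second random number (smart machine side).
R1 = 0x9F3C51A07B2E44D18C6A0F93E5D2B718
R2 = 0x5A17C3E2


def enc(value: int) -> bytes:
    """Fixed-width big-endian encoding, so concatenated fields cannot run
    into each other (raises OverflowError if the value does not fit)."""
    return value.to_bytes(WIDTH, "big")


def random_cipher_shift_xor(r1: int, r2: int, n: int = N) -> bytes:
    """First option: (second random number << N) XOR (first random number >> N)."""
    if n <= 0:
        raise ValueError("N must be a positive integer")
    return enc((r2 << n) ^ (r1 >> n))


def random_cipher_digest(r1: int, r2: int) -> bytes:
    """Second option: digest over both random numbers used as key factors."""
    return hashlib.sha1(enc(r1) + enc(r2)).digest()


def derive_first_key(random_cipher: bytes, r1: int, r2: int) -> bytes:
    """Digest over the random cipher data and both random numbers."""
    return hashlib.sha1(random_cipher + enc(r1) + enc(r2)).digest()


def device_side(r1: int, r2: int, method=random_cipher_shift_xor):
    """Smart machine: build the random cipher data, then derive the first key.
    The first return value is what would be sent, encrypted, to the server."""
    random_cipher = method(r1, r2)
    return random_cipher, derive_first_key(random_cipher, r1, r2)


def server_side(received_random_cipher: bytes, r1: int, r2: int) -> bytes:
    """Server: derive the first key from the recovered random cipher data."""
    return derive_first_key(received_random_cipher, r1, r2)


if __name__ == "__main__":
    for method in (random_cipher_shift_xor, random_cipher_digest):
        sent, device_key = device_side(R1, R2, method)
        assert server_side(sent, R1, R2) == device_key
        print(method.__name__, device_key.hex())
```

Both sides must agree on the byte encoding as well as the digest: with variable-length encodings, different pairs of random numbers could concatenate to the same input.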
In specific implementation, for the working principle and workflow of the smart machine, reference can be made to the description, in the above embodiments of the present invention, of the data security protection method used when an over-the-air firmware upgrade is needed; details are not repeated here.
The embodiment of the present invention also provides a kind of server.A kind of server in the embodiment of the present invention provided referring to Fig. 5 Structural schematic diagram, the server 50 are suitable for carrying out smart machine aerial downloading firmware upgrade, may include: that third reception is single Member 51, confirmation unit 52, authentication information generation unit 53 and the second transmission unit 54, in which:
The third receiving unit 51 is recognized suitable for receiving the smart machine according to the smart machine that the preset period sends It demonstrate,proves information and server authentication information request, the smart machine authentication information includes: the attribute of the smart machine Information;
The confirmation unit 52, suitable for from according to the attribute information of the accessed smart machine and itself being stored Information, confirm that the smart machine is legal;
The authentication information generation unit 53, suitable for after receiving the server authentication information request, And after the confirmation smart machine is legal, server authentication information is generated;
Second transmission unit 54 makes suitable for the server authentication information is sent to the smart machine The smart machine verifies the server authentication information received, it is and described and when being proved to be successful Server establishes secure communication connection.
In specific implementation, the smart machine authentication information can also include: the supported algorithm set.
In specific implementation, the server authentication information may include: the first random number, the random number signature value and the selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In specific implementation, the authentication information generation unit 53 is adapted to generate the first random number after the server authentication information request has been received and the smart machine has been confirmed to be legitimate; encrypt the first random number with a preset server private key to obtain the random number signature value; obtain the encryption algorithms supported by the smart machine from the smart machine authentication information and select one; and generate the authentication information from the random number, the random number signature value and the selected encryption algorithm.
Referring to Fig. 6, a schematic structural diagram of another server in an embodiment of the present invention is given. On the basis of Fig. 5, the server 50 can also include a second encryption unit 61 and a third transmission unit 62, wherein:
The second encryption unit 61 is adapted to encrypt, after the secure communication connection with the smart machine is established, the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
The third transmission unit 62 is adapted to send the encrypted upgrade data packet to the smart machine, so that when the smart machine receives the encrypted upgrade data packet, it decrypts it with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
In specific implementation, the server 50 can also include: a fourth receiving unit 63, a comparing unit 64 and a fourth transmission unit 65, wherein:
The fourth receiving unit 63 is adapted to receive, after the upgrade data packet is sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet using a message digest algorithm;
The comparing unit 64 is adapted to compare the received MAC check code with the stored MAC check code to confirm whether the two are consistent;
The fourth transmission unit 65 is adapted to send the MAC check code comparison result to the smart machine, so that when the comparison result received by the smart machine shows that the two are consistent, the smart machine confirms that the upgrade data packet is correct.
In specific implementation, the server 50 can also include a fifth receiving unit (not shown), adapted to receive the upgrade data packet retransmission request sent by the smart machine, the retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
In specific implementation, the server 50 can also include a third encryption unit (not shown). The third encryption unit is adapted to sign the upgrade data packet with the server private key and write the signature information into the upgrade data packet, before the second encryption unit encrypts the upgrade data packet of the system to be upgraded with the preset first encryption algorithm.
In specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm.
In specific implementation, the second encryption unit 61 is adapted to read 16 bytes of data from the upgrade data packet each time, encrypt them as one packet, and send the encrypted 16-byte data to the smart machine; and, when generating the last packet, if the remaining data is less than 16 bytes, to fill in 0 after the last data byte up to the penultimate byte, the last byte being the number of bytes of padding.
In specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In specific implementation, the second encryption unit 61 may include: a receiving subunit (not shown), a decryption subunit (not shown) and a generation subunit (not shown), wherein:
The receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted with the server public key;
The decryption subunit is adapted to decrypt the received encrypted random cipher data with the server private key to obtain the random cipher data;
The generation subunit is adapted to use the message digest algorithm to perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
In specific implementation, the server 50 can also include a login identity authentication unit (not shown), adapted to verify the identity of the user logging in, and confirm that the identity is legitimate, before the attribute information of the smart machine is obtained from the received smart machine authentication information.
In specific implementation, the login identity authentication unit is adapted to verify the identity of the user logging in using two-factor authentication; the two factors may include: a private key signature, and a user name with the corresponding login password.
In specific implementation, for the working principle and workflow of the server, reference can be made to the description, in the above embodiments of the present invention, of the corresponding data security protection method used when an over-the-air firmware upgrade of a smart machine is needed; details are not repeated here.
An embodiment of the present invention also provides a smart machine, including a memory and a processor, the memory storing computer instructions that can run on the processor; when running the computer instructions, the processor executes the steps of the corresponding data security protection method, provided by any of the above embodiments, for when an over-the-air firmware upgrade is needed.
An embodiment of the present invention also provides a server, including a memory and a processor, the memory storing computer instructions that can run on the processor; when running the computer instructions, the processor executes the steps of the corresponding data security protection method, provided by any of the above embodiments, for performing an over-the-air firmware upgrade of a smart machine.
An embodiment of the present invention also provides a computer-readable storage medium adapted to run on a smart machine, the smart machine being adapted to communicate with a server; computer instructions are stored on the computer-readable storage medium, and when the computer instructions run, the steps of the corresponding data security protection method, provided by any of the above embodiments, for when an over-the-air firmware upgrade is needed are executed.
An embodiment of the present invention also provides a computer-readable storage medium adapted to run on a server, the server being adapted to communicate with a smart machine; computer instructions are stored on the computer-readable storage medium, and when the computer instructions run, the steps of the corresponding data security protection method, provided by any of the above embodiments, for performing an over-the-air firmware upgrade of a smart machine are executed.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may include: ROM, RAM, magnetic disk, optical disc, etc.
Although the present invention is disclosed as above, the present invention is not limited thereto. Anyone skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention; therefore, the protection scope of the present invention shall be subject to the scope defined by the claims.

Claims (66)

1. A data security protection method, characterized by comprising:
When an over-the-air firmware upgrade is needed, sending smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information including:
The attribute information of the smart machine;
Receiving the server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information it stores itself, that the smart machine is legitimate;
Verifying the received server authentication information and, when verification succeeds, establishing a secure communication connection with the server.
2. The data security protection method according to claim 1, characterized in that the smart machine authentication information further includes: the supported algorithm set.
3. The data security protection method according to claim 2, characterized in that the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
4. The data security protection method according to claim 3, characterized in that verifying the received server authentication information comprises:
Obtaining the first random number and the random number signature value from the server authentication information;
Decrypting the random number signature value with the server public key stored by the smart machine itself, and confirming whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, the verification being recorded as successful when the two are consistent, wherein the server public key matches the server private key preset on the server.
5. The data security protection method according to claim 4, characterized by further comprising:
After the secure communication connection with the server is established, receiving the encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
Decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
6. The data security protection method according to claim 5, characterized by further comprising:
After the received encrypted upgrade data packet has been decrypted and the corresponding upgrade data packet obtained, verifying the upgrade data packet obtained by decryption and confirming that the upgrade data packet is correct.
7. The data security protection method according to claim 6, characterized in that verifying the upgrade data packet obtained by decryption and confirming that the upgrade data packet is correct comprises:
Performing a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and sending the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine;
Receiving the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirming that the upgrade data packet is correct.
8. The data security protection method according to claim 7, characterized by further comprising:
When the MAC check code comparison result shows that the two are inconsistent, sending an upgrade data packet retransmission request to the server.
9. The data security protection method according to claim 6, characterized by further comprising:
Before the upgrade data packet obtained by decryption is verified, verifying the signature information of the upgrade data packet with the server public key.
10. The data security protection method according to claim 5, characterized in that the upgrade data packet is: a differential package or a full package.
11. The data security protection method according to claim 5, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
12. The data security protection method according to claim 11, characterized in that decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm comprises:
Decrypting the received encrypted data using the first key and the decryption algorithm corresponding to the first encryption algorithm, obtaining 16 bytes of data after each packet of encrypted data is decrypted, and storing the decrypted data in a preset location;
When decrypting the last packet of data, removing the padding data according to the number of padding bytes indicated by the last byte, obtaining the decrypted data of the last packet and storing it in the preset location.
13. The data security protection method according to claim 12, characterized in that the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
14. The data security protection method according to claim 13, characterized in that the first key is generated as follows:
After the secure communication connection with the server is established, generating random cipher data according to the first random number and the second random number;
Using a message digest algorithm, performing an operation on the random cipher data, the first random number and the second random number to obtain the first key.
15. The data security protection method according to claim 14, characterized in that the smart machine generating random cipher data according to the first random number and the second random number comprises:
Shifting the second random number left by N bits and XORing it with the first random number shifted right by N bits, wherein the first random number is much larger than M, the second random number is much smaller than M, M is an integer and N is a positive integer;
Using the XOR result as the random cipher data.
16. The data security protection method according to claim 14, characterized in that the smart machine generating random cipher data according to the first random number and the second random number comprises:
Using the first random number and the second random number as key factors, generating the random cipher data by a message digest algorithm operation.
17. A data security protection method, characterized by comprising:
When an over-the-air firmware upgrade needs to be performed on a smart machine, receiving the smart machine authentication information and the server authentication information request that the smart machine sends according to a preset period, the smart machine authentication information including: attribute information of the smart machine;
Confirming that the smart machine is legitimate according to the obtained attribute information of the smart machine and the information stored by the server itself;
After receiving the server authentication information request, and when the smart machine is confirmed to be legitimate, generating server authentication information and sending it to the smart machine, so that the smart machine verifies the received server authentication information and, when the verification succeeds, establishes a secure communication connection with the server.
18. The data security protection method according to claim 17, characterized in that the smart machine authentication information further includes: the supported algorithm set.
19. The data security protection method according to claim 18, characterized in that the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
20. The data security protection method according to claim 19, characterized in that generating the server authentication information comprises:
After receiving the server authentication information request and confirming that the smart machine is legitimate, generating the first random number;
Encrypting the first random number using a preset server private key to obtain the random number signature value;
Obtaining the encryption algorithms supported by the smart machine from the smart machine authentication information, and selecting an encryption algorithm;
Generating the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
21. The data security protection method according to claim 20, characterized by further comprising:
After the secure communication connection with the smart machine is established, encrypting the upgrading data packet of the system to be upgraded using a preset first encryption algorithm to obtain an encrypted upgrading data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
Sending the encrypted upgrading data packet to the smart machine, so that the smart machine, on receiving the encrypted upgrading data packet, decrypts the received encrypted upgrading data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrading data packet.
22. The data security protection method according to claim 21, characterized by further comprising:
After the upgrading data packet is sent to the smart machine, receiving the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrading data packet using a message digest algorithm;
Comparing the received MAC check code with the stored MAC check code, and sending the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrading data packet is correct when the received MAC check code comparison result shows that the two are consistent.
23. The data security protection method according to claim 22, characterized by further comprising:
Receiving the upgrading data packet retransmission request sent by the smart machine, the upgrading data packet retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
24. The data security protection method according to claim 21, characterized by further comprising:
Before encrypting the upgrading data packet of the system to be upgraded using the preset first encryption algorithm, signing the upgrading data packet using the server private key, and writing the signature information into the upgrading data packet.
25. The data security protection method according to claim 21, characterized in that the upgrading data packet is a differential package or a full package.
26. The data security protection method according to claim 21, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
27. The data security protection method according to claim 26, characterized in that encrypting the upgrading data packet of the system to be upgraded using the preset first encryption algorithm to obtain the encrypted upgrading data packet comprises:
Reading 16 bytes of data from the upgrading data packet each time and encrypting them as one packet of data, and sending the encrypted 16 bytes of data to the smart machine;
When generating the last data packet, if the remaining data is less than 16 bytes, filling with 0 from after the last data byte up to the penultimate character, the last character being the number of bytes of padded data.
28. The data security protection method according to claim 27, characterized in that the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
29. The data security protection method according to claim 28, characterized in that the first key is generated in the following way:
Receiving the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted using the server public key;
Decrypting the received encrypted random cipher data using the server private key to obtain the random cipher data;
Using the message digest algorithm, performing an operation on the random cipher data, the first random number and the second random number to obtain the first key.
30. The data security protection method according to claim 17, characterized by further comprising:
Before obtaining the attribute information of the smart machine from the received smart machine authentication information, verifying the identity of the user logging in, and confirming that the identity of the user logging in is legitimate.
31. The data security protection method according to claim 30, characterized in that verifying the identity of the user logging in comprises:
Verifying the identity of the user logging in using two-factor authentication, the two factors including: a private key signature, and a user name with the corresponding login password.
32. The data security protection method according to claim 31, characterized in that verifying the identity of the user logging in using two-factor authentication comprises:
Obtaining the private key signature of the user logging in through the Public Key Infrastructure by means of a U-shield, and confirming that it is consistent with the identity information stored in the server;
Obtaining the user name and login password entered by the user logging in, comparing them respectively with the information stored in the Public Key Infrastructure and the information stored in the server, and confirming that they are consistent.
33. The data security protection method according to claim 17, characterized in that the server is an over-the-air software upgrade server.
34. A smart machine, adapted to perform an over-the-air firmware upgrade, characterized by comprising:
A first transmission unit, adapted to send smart machine authentication information and a server authentication information request to the server according to a preset period, the smart machine authentication information including: attribute information of the smart machine;
A first receiving unit, adapted to receive the server authentication information sent by the server, the server authentication information being generated by the server after receiving the server authentication information request and upon confirming, according to the obtained attribute information of the smart machine and the information stored by the server itself, that the smart machine is legitimate;
A first authentication unit, adapted to verify the received server authentication information;
A communication connection establishment unit, adapted to establish a secure communication connection with the server when the server authentication information is verified successfully.
35. The smart machine according to claim 34, characterized in that the smart machine authentication information further includes: the supported algorithm set.
36. The smart machine according to claim 35, characterized in that the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
37. The smart machine according to claim 36, characterized in that the first authentication unit is adapted to obtain the first random number and the random number signature value from the server authentication information; decrypt the random number signature value using the server public key stored by the smart machine itself, and confirm whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, the verification being recorded as successful when the two are consistent, wherein the server public key matches the preset private key of the server.
38. The smart machine according to claim 37, characterized by further comprising: a second receiving unit and a first decryption unit, wherein:
The second receiving unit is adapted to receive, after the secure communication connection with the server is established, the encrypted upgrading data packet sent by the server, the encrypted upgrading data packet being obtained by the server encrypting the upgrading data packet of the system to be upgraded using a preset first encryption algorithm, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
The first decryption unit is adapted to decrypt the received encrypted upgrading data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrading data packet.
39. The smart machine according to claim 38, characterized by further comprising: a second authentication unit, adapted to verify the upgrading data packet obtained by decryption, after the received encrypted upgrading data packet has been decrypted to obtain the corresponding upgrading data packet, and to confirm that the upgrading data packet is correct.
40. The smart machine according to claim 39, characterized in that the second authentication unit is adapted to perform a MAC operation on the received upgrading data packet using a message digest algorithm to obtain a MAC check code, and send the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine; and to receive the MAC check code comparison result sent by the server, and confirm that the upgrading data packet is correct when the MAC check code comparison result shows that the two are consistent.
41. The smart machine according to claim 40, characterized by further comprising: a retransmission request transmission unit, adapted to send an upgrading data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
42. The smart machine according to claim 39, characterized by further comprising: a third authentication unit, adapted to perform signature information verification on the upgrading data packet using the server public key before the second authentication unit verifies the upgrading data packet obtained by decryption.
43. The smart machine according to claim 38, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
44. The smart machine according to claim 43, characterized in that the first decryption unit is adapted to decrypt the received encrypted data using the first key and the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and store the decrypted data in a preset position; and, when decrypting the last packet of data, to remove the padding data according to the number of padding bytes indicated by the last character, obtain the decrypted data of the last packet and store it in the preset position.
45. The smart machine according to claim 44, characterized in that the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
46. The smart machine according to claim 45, characterized in that the first decryption unit is adapted to generate, after the secure communication connection with the server is established, random cipher data according to the first random number and the second random number; and, using a message digest algorithm, to perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
47. The smart machine according to claim 46, characterized in that the first decryption unit is adapted to shift the second random number left by N bits and perform an XOR operation with the first random number shifted right by N bits, wherein the first random number is much larger than M, the second random number is much smaller than M, M is an integer, and N is a positive integer; and to take the XOR operation result as the random cipher data.
48. The smart machine according to claim 46, characterized in that the first decryption unit is adapted to use the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
49. A server, adapted to perform an over-the-air firmware upgrade on a smart machine, characterized by comprising:
A third receiving unit, adapted to receive the smart machine authentication information and the server authentication information request that the smart machine sends according to a preset period, the smart machine authentication information including: attribute information of the smart machine;
A confirmation unit, adapted to confirm that the smart machine is legitimate according to the obtained attribute information of the smart machine and the information stored by the server itself;
An authentication information generation unit, adapted to generate server authentication information after the server authentication information request is received and the smart machine is confirmed to be legitimate;
A second transmission unit, adapted to send the server authentication information to the smart machine, so that the smart machine verifies the received server authentication information and, when the verification succeeds, establishes a secure communication connection with the server.
50. The server according to claim 49, characterized in that the smart machine authentication information further includes: the supported algorithm set.
51. The server according to claim 50, characterized in that the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
52. The server according to claim 51, characterized in that the authentication information generation unit is adapted to generate the first random number after the server authentication information request is received and the smart machine is confirmed to be legitimate; encrypt the first random number using a preset server private key to obtain the random number signature value; obtain the encryption algorithms supported by the smart machine from the smart machine authentication information, and select an encryption algorithm; and generate the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
53. The server according to claim 52, characterized by further comprising: a second encryption unit and a third transmission unit, wherein:
The second encryption unit is adapted to encrypt, after the secure communication connection with the smart machine is established, the upgrading data packet of the system to be upgraded using a preset first encryption algorithm to obtain an encrypted upgrading data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
The third transmission unit is adapted to send the encrypted upgrading data packet to the smart machine, so that the smart machine, on receiving the encrypted upgrading data packet, decrypts the received encrypted upgrading data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrading data packet.
54. The server according to claim 53, characterized by further comprising: a fourth receiving unit, a comparing unit and a fourth transmission unit, wherein:
The fourth receiving unit is adapted to receive, after the upgrading data packet is sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrading data packet using a message digest algorithm;
The comparing unit is adapted to compare the received MAC check code with the stored MAC check code, to confirm whether the two are consistent;
The fourth transmission unit is adapted to send the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrading data packet is correct when the received MAC check code comparison result shows that the two are consistent.
55. The server according to claim 54, characterized by further comprising: a fifth receiving unit, adapted to receive the upgrading data packet retransmission request sent by the smart machine, the upgrading data packet retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
56. The server according to claim 53, characterized by further comprising: a third encryption unit, adapted to sign the upgrading data packet using the server private key and write the signature information into the upgrading data packet, before the second encryption unit encrypts the upgrading data packet of the system to be upgraded using the preset first encryption algorithm.
57. The server according to claim 53, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
58. The server according to claim 57, characterized in that the second encryption unit is adapted to read 16 bytes of data from the upgrading data packet each time and encrypt them as one packet of data, and send the encrypted 16 bytes of data to the smart machine; and, when generating the last data packet, if the remaining data is less than 16 bytes, to fill with 0 from after the last data byte up to the penultimate character, the last character being the number of bytes of padded data.
59. The server according to claim 58, characterized in that the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
60. The server according to claim 59, characterized in that the second encryption unit includes: a receiving subunit, a decryption subunit and a generation subunit, wherein:
The receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted using the server public key;
The decryption subunit is adapted to decrypt the received encrypted random cipher data using the server private key to obtain the random cipher data;
The generation subunit is adapted to perform, using the message digest algorithm, an operation on the random cipher data, the first random number and the second random number to obtain the first key.
61. The server according to claim 49, characterized by further comprising: a login user identity authentication unit, adapted to verify the identity of the user logging in, and confirm that the identity of the user logging in is legitimate, before the attribute information of the smart machine is obtained from the received smart machine authentication information.
62. The server according to claim 61, characterized in that the login user identity authentication unit is adapted to verify the identity of the user logging in using two-factor authentication, the two factors including: a private key signature, and a user name with the corresponding login password.
63. A smart machine, including a memory and a processor, the memory storing computer instructions that can run on the processor, characterized in that the processor, when running the computer instructions, performs the steps of the data security protection method according to any one of claims 1 to 16.
64. A server, including a memory and a processor, the memory storing computer instructions that can run on the processor, characterized in that the processor, when running the computer instructions, performs the steps of the data security protection method according to any one of claims 17 to 33.
65. A computer readable storage medium, adapted to run on a smart machine, the smart machine being adapted to communicate with a server, the computer readable storage medium storing computer instructions, characterized in that the computer instructions, when run, perform the steps of the data security protection method according to any one of claims 1 to 16.
66. A computer readable storage medium, adapted to run on a server, the server being adapted to communicate with a smart machine, the computer readable storage medium storing computer instructions, characterized in that the computer instructions, when run, perform the steps of the data security protection method according to any one of claims 17 to 33.
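The first-key derivation of claims 14 to 16 and 29 (restated for the apparatus in claims 46 to 48 and 60), as an added Python example that is not part of the patent text. SHA-256 as the message digest, the field encoding, N = 8, the 16-byte key length and all function names are assumptions; the public-key transport of the random cipher data in claim 29 is left out.

```python
import hashlib
import secrets

N_SHIFT = 8    # assumption: the claims only require N to be a positive integer
KEY_LEN = 16   # assumption: 16-byte key, matching the 16-byte packets of claim 27


def encode(value: int) -> bytes:
    """Length-prefixed big-endian encoding (an assumption), so that
    concatenated fields cannot run into one another."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return len(raw).to_bytes(2, "big") + raw


def random_cipher_xor(r1: int, r2: int, n: int = N_SHIFT) -> int:
    """Claim 15: (second random number << N) XOR (first random number >> N)."""
    if n < 1:
        raise ValueError("N must be a positive integer")
    return (r2 << n) ^ (r1 >> n)


def random_cipher_digest(r1: int, r2: int) -> int:
    """Claim 16: both random numbers used as key factors of a message digest."""
    return int.from_bytes(hashlib.sha256(encode(r1) + encode(r2)).digest(), "big")


def derive_first_key(random_cipher: int, r1: int, r2: int) -> bytes:
    """Claims 14 and 29: digest over random cipher data, R1 and R2."""
    material = encode(random_cipher) + encode(r1) + encode(r2)
    return hashlib.sha256(material).digest()[:KEY_LEN]


def device_side(r1: int, r2: int, construction=random_cipher_xor):
    """Smart machine: build the random cipher data and derive the first key.

    Returns (random_cipher, first_key). In the claims the random cipher data
    then travels to the server encrypted under the server public key.
    """
    random_cipher = construction(r1, r2)
    return random_cipher, derive_first_key(random_cipher, r1, r2)


def server_side(received_random_cipher: int, r1: int, r2: int) -> bytes:
    """Server: after decrypting the random cipher data, derive the same key."""
    return derive_first_key(received_random_cipher, r1, r2)


def run_exchange(construction=random_cipher_xor):
    """One constructed exchange; returns (device_key, server_key)."""
    # Constructed sample nonces: R1 wide (server), R2 narrow (smart machine).
    r1 = secrets.randbits(256) | (1 << 255)
    r2 = secrets.randbits(32) | 1
    random_cipher, device_key = device_side(r1, r2, construction)
    return device_key, server_side(random_cipher, r1, r2)


if __name__ == "__main__":
    for name, construction in (("claim 15", random_cipher_xor),
                               ("claim 16", random_cipher_digest)):
        device_key, server_key = run_exchange(construction)
        print(name, device_key.hex(), device_key == server_key)
```

Both constructions are pure functions of the two random numbers, so the same pair always yields the same first key; its secrecy therefore rests on how the first and second random numbers are exchanged.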
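The 16-byte packet framing of claims 12 and 27 (restated in claims 44 and 58), as an added Python example that is not part of the patent text. It handles plaintext packets only, because the claims do not name the symmetric cipher; it assumes the count byte includes itself and, as a further assumption, appends a full padding packet when the data ends on a 16-byte boundary, a case the claims do not cover. Function names are hypothetical.

```python
from typing import List

BLOCK = 16  # packet size fixed by claims 12 and 27


def split_and_pad(package: bytes, pad_full_final: bool = True) -> List[bytes]:
    """Server side (claim 27): cut the package into 16-byte packets, pad the last.

    pad_full_final=True is an assumption added here: when the package ends on
    a 16-byte boundary, a whole padding packet is appended so the receiver can
    always strip padding. pad_full_final=False follows the claim literally and
    pads only a short final packet.
    """
    if not package:
        raise ValueError("empty upgrade package")
    packets = [package[i:i + BLOCK] for i in range(0, len(package), BLOCK)]
    tail = packets[-1]
    if len(tail) < BLOCK:
        pad_len = BLOCK - len(tail)
        # Zeros up to the penultimate byte, then the count (assumed to include itself).
        packets[-1] = tail + bytes(pad_len - 1) + bytes([pad_len])
    elif pad_full_final:
        packets.append(bytes(BLOCK - 1) + bytes([BLOCK]))
    return packets


def strip_padding(last_packet: bytes) -> bytes:
    """Device side (claim 12): remove the padding indicated by the last byte.

    The range and zero-filler checks are additions; the claim only says to
    remove the indicated number of bytes.
    """
    if len(last_packet) != BLOCK:
        raise ValueError("last packet is not 16 bytes")
    pad_len = last_packet[-1]
    if not 1 <= pad_len <= BLOCK:
        raise ValueError("padding count out of range")
    if any(last_packet[BLOCK - pad_len:BLOCK - 1]):
        raise ValueError("non-zero filler bytes")
    return last_packet[:BLOCK - pad_len]


def reassemble(packets: List[bytes]) -> bytes:
    """Device side: keep each decrypted 16-byte packet, strip padding on the last."""
    if not packets:
        raise ValueError("no packets received")
    out = bytearray()
    for packet in packets[:-1]:
        if len(packet) != BLOCK:
            raise ValueError("packet is not 16 bytes")
        out += packet
    out += strip_padding(packets[-1])
    return bytes(out)


def round_trips(package: bytes, pad_full_final: bool = True) -> bool:
    """True when the receiver recovers exactly what the sender packetized."""
    try:
        return reassemble(split_and_pad(package, pad_full_final)) == package
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample data, not real firmware.
    for size in (1, 15, 16, 17, 48):
        print(size, round_trips(bytes(range(1, 256))[:size]))
    # A 16-byte tail that happens to end like padding: with the literal
    # reading the receiver drops three bytes of real data.
    aligned = b"F" * 13 + b"\x00\x00\x03"
    print("literal reading:", round_trips(aligned, pad_full_final=False))
    print("with padding packet:", round_trips(aligned))
```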
CN201710596068.4A 2017-07-20 2017-07-20 Data security protection method, smart machine, server and readable storage medium storing program for executing Pending CN109286599A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710596068.4A CN109286599A (en) 2017-07-20 2017-07-20 Data security protection method, smart machine, server and readable storage medium storing program for executing

Publications (1)

Publication Number Publication Date
CN109286599A true CN109286599A (en) 2019-01-29

Family

ID=65185003

Country Status (1)

Country Link
CN (1) CN109286599A (en)

CN112291201B (en) Service request transmission method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 18 / F, block B, Zhizhen building, No.7, Zhichun Road, Haidian District, Beijing

Applicant after: Beijing Ziguang zhanrui Communication Technology Co.,Ltd.

Address before: 100084, Room 516, building A, Tsinghua Science Park, Beijing, Haidian District

Applicant before: BEIJING SPREADTRUM HI-TECH COMMUNICATIONS TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20190129
