CN109286599A - Data security protection method, smart machine, server and readable storage medium - Google Patents
- Publication number: CN109286599A (application CN201710596068.4A)
- Authority
- CN
- China
- Prior art keywords
- smart machine
- server
- random number
- data packet
- authentication information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
A data security protection method, smart machine, server and readable storage medium. The method includes: when an over-the-air firmware upgrade is required, sending smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information including attribute information of the smart machine; receiving server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information it stores itself, that the smart machine is legitimate; and verifying the received server authentication information and, when verification succeeds, establishing a secure communication connection with the server. With this scheme, communication security while the smart machine upgrades its system can be improved.
Description
Technical field
Embodiments of the present invention relate to the field of information security technology, and in particular to a data security protection method, smart machine, server and readable storage medium.
Background technique
With the rapid development of the mobile Internet and the Internet of Things, more and more smart machines are connected to the network. Flaws may arise as smart machines are introduced and developed. To give users a better experience, a smart machine may be upgraded one or more times during its life cycle.
At present, smart machines are usually upgraded by mobile-terminal over-the-air software upgrade (Firmware Over-The-Air, FOTA). Using FOTA to upgrade the system in a smart machine remotely makes things more convenient for users and operators, and also saves the operator labor and material costs.
However, while the system in a smart machine is being upgraded remotely with FOTA, the smart machine is vulnerable to hacker attacks, and security is low.
Summary of the invention
The technical problem solved by embodiments of the present invention is how to improve communication security while a smart machine upgrades its system.
To solve the above technical problem, an embodiment of the present invention provides a data security protection method, comprising: when an over-the-air firmware upgrade is required, sending smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information including attribute information of the smart machine; receiving server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information it stores itself, that the smart machine is legitimate; and verifying the received server authentication information and, when verification succeeds, establishing a secure communication connection with the server.
Optionally, the smart machine authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart machine.
Optionally, verifying the received server authentication information comprises: obtaining the first random number and the random number signature value from the server authentication information; decrypting the random number signature value with the server public key that the smart machine stores, and checking whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, verification being recorded as successful when the two are consistent, wherein the server public key matches the server's preset private key.
Optionally, the method further comprises: after the secure communication connection with the server is established, receiving an encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, wherein the first encryption algorithm encrypts with a first key and belongs to the set of algorithms supported by the smart machine; and decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
Optionally, the method further comprises: after the received encrypted upgrade data packet is decrypted and the corresponding upgrade data packet is obtained, verifying the decrypted upgrade data packet and confirming that the upgrade data packet is correct.
Optionally, verifying the decrypted upgrade data packet and confirming that the upgrade data packet is correct comprises: performing a MAC operation on the received upgrade data packet with a message digest algorithm to obtain a MAC check code, and sending the calculated MAC check code to the server, so that the server compares the received MAC check code with the MAC check code it has stored and sends the MAC check code comparison result to the smart machine; and receiving the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirming that the upgrade data packet is correct.
Optionally, the method further comprises: when the MAC check code comparison result shows that the two are inconsistent, sending an upgrade data packet retransmission request to the server.
Optionally, the method further comprises: before the decrypted upgrade data packet is verified, verifying the signature information of the upgrade data packet with the server public key.
Optionally, the upgrade data packet is a differential package or a full package.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm comprises: decrypting the received encrypted data with the first key and the decryption algorithm corresponding to the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and storing the decrypted data at a preset location; and, when the last packet of data is decrypted, removing the padding data according to the number of padding bytes indicated by the last byte, to obtain the decrypted data of the last packet and store it at the preset location.
Optionally, the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
Optionally, the first key is generated in the following way:
Optionally, after the secure communication connection with the server is established, random cipher data is generated according to the first random number and the second random number; and a message digest algorithm is applied to the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the smart machine generating the random cipher data according to the first random number and the second random number comprises: shifting the second random number left by N bits and XORing it with the first random number shifted right by N bits, wherein the first random number is much larger than M and the second random number is much smaller than M, M being an integer and N a positive integer; and taking the XOR result as the random cipher data.
Optionally, the smart machine generating the random cipher data according to the first random number and the second random number comprises: taking the first random number and the second random number as key factors and generating the random cipher data by a message digest algorithm operation.
An embodiment of the present invention also provides a smart machine, including a memory and a processor, the memory storing computer instructions that can run on the processor, wherein the processor, when running the computer instructions, performs the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a computer-readable storage medium adapted to run on a smart machine, the smart machine being adapted to communicate with a server, the computer-readable storage medium storing computer instructions which, when run, perform the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a data security protection method, comprising: when an over-the-air firmware upgrade of a smart machine is required, receiving smart machine authentication information and a server authentication information request sent by the smart machine according to a preset period, the smart machine authentication information including attribute information of the smart machine; confirming, according to the obtained attribute information of the smart machine and the information the server stores itself, that the smart machine is legitimate; and, after the server authentication information request is received and the smart machine is confirmed to be legitimate, generating server authentication information and sending it to the smart machine, so that the smart machine verifies the received server authentication information and, when verification succeeds, establishes a secure communication connection with the server.
Optionally, the smart machine authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart machine.
Optionally, generating the server authentication information comprises: after the server authentication information request is received and the smart machine is confirmed to be legitimate, generating the first random number; encrypting the first random number with the preset private key to obtain the random number signature value; obtaining the encryption algorithms supported by the smart machine from the smart machine authentication information and selecting an encryption algorithm; and generating the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
Optionally, the method further comprises: after the secure communication connection with the smart machine is established, encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts with a first key and belongs to the set of algorithms supported by the smart machine; and sending the encrypted upgrade data packet to the smart machine, so that the smart machine, on receiving the encrypted upgrade data packet, decrypts it with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
Optionally, the method further comprises: after the upgrade data packet is sent to the smart machine, receiving a MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet with a message digest algorithm; and comparing the received MAC check code with the stored MAC check code and sending the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the comparison result it receives shows that the two are consistent.
Optionally, the method further comprises: receiving an upgrade data packet retransmission request sent by the smart machine, the retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
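The MAC check code exchange and retransmission described above, as an added example that is not code from the patent: the server compares the check code reported by the smart machine against its stored value, and the smart machine asks for the package again on a mismatch. SHA-256 as the message digest, the class and function names, the retry limit and the corrupting channel are assumptions constructed for illustration.

```python
import hashlib
import hmac


def check_code(package: bytes) -> bytes:
    """MAC check code of a package (SHA-256 digest, an assumption)."""
    return hashlib.sha256(package).digest()


class UpgradeServer:
    """Hypothetical server holding one upgrade package and its check code."""

    def __init__(self, package: bytes):
        self._package = package
        self._stored_code = check_code(package)  # stored when published
        self.sends = 0                           # deliveries so far

    def send_package(self, channel) -> bytes:
        """Deliver the package through a channel that may alter it."""
        self.sends += 1
        return channel(self._package)

    def compare(self, device_code: bytes) -> bool:
        """Comparison result returned to the smart machine."""
        # Constant-time comparison of the received and stored check codes.
        return hmac.compare_digest(device_code, self._stored_code)


def device_fetch(server: UpgradeServer, channel, max_attempts: int = 3) -> bytes:
    """Smart machine side: accept the package only when the server agrees."""
    for _ in range(max_attempts):
        received = server.send_package(channel)
        if server.compare(check_code(received)):
            return received  # comparison result: consistent
        # Inconsistent: the next iteration stands for the retransmission request.
    raise RuntimeError("upgrade data packet still inconsistent after retries")


def corrupt_first(n: int):
    """Constructed channel that flips one bit in the first n deliveries."""
    state = {"left": n}

    def channel(data: bytes) -> bytes:
        if state["left"] > 0:
            state["left"] -= 1
            return bytes([data[0] ^ 0x01]) + data[1:]
        return data

    return channel


if __name__ == "__main__":
    server = UpgradeServer(b"constructed firmware image v2")
    image = device_fetch(server, corrupt_first(1))
    print(len(image), "bytes accepted after", server.sends, "deliveries")
```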
Optionally, the method further comprises: before the upgrade data packet of the system to be upgraded is encrypted with the preset first encryption algorithm, signing the upgrade data packet with the private key and writing the signature information into the upgrade data packet.
Optionally, the upgrade data packet is a differential package or a full package.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, encrypting the upgrade data packet of the system to be upgraded with the preset first encryption algorithm to obtain the encrypted upgrade data packet comprises: reading 16 bytes of data from the upgrade data packet each time and encrypting them as one packet of data, and sending the encrypted 16 bytes of data to the smart machine; and, when the last data packet is generated, if the remaining data is less than 16 bytes, padding with 0 from after the last data byte up to the penultimate byte, the last byte being the number of bytes of padding.
Optionally, the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
Optionally, the first key is generated as follows: receiving encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after it establishes the secure communication connection with the server, according to the first random number and the second random number, and encrypted with the server public key; decrypting the received encrypted random cipher data with the private key to obtain the random cipher data; and applying the message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
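The first-key derivation described here and in the smart machine's method, as an added example that is not code from the patent: both sides derive the key from the random cipher data and the two random numbers. SHA-256 as the message digest, 128-bit random numbers, the length-prefixed encoding and all function names are assumptions; the public-key encryption of the random cipher data in transit and the magnitude condition on M are not modelled.

```python
import hashlib
import secrets

NONCE_BITS = 128  # assumed width of each random number


def _int_bytes(value: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def _lp(part: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be confused."""
    return len(part).to_bytes(4, "big") + part


def random_cipher_shift_xor(r1: int, r2: int, n: int) -> bytes:
    """Shift/XOR variant: (second << N) XOR (first >> N)."""
    if n <= 0:
        raise ValueError("N must be a positive integer")
    return _int_bytes((r2 << n) ^ (r1 >> n))


def random_cipher_digest(r1: int, r2: int) -> bytes:
    """Digest variant: both random numbers used as key factors."""
    return hashlib.sha256(_lp(_int_bytes(r1)) + _lp(_int_bytes(r2))).digest()


def derive_first_key(random_cipher: bytes, r1: int, r2: int) -> bytes:
    """First key = digest over random cipher data, first and second number."""
    h = hashlib.sha256()
    for part in (random_cipher, _int_bytes(r1), _int_bytes(r2)):
        h.update(_lp(part))
    return h.digest()


def run_exchange(n: int = 8):
    """Derive the first key on both sides from freshly generated numbers."""
    r1 = secrets.randbits(NONCE_BITS)  # first random number (server)
    r2 = secrets.randbits(NONCE_BITS)  # second random number (smart machine)
    # Smart machine: build the random cipher data and derive the key.
    cipher_data = random_cipher_shift_xor(r1, r2, n)
    device_key = derive_first_key(cipher_data, r1, r2)
    # The text sends cipher_data encrypted under the server public key;
    # that step is omitted here and the value is handed over directly.
    server_key = derive_first_key(cipher_data, r1, r2)
    return device_key, server_key


if __name__ == "__main__":
    dk, sk = run_exchange()
    print("keys match:", dk == sk)
```

The derivation is deterministic in the two random numbers and N, so the first key is only as secret as those inputs and the random cipher data.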
Optionally, the method further comprises: before the attribute information of the smart machine is obtained from the received smart machine authentication information, verifying the identity of the person logging in and confirming that the identity is legitimate.
Optionally, verifying the identity of the person logging in comprises: verifying the identity of the person logging in by two-factor authentication, the two factors including: a private key signature, and a user name with its corresponding login password.
Optionally, verifying the identity of the person logging in by two-factor authentication comprises: obtaining the private key signature of the person logging in through a public key infrastructure by means of a U-shield (USB key), and confirming that it is consistent with the identity information stored in the server; and obtaining the user name and login password entered by the person logging in, comparing them respectively with the information stored in the public key infrastructure and the information stored in the server, and confirming that they are consistent.
Optionally, the server is an over-the-air software upgrade server.
An embodiment of the present invention also provides a server, including a memory and a processor, the memory storing computer instructions that can run on the processor, wherein the processor, when running the computer instructions, performs the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a computer-readable storage medium adapted to run on a server, the server being adapted to communicate with a smart machine, the computer-readable storage medium storing computer instructions which, when run, perform the steps of any of the data security protection methods described above.
An embodiment of the present invention also provides a smart machine adapted to perform an over-the-air firmware upgrade, comprising: a first sending unit, adapted to send smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information including attribute information of the smart machine; a first receiving unit, adapted to receive server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information it stores itself, that the smart machine is legitimate; a first verification unit, adapted to verify the received server authentication information; and a communication connection establishing unit, adapted to establish a secure communication connection with the server when the server authentication information is verified successfully.
Optionally, the smart machine authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart machine.
Optionally, the first verification unit is adapted to obtain the first random number and the random number signature value from the server authentication information; to decrypt the random number signature value with the server public key that the smart machine stores; and to check whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, verification being recorded as successful when the two are consistent, wherein the server public key matches the server's preset private key.
Optionally, the smart machine further comprises a second receiving unit and a first decryption unit, wherein: the second receiving unit is adapted to receive, after the secure communication connection with the server is established, an encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, wherein the first encryption algorithm encrypts with a first key and belongs to the set of algorithms supported by the smart machine; and the first decryption unit is adapted to decrypt the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
Optionally, the smart machine further comprises: a second verification unit, adapted to verify the decrypted upgrade data packet after the received encrypted upgrade data packet is decrypted and the corresponding upgrade data packet is obtained, and to confirm that the upgrade data packet is correct.
Optionally, the second verification unit is adapted to perform a MAC operation on the received upgrade data packet with a message digest algorithm to obtain a MAC check code, and to send the calculated MAC check code to the server, so that the server compares the received MAC check code with the MAC check code it has stored and sends the MAC check code comparison result to the smart machine; and to receive the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirm that the upgrade data packet is correct.
Optionally, the smart machine further comprises: a retransmission request sending unit, adapted to send an upgrade data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
Optionally, the smart machine further comprises: a third verification unit, adapted to verify the signature information of the upgrade data packet with the server public key before the second verification unit verifies the decrypted upgrade data packet.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, the first decryption unit is adapted to decrypt the received encrypted data with the first key and the decryption algorithm corresponding to the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and to store the decrypted data at a preset location; and, when the last packet of data is decrypted, to remove the padding data according to the number of padding bytes indicated by the last byte, to obtain the decrypted data of the last packet and store it at the preset location.
Optionally, the smart machine authentication information further includes: a second random number, the second random number being generated by the smart machine.
Optionally, the first decryption unit is adapted to generate, after the secure communication connection with the server is established, random cipher data according to the first random number and the second random number; and to apply a message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the first decryption unit is adapted to shift the second random number left by N bits and XOR it with the first random number shifted right by N bits, wherein the first random number is much larger than M and the second random number is much smaller than M, M being an integer and N a positive integer; and to take the XOR result as the random cipher data.
Optionally, the first decryption unit is adapted to take the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
An embodiment of the present invention also provides a server adapted to perform an over-the-air firmware upgrade of a smart machine, comprising: a third receiving unit, adapted to receive smart machine authentication information and a server authentication information request sent by the smart machine according to a preset period, the smart machine authentication information including attribute information of the smart machine; a confirmation unit, adapted to confirm, according to the obtained attribute information of the smart machine and the information the server stores itself, that the smart machine is legitimate; an authentication information generation unit, adapted to generate server authentication information after the server authentication information request is received and the smart machine is confirmed to be legitimate; and a second sending unit, adapted to send the server authentication information to the smart machine, so that the smart machine verifies the received server authentication information and, when verification succeeds, establishes a secure communication connection with the server.
Optionally, the smart machine authentication information further includes: the set of supported algorithms.
Optionally, the server authentication information includes: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the set of algorithms supported by the smart machine.
Optionally, the authentication information generation unit is adapted to generate the first random number after the server authentication information request is received and the smart machine is confirmed to be legitimate; to encrypt the first random number with the preset private key to obtain the random number signature value; to obtain the encryption algorithms supported by the smart machine from the smart machine authentication information and select an encryption algorithm; and to generate the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
Optionally, the server further includes a second encryption unit and a third transmission unit, wherein: the second encryption unit is adapted to, after the secure communication connection with the smart machine is established, encrypt the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine; the third transmission unit is adapted to send the encrypted upgrade data packet to the smart machine so that, on receiving it, the smart machine decrypts the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
Optionally, the server further includes a fourth receiving unit, a comparing unit and a fourth transmission unit, wherein: the fourth receiving unit is adapted to receive, after the upgrade data packet has been sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine by performing a MAC operation on the received upgrade data packet with a message digest algorithm; the comparing unit is adapted to compare the received MAC check code with the stored MAC check code to confirm whether the two are consistent; the fourth transmission unit is adapted to send the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the comparison result it receives shows that the two are consistent.
Optionally, the server further includes a fifth receiving unit, adapted to receive the upgrade data packet retransmission request sent by the smart machine, the retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
Optionally, the server further includes a third encryption unit, adapted to sign the upgrade data packet with the server private key, and write the signing information into the upgrade data packet, before the second encryption unit encrypts the upgrade data packet of the system to be upgraded with the preset first encryption algorithm.
Optionally, the first encryption algorithm is a symmetric encryption algorithm.
Optionally, the second encryption unit is adapted to read 16 bytes of data from the upgrade data packet at a time as one packet of data, encrypt it, and send the encrypted 16 bytes of data to the smart machine; when generating the last data packet, if the remaining data is less than 16 bytes, 0 is filled in after the last data byte up to the penultimate byte, and the last byte is the number of bytes of data filled.
Optionally, the smart machine authentication information further includes a second random number, the second random number being generated by the smart machine.
Optionally, the second encryption unit includes a receiving subunit, a decryption subunit and a generation subunit, wherein: the receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine from the first random number and the second random number after the secure communication connection with the server is established, and encrypted with the server public key; the decryption subunit is adapted to decrypt the received encrypted random cipher data with the server private key to obtain the random cipher data; the generation subunit is adapted to use the message digest algorithm to operate on the random cipher data, the first random number and the second random number to obtain the first key.
Optionally, the server further includes a login-user identity authentication unit, adapted to verify the identity of the login user, and confirm that the identity of the login user is legal, before the attribute information of the smart machine is obtained from the received smart machine authentication information.
Optionally, the login-user identity authentication unit is adapted to verify the identity of the login user by two-factor authentication, the two factors including: a private key signature, and a user name and corresponding login password.
Compared with the prior art, the technical solutions of the embodiments of the present invention have the following advantages:
When a firmware upgrade needs to be downloaded, the smart machine periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine from the smart machine authentication information. The smart machine verifies the server against the server authentication information it receives from the server and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established only after the two have authenticated each other and both verifications have passed, and only then does the smart machine allow the server to access it, communication security during the system upgrade of the smart machine is improved and attacks by hackers on the smart machine are effectively avoided.
When the smart machine needs a firmware over-the-air upgrade, the server, on confirming from the received smart machine authentication information that the smart machine is a legal device, sends server authentication information to the smart machine, so that the smart machine can verify the legitimacy of the server and establish a secure communication connection with the server after verification succeeds. Because the secure communication connection is established only when both the smart machine and the server have passed verification, communication security during the system upgrade of the smart machine is improved and attacks by hackers on the smart machine or the server are effectively avoided.
Further, after the secure communication connection between the smart machine and the server is established, the server encrypts the upgrade data packet to obtain an encrypted upgrade data packet and sends it to the smart machine. Encrypting the upgrade data packet further improves the data security of the smart machine and the server during communication.
Further, the server verifies the identity of the login user, which prevents illegal users from logging in to the server. Verifying the identity of users logging in to the server improves the security of server access rights and, in turn, the security of communication with the smart machine.
Brief description of the drawings
Fig. 1 is a flow chart of a data security protection method in an embodiment of the present invention;
Fig. 2 is a flow chart of another data security protection method in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of a smart machine in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of another smart machine in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a server in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another server in an embodiment of the present invention.
Detailed description of the embodiments
As described above, when the system in a smart machine is upgraded remotely using FOTA, the smart machine is vulnerable to hacker attacks and security is low.
To solve the above problem, in the embodiments of the present invention, when a firmware upgrade needs to be downloaded, the smart machine periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine from the smart machine authentication information. The smart machine verifies the server against the server authentication information it receives from the server and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established only after the two have authenticated each other and both verifications have passed, and only then does the smart machine allow the server to access it, communication security during the system upgrade of the smart machine is improved and attacks by hackers on the smart machine are effectively avoided.
To make the above objects, features and beneficial effects of the embodiments of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the drawings.
Referring to Fig. 1, a flow chart of a data security protection method in an embodiment of the present invention is given. It is described in detail below through specific steps.
Step 11: send smart machine authentication information and a server authentication information request to the server according to a preset period.
In a specific implementation, when the smart machine needs a firmware over-the-air upgrade, it can send the smart machine authentication information and the server authentication information request to the server at the preset period.
In a specific implementation, the smart machine authentication information can be used to identify the smart machine. The smart machine authentication information may include attribute information of the smart machine. The attribute information may include the firmware product information of the smart machine, the firmware version number of the smart machine, or both.
It can be understood that, in practical applications, the attribute information of the smart machine may also include other information that can identify the smart machine, which is not described further here.
In an embodiment of the present invention, the server is a FOTA server. It can be understood that the type or kind of server may differ according to the service the smart machine requires.
Step 12: receive the server authentication information sent by the server.
In a specific implementation, after the server receives the smart machine authentication information sent by the smart machine, it can obtain the attribute information of the smart machine from it and confirm, from the obtained attribute information and the information it has stored itself, whether the smart machine is a legal device. When the smart machine is confirmed to be legal and the server authentication information request has been received, the server authentication information can be generated.
In an embodiment of the present invention, the server can obtain the attribute information of the smart machine from the received smart machine authentication information. For example, the server gets the firmware product information and firmware version number of the smart machine from the smart machine attribute information and looks them up in a database. When the firmware product information and firmware version number of the smart machine are found in the database, the smart machine is confirmed to be legal. When they are not found, the smart machine is confirmed not to be a legal device, and the provisional communication connection with the smart machine is interrupted. Here, the smart machine being legal means that the smart machine has been registered on the server in advance. In a specific implementation, while the smart machine and the server are connected only by the provisional communication connection, no business operation can be performed; only some data and information can be transmitted.
In an embodiment of the present invention, the smart machine authentication information may further include: the supported encryption algorithm set.
In a specific implementation, the server authentication information may include: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In an embodiment of the present invention, the server can generate the server authentication information as follows: after confirming that the smart machine is legal, generate the first random number. Encrypt the first random number with the preset server private key to obtain the random number signature value. Obtain the encryption algorithms supported by the smart machine from the smart machine authentication information and select an encryption algorithm. Generate the server authentication information from the random number, the random number signature value and the selected encryption algorithm.
In a specific implementation, the random number may be a string of digits, or a string of digits and letters.
Step 13: verify the received server authentication information and, when verification succeeds, establish a secure communication connection with the server.
In a specific implementation, when the server authentication information sent by the server is received, the received authentication information can be verified. When the identity of the server is successfully verified, a secure communication connection with the server is established.
In a specific implementation, the verification method used may differ according to the server authentication information.
In an embodiment of the present invention, the server authentication information can be verified as follows: obtain the first random number and the random number signature value from the server authentication information. Decrypt the random number signature value with the server public key stored on the smart machine, and check whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information; when the two are consistent, verification is recorded as successful. The server public key matches the server's preset private key.
The smart machine can use the server public key to decrypt the received information that the server signed with its private key, thereby verifying the identity of the server. In an embodiment of the present invention, the server public key can be placed in the smart machine before the smart machine leaves the factory. For example, the server public key can be embedded in the program installed on the smart machine.
As the above scheme shows, when a firmware upgrade needs to be downloaded, the smart machine periodically sends smart machine authentication information and a server authentication information request to the server, so that the server can confirm the legitimacy of the smart machine from the smart machine authentication information. The smart machine verifies the server against the server authentication information it receives from the server and, when verification succeeds, establishes a secure communication connection with the server. Because the secure communication connection between the smart machine and the server is established only after the two have authenticated each other and both verifications have passed, and only then does the smart machine allow the server to access it, communication security during the system upgrade of the smart machine is improved and attacks by hackers on the smart machine are effectively avoided.
In a specific implementation, when the system on certain smart machines needs to be upgraded, an upgrade data packet has to be sent to the smart machine. To improve the security of the upgrade data packet in transit, the server can encrypt the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, and send the encrypted upgrade data packet to the smart machine, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine. The smart machine can receive the encrypted upgrade data packet sent by the server and decrypt it with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
In a specific implementation, the upgrade data packet can be a whole package or a differential package. A whole package is the complete data packet corresponding to the new version of the system after the upgrade. A differential package is the data packet corresponding to the difference between the new version after the upgrade and the old version before it. Upgrading with a differential package upgrades only the part that differs, which reduces the traffic needed during the upgrade and makes the upgrade faster.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm. In a specific implementation, the first encryption algorithm can be a national secret algorithm or the Advanced Encryption Standard (AES) algorithm. It can be understood that other encryption algorithms can also be used, provided that the encryption algorithm used is supported by the upgrade service in the smart machine's firmware and is also supported by the server, which is not described further here.
In an embodiment of the present invention, the smart machine can decrypt the encrypted upgrade data packet as follows: using the first key and the decryption algorithm corresponding to the first encryption algorithm, decrypt the received encrypted data; each packet of encrypted data yields 16 bytes of data after decryption, and the decrypted data is stored at a preset position. When the last packet of data is decrypted, the filled data is removed according to the number of padding bytes indicated by the last byte, and the result is stored at the preset position.
For example, the last packet of data after decryption is 11223344556677889900000000000007, where the last byte, 7, indicates that 7 bytes were filled. Removing the filled bytes gives the original data 112233445566778899, and 112233445566778899 is stored at the preset position.
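The packet framing described above (16-byte packets, zero fill, fill count in the last byte), as an added Python example that is not part of the patent. The cipher itself is left out; the `always_pad` option and the padding validation in `decode` are assumptions that go beyond the text.

```python
"""16-byte packet framing: zero fill with the fill count in the last byte."""

BLOCK = 16  # packet size stated in the text


def encode(data: bytes, always_pad: bool = False) -> list:
    """Split data into 16-byte packets and pad the final one.

    always_pad=False follows the text: only a short final packet is padded.
    always_pad=True (assumption, not in the text) appends a full padding
    packet when the data is already a multiple of 16 bytes long.
    """
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if blocks and len(blocks[-1]) < BLOCK:
        fill = BLOCK - len(blocks[-1])
        # zeros up to the penultimate byte, then the number of filled bytes
        blocks[-1] += b"\x00" * (fill - 1) + bytes([fill])
    elif always_pad:
        blocks.append(b"\x00" * (BLOCK - 1) + bytes([BLOCK]))
    return blocks


def decode(blocks: list) -> bytes:
    """Reassemble packets, removing the fill from the final packet.

    As in the text, the receiver trusts the last byte of the last packet.
    The range and zero-fill checks are an added safeguard (assumption).
    """
    if not blocks:
        return b""
    if any(len(b) != BLOCK for b in blocks):
        raise ValueError("every packet must be exactly 16 bytes")
    last = blocks[-1]
    fill = last[-1]
    if not 1 <= fill <= BLOCK or any(last[BLOCK - fill:-1]):
        raise ValueError("malformed padding in final packet")
    return b"".join(blocks[:-1]) + last[:BLOCK - fill]


if __name__ == "__main__":
    # The worked example from the text.
    packet = encode(bytes.fromhex("112233445566778899"))[0]
    print(packet.hex())            # final packet as sent
    print(decode([packet]).hex())  # data recovered by the smart machine

    # Constructed edge case: 16 bytes of data whose last byte looks like a count.
    aligned = bytes(15) + b"\x01"
    print(len(decode(encode(aligned))))                   # one byte is lost
    print(len(decode(encode(aligned, always_pad=True))))  # full 16 bytes kept
```

Because the text pads only a short final packet, an upgrade image whose length is a multiple of 16 cannot be told apart from a padded one on the receiving side; padding every image, or carrying the image length separately, removes that ambiguity.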
In a specific implementation, to improve communication security during transmission of the upgrade data packet, the server can sign the upgrade data packet with the preset server private key and write the signature value into the upgrade data packet. After the smart machine receives the upgrade data packet, it can decrypt the received upgrade data packet with the server public key and confirm that the upgrade data packet was sent by the server, thereby verifying the legitimacy of the upgrade data packet. If the upgrade data packet was not sent by the server, the upgrade data packet is discarded and an upgrade data packet retransmission request is sent to the server.
In a specific implementation, the smart machine authentication information may also include a second random number. The second random number is generated by the smart machine.
In an embodiment of the present invention, the smart machine can generate the first key, which is also called the process key, as follows:
After the secure communication connection is established between the smart machine and the server, generate random cipher data from the first random number and the second random number, encrypt the random cipher data with the server public key, and send the encrypted random cipher data to the server. Using a message digest algorithm, operate on the random cipher data, the first random number and the second random number to obtain the first key. When a symmetric encryption algorithm is used, the server also needs to use the same key as the first key in the smart machine, that is, the first key.
In an embodiment of the present invention, the server can generate the first key as follows: on receiving the encrypted random cipher data sent by the smart machine, decrypt it with the server private key to obtain the random cipher data, and use the message digest algorithm to operate on the random cipher data, the first random number and the second random number to obtain the first key, wherein the server private key corresponds to the server public key. The message digest algorithm used by the server is the same as the one used by the smart machine; for example, the message digest algorithm can be SHA1, SHA5, etc.
The message digest process does not need a key, and data processed by it cannot be decrypted; only identical plaintext input passed through the same message digest algorithm yields the same ciphertext, so communication security is higher.
In a specific implementation, the smart machine may generate the random cipher data from the first random number and the second random number in a variety of ways.
In an embodiment of the present invention, the second random number is shifted left by N bits and XORed with the first random number shifted right by N bits, and the XOR result is used as the random cipher data. Here, the first random number is much larger than M and the second random number is much smaller than M, where M is an integer and N is a positive integer.
For example, the first random number generated by the smart machine is much smaller than 1 (<< 1) and the second random number generated by the server is much larger than 1 (>> 1); the first random number is shifted left by 1 bit, then XORed with the second random number shifted right by 1 bit, and the XOR result is used as the random cipher data.
In another embodiment of the present invention, the first random number and the second random number are used as key factors, and the random cipher data is generated by a message digest algorithm operation.
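The exchange in steps 11 to 13 and the first-key derivation described above, run end to end with both sides in one process, as an added Python example that is not part of the patent. The textbook-RSA demo key built from two Mersenne primes, the registry contents, the field and algorithm names, the length-prefixed hash input and the 16-byte key length are all assumptions made for illustration.

```python
"""Mutual authentication and first-key derivation, device and server together."""
import hashlib
import secrets

# Constructed demo key pair (textbook RSA, no padding). Both primes are
# well-known Mersenne primes, so this key is for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
MODULUS = P * Q
PUB_EXP = 65537                                 # embedded in the smart machine
PRIV_EXP = pow(PUB_EXP, -1, (P - 1) * (Q - 1))  # held only by the server

REGISTRY = {("cam-x1", "1.0.3")}    # constructed: (product info, firmware version)
SERVER_ALGORITHMS = ["SM4", "AES"]  # constructed server preference order


def _to_bytes(value: int) -> bytes:
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def derive_first_key(secret: int, r1: int, r2: int, digest: str = "sha1") -> bytes:
    """digest(random cipher data, first random number, second random number)."""
    h = hashlib.new(digest)
    for part in (secret, r1, r2):
        raw = _to_bytes(part)
        h.update(len(raw).to_bytes(2, "big") + raw)  # length prefix (assumption)
    return h.digest()[:16]                           # 16-byte key (assumption)


def server_build_auth_info(device_info: dict):
    """Server side: registration check, algorithm selection, signed nonce."""
    if (device_info["product"], device_info["fw_version"]) not in REGISTRY:
        return None  # not registered: the provisional connection is dropped
    chosen = next((a for a in SERVER_ALGORITHMS
                   if a in device_info["algorithms"]), None)
    if chosen is None:
        return None  # no algorithm in common
    r1 = secrets.randbits(128)
    return {"r1": r1, "signature": pow(r1, PRIV_EXP, MODULUS), "algorithm": chosen}


def device_verify_server(auth_info: dict, supported: list) -> bool:
    """Step 13: 'decrypt' the signature value with the public key and compare."""
    recovered = pow(auth_info["signature"], PUB_EXP, MODULUS)
    return recovered == auth_info["r1"] and auth_info["algorithm"] in supported


def device_make_key(r1: int, r2: int, shift: int = 1):
    """Shift/XOR embodiment of the random cipher data, wrapped for the server."""
    secret = (r2 << shift) ^ (r1 >> shift)
    return pow(secret, PUB_EXP, MODULUS), derive_first_key(secret, r1, r2)


def server_make_key(wrapped: int, r1: int, r2: int) -> bytes:
    """Unwrap the random cipher data with the private key, then derive."""
    secret = pow(wrapped, PRIV_EXP, MODULUS)
    return derive_first_key(secret, r1, r2)


def run_handshake(product: str = "cam-x1", fw_version: str = "1.0.3"):
    """Return the negotiated state, or None if either side rejects the other."""
    r2 = secrets.randbits(128)
    device_info = {"product": product, "fw_version": fw_version,
                   "algorithms": ["AES"], "r2": r2}
    auth_info = server_build_auth_info(device_info)
    if auth_info is None or not device_verify_server(auth_info,
                                                     device_info["algorithms"]):
        return None
    wrapped, device_key = device_make_key(auth_info["r1"], r2)
    server_key = server_make_key(wrapped, auth_info["r1"], device_info["r2"])
    return {"algorithm": auth_info["algorithm"], "r1": auth_info["r1"], "r2": r2,
            "device_key": device_key, "server_key": server_key}


if __name__ == "__main__":
    state = run_handshake()
    print(state["algorithm"], state["device_key"] == state["server_key"])
```

In the shift/XOR embodiment the random cipher data is a function of the two random numbers alone, so the first key is only as secret as those two values are while the authentication information is exchanged.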
In a specific implementation, after the received encrypted upgrade data packet is decrypted and the corresponding upgrade data packet is obtained, the decrypted upgrade data packet can be verified to confirm that it is correct.
In an embodiment of the present invention, the smart machine can verify the received upgrade data packet and confirm that it is correct as follows:
Perform a MAC operation on the received upgrade data packet with a message digest algorithm to obtain a MAC check code, and send the calculated MAC check code to the server. The server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine. The smart machine receives the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirms that signature verification is correct.
In a specific implementation, the message digest algorithm the smart machine uses to obtain the MAC check code is the same as the one the server uses to obtain its MAC check code. For example, Message Digest Algorithm 5 (MD5) is used.
Verifying with a MAC check code checks the legitimacy and integrity of the received upgrade data packet, improving the correctness of the received upgrade data packet and communication security.
Referring to Fig. 2, a flow chart of another data security protection method in an embodiment of the present invention is given. In a specific implementation, the data security protection method can be used by a server to perform a firmware over-the-air upgrade on a smart machine; it is described in detail below with reference to specific steps.
Step 21: receive the smart machine authentication information sent by the smart machine according to a preset period, together with the server authentication information request.
In a specific implementation, the smart machine authentication information received by the server may include smart machine attribute information.
In a specific implementation, the smart machine authentication information can be used to identify the smart machine. In an embodiment of the present invention, the attribute information of the smart machine may include the firmware product information of the smart machine, the firmware version number of the smart machine, or both.
It can be understood that, in practical applications, the attribute information of the smart machine may also include other information that can identify the smart machine, which is not described further here.
In an embodiment of the present invention, the server is a FOTA server, which can upgrade the firmware of the smart machine remotely. It can be understood that the type or kind of server may differ according to the service the smart machine requires.
Step 22: confirm that the smart machine is legal according to the obtained attribute information of the smart machine and the stored information.
In a specific implementation, after the server receives the smart machine authentication information sent by the smart machine, it can obtain the attribute information of the smart machine from it and confirm, from the obtained attribute information and the information it has stored itself, whether the smart machine is a legal device. Specifically, when the obtained attribute information of the smart machine is consistent with the information the server has stored, the smart machine is confirmed to be legal. Correspondingly, when the obtained attribute information is inconsistent with the stored information, the smart machine is confirmed to be illegal.
In an embodiment of the present invention, the server can obtain the attribute information of the smart machine from the received smart machine authentication information. For example, the server gets the firmware product information and firmware version number of the smart machine from the smart machine attribute information and looks them up in a database. When the firmware product information and firmware version number of the smart machine are found in the database, the smart machine is confirmed to be legal. When they are not found, the smart machine is confirmed not to be legal, and the provisional communication connection with the smart machine is interrupted. Here, a smart machine registered on the server can be treated as a legal device.
Step 23: generate server authentication information and send it to the smart machine.
In a specific implementation, after the server authentication information request is received and the smart machine is confirmed to be legal, the server authentication information can be generated. The generated server authentication information is sent to the smart machine. The smart machine can verify the received server authentication information and, when verification succeeds, establish a secure communication connection with the server.
With the above scheme, when the smart machine needs a firmware over-the-air upgrade, the server, on confirming from the received smart machine authentication information that the smart machine is a legal device, sends server authentication information to the smart machine, so that the smart machine can verify the legitimacy of the server and establish a secure communication connection with the server after verification succeeds. Because the two sides establish the secure communication connection only when both the smart machine and the server have passed verification, communication security during the system upgrade of the smart machine is improved and attacks by hackers on the smart machine or the server are effectively avoided.
In an embodiment of the present invention, the smart machine authentication information may include: the supported algorithm set.
In a specific implementation, the server authentication information may include: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In an embodiment of the present invention, the server can generate the server authentication information as follows: after receiving the server authentication information request and confirming that the smart machine is legal, generate the first random number. Encrypt the first random number with the preset server private key to obtain the random number signature value. Obtain the encryption algorithms supported by the smart machine from the smart machine authentication information and select an encryption algorithm. Generate the server authentication information from the random number, the random number signature value and the selected encryption algorithm.
In an embodiment of the present invention, the smart machine can verify the server authentication information as follows: obtain the first random number and the random number signature value from the server authentication information. Decrypt the random number signature value with the preset server public key, and check whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information; when the two are consistent, verification is recorded as successful. The server public key matches the private key of the server. The smart machine can use the server public key to decrypt the received information that the server signed with its private key, thereby verifying the identity of the server.
In a specific implementation, after the secure communication connection with the smart machine is established, data or messages can be sent to the smart machine. For example, the FOTA server can send an upgrade data packet to the smart machine, and the upgrade data packet can be a differential package or a whole package.
To improve communication security between the server and the smart machine, in an embodiment of the present invention, the upgrade data packet of the system to be upgraded is encrypted with a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine. The encrypted upgrade data packet is sent to the smart machine. When the smart machine receives the encrypted upgrade data packet, it decrypts it with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
In a specific implementation, after the upgrade data packet is sent to the smart machine, the MAC check code sent by the smart machine is received. The received MAC check code is compared with the stored MAC check code, and the MAC check code comparison result is sent to the smart machine. The MAC check code is obtained by the smart machine performing a MAC operation on the received upgrade data packet with a message digest algorithm, and can be used to verify the received upgrade data packet. When the MAC check code comparison result received by the smart machine shows that the two are consistent, the upgrade data packet is confirmed to be correct, that is, the received upgrade data packet is a legitimate and complete data packet.
When the MAC check code comparison result received by the smart machine shows that the two are inconsistent, the upgrade data packet is discarded and an upgrade data packet retransmission request is sent to the server.
In a specific implementation, the server can receive the upgrade data packet retransmission request sent by the smart machine and, according to that request, send the upgrade data packet to the smart machine again.
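The check-code exchange and retransmission described above, with both sides simulated, as an added example that is not code from the patent. HMAC-SHA256, the demo key, the retry limit and the bit-flipping channel are assumptions; the description only says that a MAC operation uses a message digest algorithm.

```python
import hashlib
import hmac

# Constructed demo key: the description does not say which key the MAC uses.
MAC_KEY = b"constructed-demo-mac-key"


def mac_check_code(package: bytes, key: bytes = MAC_KEY) -> bytes:
    """MAC check code over a package (HMAC-SHA256 is this example's assumption)."""
    return hmac.new(key, package, hashlib.sha256).digest()


class Server:
    """Holds the upgrade package and the MAC check code stored for it."""

    def __init__(self, package: bytes):
        self.package = package
        self.stored_mac = mac_check_code(package)
        self.deliveries = 0

    def send_package(self) -> bytes:
        self.deliveries += 1
        return self.package

    def compare(self, received_mac: bytes) -> bool:
        # Constant-time comparison of the received and stored check codes.
        return hmac.compare_digest(received_mac, self.stored_mac)


def flaky_channel(data: bytes, attempt: int) -> bytes:
    """Constructed transport that flips one bit of the first delivery only."""
    if attempt == 1:
        return data[:-1] + bytes([data[-1] ^ 0x01])
    return data


def device_download(server: Server, channel, max_attempts: int = 3):
    """Device side: receive, report the check code, keep or discard on the result.

    Returns (package, attempts). The retry bound is an added assumption so a
    persistently corrupted transfer fails closed instead of looping forever.
    """
    for attempt in range(1, max_attempts + 1):
        received = channel(server.send_package(), attempt)
        if server.compare(mac_check_code(received)):
            return received, attempt
        # Inconsistent result: the packet is discarded; the next loop
        # iteration stands for the retransmission request.
    raise RuntimeError("upgrade package still inconsistent after retries")


if __name__ == "__main__":
    srv = Server(bytes(range(64)))  # constructed 64-byte "firmware"
    _, attempts = device_download(srv, flaky_channel)
    print("accepted after", attempts, "deliveries")
```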
In a specific implementation, to further improve communication security, before the upgrade data packet of the system to be upgraded is encrypted with the preset first encryption algorithm, the upgrade data packet is signed with the server private key and the signature information is written into the upgrade data packet. After the smart machine receives the upgrade data packet, it can verify the signature information of the received packet with the server public key, confirming that the packet was sent by the server, so as to verify the legitimacy of the upgrade data packet. If the packet was not sent by the server, it is discarded and an upgrade data packet retransmission request is sent to the server.
In a specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm. In a specific implementation, the first encryption algorithm can be a national cryptographic algorithm or the Advanced Encryption Standard (AES) algorithm. It can be understood that other encryption algorithms can also be used, provided the algorithm used is supported by the upgrade service in the firmware of the smart machine and is also supported by the server; details are not repeated here.
In a specific implementation, the server can encrypt the upgrade data packet as follows: each time, 16 bytes of data are read from the upgrade data packet and encrypted as one packet of data, and the encrypted 16 bytes are sent to the smart machine. When the last data packet is generated, if the remaining data is less than 16 bytes, 0 is filled in after the last data byte up to the second-to-last byte, and the last byte is the number of bytes of padding.
For example, the last packet of data is 112233445566778899, which is 9 bytes. According to the preset padding rule, 0 is appended after the last character 9, and the last byte indicates the number of bytes occupied by all padding, itself included. The data after padding is: 11223344556677889900000000000007. It can be understood that other padding modes can also be used; details are not repeated here.
In a specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In a specific implementation, the server can generate the first key as follows: it receives the encrypted random cipher data sent by the smart machine; it decrypts the received encrypted random cipher data with the server private key to obtain the random cipher data; and it applies the message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key. The server private key corresponds to the server public key. The message digest algorithm used by the server is the same as the one used by the smart machine; for example, the message digest algorithm can be SHA1, SHA5, etc.
In a specific implementation, before the attribute information of the smart machine is obtained from the received smart machine authentication information, the server can verify the identity of the login user and confirm that the identity of the login user is legitimate.
In an embodiment of the present invention, the identity of the login user can be verified with two-factor authentication; the two factors may include: a private key signature, and a user name with the corresponding login password.
Specifically, the private key signature of the login user can be obtained through a Public Key Infrastructure (PKI) using a U-shield, and confirmed to be consistent with the identity information stored in the server. The user name and login password entered by the login user are obtained and compared, respectively, with the information stored in the Public Key Infrastructure and the information stored in the server, to confirm whether they are consistent. When they are confirmed to be consistent, the identity of the login user is deemed legitimate.
For example, when the server is a FOTA server, the PKI mechanism can be used with the private key signature of the U-shield (USBKEY), which is compared with the identity information stored in the database of the FOTA server. When the comparison result shows consistency, the user name and login password entered by the login user are obtained and compared, respectively, with the identity information stored in the USBKEY and the identity information stored in the FOTA server, to further confirm the identity of the login user, thereby further improving system security in terms of server access rights.
So that those skilled in the art can better understand and implement the present invention, an embodiment of the present invention also provides a smart machine.
Referring to Fig. 3, a schematic structural diagram of a smart machine in an embodiment of the present invention is given. The smart machine 30 is adapted to perform firmware over-the-air upgrades and may include: a first sending unit 31, a first receiving unit 32, a first verification unit 33 and a communication connection establishment unit 34, wherein:
The first sending unit 31 is adapted to send smart machine authentication information and a server authentication information request to the server according to a preset period, the smart machine authentication information including the attribute information of the smart machine;
The first receiving unit 32 is adapted to receive the server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information stored by itself, that the smart machine is legitimate;
The first verification unit 33 is adapted to verify the received server authentication information;
The communication connection establishment unit 34 is adapted to establish a secure communication connection with the server when the server authentication information is verified successfully.
From the above, when a smart machine needs to download a firmware upgrade, it can periodically send smart machine authentication information and a server authentication information request to the server, so that the server confirms the legitimacy of the smart machine according to the smart machine authentication information. The smart machine verifies the server according to the received server authentication information and, when verification succeeds, establishes a secure communication connection with the server. Because the smart machine allows the server to access it, that is, establishes the secure communication connection with the server, only when the two have authenticated each other and verification has passed, communication security during the system upgrade of the smart machine can be improved and attacks by hackers on the smart machine can be effectively avoided.
In a specific implementation, the smart machine authentication information can also include the supported algorithm set.
In a specific implementation, the server authentication information may include: a first random number, a random number signature value and a selected encryption algorithm, where the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In a specific implementation, the first verification unit 33 is adapted to obtain the first random number and the random number signature value from the server authentication information; to decrypt the random number signature value with the server public key that it stores; and to confirm whether the first random number obtained by decryption is consistent with the first random number taken from the server authentication information, recording verification as successful when the two are consistent, where the server public key matches the preset server private key of the server.
Fig. 4 gives a schematic structural diagram of another smart machine in an embodiment of the present invention. In a specific implementation, on the basis of Fig. 3, the smart machine 30 may further include a second receiving unit 41 and a first decryption unit 42, wherein:
The second receiving unit 41 is adapted to receive, after the secure communication connection with the server is established, the encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, where the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
The first decryption unit 42 is adapted to decrypt the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
In a specific implementation, the smart machine 30 may further include a second verification unit 43. The second verification unit 43 is adapted to verify the received upgrade data packet, after the received encrypted upgrade data packet has been decrypted and the corresponding upgrade data packet obtained, and to confirm that the verification is correct.
In a specific implementation, the second verification unit 43 is adapted to perform a MAC operation on the received upgrade data packet with a message digest algorithm to obtain a MAC check code, and to send the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine; and to receive the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirm that the upgrade data packet is correct.
In a specific implementation, the smart machine 30 may further include a retransmission request sending unit 44. The retransmission request sending unit 44 is adapted to send an upgrade data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
In a specific implementation, the smart machine 30 may further include a third verification unit (not shown). The third verification unit is adapted to verify the signature information of the upgrade data packet with the server public key before the second verification unit verifies the upgrade data packet obtained by decryption.
In a specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm can be a symmetric encryption algorithm.
In a specific implementation, the first decryption unit 42 is adapted to decrypt the received encrypted data with the first key and the first encryption algorithm, obtaining 16 bytes of data after each packet of encrypted data is decrypted, and to store the decrypted data at a preset location; when the last packet of data is decrypted, the padding data is removed according to the number of padding bytes indicated by the last byte, and the decrypted data of the last packet is obtained and stored at the preset location.
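The padding rule from the server-side description (16-byte packets, zero fill, final count byte) and its removal by the first decryption unit 42 above, as an added example that is not code from the patent; it works on plaintext packets and leaves the encryption step out. The `always_pad` variant is an assumption of this example, included because the rule as written pads only a short final packet, so a package whose length is a multiple of 16 reaches the receiver with no count byte to strip.

```python
BLOCK = 16  # packet size stated in the description


def pad(tail: bytes) -> bytes:
    """Zero-fill a short final packet; the last byte counts all padding
    bytes, itself included (1..16)."""
    n = BLOCK - len(tail)
    if not 1 <= n <= BLOCK:
        raise ValueError("tail must be 0..15 bytes long")
    return tail + b"\x00" * (n - 1) + bytes([n])


def split_packets(package: bytes, always_pad: bool = False) -> list:
    """Cut a package into 16-byte packets.

    always_pad=False follows the description: only a short final packet
    is padded. always_pad=True is an added variant (assumption): an
    aligned package gets one extra all-padding packet, so the receiver
    can strip padding unconditionally.
    """
    full, rest = divmod(len(package), BLOCK)
    packets = [package[i * BLOCK:(i + 1) * BLOCK] for i in range(full)]
    if rest or always_pad:
        packets.append(pad(package[full * BLOCK:]))
    return packets


def unpad(last: bytes) -> bytes:
    """Strip padding from the final decrypted packet, rejecting a count
    byte out of range or non-zero filler."""
    if len(last) != BLOCK:
        raise ValueError("final packet must be 16 bytes")
    n = last[-1]
    if not 1 <= n <= BLOCK or any(last[-n:-1]):
        raise ValueError("malformed padding")
    return last[:-n]


def join_packets(packets: list) -> bytes:
    """Receiver side: concatenate packets and unpad the last one."""
    return b"".join(packets[:-1]) + unpad(packets[-1])


if __name__ == "__main__":
    # The description's own example: 9 data bytes, 6 zero bytes, count 07.
    print(pad(bytes.fromhex("112233445566778899")).hex())

    # Constructed aligned package whose real data happens to end 00 00 03.
    aligned = bytes(range(1, 14)) + b"\x00\x00\x03"
    lost = join_packets(split_packets(aligned))
    kept = join_packets(split_packets(aligned, always_pad=True))
    print(len(aligned), "bytes sent;", len(lost), "recovered under the rule as")
    print("written,", len(kept), "recovered with always_pad")
```

Sending the total package length alongside the packets is another way to remove the ambiguity; the description itself notes that other padding modes can be used.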
In a specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In a specific implementation, the first decryption unit 42 is adapted to generate, after the secure communication connection with the server is established, random cipher data according to the first random number and the second random number, and to apply a message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
In a specific implementation, the first decryption unit 42 is adapted to shift the second random number left by N bits and XOR it with the first random number shifted right by N bits, where the first random number is much greater than M and the second random number is much smaller than M, M being an integer and N a positive integer; the XOR result is used as the random cipher data.
In a specific implementation, the first decryption unit 42 is adapted to use the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
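The first-key derivation as the smart machine performs it in the three passages above and as the server repeats it after decrypting the random cipher data, written as an added example rather than code from the patent. The length-prefixed encoding, the concatenation order, SHA-256 (the description names SHA1 as one option), the 16-byte truncation and the sample values are assumptions; the public-key transport of the random cipher data is left out.

```python
import hashlib

# Constructed sample values: R1 is the server's first random number,
# R2 the smart machine's second random number, N the shift width.
R1 = 0xF3A1C2D4E5B60718293A4B5C6D7E8F90
R2 = 0x1234ABCD
N = 8


def encode(value: int) -> bytes:
    """Length-prefixed big-endian encoding (assumption), so both sides
    hash exactly the same bytes whatever the bit length of each value."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return len(raw).to_bytes(2, "big") + raw


def random_cipher_shift_xor(r1: int, r2: int, n: int) -> int:
    """Shift/XOR variant: (R2 << N) XOR (R1 >> N).

    The result is a deterministic function of R1, R2 and N and adds no
    randomness of its own.
    """
    if n <= 0:
        raise ValueError("N must be a positive integer")
    return (r2 << n) ^ (r1 >> n)


def random_cipher_digest(r1: int, r2: int, algo: str = "sha256") -> int:
    """Digest variant: R1 and R2 as key factors through the message digest."""
    digest = hashlib.new(algo, encode(r1) + encode(r2)).digest()
    return int.from_bytes(digest, "big")


def first_key(random_cipher: int, r1: int, r2: int,
              algo: str = "sha256", key_len: int = 16) -> bytes:
    """Digest over random cipher data, R1 and R2, truncated to key_len bytes."""
    h = hashlib.new(algo)
    for part in (random_cipher, r1, r2):
        h.update(encode(part))
    return h.digest()[:key_len]


def device_side(r1: int, r2: int, n: int):
    """Smart machine: build the random cipher data, then derive the key."""
    rc = random_cipher_shift_xor(r1, r2, n)
    return rc, first_key(rc, r1, r2)


def server_side(received_rc: int, r1: int, r2: int) -> bytes:
    """Server: derive the key from the decrypted random cipher data."""
    return first_key(received_rc, r1, r2)


if __name__ == "__main__":
    rc, device_key = device_side(R1, R2, N)
    print("keys match:", server_side(rc, R1, R2) == device_key)
```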
In a specific implementation, for the working principle and workflow of the smart machine, refer to the description of the data security protection method used when a firmware over-the-air upgrade is needed, provided in the above embodiments of the present invention; details are not repeated here.
The embodiment of the present invention also provides a kind of server.A kind of server in the embodiment of the present invention provided referring to Fig. 5
Structural schematic diagram, the server 50 are suitable for carrying out smart machine aerial downloading firmware upgrade, may include: that third reception is single
Member 51, confirmation unit 52, authentication information generation unit 53 and the second transmission unit 54, in which:
The third receiving unit 51 is adapted to receive the smart machine authentication information and the server authentication information request sent by the smart machine according to a preset period, the smart machine authentication information including the attribute information of the smart machine;
The confirmation unit 52 is adapted to confirm that the smart machine is legitimate according to the obtained attribute information of the smart machine and the information stored by itself;
The authentication information generation unit 53 is adapted to generate server authentication information after the server authentication information request is received and the smart machine is confirmed to be legitimate;
The second sending unit 54 is adapted to send the server authentication information to the smart machine, so that the smart machine verifies the received server authentication information and, when verification succeeds, establishes a secure communication connection with the server.
In a specific implementation, the smart machine authentication information can also include the supported algorithm set.
In a specific implementation, the server authentication information may include: a first random number, a random number signature value and a selected encryption algorithm, where the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
In a specific implementation, the authentication information generation unit 53 is adapted to generate the first random number after the server authentication information request is received and the smart machine is confirmed to be legitimate; to encrypt the first random number with the preset server private key to obtain the random number signature value; to obtain from the smart machine authentication information the encryption algorithms supported by the smart machine and select an encryption algorithm; and to generate the authentication information from the random number, the random number signature value and the selected encryption algorithm.
Fig. 6 gives a schematic structural diagram of another server in an embodiment of the invention. On the basis of Fig. 5, the server 50 may further include a second encryption unit 61 and a third sending unit 62, wherein:
The second encryption unit 61 is adapted to encrypt, after the secure communication connection with the smart machine is established, the upgrade data packet of the system to be upgraded with a preset first encryption algorithm to obtain an encrypted upgrade data packet, where the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
The third sending unit 62 is adapted to send the encrypted upgrade data packet to the smart machine, so that the smart machine, on receiving the encrypted upgrade data packet, decrypts it with the first key and the decryption algorithm corresponding to the first encryption algorithm to obtain the corresponding upgrade data packet.
In a specific implementation, the server 50 may further include a fourth receiving unit 63, a comparing unit 64 and a fourth sending unit 65, wherein:
The fourth receiving unit 63 is adapted to receive, after the upgrade data packet is sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet with a message digest algorithm;
The comparing unit 64 is adapted to compare the received MAC check code with the stored MAC check code to confirm whether the two are consistent;
The fourth sending unit 65 is adapted to send the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the comparison result it receives shows that the two are consistent.
In a specific implementation, the server 50 may further include a fifth receiving unit (not shown), adapted to receive the upgrade data packet retransmission request sent by the smart machine, the retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
In a specific implementation, the server 50 may further include a third encryption unit (not shown). The third encryption unit is adapted to sign the upgrade data packet with the server private key, and write the signature information into the upgrade data packet, before the second encryption unit encrypts the upgrade data packet of the system to be upgraded with the preset first encryption algorithm.
In a specific implementation, the upgrade data packet can be a full package or a differential package.
In an embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm.
In a specific implementation, the second encryption unit 61 is adapted to read 16 bytes of data from the upgrade data packet each time, encrypt them as one packet of data, and send the encrypted 16 bytes to the smart machine; when the last data packet is generated, if the remaining data is less than 16 bytes, 0 is filled in after the last data byte up to the second-to-last byte, and the last byte is the number of bytes of padding.
In a specific implementation, the smart machine authentication information can also include a second random number, which is generated by the smart machine.
In a specific implementation, the second encryption unit 61 may include a receiving subunit (not shown), a decryption subunit (not shown) and a generation subunit (not shown), wherein:
The receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted with the server public key;
The decryption subunit is adapted to decrypt the received encrypted random cipher data with the server private key to obtain the random cipher data;
The generation subunit is adapted to apply the message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
In a specific implementation, the server 50 may further include a login user identity verification unit (not shown), adapted to verify the identity of the login user, and confirm that the identity of the login user is legitimate, before the attribute information of the smart machine is obtained from the received smart machine authentication information.
In a specific implementation, the login user identity verification unit is adapted to verify the identity of the login user with two-factor authentication; the two factors may include: a private key signature, and a user name with the corresponding login password.
In a specific implementation, for the working principle and workflow of the server, refer to the description of the corresponding data security protection method used when a firmware over-the-air upgrade is performed on a smart machine, provided in the above embodiments of the present invention; details are not repeated here.
An embodiment of the present invention also provides a smart machine, including a memory and a processor, the memory storing computer instructions that can run on the processor; when running the computer instructions, the processor performs the steps of the corresponding data security protection method, provided by any of the above embodiments, for when a firmware over-the-air upgrade is needed.
An embodiment of the present invention also provides a server, including a memory and a processor, the memory storing computer instructions that can run on the processor; when running the computer instructions, the processor performs the steps of the corresponding data security protection method, provided by any of the above embodiments, for performing a firmware over-the-air upgrade on a smart machine.
An embodiment of the present invention also provides a computer readable storage medium adapted to run on a smart machine, the smart machine being adapted to communicate with a server; computer instructions are stored on the computer readable storage medium and, when run, perform the steps of the corresponding data security protection method, provided by any of the above embodiments, for when a firmware over-the-air upgrade is needed.
An embodiment of the present invention also provides a computer readable storage medium adapted to run on a server, the server being adapted to communicate with a smart machine; computer instructions are stored on the computer readable storage medium and, when run, perform the steps of the corresponding data security protection method, provided by any of the above embodiments, for performing a firmware over-the-air upgrade on a smart machine.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer readable storage medium, and the storage medium may include: ROM, RAM, a magnetic disk, an optical disc, etc.
Although the present disclosure is as above, the present invention is not limited to it. Anyone skilled in the art can make various changes or modifications without departing from the spirit and scope of the present invention, and the protection scope of the present invention should therefore be that defined by the claims.
Claims (66)
1. A data security protection method, characterized by comprising:
When a firmware over-the-air upgrade needs to be performed, sending smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information comprising: attribute information of the smart machine;
Receiving the server authentication information sent by the server, the server authentication information being generated by the server after it receives the server authentication information request and confirms, according to the obtained attribute information of the smart machine and the information stored by itself, that the smart machine is legitimate;
Verifying the received server authentication information and, when verification succeeds, establishing a secure communication connection with the server.
2. The data security protection method according to claim 1, characterized in that the smart machine authentication information further comprises: the supported algorithm set.
3. The data security protection method according to claim 2, characterized in that the server authentication information comprises: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
4. The data security protection method according to claim 3, characterized in that verifying the received server authentication information comprises:
Obtaining the first random number and the random number signature value from the server authentication information;
Decrypting the random number signature value with the server public key stored by itself, and confirming whether the first random number obtained by decryption is consistent with the first random number taken from the server authentication information, verification being recorded as successful when the two are consistent, wherein the server public key matches the preset server private key of the server.
5. The data security protection method according to claim 4, characterized by further comprising:
After the secure communication connection with the server is established, receiving the encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded with a preset first encryption algorithm, wherein the first encryption algorithm encrypts with a first key and belongs to the algorithm set supported by the smart machine;
Decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm, to obtain the corresponding upgrade data packet.
6. The data security protection method according to claim 5, characterized by further comprising:
After the received encrypted upgrade data packet is decrypted and the corresponding upgrade data packet obtained, verifying the upgrade data packet obtained by decryption and confirming that the upgrade data packet is correct.
7. The data security protection method according to claim 6, characterized in that verifying the upgrade data packet obtained by decryption and confirming that the upgrade data packet is correct comprises:
Performing a MAC operation on the received upgrade data packet with a message digest algorithm to obtain a MAC check code, and sending the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine;
Receiving the MAC check code comparison result sent by the server and, when the comparison result shows that the two are consistent, confirming that the upgrade data packet is correct.
8. The data security protection method according to claim 7, characterized by further comprising:
When the MAC check code comparison result shows that the two are inconsistent, sending an upgrade data packet retransmission request to the server.
9. The data security protection method according to claim 6, characterized by further comprising:
Before the upgrade data packet obtained by decryption is verified, verifying the signature information of the upgrade data packet with the server public key.
10. The data security protection method according to claim 5, characterized in that the upgrade data packet is: a differential package or a full package.
11. The data security protection method according to claim 5, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
12. The data security protection method according to claim 11, characterized in that decrypting the received encrypted upgrade data packet with the first key and the decryption algorithm corresponding to the first encryption algorithm comprises:
Decrypting the received encrypted data with the first key and the first encryption algorithm, 16 bytes of data being obtained after each packet of encrypted data is decrypted, and storing the decrypted data at a preset location;
When the last packet of data is decrypted, removing the padding data according to the number of padding bytes indicated by the last byte, and obtaining the decrypted data of the last packet and storing it at the preset location.
13. The data security protection method according to claim 12, characterized in that the smart machine authentication information further comprises: a second random number, the second random number being generated by the smart machine.
14. The data security protection method according to claim 13, characterized in that the first key is generated as follows:
After the secure communication connection with the server is established, generating random cipher data according to the first random number and the second random number;
Applying a message digest algorithm to the random cipher data, the first random number and the second random number to obtain the first key.
15. The data security protection method according to claim 14, characterized in that the smart machine generating random cipher data according to the first random number and the second random number comprises:
Shifting the second random number left by N bits and XORing it with the first random number shifted right by N bits, wherein the first random number is much greater than M and the second random number is much smaller than M, M being an integer and N a positive integer;
Using the XOR result as the random cipher data.
16. The data security protection method according to claim 14, characterized in that the smart machine generating random cipher data according to the first random number and the second random number comprises:
Using the first random number and the second random number as key factors, and generating the random cipher data by a message digest algorithm operation.
17. A data security protection method, characterized by comprising:
When an over-the-air firmware upgrade of a smart machine is required, receiving smart machine authentication information and a server authentication information request sent by the smart machine according to a preset period, the smart machine authentication information comprising: attribute information of the smart machine;
Confirming that the smart machine is legitimate according to the obtained attribute information of the smart machine and the information stored by the server itself;
After receiving the server authentication information request and upon confirming that the smart machine is legitimate, generating server authentication information and sending it to the smart machine, so that the smart machine verifies the received server authentication information and, when the verification succeeds, establishes a secure communication connection with the server.
18. The data security protection method according to claim 17, characterized in that the smart machine authentication information further comprises: a set of supported algorithms.
19. The data security protection method according to claim 18, characterized in that the server authentication information comprises: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
20. The data security protection method according to claim 19, characterized in that generating the server authentication information comprises:
After receiving the server authentication information request and confirming that the smart machine is legitimate, generating the first random number;
Encrypting the first random number using the preset server private key to obtain the random number signature value;
Obtaining the encryption algorithms supported by the smart machine from the smart machine authentication information, and selecting an encryption algorithm;
Generating the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
21. The data security protection method according to claim 20, characterized by further comprising:
After the secure communication connection with the smart machine is established, encrypting the upgrade data packet of the system to be upgraded using a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
Sending the encrypted upgrade data packet to the smart machine, so that the smart machine, upon receiving the encrypted upgrade data packet, decrypts it using the first key and the decryption algorithm corresponding to the first encryption algorithm and obtains the corresponding upgrade data packet.
22. The data security protection method according to claim 21, characterized by further comprising:
After the upgrade data packet is sent to the smart machine, receiving the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet using a message digest algorithm;
Comparing the received MAC check code with the stored MAC check code, and sending the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the received MAC check code comparison result shows that the two are consistent.
23. The data security protection method according to claim 22, characterized by further comprising:
Receiving an upgrade data packet retransmission request sent by the smart machine, the upgrade data packet retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
24. The data security protection method according to claim 21, characterized by further comprising:
Before encrypting the upgrade data packet of the system to be upgraded using the preset first encryption algorithm, signing the upgrade data packet using the server private key, and writing the signature information into the upgrade data packet.
25. The data security protection method according to claim 21, characterized in that the upgrade data packet is a differential package or a full package.
26. The data security protection method according to claim 21, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
27. The data security protection method according to claim 26, characterized in that encrypting the upgrade data packet of the system to be upgraded using the preset first encryption algorithm to obtain the encrypted upgrade data packet comprises:
Reading 16 bytes of data from the upgrade data packet each time and encrypting them as one packet, and sending the encrypted 16 bytes of data to the smart machine;
When generating the last packet, if the remaining data is less than 16 bytes, filling with 0 from the position after the last data byte up to the penultimate byte, the last byte being the number of bytes of filled data.
28. The data security protection method according to claim 27, characterized in that the smart machine authentication information further comprises: a second random number, the second random number being generated by the smart machine.
29. The data security protection method according to claim 28, characterized in that the first key is generated in the following way:
Receiving the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted using the server public key;
Decrypting the received encrypted random cipher data using the server private key to obtain the random cipher data;
Using the message digest algorithm, performing an operation on the random cipher data, the first random number and the second random number to obtain the first key.
30. The data security protection method according to claim 17, characterized by further comprising:
Before the attribute information of the smart machine is obtained from the received smart machine authentication information, verifying the identity of the registrant, and confirming that the identity of the registrant is legitimate.
31. The data security protection method according to claim 30, characterized in that verifying the identity of the registrant comprises:
Verifying the identity of the registrant using two-factor authentication, the two factors comprising: a private key signature, and a user name with the corresponding login password.
32. The data security protection method according to claim 31, characterized in that verifying the identity of the registrant using two-factor authentication comprises:
Obtaining the private key signature of the registrant through a public key infrastructure using a U-shield, and confirming that it is consistent with the identity information stored in the server;
Obtaining the user name and login password entered by the registrant, comparing them respectively with the information stored in the public key infrastructure and the information stored in the server, and confirming that they are consistent.
33. The data security protection method according to claim 17, characterized in that the server is an over-the-air software upgrade server.
34. A smart machine, adapted for over-the-air firmware upgrade, characterized by comprising:
A first transmission unit, adapted to send smart machine authentication information and a server authentication information request to a server according to a preset period, the smart machine authentication information comprising: attribute information of the smart machine;
A first receiving unit, adapted to receive the server authentication information sent by the server, the server authentication information being generated by the server after receiving the server authentication information request and upon confirming, according to the obtained attribute information of the smart machine and the information stored by the server itself, that the smart machine is legitimate;
A first authentication unit, adapted to verify the received server authentication information;
A communication connection establishment unit, adapted to establish a secure communication connection with the server when the server authentication information is verified successfully.
35. The smart machine according to claim 34, characterized in that the smart machine authentication information further comprises: a set of supported algorithms.
36. The smart machine according to claim 35, characterized in that the server authentication information comprises: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
37. The smart machine according to claim 36, characterized in that the first authentication unit is adapted to obtain the first random number and the random number signature value from the server authentication information; decrypt the random number signature value using the server public key stored by the smart machine itself, and confirm whether the first random number obtained by decryption is consistent with the first random number obtained from the server authentication information, the verification being recorded as successful when the two are consistent, wherein the server public key matches the preset server private key of the server.
38. The smart machine according to claim 37, characterized by further comprising: a second receiving unit and a first decryption unit, wherein:
The second receiving unit is adapted to receive, after the secure communication connection with the server is established, the encrypted upgrade data packet sent by the server, the encrypted upgrade data packet being obtained by the server encrypting the upgrade data packet of the system to be upgraded using a preset first encryption algorithm, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
The first decryption unit is adapted to decrypt the received encrypted upgrade data packet using the first key and the decryption algorithm corresponding to the first encryption algorithm, and obtain the corresponding upgrade data packet.
39. The smart machine according to claim 38, characterized by further comprising: a second authentication unit, adapted to verify the upgrade data packet obtained by decryption, after the received encrypted upgrade data packet has been decrypted and the corresponding upgrade data packet obtained, and to confirm that the upgrade data packet is correct.
40. The smart machine according to claim 39, characterized in that the second authentication unit is adapted to perform a MAC operation on the received upgrade data packet using a message digest algorithm to obtain a MAC check code, and send the calculated MAC check code to the server, so that the server compares the received MAC check code with the stored MAC check code and sends the MAC check code comparison result to the smart machine; and to receive the MAC check code comparison result sent by the server, and confirm that the upgrade data packet is correct when the MAC check code comparison result shows that the two are consistent.
41. The smart machine according to claim 40, characterized by further comprising: a retransmission request transmission unit, adapted to send an upgrade data packet retransmission request to the server when the MAC check code comparison result shows that the two are inconsistent.
42. The smart machine according to claim 39, characterized by further comprising: a third authentication unit, adapted to verify the signature information of the upgrade data packet using the server public key before the second authentication unit verifies the upgrade data packet obtained by decryption.
43. The smart machine according to claim 38, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
44. The smart machine according to claim 43, characterized in that the first decryption unit is adapted to decrypt the received encrypted data using the first key and the first encryption algorithm, each packet of encrypted data yielding 16 bytes of data after decryption, and store the decrypted data in a predetermined location; and, when decrypting the last packet, to remove the padding data according to the number of padding bytes indicated by the last byte, obtain the decrypted data of the last packet and store it in the predetermined location.
45. The smart machine according to claim 44, characterized in that the smart machine authentication information further comprises: a second random number, the second random number being generated by the smart machine.
46. The smart machine according to claim 45, characterized in that the first decryption unit is adapted to generate random cipher data according to the first random number and the second random number after the secure communication connection with the server is established; and, using a message digest algorithm, to perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
47. The smart machine according to claim 46, characterized in that the first decryption unit is adapted to shift the second random number left by N positions and XOR it with the first random number shifted right by N positions, wherein the first random number is much larger than M and the second random number is much smaller than M, M being an integer and N being a positive integer; and to use the XOR result as the random cipher data.
48. The smart machine according to claim 46, characterized in that the first decryption unit is adapted to use the first random number and the second random number as key factors and generate the random cipher data by a message digest algorithm operation.
49. A server, adapted to perform an over-the-air firmware upgrade of a smart machine, characterized by comprising:
A third receiving unit, adapted to receive smart machine authentication information and a server authentication information request sent by the smart machine according to a preset period, the smart machine authentication information comprising: attribute information of the smart machine;
A confirmation unit, adapted to confirm that the smart machine is legitimate according to the obtained attribute information of the smart machine and the information stored by the server itself;
An authentication information generation unit, adapted to generate server authentication information after receiving the server authentication information request and after confirming that the smart machine is legitimate;
A second transmission unit, adapted to send the server authentication information to the smart machine, so that the smart machine verifies the received server authentication information and, when the verification succeeds, establishes a secure communication connection with the server.
50. The server according to claim 49, characterized in that the smart machine authentication information further comprises: a set of supported algorithms.
51. The server according to claim 50, characterized in that the server authentication information comprises: a first random number, a random number signature value and a selected encryption algorithm, wherein the selected encryption algorithm belongs to the algorithm set supported by the smart machine.
52. The server according to claim 51, characterized in that the authentication information generation unit is adapted to generate the first random number after receiving the server authentication information request and confirming that the smart machine is legitimate; encrypt the first random number using the preset server private key to obtain the random number signature value; obtain the encryption algorithms supported by the smart machine from the smart machine authentication information and select an encryption algorithm; and generate the authentication information according to the random number, the random number signature value and the selected encryption algorithm.
53. The server according to claim 52, characterized by further comprising: a second encryption unit and a third transmission unit, wherein:
The second encryption unit is adapted to encrypt, after the secure communication connection with the smart machine is established, the upgrade data packet of the system to be upgraded using a preset first encryption algorithm to obtain an encrypted upgrade data packet, wherein the first encryption algorithm encrypts using a first key and belongs to the algorithm set supported by the smart machine;
The third transmission unit is adapted to send the encrypted upgrade data packet to the smart machine, so that the smart machine, upon receiving the encrypted upgrade data packet, decrypts it using the first key and the decryption algorithm corresponding to the first encryption algorithm and obtains the corresponding upgrade data packet.
54. The server according to claim 53, characterized by further comprising: a fourth receiving unit, a comparing unit and a fourth transmission unit, wherein:
The fourth receiving unit is adapted to receive, after the upgrade data packet is sent to the smart machine, the MAC check code sent by the smart machine, the MAC check code being obtained by the smart machine performing a MAC operation on the received upgrade data packet using a message digest algorithm;
The comparing unit is adapted to compare the received MAC check code with the stored MAC check code to confirm whether the two are consistent;
The fourth transmission unit is adapted to send the MAC check code comparison result to the smart machine, so that the smart machine confirms that the upgrade data packet is correct when the received MAC check code comparison result shows that the two are consistent.
55. The server according to claim 54, characterized by further comprising: a fifth receiving unit, adapted to receive the upgrade data packet retransmission request sent by the smart machine, the upgrade data packet retransmission request being generated by the smart machine when the MAC check code comparison result shows that the two are inconsistent.
56. The server according to claim 53, characterized by further comprising: a third encryption unit, adapted to sign the upgrade data packet using the server private key and write the signature information into the upgrade data packet before the second encryption unit encrypts the upgrade data packet of the system to be upgraded using the preset first encryption algorithm.
57. The server according to claim 53, characterized in that the first encryption algorithm is a symmetric encryption algorithm.
58. The server according to claim 57, characterized in that the second encryption unit is adapted to read 16 bytes of data from the upgrade data packet each time and encrypt them as one packet, and send the encrypted 16 bytes of data to the smart machine; and, when generating the last packet, if the remaining data is less than 16 bytes, to fill with 0 from the position after the last data byte up to the penultimate byte, the last byte being the number of bytes of filled data.
59. The server according to claim 58, characterized in that the smart machine authentication information further comprises: a second random number, the second random number being generated by the smart machine.
60. The server according to claim 59, characterized in that the second encryption unit comprises: a receiving subunit, a decryption subunit and a generation subunit, wherein:
The receiving subunit is adapted to receive the encrypted random cipher data sent by the smart machine, the encrypted random cipher data being generated by the smart machine, after the secure communication connection with the server is established, according to the first random number and the second random number, and encrypted using the server public key;
The decryption subunit is adapted to decrypt the received encrypted random cipher data using the server private key to obtain the random cipher data;
The generation subunit is adapted to use the message digest algorithm to perform an operation on the random cipher data, the first random number and the second random number to obtain the first key.
61. The server according to claim 49, characterized by further comprising: a registrant identity authentication unit, adapted to verify the identity of the registrant before the attribute information of the smart machine is obtained from the received smart machine authentication information, and to confirm that the identity of the registrant is legitimate.
62. The server according to claim 61, characterized in that the registrant identity authentication unit is adapted to verify the identity of the registrant using two-factor authentication, the two factors comprising: a private key signature, and a user name with the corresponding login password.
63. A smart machine, comprising a memory and a processor, the memory storing computer instructions executable on the processor, characterized in that the processor, when running the computer instructions, performs the steps of the data security protection method according to any one of claims 1 to 16.
64. A server, comprising a memory and a processor, the memory storing computer instructions executable on the processor, characterized in that the processor, when running the computer instructions, performs the steps of the data security protection method according to any one of claims 17 to 33.
65. A computer-readable storage medium, adapted to run on a smart machine, the smart machine being adapted to communicate with a server, the computer-readable storage medium storing computer instructions, characterized in that the computer instructions, when run, perform the steps of the data security protection method according to any one of claims 1 to 16.
66. A computer-readable storage medium, adapted to run on a server, the server being adapted to communicate with a smart machine, the computer-readable storage medium storing computer instructions, characterized in that the computer instructions, when run, perform the steps of the data security protection method according to any one of claims 17 to 33.
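The 16-byte packet padding of claims 12, 27, 44 and 58, as an added example that is not part of the patent text: the claims pad only a short last packet, which leaves the receiver unable to tell padding from data when the package length is already a multiple of 16, so the sketch contrasts the rule as worded with a variant that always pads and validates before removing anything. It assumes the count byte counts itself; all function names and the sample images are constructed for illustration.

```python
"""Added illustration of the 16-byte packet padding in claims 12, 27, 44, 58.

Assumptions (not stated in the claims): the trailing count byte counts
itself, and every function name below is hypothetical.
"""

BLOCK = 16  # packet size named in the claims


def pad_as_claimed(data: bytes) -> bytes:
    """Sender rule as worded: pad only when the last packet is short."""
    rem = len(data) % BLOCK
    if rem == 0:
        return data  # the claim text adds nothing to a full last packet
    n = BLOCK - rem  # bytes appended, count byte included (assumption)
    return data + b"\x00" * (n - 1) + bytes([n])


def unpad_as_claimed(padded: bytes) -> bytes:
    """Receiver rule as worded: the last byte says how much to remove."""
    if not padded:
        return padded
    n = padded[-1]
    return padded[:-n] if 1 <= n < BLOCK else padded


def pad_strict(data: bytes) -> bytes:
    """Always append 1..16 bytes so the last byte is a count every time."""
    n = BLOCK - (len(data) % BLOCK)  # a whole extra packet when aligned
    return data + b"\x00" * (n - 1) + bytes([n])


def unpad_strict(padded: bytes) -> bytes:
    """Validate length, count range and zero fill before removing anything."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of 16")
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("pad count out of range")
    if any(padded[-n:-1]):
        raise ValueError("non-zero byte inside the zero fill")
    return padded[:-n]


def packets(padded: bytes) -> list:
    """Split into the 16-byte packets that are encrypted and sent one by one."""
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


# Constructed sample images (not real firmware).
SHORT_TAIL = bytes(range(1, 21))                      # 20 bytes
ALIGNED_TAIL = bytes(range(1, 14)) + b"\x00\x00\x03"  # 16 bytes, ends 00 00 03


def bytes_lost(pad, unpad, image: bytes) -> int:
    """How many bytes of the image disappear across one pad/unpad round trip."""
    return len(image) - len(unpad(pad(image)))


if __name__ == "__main__":
    for name, image in (("short", SHORT_TAIL), ("aligned", ALIGNED_TAIL)):
        print(name,
              "as claimed lost", bytes_lost(pad_as_claimed, unpad_as_claimed, image),
              "strict lost", bytes_lost(pad_strict, unpad_strict, image))
```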
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710596068.4A CN109286599A (en) | 2017-07-20 | 2017-07-20 | Data security protection method, smart machine, server and readable storage medium storing program for executing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710596068.4A CN109286599A (en) | 2017-07-20 | 2017-07-20 | Data security protection method, smart machine, server and readable storage medium storing program for executing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109286599A true CN109286599A (en) | 2019-01-29 |
Family
ID=65185003
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710596068.4A Pending CN109286599A (en) | 2017-07-20 | 2017-07-20 | Data security protection method, smart machine, server and readable storage medium storing program for executing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109286599A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102955700A (en) * | 2011-08-18 | 2013-03-06 | 腾讯科技(深圳)有限公司 | System and method for upgrading software |
EP2605477A1 (en) * | 2011-12-16 | 2013-06-19 | British Telecommunications public limited company | Proxy server operation |
CN104811484A (en) * | 2015-04-09 | 2015-07-29 | 努比亚技术有限公司 | FOTA (firmware over-the-air) upgrading method and device |
CN105930730A (en) * | 2015-09-22 | 2016-09-07 | ***股份有限公司 | Terminal system security update method and apparatus in trusted execution environment |
CN105812570A (en) * | 2016-04-21 | 2016-07-27 | 深圳市旭子科技有限公司 | Terminal firmware updating method and device |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109861817A (en) * | 2019-02-26 | 2019-06-07 | 数安时代科技股份有限公司 | Generate method, apparatus, system, equipment and the medium of key |
CN111698108A (en) * | 2019-03-13 | 2020-09-22 | 阿里巴巴集团控股有限公司 | Data transmission method and device |
CN111698108B (en) * | 2019-03-13 | 2023-11-21 | 阿里巴巴集团控股有限公司 | Data transmission method and device |
CN113508635B (en) * | 2019-03-25 | 2023-10-20 | 华为技术有限公司 | Method for establishing wireless communication connection and related equipment |
CN113508635A (en) * | 2019-03-25 | 2021-10-15 | 华为技术有限公司 | Method for establishing wireless communication connection and related equipment |
CN110134424A (en) * | 2019-05-16 | 2019-08-16 | 上海东软载波微电子有限公司 | Firmware upgrade method and system, server, smart machine, readable storage medium storing program for executing |
CN110225038A (en) * | 2019-06-13 | 2019-09-10 | 江苏亨通工控安全研究院有限公司 | Method, apparatus and system for industrial information safety |
CN110225038B (en) * | 2019-06-13 | 2022-05-17 | 江苏亨通工控安全研究院有限公司 | Method, device and system for industrial information security |
CN110417804A (en) * | 2019-08-07 | 2019-11-05 | 济南新吉纳远程测控股份有限公司 | A kind of bidirectional identity authentication encryption communication method and system suitable for chip microcontroller |
CN110417804B (en) * | 2019-08-07 | 2021-11-26 | 济南新吉纳远程测控股份有限公司 | Bidirectional identity authentication encryption communication method and system suitable for single-chip microcomputer implementation |
CN110929262A (en) * | 2019-11-20 | 2020-03-27 | 上海钧正网络科技有限公司 | Online upgrading method and system |
CN110943980A (en) * | 2019-11-20 | 2020-03-31 | 杭州涂鸦信息技术有限公司 | Cloud security encryption verification method and system based on over-the-air technology upgrading |
CN111190631A (en) * | 2019-12-13 | 2020-05-22 | 东信和平科技股份有限公司 | Smart card and method for updating security after COS (chip operating System) of smart card |
CN111190631B (en) * | 2019-12-13 | 2023-08-22 | 东信和平科技股份有限公司 | Smart card and method for updating security after COS (class of service) of smart card |
CN111131300A (en) * | 2019-12-31 | 2020-05-08 | 上海移为通信技术股份有限公司 | Communication method, terminal and server |
CN111131300B (en) * | 2019-12-31 | 2022-06-17 | 上海移为通信技术股份有限公司 | Communication method, terminal and server |
CN111556024B (en) * | 2020-03-31 | 2022-07-05 | 中国航天***科学与工程研究院 | Reverse access control system and method |
CN111556024A (en) * | 2020-03-31 | 2020-08-18 | 中国航天***科学与工程研究院 | Reverse access control system and method |
CN111490880B (en) * | 2020-05-12 | 2023-10-20 | 上海明略人工智能(集团)有限公司 | File receiving method and device |
CN111490880A (en) * | 2020-05-12 | 2020-08-04 | 上海明略人工智能(集团)有限公司 | File receiving method and device |
CN112491879A (en) * | 2020-11-26 | 2021-03-12 | 中电金融设备***(深圳)有限公司 | Method for remotely updating firmware, computer equipment and storage medium |
CN114531300A (en) * | 2022-03-14 | 2022-05-24 | 无锡雪浪数制科技有限公司 | Industrial graph recognition method based on smart watch |
CN114629641A (en) * | 2022-03-17 | 2022-06-14 | 江南信安(北京)科技有限公司 | Code downloading starting safety protection method and device based on safety chip |
CN117892318A (en) * | 2024-03-12 | 2024-04-16 | 汉兴同衡科技集团有限公司 | Internet of things intelligent terminal data security protection method, system and storage device |
CN117892318B (en) * | 2024-03-12 | 2024-05-24 | 汉兴同衡科技集团有限公司 | Internet of things intelligent terminal data security protection method, system and storage device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109286599A (en) | Data security protection method, smart machine, server and readable storage medium storing program for executing | |
CN109962784B (en) | Data encryption, decryption and recovery method based on multiple digital envelope certificates | |
US9760721B2 (en) | Secure transaction method from a non-secure terminal | |
CN109104440B (en) | Cloud storage big data integrity verification method for mobile terminal equipment of Internet of things | |
US10601801B2 (en) | Identity authentication method and apparatus | |
CN104412273B (en) | Method and system for activation | |
CN106412862B (en) | short message reinforcement method, device and system | |
WO2019020051A1 (en) | Method and apparatus for security authentication | |
CN110532735A (en) | Firmware upgrade method | |
CN1921395B (en) | Method for improving security of network software | |
CN110198295A (en) | Safety certifying method and device and storage medium | |
CN108377190A (en) | A kind of authenticating device and its working method | |
CN108809633B (en) | Identity authentication method, device and system | |
CN113868672B (en) | Module wireless firmware upgrading method, security chip and wireless firmware upgrading platform | |
CN104378388B (en) | Executable file progress control method and device | |
CN102045333A (en) | Method for generating safety message process key | |
CN106060073B (en) | Channel key machinery of consultation | |
CN111541716A (en) | Data transmission method and related device | |
CN105847000A (en) | Token generation method and communication system based on same | |
CN105592071A (en) | Method and device for authorization between devices | |
CN110635901A (en) | Local Bluetooth dynamic authentication method and system for Internet of things equipment | |
CN105187369B (en) | A kind of data access method and device | |
CN111880824A (en) | Firmware data verification device and method, firmware update device and method and system | |
CN106789024A (en) | A kind of remote de-locking method, device and system | |
CN112291201B (en) | Service request transmission method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 100089 18 / F, block B, Zhizhen building, No.7, Zhichun Road, Haidian District, Beijing. Applicant after: Beijing Ziguang zhanrui Communication Technology Co.,Ltd. Address before: 100084, Room 516, building A, Tsinghua Science Park, Beijing, Haidian District. Applicant before: BEIJING SPREADTRUM HI-TECH COMMUNICATIONS TECHNOLOGY Co.,Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190129 |