CN111211894A - Data transmission method, device and system - Google Patents

Data transmission method, device and system Download PDF

Info

Publication number
CN111211894A
CN111211894A CN201811390932.6A CN201811390932A CN111211894A CN 111211894 A CN111211894 A CN 111211894A CN 201811390932 A CN201811390932 A CN 201811390932A CN 111211894 A CN111211894 A CN 111211894A
Authority
CN
China
Prior art keywords
random number
gateway
determined
key
digital
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811390932.6A
Other languages
Chinese (zh)
Other versions
CN111211894B (en
Inventor
叶东林
宋翔
彭艳飞
文彦峰
陈灿
陈旭泉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SF Technology Co Ltd
Original Assignee
SF Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SF Technology Co Ltd filed Critical SF Technology Co Ltd
Priority to CN201811390932.6A priority Critical patent/CN111211894B/en
Publication of CN111211894A publication Critical patent/CN111211894A/en
Application granted granted Critical
Publication of CN111211894B publication Critical patent/CN111211894B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a data transmission method, a device and a system, which relate to the communication technology, after a server is connected with a gateway, digital digests of at least two random numbers are determined according to at least two random numbers generated by interaction with the gateway and a selected symmetric encryption algorithm and an asymmetric encryption algorithm, the digital digests are compared with the digital digests determined by the gateway according to the same random numbers, when the two are the same, the successful key negotiation is determined, and then data transmission is performed through a key determined by the negotiation. The process of negotiating the key between the server and the gateway is carried out by comparing the digests of at least two random numbers generated by the two parties, so that the key negotiated by the method is extremely difficult to be cracked, and the security of data transmission can be improved by carrying out data transmission by the key.

Description

Data transmission method, device and system
Technical Field
The present disclosure relates generally to communication technologies, and in particular, to a data transmission method, apparatus, and system.
Background
In an application scene of the internet of things, a large number of sensors of the internet of things usually exist, data of the sensors are uniformly collected and processed through a computing gateway (or computing nodes, gateways, concentrators, centralized controllers and the like) and then transmitted to an application system (or systems, platforms, backstage, a master station, a host server and the like), and the architecture shows that one system corresponds to a plurality of computing gateways, and one gateway corresponds to a plurality of sensors.
At present, a method based on a TCP/IP protocol is used for data transmission between most computing gateways and application systems, and although bidirectional real-time data transmission can be performed, the following problems exist:
the data packet (or data frame) is not encrypted (only simple CRC check can only ensure the integrity of data), and the clear text transmission of the data is easy to steal and tamper. Or partial area of the data packet is encrypted, but the transmission of the key is plaintext transmission, and the key of each computing gateway is the same, so that once the transmission of the key is stolen or the key of one gateway is cracked, the data of all gateways can be stolen.
Disclosure of Invention
In view of the above-mentioned drawbacks and deficiencies of the prior art, it is desirable to provide a data transmission method, device and system to improve the security of data transmission.
In a first aspect, an embodiment of the present invention provides a data transmission method, including:
establishing connection with a gateway;
determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same;
and carrying out data transmission by negotiating the determined key.
In a second aspect, an embodiment of the present invention provides a data transmission method, including:
establishing connection with a server;
determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same;
and carrying out data transmission by negotiating the determined key.
In a third aspect, an embodiment of the present invention further provides a data transmission apparatus, including:
a connection unit, configured to establish a connection with a gateway;
the determining unit is used for determining the digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the gateway and the selected symmetric encryption algorithm and asymmetric encryption algorithm, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same;
and the transmission unit is used for carrying out data transmission by negotiating the determined key.
In a fourth aspect, an embodiment of the present invention further provides a data transmission apparatus, including:
a connection establishing unit for establishing connection with a server;
the key agreement unit is used for determining digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the server and the selected symmetric encryption algorithm and asymmetric encryption algorithm, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same;
and the data transmission unit is used for carrying out data transmission by negotiating the determined key.
In a fifth aspect, an embodiment of the present invention further provides a data transmission system, including a gateway and a server, where:
the server is used for establishing connection with the gateway; determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with a server and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that key agreement is successful when the two are the same; carrying out data transmission by negotiating the determined key;
the gateway is used for establishing connection with the server; determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same; and carrying out data transmission by negotiating the determined key.
The embodiment of the invention provides a data transmission method, a device and a system, after a server is connected with a gateway, the server determines digital digests of at least two random numbers according to at least two random numbers generated by interaction with the gateway and a selected symmetric encryption algorithm and an asymmetric encryption algorithm, compares the digital digests with digital digests determined by the gateway according to the same random numbers, determines that key agreement is successful when the two are the same, and then performs data transmission through the agreed key. The process of negotiating the key between the server and the gateway is carried out by comparing the digests of at least two random numbers generated by the two parties, so that the key negotiated by the method is extremely difficult to be cracked, and the security of data transmission can be improved by carrying out data transmission by the key.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 is a flowchart of a data transmission method according to an embodiment of the present invention;
fig. 2 is a flowchart of gateway registration or login provided in an embodiment of the present invention;
fig. 3 is a flowchart of key agreement provided in the embodiment of the present invention;
fig. 4 is a second flowchart of a data transmission method according to an embodiment of the present invention;
fig. 5 and fig. 6 are schematic structural diagrams of a data transmission apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a data transmission system according to an embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Referring to fig. 1, a data transmission method according to an embodiment of the present invention includes:
step S101, establishing connection with a gateway;
step S102, determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption algorithm and asymmetric encryption algorithm, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same;
and step S103, data transmission is carried out through the determined key negotiation.
In step S102, the process of negotiating the key between the server and the gateway is performed by comparing the digests of at least two random numbers generated by the two parties, so that the key negotiated in this way is extremely difficult to be broken, and the security of data transmission can be improved by performing data transmission through the key.
In the embodiment of the present invention, three random numbers are taken as an example to specifically describe.
Specifically, in step S102, the random number, the algorithm and the digital digest need to be exchanged, and the server and the gateway may determine the digital digest of the random number according to the predetermined calculation method, and determine the secret key according to the random number according to the predetermined calculation method when the two are the same.
Step S102, determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same, specifically comprising the following steps:
receiving a key negotiation request sent by a gateway, wherein the key negotiation request carries a random number R1 generated by the gateway;
sending a response message to the gateway, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
receiving a key negotiation confirmation request sent by the gateway, wherein the key negotiation confirmation request comprises a digital digest D2 determined according to a random number R1, a random number R2 and a random number R3 generated by the gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1;
decrypting E1 by private key P2 determines random number R3; and determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption;
when D2 is the same as D4, the key determined to be a digital digest D3 of the random number R3 for symmetric encryption.
The random number is generated by a computer through code, for example, in some languages, the random number R1 may be generated through code "R1 ═ random ()", and the random numbers R2 and R3 are the same.
The symmetric encryption algorithm, the asymmetric encryption algorithm and the digest algorithm selected by the server can be set manually or selected randomly by the server.
The digital digest D2 determined according to the random number R1, the random number R2, and the random number R3 generated by the gateway is specifically:
a digital digest D2 determined by a selected digital digest algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3 generated by the gateway;
determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption, specifically:
and D4 of the digital digest determined by the selected digital digest algorithm is used for adding the random number R1, the random number R2 and the random number R3 determined by decryption.
Further, in order to improve the security of data transmission, determining the digital digests of at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and before determining that the key agreement is successful when the two are the same, the method further comprises the following steps:
and determining that the gateway is legal and needs to encrypt and transmit data.
The step of determining the gateway legality specifically comprises the following steps:
receiving a registration or login request sent by a gateway, wherein the registration or login request comprises a serial number of the gateway;
and verifying the serial number of the gateway and determining that the gateway is legal.
According to the embodiment of the invention, after the gateway registers the function to the application system, the process of negotiating the session key is added, and the ciphertext is adopted for transmission in the subsequent message transmission, so that the information transmission process is prevented from being stolen and tampered, and the information safety is ensured.
Through the steps, the server can be prevented from being accessed by illegal gateways when the gateways are registered/logged in.
Specifically, as shown in fig. 2, when the gateway device leaves the factory or is installed, a serial number (or an IP address, an MAC address, etc.) having a unique identifier is set, and an IP address (or a domain name) and a port number of the server are set; the gateway sends a registration or login request to the host server, wherein the request comprises a serial number of the gateway; after receiving a registration or login request, the server verifies whether the serial number of the gateway is legal (by comparing whether the gateway with the serial number exists in the database), if so, the response is successful (and parameters including whether a subsequent message adopts an encryption algorithm are included, the default is that the encryption algorithm needs to be adopted, the parameters are added to be used for a scene that part of systems do not need to encrypt the message), and if not, the network connection with the gateway is disconnected.
If the gateway is legal, the gateway receives the response of the server and determines whether to enter a 'negotiation session key' process according to whether an encryption algorithm is adopted in the response.
The process of negotiating the session key, i.e., step S102 in fig. 1, is configured to securely generate a session key for encrypting and decrypting a subsequent message (the session key refers to a new session key generated after a gateway is disconnected from a server each time and reconnected, that is, a key used for each connection is not the same, and a session key of each gateway is also not the same).
Specifically, as shown in fig. 3, the process of negotiating a key includes:
step S301, the gateway sends a negotiation key request to the server, where the negotiation key request includes: a symmetric encryption algorithm list (such as DES,3DES, AES, IDEA and the like), an asymmetric encryption algorithm list (RSA, D-H, ECC and the like), a summary algorithm list (MD5, SHA and the like), a random number R1;
step S302, after the server receives the request of negotiating the secret key, corresponding symmetric encryption algorithm, asymmetric encryption algorithm and abstract algorithm are selected and cached; a cache random number R1;
step S303, generating a public key P1 and a private key P2 of an asymmetric encryption algorithm according to the MAC address of the server in combination with the timestamp and the random number, and caching the private key P2; generating and buffering a random number R2;
step S304, generating a response message to be sent to the gateway, wherein the response message comprises: a selected symmetric encryption algorithm (e.g., AES), an asymmetric encryption algorithm (e.g., RSA), a digest algorithm (e.g., SHA), a public key P1 of the asymmetric encryption algorithm, a random number R2;
step S305, after receiving the response message, the gateway generates a random number R3, caches the appointed symmetric encryption algorithm, calculates a digest D1 for R3 by using the selected digital digest algorithm as a secret key of the symmetric encryption algorithm, and caches D1;
step S306, calculating a digital abstract D2 by using a selected digital abstract algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3; encrypting R3 by using a specified asymmetric encryption algorithm and a public key P1 to obtain E1;
step S307, sending a key negotiation validation request to the server, where the key negotiation validation request includes: d2, E1;
step S308, after receiving the key negotiation confirmation request, the server decrypts the E1 by using a private key P2 of an asymmetric encryption algorithm to obtain a random number R3; calculating a summary D3 for R3 by using a selected digital summary algorithm;
step S309, calculating a digital abstract D4 by using a selected digital abstract algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3; comparing the D2 with the D4, if the D2 and the D4 are the same, the negotiation of the key is successful, that is, the key of the symmetric encryption is D3, which means that all data are not tampered; if not, the negotiation of the session key is failed;
step S310, generating a response message and sending the response message to the gateway, wherein the message comprises: if the negotiation is successful, after the response message is sent, if the session key negotiation fails, the connection with the gateway is disconnected; and after receiving the response message, the gateway enters a normal communication flow if the session key is successfully negotiated, and otherwise, the gateway is disconnected from the server.
Because the gateway and the server adopt different session keys for each connection, the security of the keys is greatly guaranteed;
each secret key is generated by combining and calculating a plurality of high-strength different types of encryption algorithms which are randomly selected, and through at least twice generation of interactive information (random numbers), the final generation of the secret key can be failed due to the fact that any link data in the middle is tampered.
The symmetric key used for data encryption is negotiated by two parties according to an agreed rule, and the key is not transmitted in an actual link, so that the confidentiality of the key is higher.
When data transmission is carried out, a communication protocol adopts a self-defined binary data format (generally, data sent once is called a data frame or a data packet, one data frame mainly comprises a frame head, a message body and a frame tail), the data of the frame head and the frame tail are usually fixed in length, the length of the message body is not fixed (the length can be 0), and bytes at specific positions of the frame represent different meanings. Therefore, encoding and parsing data is cumbersome and cumbersome (requiring byte-by-byte parsing of each frame), and is difficult to modify and not easily scalable.
In the data transmission method provided in the embodiment of the present invention, data transmission may be performed through a frame structure as shown in table 1.
TABLE 1 data frame Format
Figure BDA0001874021930000081
Wherein, each part in the data frame is described as follows:
a start symbol: 2 bytes, fixed as: 0xAB 0xCD (user can modify itself to other values).
Control code: 1 byte, representing some type of operation, such as control, query, configuration, etc.
Command code: and 2 bytes, which represents specific commands of each type of operation, such as control type commands of restarting, powering on and powering off, and the like.
The serial number: the 8 bytes refer to the generation time (accurate to millisecond) or the unique serial number of the message, and the serial number of the response message is consistent with that of the responded message.
Message body length: 4 bytes, indicating the total length of the message body.
Message body: n bytes (n > ═ 0) indicating the specific message content.
And (4) checking codes: 2 bytes, and adopting American standard CRC16 algorithm to check all data of the frame header and the message body.
An end symbol: 1 byte, fixed to 0xFF (user can modify himself to other values).
Message body format description:
the message body data field represents specific service data. In the embodiment of the invention, JSON (JavaScript object notification, which is a lightweight data exchange format, adopts a text format completely independent of a programming language to store and express data) and object-oriented relationship are used, namely JSON and objects of a high-level programming language (such as Java, C + +, C #, Objective-C and the like) can be mutually converted, and the service programming language only needs to convert a corresponding service data transmission object DTO (data Transfer object) into a JSON character string format, then convert the JSON character string into byte data according to a UTF-8 format and store the byte data into a message body.
At this time, in step S103, performing data transmission by negotiating the determined key specifically includes:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of the data frame;
and transmitting the data frame by negotiating the determined key.
Further, the operation command can also be transmitted through the control code and the command code of the data frame.
In theory, 255x 255-65025 operations can be supported.
In the embodiment of the present invention, a data transmission object format corresponding to the JSON character string corresponding to the suggested message body is shown in table 2.
TABLE 2 data transfer object Format
Figure BDA0001874021930000091
Therefore, the coding and decoding of the message body become more convenient, the whole system only needs a universal coding and decoding method, and only needs to pay attention to specific service logic for the service.
The data transmission is carried out through the data frame, and the programming complexity is reduced because the planning of each functional area of the data frame is clear and simple; different operations can be classified by combining the control codes and the command codes, the expansion is easy, 255x 255-65025 operations can be supported theoretically, and all service system use scenes are met; and object-oriented programming is supported, so that development is more focused on the service, debugging is facilitated, and development efficiency is greatly improved (compared with byte-oriented programming).
In practical application, the transmission of corresponding operation instructions, including control, query, configuration, active upload, alarm, etc., can be performed through the general communication function set of the gateway and the server as shown in table 3, so that a user can quickly implement corresponding service functions, the development time is shortened, and the product is quickly delivered.
Table 3 general function set for communication between gateway and server
Figure BDA0001874021930000101
Figure BDA0001874021930000111
An embodiment of the present invention further provides a data transmission method, where the method is executed by a gateway, and as shown in fig. 4, the method includes:
step S401, establishing connection with a server;
step S402, determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with a server and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that key agreement is successful when the two are the same;
and step S403, data transmission is carried out by negotiating the determined key.
Further, in step S402, determining digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, and sending the digital digests to the server, and comparing the digital digests determined by the server according to the same random numbers, and when the two are the same, determining that the key agreement is successful, specifically including:
sending a key negotiation request to a server, wherein the key negotiation request carries a random number R1 generated by the server;
receiving a response message returned by the server, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
sending a key agreement confirmation request to the server, wherein the key agreement confirmation request comprises a digital digest D2 determined according to the random number R1, the random number R2 and the random number R3 generated by the gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1, decrypting the E1 by the server through a private key P2 to determine a random number R3, determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption, and determining a symmetrically encrypted key as the digital digest D3 of the random number R3 when the D2 is the same as the D4.
Further, the digital digest D2 determined according to the random number R1, the random number R2, and the random number R3 generated by the gateway specifically includes:
a digital digest D2 determined by a selected digital digest algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3 generated by the gateway;
determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption, specifically:
and D4 of the digital digest determined by the selected digital digest algorithm is used for adding the random number R1, the random number R2 and the random number R3 determined by decryption.
Further, in step S103, performing data transmission by negotiating the determined key, specifically including:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of the data frame;
and transmitting the data frame by negotiating the determined key.
Still further, the method further comprises:
and transmitting the operation command through the control code and the command code of the data frame.
It should be noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
An embodiment of the present invention further provides a data transmission device, where the data transmission device is disposed in a server, and as shown in fig. 5, the data transmission device includes:
a connection unit 501, configured to establish a connection with a gateway;
a determining unit 502, configured to determine digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, compare the digital digests with the digital digests determined by the gateway according to the same random number, and determine that the key agreement is successful when the two are the same;
a transmission unit 503, configured to perform data transmission by negotiating the determined key.
Further, the determining unit 502 is specifically configured to:
receiving a key negotiation request sent by a gateway, wherein the key negotiation request carries a random number R1 generated by the gateway;
sending a response message to the gateway, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
receiving a key negotiation confirmation request sent by the gateway, wherein the key negotiation confirmation request comprises a digital digest D2 determined according to a random number R1, a random number R2 and a random number R3 generated by the gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1;
decrypting E1 by private key P2 determines random number R3; and determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption;
when D2 is the same as D4, the key determined to be a digital digest D3 of the random number R3 for symmetric encryption.
Further, the determining unit 502 is further configured to:
and determining the digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the gateway is legal and needs to encrypt and transmit data before determining that the key negotiation is successful when the two are the same.
Further, the determining unit 502 specifically determines that the gateway is legal, including:
receiving a registration or login request sent by a gateway, wherein the registration or login request comprises a serial number of the gateway;
and verifying the serial number of the gateway and determining that the gateway is legal.
Further, the transmission unit 503 is specifically configured to:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of the data frame;
and transmitting the data frame by negotiating the determined key.
Further, the transmission unit 503 is further configured to:
and transmitting the operation command through the control code and the command code of the data frame.
It should be understood that the units or modules described in the apparatus correspond to the individual steps in the method described with reference to fig. 1. Thus, the operations and features described above for the method are equally applicable to the apparatus and the units comprised therein and will not be described in further detail here. The device can be realized in the browser or other security applications of the electronic equipment in advance, and can also be loaded into the browser or other security applications of the electronic equipment in a downloading mode and the like. Corresponding units in the device can cooperate with units in the electronic equipment to realize the solution of the embodiment of the application.
An embodiment of the present invention further provides a data transmission apparatus, where the apparatus is disposed in a gateway, and as shown in fig. 6, the apparatus includes:
a connection establishing unit 601, configured to establish a connection with a server;
a key agreement unit 602, configured to determine digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, and send the digital digests to the server, where the server compares the digital digests determined according to the same random number, and when the two are the same, it determines that the key agreement is successful;
a data transmission unit 603 configured to perform data transmission by negotiating the determined key.
Further, the key agreement unit 602 is specifically configured to:
sending a key negotiation request to a server, wherein the key negotiation request carries a random number R1 generated by the server;
receiving a response message returned by the server, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
sending a key agreement confirmation request to the server, wherein the key agreement confirmation request comprises a digital digest D2 determined according to the random number R1, the random number R2 and the random number R3 generated by the gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1, decrypting the E1 by the server through a private key P2 to determine a random number R3, determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption, and determining a symmetrically encrypted key as the digital digest D3 of the random number R3 when the D2 is the same as the D4.
Further, the data transmission unit 603 is specifically configured to:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of the data frame;
and transmitting the data frame by negotiating the determined key.
Further, the data transmission unit 603 is further configured to:
and transmitting the operation command through the control code and the command code of the data frame.
It should be understood that the units or modules described in the apparatus correspond to the individual steps in the method described with reference to fig. 4. Thus, the operations and features described above for the method are equally applicable to the apparatus and the units comprised therein and will not be described in further detail here. The device can be realized in the browser or other security applications of the electronic equipment in advance, and can also be loaded into the browser or other security applications of the electronic equipment in a downloading mode and the like. Corresponding units in the device can cooperate with units in the electronic equipment to realize the solution of the embodiment of the application.
An embodiment of the present invention further provides a data transmission system, as shown in fig. 7, the system includes a gateway 701 and a server 702, where:
a server 702 for establishing a connection with the gateway 701; determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with the gateway 701 and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway 701 according to the same random numbers, and determining that the key agreement is successful when the two are the same; carrying out data transmission by negotiating the determined key;
a gateway 701 configured to establish a connection with a server 702; determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with the server 702 and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server 702, comparing the digital digests determined by the server 702 according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same; and carrying out data transmission by negotiating the determined key.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts of fig. 1 and 4 may be implemented as computer software programs. For example, the embodiment of the invention shown in FIG. 1 comprises a computer program product comprising a computer program carried on a computer readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium. The computer program, when executed by a Central Processing Unit (CPU), performs the above-described functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves. The described units or modules may also be provided in a processor, and may be described as: a processor includes a connection unit, a determination unit, and a transmission unit. Where the names of these units or modules do not in some cases constitute a limitation of the unit or module itself, for example, a connection unit may also be described as a "unit for establishing a connection with a gateway".
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the data transmission method as described in the above embodiments.
For example, the electronic device may implement the following as shown in fig. 1: step S101, establishing connection with a gateway; step S102, determining digital digests of at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption algorithm and asymmetric encryption algorithm, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same; and step S103, data transmission is carried out through the determined key negotiation. As another example, the electronic device may implement the various steps shown in fig. 3 and 4.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by a person skilled in the art that the scope of the invention as referred to in the present application is not limited to the embodiments with a specific combination of the above-mentioned features, but also covers other embodiments with any combination of the above-mentioned features or their equivalents without departing from the inventive concept. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (14)

1. A method of data transmission, comprising:
establishing connection with a gateway;
determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same;
and carrying out data transmission by negotiating the determined key.
2. The method according to claim 1, wherein the determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, and comparing the digital digests with digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same, specifically comprises:
receiving a key negotiation request sent by a gateway, wherein the key negotiation request carries a random number R1 generated by the gateway;
sending a response message to the gateway, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm for determining a digital digest, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
receiving a key negotiation confirmation request sent by a gateway, wherein the key negotiation confirmation request comprises a digital digest D2 determined according to a random number R1, a random number R2 and a random number R3 generated by the gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1;
decrypting E1 by private key P2 determines random number R3; and determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption;
when D2 is the same as D4, the key determined to be a digital digest D3 of the random number R3 for symmetric encryption.
3. The method according to claim 2, characterized in that the digital digest D2 determined from the random number R1, the random number R2 and the random number R3 generated by the gateway is:
a digital digest D2 determined by a selected digital digest algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3 generated by the gateway;
the determining of the digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption specifically includes:
and D4 of the digital digest determined by the selected digital digest algorithm is used for adding the random number R1, the random number R2 and the random number R3 determined by decryption.
4. The method of claim 1, wherein the determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, and comparing the digital digests with digital digests determined by the gateway according to the same random numbers, and before determining that the key agreement is successful when the two are the same, further comprises:
and determining that the gateway is legal and needs to encrypt and transmit data.
5. The method of claim 1, wherein the negotiating the determined key for data transmission specifically comprises:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of a data frame;
and transmitting the data frame by negotiating the determined key.
6. The method of claim 5, further comprising:
and transmitting an operation command through the control code and the command code of the data frame.
7. A method of data transmission, comprising:
establishing connection with a server;
determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same;
and carrying out data transmission by negotiating the determined key.
8. The method according to claim 7, wherein the determining digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, and sending the digital digests to the server, and the server comparing the digital digests determined according to the same random number, and determining that the key agreement is successful when the two are the same, specifically comprises:
sending a key negotiation request to a server, wherein the key negotiation request carries a random number R1 generated by the server;
receiving a response message returned by the server, wherein the response message comprises a selected symmetric encryption algorithm, an asymmetric encryption algorithm, a digest algorithm for determining a digital digest, a random number R2 and a public key P1 of the asymmetric encryption algorithm;
sending a key agreement confirmation request to a server, wherein the key agreement confirmation request comprises a digital digest D2 determined according to a random number R1, a random number R2 and a random number R3 generated by a gateway, and E1 obtained by encrypting the random number R3 by using a selected asymmetric encryption algorithm and a public key P1, decrypting the E1 by the server through a private key P2 to determine a random number R3, determining a digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption, and determining a symmetrically encrypted key as the digital digest D3 of the random number R3 when the D2 is the same as the D4.
9. The method according to claim 8, wherein the digital digest D2 determined from the random number R1, the random number R2, and the random number R3 generated by the gateway is specifically:
a digital digest D2 determined by a selected digital digest algorithm according to the value obtained by adding the random number R1, the random number R2 and the random number R3 generated by the gateway;
the determining of the digital digest D4 according to the random number R1, the random number R2 and the random number R3 determined by decryption specifically includes:
and D4 of the digital digest determined by the selected digital digest algorithm is used for adding the random number R1, the random number R2 and the random number R3 determined by decryption.
10. The method of claim 9, wherein the negotiating the determined key for data transmission specifically comprises:
converting data to be transmitted into object-oriented character strings;
converting the object-oriented character string into byte data and storing the byte data into a message body of a data frame;
and transmitting the data frame by negotiating the determined key.
11. The method of claim 10, further comprising:
and transmitting an operation command through the control code and the command code of the data frame.
12. A data transmission apparatus, comprising:
a connection unit, configured to establish a connection with a gateway;
the determining unit is used for determining the digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the gateway and the selected symmetric encryption algorithm and asymmetric encryption algorithm, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same;
and the transmission unit is used for carrying out data transmission by negotiating the determined key.
13. A data transmission apparatus, comprising:
a connection establishing unit for establishing connection with a server;
the key agreement unit is used for determining digital digests of the at least two random numbers according to the at least two random numbers generated by interacting with the server and the selected symmetric encryption algorithm and asymmetric encryption algorithm, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same;
and the data transmission unit is used for carrying out data transmission by negotiating the determined key.
14. A data transmission system comprising a gateway and a server, wherein:
the server is used for establishing connection with the gateway; determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the gateway and the selected symmetric encryption and asymmetric encryption algorithms, comparing the digital digests with the digital digests determined by the gateway according to the same random numbers, and determining that the key agreement is successful when the two are the same; carrying out data transmission by negotiating the determined key;
the gateway is used for establishing connection with the server; determining digital digests of the at least two random numbers according to at least two random numbers generated by interacting with the server and the selected symmetric encryption and asymmetric encryption algorithms, sending the digital digests to the server, comparing the digital digests determined by the server according to the same random numbers, and determining that the key agreement is successful when the two digital digests are the same; and carrying out data transmission by negotiating the determined key.
CN201811390932.6A 2018-11-21 2018-11-21 Data transmission method, device and system Active CN111211894B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811390932.6A CN111211894B (en) 2018-11-21 2018-11-21 Data transmission method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811390932.6A CN111211894B (en) 2018-11-21 2018-11-21 Data transmission method, device and system

Publications (2)

Publication Number Publication Date
CN111211894A true CN111211894A (en) 2020-05-29
CN111211894B CN111211894B (en) 2023-04-07

Family

ID=70786412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811390932.6A Active CN111211894B (en) 2018-11-21 2018-11-21 Data transmission method, device and system

Country Status (1)

Country Link
CN (1) CN111211894B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112054906A (en) * 2020-08-21 2020-12-08 郑州信大捷安信息技术股份有限公司 Key negotiation method and system
CN112422275A (en) * 2020-10-26 2021-02-26 深圳Tcl新技术有限公司 Key negotiation method, system, equipment and computer storage medium in UART communication
CN113472792A (en) * 2021-07-01 2021-10-01 北京玩蟹科技有限公司 Long-connection network communication encryption method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8799646B1 (en) * 2011-12-23 2014-08-05 Symantec Corporation Methods and systems for authenticating devices
CN104639534A (en) * 2014-12-30 2015-05-20 北京奇虎科技有限公司 Website safety information uploading method and browser device
CN104735068A (en) * 2015-03-24 2015-06-24 江苏物联网研究发展中心 SIP security authentication method based on commercial passwords
US20170366524A1 (en) * 2016-06-16 2017-12-21 International Business Machines Corporation Synchronizing secure session keys
CN108809643A (en) * 2018-07-11 2018-11-13 飞天诚信科技股份有限公司 A kind of method, system and the equipment of equipment and high in the clouds arranging key

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8799646B1 (en) * 2011-12-23 2014-08-05 Symantec Corporation Methods and systems for authenticating devices
CN104639534A (en) * 2014-12-30 2015-05-20 北京奇虎科技有限公司 Website safety information uploading method and browser device
CN104735068A (en) * 2015-03-24 2015-06-24 江苏物联网研究发展中心 SIP security authentication method based on commercial passwords
US20170366524A1 (en) * 2016-06-16 2017-12-21 International Business Machines Corporation Synchronizing secure session keys
CN108809643A (en) * 2018-07-11 2018-11-13 飞天诚信科技股份有限公司 A kind of method, system and the equipment of equipment and high in the clouds arranging key

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
蔡成杭: "支持国产密码算法的OpenSSL设计实现及应用", 《信息安全研究》 *
谭义红主编: "《Java面向对象程序设计案例教程》", 1 August 2017, 北京邮电大学出版社 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112054906A (en) * 2020-08-21 2020-12-08 郑州信大捷安信息技术股份有限公司 Key negotiation method and system
CN112054906B (en) * 2020-08-21 2022-02-11 郑州信大捷安信息技术股份有限公司 Key negotiation method and system
CN112422275A (en) * 2020-10-26 2021-02-26 深圳Tcl新技术有限公司 Key negotiation method, system, equipment and computer storage medium in UART communication
CN113472792A (en) * 2021-07-01 2021-10-01 北京玩蟹科技有限公司 Long-connection network communication encryption method and system
CN113472792B (en) * 2021-07-01 2023-05-05 北京玩蟹科技有限公司 Communication encryption method and system for long-connection network

Also Published As

Publication number Publication date
CN111211894B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
CN108347331B (en) Method and device for safe communication between T _ Box device and ECU device in Internet of vehicles system
CN104168267B (en) A kind of identity identifying method of access SIP security protection video monitoring systems
RU2427898C2 (en) Protection of digital multimedia with various types of content
US9608963B2 (en) Scalable intermediate network device leveraging SSL session ticket extension
CN111435913B (en) Identity authentication method and device for terminal of Internet of things and storage medium
CN113225352B (en) Data transmission method and device, electronic equipment and storage medium
US11736304B2 (en) Secure authentication of remote equipment
CN111211894B (en) Data transmission method, device and system
US20240146725A1 (en) Mutual Secure Communications
CN111756529B (en) Quantum session key distribution method and system
HU223910B1 (en) Method of transmitting information data from a sender to a reciever via a transcoder, method of transcoding information data, method of receiving transcoded information data, sender, receiver and transcoder
CN107517194B (en) Return source authentication method and device of content distribution network
CN112073467A (en) Block chain-based data transmission method and device, storage medium and electronic equipment
CN109743170A (en) A kind of Streaming Media logs in and the method and apparatus of data transmission encryption
CN115378660A (en) Data transmission method, device, equipment and medium
CN115001720B (en) Optimization method, device, medium and equipment for safe transmission of federal learning modeling
CN113992734A (en) Session connection method, device and equipment
CN113891107A (en) Method, system, equipment and storage medium for wireless access of interactive network television
CN113596004A (en) Identity authentication method and device in multi-party security computing
CN113922976A (en) Equipment log transmission method and device, electronic equipment and storage medium
CN112689014B (en) Double-full-work communication method, device, computer equipment and storage medium
CN115296934B (en) Information transmission method and device based on industrial control network intrusion and electronic equipment
CN113206837B (en) Information transmission method and device, electronic equipment and computer readable medium
CN117596421B (en) Video encryption transmission method, device and system based on fusion terminal
CN115632863B (en) Data transmission method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant