CN114024710B - Data transmission method, device, system and equipment - Google Patents

Data transmission method, device, system and equipment Download PDF

Info

Publication number
CN114024710B
CN114024710B CN202111134192.1A CN202111134192A CN114024710B CN 114024710 B CN114024710 B CN 114024710B CN 202111134192 A CN202111134192 A CN 202111134192A CN 114024710 B CN114024710 B CN 114024710B
Authority
CN
China
Prior art keywords
service
key
data
ciphertext
service data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111134192.1A
Other languages
Chinese (zh)
Other versions
CN114024710A (en
Inventor
赵海龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ccx Credit Technology Co ltd
Original Assignee
Ccx Credit Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ccx Credit Technology Co ltd filed Critical Ccx Credit Technology Co ltd
Priority to CN202111134192.1A priority Critical patent/CN114024710B/en
Publication of CN114024710A publication Critical patent/CN114024710A/en
Application granted granted Critical
Publication of CN114024710B publication Critical patent/CN114024710B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data transmission method, a data transmission device, a data transmission system and data transmission equipment, which are applied to the technical field of computer application. The data transmission method may include: the service requester obtains a symmetric key; encrypting the service data by using the symmetric key to obtain a service data ciphertext; calculating a hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the service provider decrypts the service data hash signature data by using the asymmetric public key of the requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, so that the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data. In this way, the security of data transmission can be improved.

Description

Data transmission method, device, system and equipment
Technical Field
The present invention relates to the field of computer application technologies, and in particular, to a data transmission method, apparatus, system, and device.
Background
With the widespread use of electronic commerce and the like, a large amount of data needs to be transmitted through a network, and data transmitted during network transmission is peeped, wrapped, counterfeited and the like. The general data has privacy, and if the transmitted data is peeped, grabbed or forged, the privacy can be revealed, so that the safe transmission of the data is particularly important.
Disclosure of Invention
The embodiment of the invention aims to provide a data transmission method, a device, a system and equipment so as to improve the safety of data transmission. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a data transmission method, applied to a service requester, including:
obtaining a symmetric key;
encrypting the service data by using the symmetric key to obtain a service data ciphertext;
calculating the hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
The service data ciphertext and the service data hash signature data are sent to a service provider, so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, and the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
In a second aspect, an embodiment of the present invention provides a data transmission method, applied to a service provider, including:
receiving service data ciphertext and service data hash signature data sent by a service request party, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a request party asymmetric private key;
acquiring an asymmetric public key of a requester;
decrypting the service data hash signature data using the requestor asymmetric public key,
if the decryption is successful, the hash value of the original business data ciphertext is obtained;
calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
Comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation;
if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
In a third aspect, an embodiment of the present disclosure provides a data transmission apparatus, applied to a service requester, including:
an obtaining module for obtaining a symmetric key;
the first encryption module is used for encrypting the service data by using the symmetric key to obtain a service data ciphertext;
the calculating module is used for calculating the hash value of the service data ciphertext;
the second encryption module is used for encrypting the hash value of the service data ciphertext by using the asymmetric private key of the requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
The sending module is used for sending the service data ciphertext and the service data hash signature data to a service provider so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requesting party, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, so that the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
In a fourth aspect, an embodiment of the present disclosure provides a data transmission apparatus, applied to a service provider, including:
the first receiving module is used for receiving a service data ciphertext and service data hash signature data sent by a service request party, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a request party asymmetric private key;
the first acquisition module is used for acquiring the asymmetric public key of the requester;
a first decryption module for decrypting the service data hash signature data using the requester asymmetric public key,
The obtaining module is used for obtaining the hash value of the original service data ciphertext if decryption is successful; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
the comparison module is used for comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation;
and the second decryption module is used for obtaining the service data by continuing decrypting the service data ciphertext by using the symmetric key if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained by recalculation.
In a fifth aspect, embodiments of the present disclosure provide a data transmission system, including: a service requester and a service provider;
the service requester is used for obtaining a symmetric key; encrypting the service data by using the symmetric key to obtain a service data ciphertext; calculating the hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider; the service data ciphertext and the service data hash signature data are sent to a service provider, so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, and the verification signature passes; decrypting the service data ciphertext by using the symmetric key to obtain the service data;
The service provider is used for receiving service data ciphertext and service data hash signature data sent by the service requester, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using an asymmetric private key of the requester; acquiring an asymmetric public key of a requester; decrypting the service data hash signature data by using the asymmetric public key of the requesting party, and if the decryption is successful, obtaining the hash value of the original service data ciphertext; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext; comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation; if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
In a sixth aspect, an embodiment of the present disclosure provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
A memory for storing a computer program;
and a processor, configured to implement the method steps described in the first aspect when executing the program stored in the memory.
In a seventh aspect, an embodiment of the present disclosure provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
and a processor configured to implement the method steps described in the second aspect when executing the program stored in the memory.
In yet another aspect of the present invention, there is also provided a computer readable storage medium having instructions stored therein, which when run on a computer, cause the computer to perform the method steps of the first aspect described above.
In a further aspect of the present invention there is also provided a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method steps of the second aspect described above.
In a further aspect of the invention there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method steps of the first aspect described above.
In a further aspect of the invention there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method steps of the second aspect described above.
The embodiment of the invention has the beneficial effects that:
the data transmission method, the device, the system and the equipment provided by the embodiment of the invention can encrypt the service data by using the symmetric key and encrypt the hash value of the service data ciphertext by using the asymmetric private key of the requesting party, namely sign the hash value of the service data ciphertext, and send the service data ciphertext and the service data hash signature data to the service provider, namely transmit the encrypted service data and the signed hash value of the service data ciphertext, so that the safety of data transmission can be improved.
Of course, it is not necessary for any one product or method of practicing the invention to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the invention, and other embodiments may be obtained according to these drawings to those skilled in the art.
Fig. 1 is a flowchart of a data transmission method applied to a service requester according to an embodiment of the present invention;
FIG. 2 is a flow chart of a service request transmitting private key ciphertext to a service provider in an embodiment of the invention;
fig. 3 is a flowchart of a data transmission method applied to a service provider according to an embodiment of the present invention;
fig. 4 is another flowchart of a data transmission method applied to a service provider according to an embodiment of the present invention;
fig. 5 is a flowchart of another data transmission method applied to a service provider according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a data transmission system according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a system application in an embodiment of the invention;
fig. 8 is a schematic structural diagram of a data transmission device applied to a service requester according to an embodiment of the present invention;
fig. 9 is a schematic diagram of another structure of a data transmission device applied to a service requester according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a data transmission device applied to a service requester according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of a data transmission device applied to a service provider according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another data transmission device applied to a service provider according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a data transmission device applied to a service provider according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a data transmission device applied to a service provider according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
fig. 16 is a schematic structural diagram of another electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, those of ordinary skill in the art will be able to devise all other embodiments that are obtained based on this application and are within the scope of the present invention.
The embodiment of the invention provides a data transmission method which is applied to a service requester and can comprise the following steps:
obtaining a symmetric key;
encrypting the service data by using the symmetric key to obtain a service data ciphertext;
Calculating a hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the asymmetric private key of the requesting party is generated based on an asymmetric encryption algorithm negotiated by the service requesting party and the service provider, the asymmetric public key of the requesting party corresponds to the asymmetric private key of the requesting party, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
the service provider decrypts the service data hash signature data by using the asymmetric public key of the requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, so that the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
In the embodiment of the invention, the service data is encrypted by using the symmetric key, and the hash value of the service data ciphertext is encrypted by using the asymmetric private key of the requesting party, namely the hash value of the service data ciphertext is signed, and the service data ciphertext and the service data hash signature data are sent to the service provider, namely the encrypted service data and the signed hash value of the service data ciphertext are transmitted, so that the safety of data transmission can be improved.
The embodiment of the invention also provides a data transmission method which is applied to the service provider and can comprise the following steps:
receiving service data ciphertext and service data hash signature data sent by a service request party, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a request party asymmetric private key;
acquiring an asymmetric public key of a requester;
decrypting the service data hash signature data using the requestor asymmetric public key,
if the decryption is successful, the hash value of the original business data ciphertext is obtained;
calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation;
if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
In the embodiment of the invention, the service provider receives the service data ciphertext and the service data hash signature data, namely encrypts the hash value of the service data ciphertext, so that the safety of data transmission can be improved. And the service provider can decrypt the service data hash signature data by using the asymmetric public key of the requester, namely, signature verification, and decrypt the service data ciphertext by using the symmetric key when the decrypted hash data is consistent with the recalculated service data ciphertext to obtain the service data, namely, after successful signature verification, decrypt the service data ciphertext to obtain the service data, thereby adding a signature verification mechanism, preventing the data from being eavesdropped, tampered, forged and the like, and further improving the safety of data transmission.
Fig. 1 is a flowchart of a data transmission method applied to a service requester according to an embodiment of the present invention.
Referring to fig. 1, a data transmission method applied to a service requester provided in an embodiment of the present invention may include:
s101, the service requester obtains a symmetric key.
In one mode, a service provider sends a synchronization key request to the service provider through a key distribution interface, wherein the synchronization key request comprises identification information of the service requester; and receiving a symmetric key for the identification information fed back by the service provider, wherein the symmetric key is generated by the service provider, and the service provider periodically replaces the symmetric key.
The identification information may be account information, port number, domain name or internet protocol (Internet Protocol, IP) address of the service requester, etc.
Specifically, the service provider periodically generates a symmetric key for use by the symmetric encryption algorithm and periodically replaces the symmetric key, and the service provider provides a key distribution interface for the symmetric encryption algorithm. The service requester calls the secret key distribution interface to send a synchronous secret key request, caller identification (such as client id and the like) is contained in the request, the service provider uses the provider asymmetric public key of the asymmetric encryption algorithm corresponding to the requester, the symmetric secret key is encrypted by using the corresponding asymmetric encryption algorithm and is returned to the service requester, and the service requester uses the own asymmetric secret key, namely the result returned by the service provider is decrypted by the requester asymmetric secret key, so that the symmetric encryption algorithm secret key is obtained.
In order to improve the security of symmetric key transmission, the embodiment of the invention provides a key exchange mode, which realizes that a service requester synchronizes a symmetric key generated by a service provider to the local of the service requester.
The identification information is account information.
The service requester sends a synchronous key request to the service provider through a key distribution interface, and the method comprises the following steps:
the service requester encrypts account information by using an asymmetric private key of the requester to obtain encrypted account information; and sending a synchronous key request comprising account information and encrypted account information to a service provider through a key distribution interface.
The service provider can receive a synchronous key request sent by the service requester; the synchronous key request comprises account information of a service requester and encrypted account information, wherein the encrypted account information is obtained by encrypting the account information by the service requester by using an asymmetric private key of the requester; analyzing the synchronous key request to obtain account information and encrypted account information; searching a locally stored asymmetric public key of a requester corresponding to the account information; decrypting the encrypted account information by using the asymmetric public key of the requesting party corresponding to the account information to obtain decrypted account information; searching a symmetric key corresponding to the decrypted account information; and encrypting the symmetric key by using the asymmetric public key of the requester, and returning the encrypted symmetric key to the service requester.
The service request party receives the encrypted symmetric key returned by the service provider; and decrypting the encrypted symmetric key by using the asymmetric private key of the requesting party to obtain the symmetric key.
Specifically, the service requester may first provide an access application to the service provider, and after receiving the access application of the service requester, the service provider allocates an account to the service requester, and sets a domain name and an IP address of the service requester as an authorized whitelist.
The service provider generates a symmetric key of a symmetric encryption algorithm for data encryption corresponding to an account number of the service requester, and saves the symmetric key locally and periodically changes.
The service provider may provide a service interface for synchronizing symmetric keys, i.e., a key distribution interface.
The service requester initiates a key synchronization request, the request parameters comprise account information, and the account information is encrypted (i.e. signed) by using a private key of an own asymmetric encryption algorithm, namely an asymmetric private key of the requester, and is sent to the service provider together with the account information.
After receiving the key synchronization request of the interface requester, the service provider analyzes the request parameters, obtains the account number of the service requester, inquires the locally stored asymmetric public key of the requester of the corresponding counterpart of the account number, decrypts the encrypted account number information by using the asymmetric public key of the requester, namely decrypts the account number information encryption value (namely verification sign), and if decryption fails, terminates processing and returns an error prompt. If the decryption is successful, the symmetric key of the symmetric encryption algorithm for data encryption corresponding to the account is queried, then the symmetric key is encrypted by using the public key of the asymmetric encryption algorithm of the other party, namely the asymmetric public key of the service requester, and then the signature data is returned to the service requester.
The service request party obtains the result returned by the service provider, and uses the private key of the own asymmetric encryption algorithm, namely the private key decryption key encryption value of the request party, if the decryption succeeds in obtaining the symmetric key, the symmetric key synchronization is completed, and the safe synchronization of the symmetric key is realized.
In another implementation, the service requester may randomly generate the symmetric key. In this way, the symmetric keys used in each encryption can be different, so that the interception of the symmetric keys is reduced, and the security is higher.
S102, the service requester encrypts the service data by using the symmetric key to obtain a service data ciphertext.
Encryption may be performed using a symmetric encryption algorithm, which may include a packet symmetric encryption algorithm (Data Encryption Standard, DES), 3DES (triple DES), advanced encryption standard (english: advanced Encryption Standard, AES), national encryption algorithm SM1 or SM4, and so on.
The service requester and the service provider may negotiate a symmetric encryption algorithm for data encryption in advance. For example, a symmetric encryption algorithm for data encryption is negotiated before the service requester and the service provider establish communication.
The service requester and the service provider may also negotiate the encryption mode of the service data in advance, for example, negotiate whether the data is encrypted in its entirety or encrypted according to the interface field, etc.
S103, the service requester calculates the hash value of the service data ciphertext, and encrypts the hash value of the service data ciphertext by using the asymmetric private key of the requester to obtain service data hash signature data.
Wherein the requestor asymmetric private key is generated based on an asymmetric encryption algorithm negotiated by the service requestor and the service provider.
The requestor asymmetric public key corresponds to the requestor asymmetric private key and the provider asymmetric public key corresponds to the provider asymmetric private key.
The hash value of the service data ciphertext can be calculated in a way of realizing hash coding, and the embodiment of the invention does not limit the way of calculating the hash value.
The hash value of the service data ciphertext can be asymmetrically encrypted by using the asymmetric private key of the requesting party, and any asymmetric encryption algorithm can be adopted for the asymmetric encryption, such as RSA (algorithm named by math Rivest, shamir and Adleman), elliptic curve cryptography (Elliptic Curve Cryptography), national cryptography SM2 and the like.
The service requester and the service provider negotiate an asymmetric encryption algorithm, each generate an asymmetric public key and private key pair, and send the public key to the other. Specifically, after the two parties negotiate an asymmetric encryption algorithm, the service requester generates a requester asymmetric public key and a requester asymmetric private key, and the service provider generates a provider asymmetric public key and a requester asymmetric private key.
The asymmetric public key and the private key are a pair of key pairs, namely, the asymmetric public key of the requesting party and the asymmetric private key of the requesting party are corresponding, if the asymmetric public key of the requesting party is used for encrypting the data, the data can be decrypted only by the corresponding asymmetric private key of the requesting party, and if the asymmetric private key of the requesting party is used for encrypting the data, the data can be decrypted only by the corresponding asymmetric public key of the requesting party. The provider asymmetric public key and the provider asymmetric private key are corresponding, and if the provider asymmetric public key is used for encrypting the data, the data can be decrypted only by the corresponding provider asymmetric private key, and if the provider asymmetric private key is used for encrypting the data, the data can be decrypted only by the corresponding provider asymmetric public key.
The key exchange process of the asymmetric encryption algorithm can be performed offline in advance, and the public key of the asymmetric encryption algorithm of the other party is stored in a local database or a file system, specifically, the service requester sends the own asymmetric public key to the service provider, and the service provider sends the own asymmetric public key to the service requester. The own public key can be sent to the other party through a mail channel and the like, and the public keys of the other party are received and stored.
In the embodiment of the invention, the service requester and the service provider can negotiate a hash check algorithm, such as SHA256 or national standard SM 3.
And S104, the service request party sends the service data ciphertext and the service data hash signature data to the service provider.
And sending the service data ciphertext and the service data hash signature data to the service provider through the data interface.
After receiving the service data ciphertext and the service data hash signature data, the service provider can decrypt the service data hash signature data by using the asymmetric public key of the requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, so that the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
In the embodiment of the invention, a secret key distribution and signature verification mechanism is added on the basis of the traditional encryption processing of the transmission data, so that the security of the encryption secret key is ensured while the confidentiality of the data is solved.
In an alternative embodiment, when the key used by the service requester to symmetrically encrypt the service data is a symmetric key that the service requester randomly generates, the service provider does not know the symmetric key, so the symmetric key can be synchronized to the service provider. As shown in fig. 2, the data transmission method applied to a service requester provided in the embodiment of the present invention may further include:
S201, service request Fang Huoqu provides the asymmetric public key of the provider.
A pre-saved provider asymmetric public key may be obtained.
As described above, after the service requester and the service provider negotiate the asymmetric encryption algorithm, the service provider may generate a corresponding asymmetric public key and private key, the service provider saves the own asymmetric private key locally, and sends the provider asymmetric public key to the service requester.
The service requester may store the provider asymmetric public key locally on receipt of the provider asymmetric public key, so that the provider asymmetric public key may be obtained locally when the provider asymmetric public key is to be used.
S202, the service requester encrypts the symmetric key by using the asymmetric public key of the provider to obtain a key ciphertext.
And S203, the service requester sends the key ciphertext to the service provider.
The service request party simultaneously sends the service data ciphertext, the service data hash signature data and the key ciphertext to the service provider.
In this case, the service provider may obtain the symmetric key by: receiving a secret key ciphertext sent by a service request party, wherein the secret key ciphertext is obtained by encrypting a randomly generated symmetric key by the service request party by using an asymmetric public key of a provider; and decrypting the key ciphertext by using the asymmetric private key of the provider to obtain the symmetric key.
In the embodiment of the invention, the symmetric key is dynamically and randomly generated, so that the malicious third party is prevented from monitoring and replaying the transmitted data, and the interface security and the data security of the service provider are effectively protected.
Fig. 3 is a flowchart of a data transmission method applied to a service provider according to an embodiment of the present invention.
Referring to fig. 3, a data transmission method applied to a service provider according to an embodiment of the present invention may include:
s301, the service provider receives service data ciphertext and service data hash signature data sent by the service requester.
The service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a requester asymmetric private key.
S302, the service provider obtains the asymmetric public key of the requester.
The asymmetric public key of the requesting party is corresponding to the asymmetric private key of the requesting party, namely, only the asymmetric public key of the requesting party can decrypt the content encrypted by the asymmetric private key of the requesting party, and only the asymmetric private key of the requesting party can decrypt the content encrypted by the asymmetric public key of the requesting party.
After receiving the interface call request of the service requester, the service provider can analyze the request parameters (account number of the service requester) and query the locally stored asymmetric encryption algorithm public key of the opposite party, namely the asymmetric public key of the requester, and the latest symmetric encryption algorithm key for encrypting the service data, namely the symmetric key, corresponding to the account number.
S303, the service provider decrypts the business data hash signature data by using the asymmetric public key of the requesting party.
If decryption fails, the call processing is terminated, and the service request process can be understood to be terminated; if the decryption is successful, S304 is performed.
S304, the service provider obtains the hash value of the original service data ciphertext.
S305, the service provider calculates the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext.
The same hash algorithm refers to the same hash algorithm used for obtaining the hash value of the service data ciphertext.
And S306, the service provider compares the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation.
If the decrypted hash data is inconsistent with the hash data of the ciphertext of the calculation service data, the call processing is terminated, and the service request process can be understood to be terminated; if the hash data is consistent, the verification passes, and S307 is executed.
S307, the service provider continues to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
Firstly, the data sent by the service requester is checked and the signature data is decrypted by using the public key of the asymmetric encryption algorithm of the service requester, namely the asymmetric public key of the requester. If the decryption is successful, the verification sign is successful; if the decryption fails, the process terminates and a prompt message is returned to the service requester. If the decryption is successful, comparing the decrypted data with the hash data of the service data encryption value to verify the data integrity and consistency, if the data is inconsistent, terminating the processing, and returning the prompt information to the service requester.
And when the decrypted hash data is compared with the hash data of the service data encryption value recalculated, namely after verifying the data integrity, continuing to acquire the symmetric key to perform subsequent decryption.
When the symmetric key is generated by the service provider and then is synchronized to the service requester, the service provider can acquire the identification information of the service provider, and find the symmetric key corresponding to the identification information according to the identification information.
When the symmetric key is randomly generated by the service requester, the service provider receives a key ciphertext sent by the service requester, wherein the key ciphertext is obtained by encrypting the randomly generated symmetric key by the service requester by using an asymmetric public key of the provider; the service provider decrypts the private key ciphertext by using the provider private key to obtain the symmetric key.
Decrypting the service data by using a symmetric encryption algorithm, terminating the process if the decryption fails, and returning prompt information to the service requester; and if the decryption is successful, carrying out service logic processing.
And after the processing is finished, the same secret key is used for symmetrically encrypting the result data obtained by the service processing.
On the basis of the embodiment shown in fig. 3, after S307, the data transmission method applied to the service provider according to the embodiment of the present invention may further include, as shown in fig. 4:
S401, the service provider carries out logic processing on the service data to obtain result data corresponding to the service data.
The specific logic process may be determined based on the request parameters of the traffic data.
S402, the service provider encrypts the result data by using the symmetric key to obtain a result data ciphertext.
S403, the service provider calculates the hash value of the result data ciphertext, and encrypts the hash value of the result data ciphertext by using the asymmetric private key of the provider to obtain result data hash signature data.
And S404, the service provider returns the result data ciphertext and the result data hash signature data to the service requester.
The manner in which the service provider processes the result data is similar to the manner in which the service requester processes the service data, and specifically refer to the process in which the service requester processes the service data in the embodiment of fig. 1.
After the service provider returns the result data ciphertext and the result data hash signature data to the service requester, the service requester may process the result data ciphertext and the result data hash signature data to obtain result data. On the basis of the embodiment shown in fig. 1, the data transmission method applied to the service requester provided by the embodiment of the invention, as shown in fig. 5, may further include:
S501, a service requester receives result data ciphertext and result data hash signature data sent by a service provider, wherein the result data ciphertext is obtained by encrypting the result data by using a symmetric key, and the result data is obtained by logically processing service data by the service provider;
s502, the service requester decrypts the ciphertext of the hash signature data of the result data by using the asymmetric public key of the provider.
If decryption fails, the process terminates the call process, and can also understand the process of terminating the service request. The method comprises the steps of carrying out a first treatment on the surface of the If the decryption is successful, S503 is performed.
S503, the service requester obtains the original hash value.
S504, the service requester calculates a hash value for the result data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the result data ciphertext.
And S505, if the original hash value is consistent with the hash value corresponding to the result data ciphertext obtained by recalculation, decrypting the result data ciphertext by continuously utilizing the symmetric key to obtain the result data.
After the service requester obtains the return result, the return data is analyzed. Specifically, firstly, signing verification is carried out on the returned result, the result data hash signature data is decrypted by using the asymmetric public key of the provider of the service provider, if decryption is successful, the signing verification is successful, if decryption is failed, the processing terminates the calling processing, and the service request process can be understood to be terminated. If the decryption is successful, comparing the decrypted hash data with the hash data of the calculation result data ciphertext to check the data integrity, and if the data is inconsistent, terminating the call processing.
That is, if the result decrypted hash data is inconsistent with the result data ciphertext calculation hash data, the call processing is terminated, namely the service request process is terminated; and if the decrypted hash data is consistent with the calculated hash data of the result data ciphertext, continuing to decrypt the result data ciphertext by using the symmetric key to obtain the result data.
And decrypting the service processing result ciphertext data by using the key of the corresponding symmetric encryption algorithm when the request is requested, and ending the calling processing when the decryption fails. After the decryption is successful and the subsequent service processing is carried out, the interface calling processing is completed.
In the embodiment of the invention, the interface interaction parties (service requesters and service providers) negotiate encryption algorithms before communication, respectively generate asymmetric public keys and private key pairs, and send the public keys to the other party; before the service request party calls the interface, a symmetric key is randomly generated, the service data is encrypted, meanwhile, the symmetric key is encrypted by using the opposite asymmetric public key, namely the provider asymmetric public key, and finally, the hash value of the whole message data is calculated and the private key of the own party, namely the private key of the service request party is used for signing. The service request party sends the ciphertext of the service data, the key ciphertext of the symmetric encryption algorithm and the signature data of the message Wen Haxi to the service provider; the service provider analyzes the request data, decrypts the symmetric key by using the private key of the own party, further decrypts the service data, and simultaneously performs signature verification and hash verification on the message data by using the public key of the other party. The business data and the secret key are encrypted in the whole data transmission process, so that the data security is ensured, and meanwhile, a signature verification mechanism is added to prevent the data from being eavesdropped, tampered and forged.
The embodiment of the invention also provides a data transmission system, as shown in fig. 6, which may include: a service requester 601 and a service provider 602.
A service requester 601 for obtaining a symmetric key; encrypting the service data by using the symmetric key to obtain a service data ciphertext; calculating a hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; wherein the requester asymmetric private key is generated based on an asymmetric encryption algorithm negotiated by the service requester 601 and the service provider 602, the requester asymmetric public key corresponds to the requester asymmetric private key, and the provider asymmetric public key corresponds to the provider asymmetric private key; the service data ciphertext and the service data hash signature data are sent to the service provider 602, so that the service provider 602 decrypts the service data hash signature data by using the asymmetric public key of the requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, and the verification signature passes; decrypting the service data ciphertext by using the symmetric key to obtain service data;
The service provider 602 is configured to receive a service data ciphertext and service data hash signature data sent by the service requester 601, where the service data ciphertext is obtained by encrypting service data with a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext with an asymmetric private key of the requester; acquiring an asymmetric public key of a requester; decrypting the hash signature data of the service data by using the asymmetric public key of the requesting party, and if the decryption is successful, obtaining the hash value of the original service data ciphertext; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext; comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation; if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
The service requestor 601 and the service provider 602 in embodiments of the present invention may communicate through an interface. The service requester may be referred to as an interface requester and the service provider may be referred to as an interface service provider. As shown in figure 7 of the drawings,
The interface requester uses the public key of the opposite side, namely the key for symmetrically encrypting the service data by the asymmetric public key of the provider, namely the symmetric key is asymmetrically encrypted to obtain the key ciphertext.
The interface requester encrypts the service data by using a secret key, namely a symmetric secret key, so as to obtain encrypted service data.
The interface requester signs the hash value of the service data ciphertext or the hash value of the encrypted service data, and specifically performs asymmetric encryption by using an asymmetric private key of the requester to obtain signature data, namely the ciphertext of the hash value.
The interface service provider receives the secret key ciphertext sent by the interface requester, performs asymmetric decryption by using the own asymmetric private key to obtain a symmetric key, and uses the symmetric key to decrypt the encrypted service data to obtain the service data. Meanwhile, the interface service provider can perform signature verification, namely performing asymmetric signature verification on ciphertext of the hash value sent by the received interface requester, so as to realize hash verification and verify the integrity of data.
The embodiment of the invention provides a method for safely transmitting interface data in an Internet environment, which avoids the risks of eavesdropping, tampering and forging of the data and ensures the data safety in the interface transmission process.
The data transmission system provided by the embodiment of the invention is a system applying the data transmission method, so that all the embodiments of the data transmission method are applicable to the system and can achieve the same or similar beneficial effects.
Corresponding to the data transmission method applied to the service requester provided in the above embodiment, an embodiment of the present invention provides a data transmission device applied to the service requester, as shown in fig. 8, including:
an obtaining module 801, configured to obtain a symmetric key;
a first encryption module 802, configured to encrypt service data with a symmetric key to obtain a service data ciphertext;
a calculating module 803, configured to calculate a hash value of the service data ciphertext;
the second encryption module 804 is configured to encrypt the hash value of the service data ciphertext with the asymmetric private key of the requesting party to obtain service data hash signature data; the asymmetric private key of the requesting party is generated based on an asymmetric encryption algorithm negotiated by the service requesting party and the service provider, the asymmetric public key of the requesting party corresponds to the asymmetric private key of the requesting party, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
the sending module 805 is configured to send the service data ciphertext and the service data hash signature data to the service provider, so that the service provider decrypts the service data hash signature data by using the asymmetric public key of the requester, and if the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
Optionally, the obtaining module 801 is specifically configured to send a synchronization key request to the service provider through the key distribution interface, where the synchronization key request includes identification information of the service requester; and receiving a symmetric key for the identification information fed back by the service provider, wherein the symmetric key is generated by the service provider, and the service provider periodically replaces the symmetric key.
Optionally, the identification information is account information;
the obtaining module 801 is specifically configured to encrypt account information by using an asymmetric private key of a requesting party to obtain encrypted account information; transmitting a synchronous key request comprising account information and encrypted account information to a service provider through a key distribution interface; receiving an encrypted symmetric key returned by a service provider; and decrypting the encrypted symmetric key by using the asymmetric private key of the requesting party to obtain the symmetric key.
Optionally, the obtaining module 801 is specifically configured to randomly generate a symmetric key.
Optionally, as shown in fig. 9, the apparatus further includes:
an obtaining module 901, configured to obtain a provider asymmetric public key;
a third encryption module 902, configured to encrypt the symmetric key with the asymmetric public key of the provider to obtain a key ciphertext;
The sending module 805 is further configured to send the key ciphertext to the service provider.
Optionally, as shown in fig. 10, the apparatus further includes:
the receiving module 1001 is configured to receive, after sending the service data ciphertext and the service data hash signature data to the service provider, a result data ciphertext and result data hash signature data sent by the service provider, where the result data ciphertext is obtained by encrypting result data with a symmetric key, and the result data is obtained by logically processing the service data by the service provider;
a first decryption module 1002, configured to decrypt ciphertext of the hash signature data of the result data using the asymmetric public key of the provider;
an obtaining module 1003, configured to obtain an original hash value if decryption is successful; calculating a hash value for the result data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the result data ciphertext;
and the second decryption module 1004 is configured to decrypt the result data ciphertext by using the symmetric key continuously if the original hash value is consistent with the hash value corresponding to the result data ciphertext obtained by the recalculation, so as to obtain the result data.
The data transmission device provided by the embodiment of the invention is a device applying the data transmission method applied to the service requester, so that all the embodiments of the data transmission method applied to the service requester are applicable to the device and can achieve the same or similar beneficial effects.
Corresponding to the data transmission method applied to the service provider, the embodiment of the invention also provides a data transmission device applied to the service provider, as shown in fig. 11, including:
the first receiving module 1101 is configured to receive a service data ciphertext and service data hash signature data sent by a service requester, where the service data ciphertext is obtained by encrypting service data with a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext with an asymmetric private key of the requester;
a first obtaining module 1102, configured to obtain a requester asymmetric public key;
a first decryption module 1103 for decrypting the service data hash signature data using the requester asymmetric public key,
an obtaining module 1104, configured to obtain a hash value of the original service data ciphertext if the decryption is successful; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
a comparison module 1105, configured to compare the original hash value with a hash value corresponding to the service data ciphertext obtained by recalculation;
the second decryption module 1106 is configured to, if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained by the recalculation, pass the verification, and decrypt the service data ciphertext by using the symmetric key continuously to obtain service data.
Optionally, as shown in fig. 12, the apparatus further includes:
a second obtaining module 1201, configured to obtain identification information of a service provider;
the second decryption module 1106 is specifically configured to find a symmetric key corresponding to the identification information.
Optionally, the second decryption module 1106 is specifically configured to receive a key ciphertext sent by the service requester, where the key ciphertext is obtained by encrypting, by the service requester, a symmetric key that is generated randomly by using an asymmetric public key of the provider; and decrypting the key ciphertext by using the asymmetric private key of the provider to obtain the symmetric key.
Optionally, as shown in fig. 13, the apparatus further includes:
a second receiving module 1301, configured to receive a synchronization key request sent by a service requester; the synchronous key request comprises account information of a service requester and encrypted account information, wherein the encrypted account information is obtained by encrypting the account information by the service requester by using an asymmetric private key of the requester;
the parsing module 1302 is configured to parse the synchronization key request to obtain account information and encrypted account information;
the first searching module 1303 is configured to search a locally stored asymmetric public key of a requester corresponding to the account information;
a third decryption module 1304, configured to decrypt the encrypted account information by using a requester asymmetric public key corresponding to the account information, to obtain decrypted account information;
A second searching module 1305, configured to search a symmetric key corresponding to the decrypted account information;
the first encryption module 1306 is configured to encrypt the symmetric key with the asymmetric public key of the requester, and return the encrypted symmetric key to the service requester.
Optionally, as shown in fig. 14, the apparatus further includes:
the logic processing module 1401 is configured to decrypt the service data ciphertext by using the symmetric key, and then perform logic processing on the service data to obtain result data corresponding to the service data;
a second encryption module 1402, configured to encrypt the result data using the symmetric key to obtain a result data ciphertext;
a calculation module 1403, configured to calculate a hash value of the result data ciphertext;
a third encryption module 1404, configured to encrypt a hash value of the result data ciphertext with the provider asymmetric private key to obtain result data hash signature data;
a sending module 1405, configured to return the result data ciphertext and the result data hash signature data to the service requester.
The data transmission device provided by the embodiment of the invention is a device applying the data transmission method applied to the service provider, so that all the embodiments of the data transmission method applied to the service provider are applicable to the device and can achieve the same or similar beneficial effects.
The embodiment of the invention also provides an electronic device, as shown in fig. 15, which comprises a processor 1501, a communication interface 1502, a memory 1503 and a communication bus 1504, wherein the processor 1501, the communication interface 1502 and the memory 1503 complete communication with each other through the communication bus 1504.
A memory 1503 for storing a computer program;
the processor 1501 is configured to implement the method steps of the data transmission method applied to the service requester provided in the above embodiment when executing the program stored in the memory 1503.
The embodiment of the present invention further provides an electronic device, as shown in fig. 16, including a processor 1601, a communication interface 1602, a memory 1603, and a communication bus 1604, where the processor 1601, the communication interface 1602, and the memory 1603 perform communication with each other through the communication bus 1604.
A memory 1603 for storing a computer program;
the processor 1601 is configured to implement the method steps of the data transmission method applied to the service provider provided in the above embodiment when executing the program stored in the memory 1603.
The communication bus mentioned above for the electronic devices may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the figures are shown with only one bold line, but not with only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In still another embodiment of the present invention, there is also provided a computer readable storage medium, in which a computer program is stored, the computer program implementing the method steps of the data transmission method applied to a service requester provided in the above embodiment when being executed by a processor.
In yet another embodiment of the present invention, there is also provided a computer readable storage medium having stored therein a computer program which, when executed by a processor, implements the method steps of the data transmission method applied to a service provider provided in the above embodiment.
In a further embodiment of the invention, a computer program product comprising instructions is also provided, which when run on a computer causes the computer to perform the method steps of the data transmission method provided in the above embodiment applied to a service requester.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method steps of the data transmission method for a service provider provided by the above embodiments.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, produces a flow or function in accordance with embodiments of the present invention, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another, for example, by wired (e.g., coaxial cable, optical fiber, digital Subscriber Line (DSL)), or wireless (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system, apparatus, electronic device, computer readable storage medium, and computer program product embodiments, the description is relatively simple as it is substantially similar to method embodiments, as relevant points are found in the partial description of method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (25)

1. A data transmission method, applied to a service requester, comprising:
obtaining a symmetric key;
encrypting the service data by using the symmetric key to obtain a service data ciphertext;
calculating the hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
the service data ciphertext and the service data hash signature data are sent to a service provider, so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, and the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
2. The method of claim 1, wherein the obtaining the symmetric key comprises:
sending a synchronous key request to a service provider through a key distribution interface, wherein the synchronous key request comprises identification information of the service requester;
and receiving a symmetric key for the identification information fed back by the service provider, wherein the symmetric key is generated by the service provider, and the service provider periodically replaces the symmetric key.
3. The method of claim 2, wherein the identification information is account information;
the sending, through the key distribution interface, a synchronization key request to the service provider includes:
encrypting the account information by using an asymmetric private key of a requesting party to obtain encrypted account information;
transmitting a synchronous key request comprising the account information and the encrypted account information to a service provider through a key distribution interface;
receiving a symmetric key for the identification information fed back by the service provider, including:
receiving an encrypted symmetric key returned by the service provider;
and decrypting the encrypted symmetric key by using the asymmetric private key of the requesting party to obtain the symmetric key.
4. The method of claim 1, wherein the obtaining the symmetric key comprises:
the symmetric key is randomly generated.
5. The method according to claim 4, wherein the method further comprises:
acquiring an asymmetric public key of a provider;
encrypting the symmetric key by using the asymmetric public key of the provider to obtain a key ciphertext;
and sending the key ciphertext to the service provider.
6. The method of claim 1, wherein after said sending the service data ciphertext and the service data hash signature data to a service provider, the method further comprises:
receiving result data ciphertext and result data hash signature data sent by the service provider, wherein the result data ciphertext is obtained by encrypting the result data by using the symmetric key, and the result data is obtained by logically processing the service data by the service provider;
decrypting ciphertext of the result data hash signature data by using a provider asymmetric public key;
if the decryption is successful, the original hash value is obtained;
calculating a hash value for the result data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the result data ciphertext;
And if the original hash value is consistent with the hash value corresponding to the result data ciphertext obtained by recalculation, continuing to decrypt the result data ciphertext by using the symmetric key to obtain the result data.
7. A data transmission method, applied to a service provider, comprising:
receiving service data ciphertext and service data hash signature data sent by a service request party, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a request party asymmetric private key;
acquiring an asymmetric public key of a requester;
decrypting the service data hash signature data using the requestor asymmetric public key,
if the decryption is successful, the hash value of the original business data ciphertext is obtained;
calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation;
if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
8. The method of claim 7, wherein the method further comprises:
acquiring the identification information of the service provider;
and searching a symmetric key corresponding to the identification information.
9. The method of claim 7, wherein the method further comprises:
receiving a secret key ciphertext sent by the service request party, wherein the secret key ciphertext is obtained by encrypting a randomly generated symmetric secret key by the service request party by using a provider asymmetric public key;
and decrypting the key ciphertext by using the asymmetric private key of the provider to obtain the symmetric key.
10. The method of claim 7, wherein the method further comprises:
receiving a synchronous key request sent by a service requester; the synchronous key request comprises account information of a service requester and encrypted account information, wherein the encrypted account information is obtained by encrypting the account information by the service requester by using an asymmetric private key of the requester;
analyzing the synchronous key request to obtain the account information and the encrypted account information;
searching a locally stored asymmetric public key of a requester corresponding to the account information;
Decrypting the encrypted account information by using a requester asymmetric public key corresponding to the account information to obtain decrypted account information;
searching a symmetric key corresponding to the decrypted account information;
and encrypting the symmetric key by using the asymmetric public key of the requester, and returning the encrypted symmetric key to the service requester.
11. The method of claim 7, wherein after decrypting the service data ciphertext using the symmetric key to obtain the service data, the method further comprises:
performing logic processing on the service data to obtain result data corresponding to the service data;
encrypting the result data by using the symmetric key to obtain a result data ciphertext;
calculating the hash value of the result data ciphertext, and encrypting the hash value of the result data ciphertext by using an asymmetric private key of a provider to obtain result data hash signature data;
and returning the result data ciphertext and the result data hash signature data to the service requester.
12. A data transmission apparatus for use with a service requester, comprising:
The obtaining module is used for obtaining the symmetric key;
the first encryption module is used for encrypting the service data by using the symmetric key to obtain a service data ciphertext;
the calculating module is used for calculating the hash value of the service data ciphertext;
the second encryption module is used for encrypting the hash value of the service data ciphertext by using the asymmetric private key of the requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider;
the sending module is used for sending the service data ciphertext and the service data hash signature data to a service provider so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requesting party, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, so that the verification signature passes; and continuing to decrypt the service data ciphertext by using the symmetric key to obtain the service data.
13. The apparatus according to claim 12, wherein the obtaining module is configured to send a synchronization key request to a service provider via a key distribution interface, the synchronization key request including identification information of the service requester; and receiving a symmetric key for the identification information fed back by the service provider, wherein the symmetric key is generated by the service provider, and the service provider periodically replaces the symmetric key.
14. The apparatus of claim 13, wherein the identification information is account information;
the obtaining module is specifically configured to encrypt the account information by using an asymmetric private key of a requesting party to obtain encrypted account information; transmitting a synchronous key request comprising the account information and the encrypted account information to a service provider through a key distribution interface; receiving an encrypted symmetric key returned by the service provider; and decrypting the encrypted symmetric key by using the asymmetric private key of the requesting party to obtain the symmetric key.
15. The apparatus according to claim 12, wherein the obtaining module is configured to randomly generate the symmetric key.
16. The apparatus of claim 15, wherein the apparatus further comprises:
the acquisition module is used for acquiring the asymmetric public key of the provider;
the third encryption module is used for encrypting the symmetric key by using the asymmetric public key of the provider to obtain a key ciphertext;
and the sending module is also used for sending the secret key ciphertext to the service provider.
17. The apparatus of claim 12, wherein the apparatus further comprises:
the receiving module is used for receiving the result data ciphertext and the result data hash signature data sent by the service provider after the service data ciphertext and the service data hash signature data are sent to the service provider, wherein the result data ciphertext is obtained by encrypting the result data by using the symmetric key, and the result data is obtained by logically processing the service data by the service provider;
the first decryption module is used for decrypting ciphertext of the hash signature data of the result data by using an asymmetric public key of a provider;
the obtaining module is used for obtaining an original hash value if decryption is successful; calculating a hash value for the result data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the result data ciphertext;
And the second decryption module is used for continuously decrypting the result data ciphertext by using the symmetric key if the original hash value is consistent with the hash value corresponding to the result data ciphertext obtained by recalculation, so as to obtain the result data.
18. A data transmission apparatus for use with a service provider, comprising:
the first receiving module is used for receiving a service data ciphertext and service data hash signature data sent by a service request party, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using a request party asymmetric private key;
the first acquisition module is used for acquiring the asymmetric public key of the requester;
a first decryption module for decrypting the service data hash signature data using the requester asymmetric public key,
the obtaining module is used for obtaining the hash value of the original service data ciphertext if decryption is successful; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext;
The comparison module is used for comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation;
and the second decryption module is used for obtaining the service data by continuing decrypting the service data ciphertext by using the symmetric key if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained by recalculation.
19. The apparatus of claim 18, wherein the apparatus further comprises:
a second obtaining module, configured to obtain identification information of the service provider;
the second decryption module is specifically configured to find a symmetric key corresponding to the identification information.
20. The apparatus of claim 18, wherein the second decryption module is configured to receive a key ciphertext sent by the service requester, the key ciphertext being obtained by encrypting a randomly generated symmetric key by the service requester using a provider asymmetric public key; and decrypting the key ciphertext by using the asymmetric private key of the provider to obtain the symmetric key.
21. The apparatus of claim 18, wherein the apparatus further comprises:
The second receiving module is used for receiving the synchronous key request sent by the service request party; the synchronous key request comprises account information of a service requester and encrypted account information, wherein the encrypted account information is obtained by encrypting the account information by the service requester by using an asymmetric private key of the requester;
the analysis module is used for analyzing the synchronous key request to obtain the account information and the encrypted account information;
the first searching module is used for searching a locally stored asymmetric public key of a requester corresponding to the account information;
the third decryption module is used for decrypting the encrypted account information by using the asymmetric public key of the requesting party corresponding to the account information to obtain decrypted account information;
the second searching module is used for searching the symmetric key corresponding to the decrypted account information;
the first encryption module is used for encrypting the symmetric key by using the asymmetric public key of the requester and returning the encrypted symmetric key to the service requester.
22. The apparatus of claim 18, wherein the apparatus further comprises:
the logic processing module is used for decrypting the service data ciphertext by using the symmetric key to obtain the service data, and then carrying out logic processing on the service data to obtain result data corresponding to the service data;
The second encryption module is used for encrypting the result data by using the symmetric key to obtain a result data ciphertext;
the calculation module is used for calculating the hash value of the result data ciphertext;
the third encryption module is used for encrypting the hash value of the result data ciphertext by using the asymmetric private key of the provider to obtain result data hash signature data;
and the sending module is used for returning the result data ciphertext and the result data hash signature data to the service requester.
23. A data transmission system, comprising: a service requester and a service provider;
the service requester is configured to obtain a symmetric key; encrypting the service data by using the symmetric key to obtain a service data ciphertext; calculating the hash value of the service data ciphertext, and encrypting the hash value of the service data ciphertext by using an asymmetric private key of a requesting party to obtain service data hash signature data; the asymmetric private key of the requester is generated based on an asymmetric encryption algorithm negotiated by the service requester and the service provider, the asymmetric public key of the requester corresponds to the asymmetric private key of the requester, and the asymmetric public key of the provider corresponds to the asymmetric private key of the provider; the service data ciphertext and the service data hash signature data are sent to a service provider, so that the service provider decrypts the service data hash signature data by using an asymmetric public key of a requester, and the decrypted hash value is consistent with the recalculated hash value of the service data ciphertext, and the verification signature passes; decrypting the service data ciphertext by using the symmetric key to obtain the service data;
The service provider is used for receiving service data ciphertext and service data hash signature data sent by the service requester, wherein the service data ciphertext is obtained by encrypting service data by using a symmetric key, and the service data hash signature data is obtained by encrypting a hash value of the service data ciphertext by using an asymmetric private key of the requester; acquiring an asymmetric public key of a requester; decrypting the service data hash signature data by using the asymmetric public key of the requesting party, and if the decryption is successful, obtaining the hash value of the original service data ciphertext; calculating the service data ciphertext by using the same hash algorithm to obtain a hash value corresponding to the service data ciphertext; comparing the original hash value with the hash value corresponding to the service data ciphertext obtained by recalculation; if the original hash value is consistent with the hash value corresponding to the service data ciphertext obtained through recalculation, the verification sign passes, and the service data ciphertext is continuously decrypted by using the symmetric key, so that the service data is obtained.
24. The electronic equipment is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
A memory for storing a computer program;
a processor for carrying out the method steps of any one of claims 1-6 when executing a program stored on a memory.
25. The electronic equipment is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
a memory for storing a computer program;
a processor for carrying out the method steps of any one of claims 7-11 when executing a program stored on a memory.
CN202111134192.1A 2021-09-27 2021-09-27 Data transmission method, device, system and equipment Active CN114024710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111134192.1A CN114024710B (en) 2021-09-27 2021-09-27 Data transmission method, device, system and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111134192.1A CN114024710B (en) 2021-09-27 2021-09-27 Data transmission method, device, system and equipment

Publications (2)

Publication Number Publication Date
CN114024710A CN114024710A (en) 2022-02-08
CN114024710B true CN114024710B (en) 2024-04-16

Family

ID=80054998

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111134192.1A Active CN114024710B (en) 2021-09-27 2021-09-27 Data transmission method, device, system and equipment

Country Status (1)

Country Link
CN (1) CN114024710B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118416B (en) * 2022-06-13 2024-04-16 中国科学院沈阳自动化研究所 Distributed database system based on privacy protection and confidentiality method
CN115208632B (en) * 2022-06-16 2023-11-07 国网浙江省电力有限公司营销服务中心 Front-end and back-end data encryption transmission method and system
CN115174195A (en) * 2022-06-30 2022-10-11 中国第一汽车股份有限公司 Database file processing method, encryption terminal and decryption terminal
CN115225365B (en) * 2022-07-14 2024-05-14 北京智芯微电子科技有限公司 Data security transmission method, platform and system based on cryptographic algorithm
CN115348114B (en) * 2022-10-19 2023-02-28 浙江浩普智能科技有限公司 Intelligent power plant data safety transmission method and system, electronic equipment and medium
CN115567324B (en) * 2022-11-24 2023-09-15 湖南天河国云科技有限公司 Data encryption transmission method, system, computer equipment and storage medium
CN116055207B (en) * 2023-01-31 2023-10-03 深圳市圣驼储能技术有限公司 Encryption method and system for communication data of Internet of things
CN116185767B (en) * 2023-02-02 2024-04-19 广东为辰信息科技有限公司 Method for monitoring data flow direction based on encryption technology
CN115865540B (en) * 2023-03-03 2023-05-16 北京和升达信息安全技术有限公司 Information security transmission method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161472A (en) * 2016-09-05 2016-11-23 上海前隆金融信息服务有限公司 A kind of method of data encryption, Apparatus and system
CN108683688A (en) * 2018-07-20 2018-10-19 中国建设银行股份有限公司浙江省分行 A method of information transmission security is realized based on Digital Envelope Technology
CN110535868A (en) * 2019-09-05 2019-12-03 山东浪潮商用***有限公司 Data transmission method and system based on Hybrid Encryption algorithm
CN111769934A (en) * 2020-07-08 2020-10-13 深圳思凯微电子有限公司 Data transmission method, system and computer readable storage medium
CN112118245A (en) * 2020-09-10 2020-12-22 中国联合网络通信集团有限公司 Key management method, system and equipment
WO2021022701A1 (en) * 2019-08-08 2021-02-11 平安科技(深圳)有限公司 Information transmission method and apparatus, client terminal, server, and storage medium
CN112910638A (en) * 2021-01-19 2021-06-04 上海布沁网络科技有限公司 Block chain system key retrieving method
CN113347143A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Identity authentication method, device, equipment and storage medium

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161472A (en) * 2016-09-05 2016-11-23 上海前隆金融信息服务有限公司 A kind of method of data encryption, Apparatus and system
CN108683688A (en) * 2018-07-20 2018-10-19 中国建设银行股份有限公司浙江省分行 A method of information transmission security is realized based on Digital Envelope Technology
WO2021022701A1 (en) * 2019-08-08 2021-02-11 平安科技(深圳)有限公司 Information transmission method and apparatus, client terminal, server, and storage medium
CN110535868A (en) * 2019-09-05 2019-12-03 山东浪潮商用***有限公司 Data transmission method and system based on Hybrid Encryption algorithm
CN111769934A (en) * 2020-07-08 2020-10-13 深圳思凯微电子有限公司 Data transmission method, system and computer readable storage medium
CN112118245A (en) * 2020-09-10 2020-12-22 中国联合网络通信集团有限公司 Key management method, system and equipment
CN112910638A (en) * 2021-01-19 2021-06-04 上海布沁网络科技有限公司 Block chain system key retrieving method
CN113347143A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Identity authentication method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114024710A (en) 2022-02-08

Similar Documents

Publication Publication Date Title
CN114024710B (en) Data transmission method, device, system and equipment
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
WO2021120871A1 (en) Authentication key negotiation method and apparatus, storage medium and device
WO2022111102A1 (en) Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium
US11323433B2 (en) Digital credential management method and device
CN109800588B (en) Dynamic bar code encryption method and device and dynamic bar code decryption method and device
WO2013178019A1 (en) Method, device and system for implementing media data processing
CN111080299B (en) Anti-repudiation method for transaction information, client and server
US20230188325A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN112966287B (en) Method, system, device and computer readable medium for acquiring user data
WO2023160420A1 (en) Group message encryption method and apparatus, device and storage medium
CN113204772B (en) Data processing method, device, system, terminal, server and storage medium
CN112437044B (en) Instant messaging method and device
CN115150821A (en) Offline package transmission and storage method and device
CN111355702B (en) Method and system for secure transmission of data sets, medical facility and program product
CN114499837B (en) Message leakage prevention method, device, system and equipment
WO2014146609A1 (en) Information processing method, trust server and cloud server
CN108900595B (en) Method, device and equipment for accessing data of cloud storage server and computing medium
US20240106633A1 (en) Account opening methods, systems, and apparatuses
CN110035035B (en) Secondary authentication method and system for single sign-on
CN114640524B (en) Method, apparatus, device and medium for processing transaction replay attack
CN116244750A (en) Secret-related information maintenance method, device, equipment and storage medium
WO2019242163A1 (en) Data security verification method, apparatus and system, and computer device and storage medium
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
CN115766119A (en) Communication method, communication apparatus, communication system, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant