CN115801388B - Message transmission method, device and storage medium - Google Patents
Message transmission method, device and storage medium Download PDFInfo
- Publication number
- CN115801388B CN115801388B CN202211415448.0A CN202211415448A CN115801388B CN 115801388 B CN115801388 B CN 115801388B CN 202211415448 A CN202211415448 A CN 202211415448A CN 115801388 B CN115801388 B CN 115801388B
- Authority
- CN
- China
- Prior art keywords
- message
- master key
- module
- secure access
- access gateway
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 88
- 238000000034 method Methods 0.000 title claims abstract description 60
- 238000004891 communication Methods 0.000 claims abstract description 65
- 238000012545 processing Methods 0.000 claims description 28
- 230000006835 compression Effects 0.000 claims description 18
- 238000007906 compression Methods 0.000 claims description 18
- 230000008569 process Effects 0.000 description 16
- 230000006870 function Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 7
- 230000009286 beneficial effect Effects 0.000 description 5
- 238000013461 design Methods 0.000 description 5
- 230000003287 optical effect Effects 0.000 description 5
- 230000004044 response Effects 0.000 description 5
- 238000004590 computer program Methods 0.000 description 4
- 235000019800 disodium phosphate Nutrition 0.000 description 2
- GVVPGTZRZFNKDS-JXMROGBWSA-N geranyl diphosphate Chemical compound CC(C)=CCC\C(C)=C\CO[P@](O)(=O)OP(O)(O)=O GVVPGTZRZFNKDS-JXMROGBWSA-N 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 239000002699 waste material Substances 0.000 description 2
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000037361 pathway Effects 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a message transmission method, a message transmission device and a storage medium, which relate to the technical field of communication and are used for ensuring the safety of data between a safety system and a special server. The method comprises the following steps: establishing a transmission channel between a secure access terminal module and a secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through the secure chip and the second system; negotiating a key with a security access gateway through a transmission channel to determine a session master key; encrypting a data message to be transmitted according to a session master key, and determining a first encrypted message; and sending the first encrypted message to the security access gateway through the transmission channel. The embodiment of the application is applied to the message transmission process.
Description
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a storage medium for transmitting a message.
Background
The dual-system terminal comprises a safety system and a non-safety system, wherein the safety system is used for being connected with a special enterprise server so as to improve the safety of information transmission; the non-secure system is an open system for satisfying the needs of the user's daily life entertainment for the user terminal. A security chip is arranged between the security system and the non-security system in the dual-system terminal, so that the non-security system can be prevented from illegally acquiring information in the security system.
However, in the process of communication between the security system and the proprietary enterprise server, the message sent by the security system needs to pass through the non-security system and the public network, so that the risk of illegal theft of the message by the non-security system and the public network exists, and the security risk is caused for communication between the security system and the proprietary enterprise server. Therefore, how to guarantee the security of data between the security system and the proprietary server is an unresolved problem.
Disclosure of Invention
The application provides a message transmission method, a message transmission device and a storage medium. For ensuring the security of data between the security system and the proprietary server.
In order to achieve the above purpose, the present application adopts the following technical scheme:
in a first aspect, the present application provides a method for transmitting a message, where the method is applied to a secure access terminal module, where the secure access terminal module is a module in a first system of a user terminal, and the user terminal includes a first system and a second system; the first system is an encrypted system according to the secure access terminal module, the second system is an unencrypted system, and the first system and the second system are connected through a secure chip; the method comprises the following steps: the method comprises the steps that a transmission channel between a secure access terminal module and a secure access gateway is established by the secure access terminal module; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through the secure chip and the second system; the secure access terminal module negotiates a key with the secure access gateway through a transmission channel and determines a session master key; the security access terminal module encrypts a data message to be transmitted according to the session master key and determines a first encrypted message; the secure access terminal module sends a first encrypted message to the secure access gateway through the transmission channel.
With reference to the first aspect, in one possible implementation manner, the method further includes: acquiring a data message to be transmitted; sending first indication information to an external encryption module; the first indication information is used for indicating the external encryption module to report the session master key; a session master key is received from an external encryption module.
With reference to the first aspect, in one possible implementation manner, the method further includes: the external encryption module is an encryption module externally connected to the user terminal, and is communicated with the user terminal through the national cipher OpenVPN.
With reference to the first aspect, in one possible implementation manner, the method further includes: sending second instruction information to the external encryption module, wherein the second instruction information is used for instructing the external encryption module to generate a session master key according to the pre-prepared certificate and the pre-master key; the premaster secret is generated by an external encryption module, and the external encryption module stores a premade certificate.
With reference to the first aspect, in one possible implementation manner, the method further includes: in the handshake stage, determining security parameters selected by a security access gateway; the security parameters include at least one of: session identification, pre-made certificates, compression algorithms, password specifications, session master keys, and reuse identifications; and encrypting the data message to be transmitted according to the security parameters, and determining a first encrypted message.
In a second aspect, an embodiment of the present application provides a packet transmission device, including: communication unit and processing unit: the processing unit is used for establishing a transmission channel between the secure access terminal module and the secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through the secure chip and the second system; the processing unit is also used for negotiating a key with the security access gateway through the transmission channel and determining a session master key; the processing unit is also used for encrypting the data message to be transmitted according to the session master key and determining a first encrypted message; and the communication unit is used for sending the first encrypted message to the security access gateway through the transmission channel.
With reference to the second aspect, in one possible implementation manner, the processing unit is further configured to obtain a data packet to be transmitted; the communication unit is also used for sending the first indication information to the external encryption module; the first indication information is used for indicating the external encryption module to report the session master key; and the communication unit is also used for receiving the session master key from the external encryption module.
With reference to the second aspect, in one possible implementation manner, the external encryption module is an encryption module externally connected to the user terminal, and the external encryption module communicates with the user terminal through a national public vpn.
With reference to the second aspect, in one possible implementation manner, the communication unit is further configured to send second indication information to the external cryptographic module, where the second indication information is used to instruct the external cryptographic module to generate a session master key according to the pre-made certificate and the pre-master key; the premaster secret is generated by an external encryption module, and the external encryption module stores a premade certificate.
With reference to the second aspect, in a possible implementation manner, the processing unit is further configured to determine, in a handshake phase, a security parameter selected by the secure access gateway; the security parameters include at least one of: session identification, pre-made certificates, compression algorithms, password specifications, session master keys, and reuse identifications; and the processing unit is also used for encrypting the data message to be transmitted according to the security parameters and determining a first encrypted message.
In a third aspect, an embodiment of the present application provides a packet transmission device, where the packet transmission device includes: a processor and a memory; wherein the memory is configured to store computer-executable instructions that, when the message transmission device is operated, the processor executes the computer-executable instructions stored in the memory to cause the message transmission device to perform the message transmission method as described in any one of the possible implementations of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having instructions stored therein, which when executed by a processor of a message transmission apparatus, enable the message transmission apparatus to perform a message transmission method as described in any one of the possible implementations of the first aspect.
These and other aspects of the present application will be more readily apparent from the following description.
The scheme at least brings the following beneficial effects: in the embodiment of the application, in the process of communicating the secure access terminal module with the secure access gateway, the secure access terminal module negotiates a key with the secure access gateway through a transmission channel to determine a session master key. The secure access terminal can encrypt the message through the session master key to obtain a first encrypted message. Since the session master key is negotiated between the secure access terminal module and the secure access gateway, the secure access terminal module and the secure access gateway use the same session master key. In this way, the secure access gateway may decrypt the received first encrypted message. Even if the second system (non-secure system) and the public network acquire the first encrypted message, the second system (non-secure system) and the public network cannot acquire the information in the first encrypted message because the session master key cannot be acquired. Therefore, the present application can ensure the security of data between the first system (security system) and the proprietary server.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a message transmission device provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a message transmission device according to an embodiment of the present application;
fig. 3 is a flowchart of a message transmission method provided in an embodiment of the present application;
fig. 4 is a flowchart of another method for transmitting a message according to an embodiment of the present application;
fig. 5 is a schematic diagram comparing a dedicated virtual network card with a physical network card according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a message transmission device according to an embodiment of the present application;
fig. 7 is a flowchart of a message transmission method provided in an embodiment of the present application;
fig. 8 is a flowchart of another method for transmitting a message according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of another message transmission device according to an embodiment of the present application.
Detailed Description
The term "and/or" is herein merely an association relationship describing an associated object, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone.
The terms "first" and "second" and the like in the description and in the drawings are used for distinguishing between different objects or for distinguishing between different processes of the same object and not for describing a particular sequential order of objects.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the present application, unless otherwise indicated, the meaning of "a plurality" means two or more.
The technical solutions of the embodiments of the present application may be used in various communication systems, which may be a third generation partnership project (third generation partnership project,3 GPP) communication system, for example, a long term evolution (long term evolution, LTE) system, a 5G mobile communication system, an NR system, a new air interface internet of vehicles (vehicle to everything, NR V2X) system, a system of LTE and 5G hybrid networking, or a device-to-device (D2D) communication system, a machine-to-machine (machine to machine, M2M) communication system, an internet of things (Internet of Things, ioT), and other next generation communication systems, and may also be a non-3 GPP communication system, without limitation.
The technical solution of the embodiment of the application can be applied to various communication scenes, for example, one or more of the following communication scenes: enhanced mobile broadband (enhanced mobile broadband, emmbb), ultra-reliable low latency communication (ultra reliable low latency communication, URLLC), machine type communication (machine type communication, MTC), large-scale machine type communication (massive machine type communications, mctc), SA, D2D, V2X, and IoT, among other communication scenarios.
The above communication system and communication scenario to which the present application is applied are merely examples, and the communication system and communication scenario to which the present application is applied are not limited thereto, and are collectively described herein, and are not described in detail.
In some embodiments, the terminal device referred to in the present application may be a device for implementing a communication function. A terminal device may also be called a User Equipment (UE), a terminal, an access terminal, a subscriber unit, a subscriber station, a Mobile Station (MS), a remote station, a remote terminal, a Mobile Terminal (MT), a user terminal, a wireless communication device, a user agent, a user equipment, or the like. The terminal device may be, for example, a wireless terminal or a wired terminal in an IoT, V2X, D2D, M M, 5G network, or a future evolved public land mobile network (public land mobile network, PLMN). The wireless terminal can be a device with wireless transceiving function, can be deployed on land, and comprises indoor or outdoor, handheld or vehicle-mounted; can also be deployed on the water surface (such as ships, etc.); but may also be deployed in the air (e.g., on aircraft, balloon, satellite, etc.).
By way of example, the terminal device may be an unmanned aerial vehicle, an IoT device (e.g., sensor, electricity meter, water meter, etc.), a V2X device, a Station (ST) in a wireless local area network (wireless local area networks, WLAN), a cellular telephone, a cordless telephone, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (personal digital assistant, PDA) device, a handheld device with wireless communication functionality, a computing device or other processing device connected to a wireless modem, an on-board device, a wearable device (which may also be referred to as a wearable smart device), a tablet or a computer with wireless transceiver functionality, a Virtual Reality (VR) terminal, a wireless terminal in an industrial control (industrial control), a wireless terminal in an unmanned aerial vehicle (self-drive), a wireless terminal in a remote medical (remote medium) system (smart grid), a wireless terminal in a transportation security (transportation safety), a smart city (smart) terminal, a wireless to-vehicle-capable wireless communication capability of a UAV-to-vehicle, an unmanned aerial vehicle-to-a vehicle-the wireless vehicle, a vehicle-to-the unmanned aerial vehicle-the like. The terminal may be mobile or fixed, and is not particularly limited in this application.
In order to implement the message transmission method provided by the embodiment of the present application, the embodiment of the present application provides a message transmission device, which is used for executing the message transmission method provided by the embodiment of the present application, and fig. 1 is a schematic structural diagram of the message transmission device provided by the embodiment of the present application. As shown in fig. 1, the message transmission device 100 includes at least one processor 101, a communication line 102, and at least one communication interface 104, and may further include a memory 103. The processor 101, the memory 103, and the communication interface 104 may be connected through a communication line 102.
The processor 101 may be a central processing unit (central processing unit, CPU), an application specific integrated circuit (application specific integrated circuit, ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as: one or more digital signal processors (digital signal processor, DSP), or one or more field programmable gate arrays (field programmable gate array, FPGA).
Communication line 102 may include a pathway for communicating information between the aforementioned components.
The communication interface 104, for communicating with other devices or communication networks, may use any transceiver-like device, such as ethernet, radio access network (radio access network, RAN), WLAN, etc.
The memory 103 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), a compact disc read-only memory (compact disc read-only memory) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to include or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
In a possible design, the memory 103 may exist independent of the processor 101, i.e. the memory 103 may be a memory external to the processor 101, where the memory 103 may be connected to the processor 101 through a communication line 102, for storing execution instructions or application program codes, and the execution is controlled by the processor 101 to implement a message transmission method provided in the embodiments described below. In yet another possible design, the memory 103 may be integrated with the processor 101, i.e., the memory 103 may be an internal memory of the processor 101, e.g., the memory 103 may be a cache, and may be used to temporarily store some data and instruction information, etc.
As one possible implementation, the processor 101 may include one or more CPUs, such as CPU0 and CPU1 in fig. 1. As another implementation, the packet transmission device 100 may include multiple processors, such as the processor 101 and the processor 107 in fig. 1. As yet another implementation, the packet transmission apparatus 100 may further include an output device 105 and an input device 106.
In the prior art, in the process of communication between a security system in a dual-system terminal and a proprietary enterprise server, a message sent by the security system needs to pass through an unsafe system and a public network in the dual-system terminal, so that the risk of illegal theft of the message by the unsafe system and the public network exists, and the security risk is caused for communication between the security system and the proprietary enterprise server.
In order to solve the technical problems in the related art, in the embodiment of the present application, during the process of communication between the secure access terminal module and the secure access gateway, the secure access terminal module negotiates a key with the secure access gateway through a transmission channel, and determines a session master key. In this way, the secure access terminal can encrypt the message through the session master key to obtain the first encrypted message. Since the session master key is negotiated between the secure access terminal module and the secure access gateway, the secure access terminal module and the secure access gateway use the same session master key. In this way, the secure access gateway may decrypt the received first encrypted message. Even if the non-secure system and the public network acquire the first encrypted message, the non-secure system and the public network cannot acquire the information in the first encrypted message because the session master key cannot be acquired. Thus, the present application ensures the security of data between the security system and the proprietary server.
In the following, a detailed description of a message transmission system provided in an embodiment of the present application is described with reference to fig. 2, where, as shown in fig. 2, the message transmission system includes: first system 201, second system 202, security chip 203, and intranet 204.
The first system 201 is a system for encrypting according to a secure access terminal module, and is configured to establish an encrypted connection with the intranet 204; the second system 202 is an unencrypted system, and is used for meeting the requirements of daily life and entertainment of a user on a user terminal; the intranet 204 is used to secure communications between enterprise employees.
Wherein the first system 201 comprises: an application module 2011, a dedicated virtual network card module 2012, a secure access terminal module 2013, a cryptographic daemon module 2014, an external encryption module 2015, and a transport services module 2016.
An application module 2011 configured to: and receiving an operation instruction of the user, and generating third indication information according to the operation instruction of the user, wherein the third indication information is used for indicating the special virtual network card module 2012 to generate a data message to be transmitted. The application module 2011 includes World Wide Web (Web) application and industry application; the third indication information includes a packet explorer (Packet Internet Groper, PING) instruction.
A dedicated virtual network card module 2012 configured to: and receiving the third indication information of the application module 2011, and generating a data message to be transmitted according to the third indication information. The dedicated virtual network card module 2012 is used for realizing seamless connection between the first system 201 and the application module 2011, and does not need to modify the application module 2011, the kernel of the first system 201 and the network protocol stack, thereby reducing the work of staff.
A secure access terminal module 2013 configured to: encrypting a data message to be transmitted according to the received session master key, and determining a first encrypted message; and sends the first encrypted message to the transport services module 2016.
A cryptographic daemon module 2014 configured to: a secure access terminal module 2013 and an external encryption module 2015 are connected.
An external encryption module 2015 configured to: and receiving second indication information sent by the secure access terminal module 2013, wherein the second indication information is used for indicating the external encryption module to generate a session master key according to the pre-made certificate and the pre-master key. The external encryption module 2015 includes a national Secure Digital (SD) card.
A second system 202 comprising: the transport services module 2021.
The transmission service module 2021 is configured to: the first encrypted message sent by the transmission service module 2016 in the first system 201 is received by the security chip 203, and forwarded to the intranet 204.
A security chip 203 configured to: is configured between the first system 201 and the second system 202 for isolating communication data of the first system 201 and the second system 202.
Enterprise intranet 204 includes: secure access gateway 2041.
Secure access gateway 2041 configured to: establishing a transmission channel with the secure access terminal module 2013, and negotiating and calculating a session master key; and receiving and decrypting the first encrypted message.
Intranet 204 also includes: an enterprise address book module 2042, an enterprise internal video and conferencing module 2043, a remote mobile office application 2044, and other web applications 2045. The enterprise address book module 2042 is used for storing the contact ways of all enterprise employees; the enterprise internal video and conference module 2043 is used for enabling enterprise staff to transmit internal video information in an intranet and hold a network conference; the remote mobile office application 2044 is used to satisfy the establishment of a remote wireless connection by enterprise personnel with the secure access gateway 2041 via a terminal; other web applications 2045 are used to meet other network needs of enterprise employees.
The embodiment of the application provides a message transmission method, which can be applied to a message transmission system shown in fig. 2. As shown in fig. 3, the message transmission method includes:
S301, the secure access terminal module establishes a transmission channel between the secure access terminal module and the secure access gateway.
The safety access terminal module is a module in a first system of a user terminal, and the user terminal comprises the first system and a second system; the first system is a system encrypted according to the secure access terminal module, the second system is an unencrypted system, and the first system and the second system are connected through a secure chip.
Optionally, the second system is an open system.
The second system is an Android system.
S302, the secure access terminal module negotiates a key with the secure access gateway through a transmission channel to determine a session master key.
Optionally, before S302, the secure access terminal module and the secure access gateway may perform authentication with each other first, and negotiate to determine a session master key after the authentication passes.
The process of mutually authenticating the security access terminal module and the security access gateway before the authentication process comprises the following steps: the secure access terminal module sends a certificate of the secure access terminal module to the secure access gateway, which verifies the identity of the secure access terminal module. The secure access gateway sends a certificate of the secure access gateway to the secure access terminal module, which verifies the identity of the secure access gateway.
S303, the security access terminal module encrypts the data message to be transmitted according to the session master key, and determines a first encrypted message.
In one possible implementation, the secure access terminal module encrypts the data message to be transmitted and determines the first encrypted message according to the session master key and a cryptographic specification (cryptographic algorithm) negotiated with the secure access gateway.
S304, the secure access terminal module sends a first encryption message to the secure access gateway through a transmission channel.
In one possible implementation, the secure access terminal module sends the first encrypted message to the secure access gateway through the transmission channel, so that the secure access gateway decrypts the first encrypted message according to the session master key.
The scheme at least brings the following beneficial effects: in the embodiment of the application, in the process of communicating the secure access terminal module with the secure access gateway, the secure access terminal module negotiates a key with the secure access gateway through a transmission channel to determine a session master key. In this way, the secure access terminal can encrypt the message through the session master key to obtain the first encrypted message. Since the session master key is negotiated between the secure access terminal module and the secure access gateway, the secure access terminal module and the secure access gateway use the same session master key. In this way, the secure access gateway may decrypt the received first encrypted message. Even if the second system and the public network acquire the first encrypted message, the second system and the public network cannot acquire the information in the first encrypted message because the session master key cannot be acquired. Therefore, the data security between the first system and the proprietary server can be ensured.
In a possible implementation manner, before S303, the secure access terminal module obtains the data packet to be transmitted and the session master key. The process of the secure access terminal module obtaining the data message to be transmitted and the session master key is described below.
Referring to fig. 3, as shown in fig. 4, the above-mentioned process of the secure access terminal module obtaining the data message to be transmitted and the session master key may be implemented specifically by the following S401-S403.
S401, the security access terminal module acquires a data message to be transmitted.
In one possible implementation, the secure access terminal module obtains the data packet to be transmitted from the dedicated virtual network card.
Optionally, the dedicated virtual network card is a kernel mode program in the first system, and is configured to connect an Application (APP) in the terminal with a secure access terminal module in the first system, so that the user sends a data packet to be transmitted to the secure access terminal module in the first system through the APP. Because the first system comprises the virtual network card, the APP in the terminal can be directly communicated with the secure access gateway through the virtual network card in the terminal of the first system, the APP on the user terminal and the communication module at the bottom layer of the first system do not need to be adaptively modified, and resources are saved.
It should be noted that, referring to fig. 4, as shown in fig. 5, the physical network card in kernel mode receives the third indication information of the APP in user mode through the network protocol stack (Network Protocol Stack), generates a data packet to be transmitted according to the third indication information, and forwards the data packet to be transmitted to the physical network. The kernel-mode virtual network card receives third indication information of the user-mode APP through the network protocol stack, generates a data message to be transmitted according to the third indication information, and forwards the data message to be transmitted to the application program. Because the first system does not have a physical network card, a virtual network card is arranged in the first system to realize the function of the physical network card. The virtual network card driver application is illustratively in communication with a network protocol.
S402, the secure access terminal module sends first indication information to the external encryption module.
The first indication information is used for indicating the external encryption module to report the session master key. The external encryption module is an encryption module externally connected to the user terminal, and is communicated with the user terminal through a national private virtual private channel (OpenVPN, OPN).
Optionally, the external encryption module is a national secure digital memory card (Secure Digital Memory Card, SD), and the external encryption module may provide password-related capabilities to the secure access terminal module.
In one possible implementation, the secure access terminal module sends the first indication information to the external encryption module through the cryptographic daemon module, so that the external encryption module calculates the session master key according to the related information.
Optionally, the cryptographic daemon module is an interface for interfacing with an external cryptographic module. S403, the secure access terminal module receives the session master key from the external encryption module.
In one possible implementation, the secure access terminal module stores the session master key to encrypt the subsequent data message to be transmitted.
In another possible implementation, in conjunction with fig. 4, as shown in fig. 6, the secure access module includes a national security SSL protocol module and a communication module. The national secure SSL protocol is used to establish a transport channel and negotiate a session master key. The security access module receives a data message to be transmitted, which is sent by the virtual network card; the secure access module receives the session master key of the national Secure Digital (SD) card through the password daemon module. The security access module encrypts the data message to be transmitted according to the session master key, determines a first encrypted message, and sends the first encrypted message to the transmission service module through the communication module. The transmission service module is used for transmitting information between the security access module and the security access gateway.
The scheme at least brings the following beneficial effects: in the embodiment of the application, the secure access terminal module invokes the session master key from the external encryption module, so that resource waste caused by the fact that the secure access terminal module needs to calculate the session master key is avoided. In the embodiment of the application, the external encryption module is modified, the modification is simple, the disassembly is convenient, and the modification of the terminal is not needed.
Referring to fig. 3, as shown in fig. 7, the above-mentioned process of determining a session master key by negotiating a key with a secure access gateway through a transmission channel may be implemented specifically as follows S701.
S701, the secure access terminal module sends second indication information to the external encryption module.
The second indication information is used for indicating the external encryption module to generate a session master key according to the pre-made certificate and the pre-master key.
The premaster secret is generated by an external encryption module, and the external encryption module stores a premade certificate.
After receiving the Server Key Exchange message sent by the secure access gateway, the secure access terminal module sends a request message to the external encryption module. The request message is for requesting a premaster secret and a premade certificate, and the Server Key Exchange message is for requesting a premaster secret. The secure access terminal module sends the premaster secret and the premaster secret to the secure access gateway so that the secure access gateway generates a decryption session master secret according to the premaster secret and the premaster secret. Because the secure access gateway and the external encryption module have the same parameters (pre-made certificate and pre-master key), the session master key generated by the external encryption module is the same as the decryption session master key generated by the secure access gateway, so that the secure access gateway can decrypt the first encrypted message according to the decryption session master key. Optionally, the pre-formed certificate comprises an authentication certificate (Certification Authority, CA). The external encryption module downloads the CA certificate from the CA system.
It should be noted that, after the external encryption module generates the session master key according to the second indication information, the session master key may be reported to the secure access terminal module in response to the first indication information of the secure access terminal module; the external encryption module may also actively report the session master key to the secure access terminal module.
The scheme at least brings the following beneficial effects: in the embodiment of the application, since the secure access terminal module sends the second indication information to the external encryption module, the external encryption module can generate the session master key according to the second indication information, thereby avoiding the waste of computing resources caused by the secure access terminal module itself computing the session master key.
Referring to fig. 3, as shown in fig. 8, the above-mentioned process of encrypting the data message to be transmitted according to the session master key and determining the first encrypted message may be implemented specifically by the following S801-S802.
S801, in a handshake stage, a security access terminal module determines security parameters selected by a security access gateway.
Wherein the security parameters include at least one of: session identification, pre-made credentials, compression algorithm, password specification, session master key, reuse identification.
It should be noted that, the session identifier is an optional byte sequence selected by the secure access gateway, and is used for identifying an active or recoverable session; the reuse flag is used to indicate whether a new connection can be initiated with the session.
Optionally, during the handshake phase, the secure access terminal module sends a pass-through Client Hello message to the secure access gateway. The Client Hello message includes: session identification, compression algorithm, password specification. The secure access gateway replies a Server Hello message to the secure access terminal module, the Server Hello message comprising: session identification, compression algorithm, password specification.
In one possible implementation, the secure access terminal module sends at least one compression algorithm and/or at least one cryptographic specification to the secure access gateway; the secure access gateway selects a first target compression algorithm and/or a first target password specification from at least one compression algorithm and/or at least one password specification according to a self-supported selection algorithm, and sends a first response message to the secure access terminal module, wherein the first response message comprises the first target algorithm and/or the first target password specification.
Illustratively, the first target algorithm is a compression algorithm in a Server Hello message, and the first target password specification is a password specification in the Server Hello message.
In another possible implementation, the secure access terminal module sends at least one compression algorithm and/or at least one cryptographic specification to the secure access gateway, the at least one compression algorithm and/or the at least one cryptographic specification being arranged in a priority order; the security access gateway selects a second target compression algorithm with highest priority from at least one compression algorithm according to the self-supported selection algorithm, selects a second target password specification with highest priority from at least one password specification, and sends a second response message to the security access terminal module, wherein the second response message comprises the second target algorithm and/or the second target password specification.
Illustratively, the second target algorithm is a compression algorithm in a Server Hello message, and the second target password specification is a password specification in the Server Hello message.
Optionally, the secure access terminal module sends the security parameters to an external encryption module.
S802, the security access terminal module encrypts a data message to be transmitted according to the security parameters, and determines a first encrypted message.
In a possible implementation manner, the security access terminal module performs data segmentation processing on the data message to be transmitted to obtain a plurality of sub-messages; then, compressing each sub-message by using a compression algorithm to obtain compressed sub-messages; and compressing each compressed sub-message according to the password specification and the session master key to obtain a first encrypted message.
The scheme at least brings the following beneficial effects: in the embodiment of the application, the security access terminal module performs key negotiation with the security access gateway to obtain the security parameters. The security access terminal can encrypt the message through the security parameters to obtain a first encrypted message. Because the session master key is negotiated between the secure access terminal module and the secure access gateway, the secure access terminal module and the secure access gateway use the same security parameters. In this way, the secure access gateway may decrypt the received first encrypted message. Even if the second system (non-secure system) and the public network acquire the first encrypted message, the second system (non-secure system) and the public network cannot acquire the information in the first encrypted message because the security parameters cannot be acquired. Therefore, the present application can ensure the security of data between the first system (security system) and the proprietary server.
It can be seen that the above technical solutions provided in the embodiments of the present application are mainly described from the method perspective. To achieve the above functions, it includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The embodiment of the present application may divide the functional modules of the packet transmission device according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated modules may be implemented in hardware or in software functional modules. Optionally, the division of the modules in the embodiments of the present application is schematic, which is merely a logic function division, and other division manners may be actually implemented.
Fig. 9 is a schematic structural diagram of a message transmission device 90 according to an embodiment of the present application. The message transmission device 90 includes: a processing unit 901, and a communication unit 902.
A processing unit 901, configured to establish a transmission channel between the secure access terminal module and the secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through the secure chip and the second system; the processing unit 901 is further configured to negotiate a key with the security access gateway through a transmission channel, and determine a session master key; the processing unit 901 is further configured to encrypt a data packet to be transmitted according to a session master key, and determine a first encrypted packet; a communication unit 902, configured to send a first encrypted packet to the secure access gateway through a transmission channel.
Optionally, the processing unit 901 is further configured to obtain a data packet to be transmitted; a communication unit 902, configured to send first indication information to an external encryption module; the first indication information is used for indicating the external encryption module to report the session master key; the communication unit 902 is further configured to receive a session master key from an external encryption module.
Optionally, the external encryption module is an encryption module externally connected to the user terminal, and the external encryption module communicates with the user terminal through the national encryption OpenVPN.
Optionally, the communication unit 902 is further configured to send second indication information to the external encryption module, where the second indication information is used to instruct the external encryption module to generate a session master key according to the pre-made certificate and the pre-master key; the premaster secret is generated by an external encryption module, and the external encryption module stores a premade certificate.
Optionally, the processing unit 901 is further configured to determine, in a handshake phase, a security parameter selected by the security access gateway; the security parameters include at least one of: session identification, pre-made certificates, compression algorithms, password specifications, session master keys, and reuse identifications; the processing unit 901 is further configured to encrypt a data packet to be transmitted according to the security parameter, and determine a first encrypted packet.
Wherein the processing unit 901 may be a processor or a controller. Which may implement or perform the various exemplary logic blocks, modules, and circuits described in connection with this disclosure. A processor may also be a combination of computing functions, including for example, one or more microprocessor combinations, a combination of DSPs and microprocessors, and the like. The communication unit 902 may be a transceiver circuit or a communication interface, etc. The memory module may be a memory. When the processing unit 901 is a processor, the communication unit 902 is a communication interface, and the storage module is a memory, the message transmission device according to the embodiment of the present application may be a message transmission device shown in fig. 1.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the network node is divided into different functional modules to implement all or part of the functions described above. The specific working processes of the above-described system, module and network node may refer to the corresponding processes in the foregoing method embodiments, which are not described herein.
The embodiment of the application further provides a computer readable storage medium, in which instructions are stored, and when the computer executes the instructions, the computer executes each step in the method flow shown in the method embodiment.
The embodiment of the application also provides a chip, which comprises a processor and a communication interface, wherein the communication interface is coupled with the processor, and the processor is used for running a computer program or instructions to realize the message transmission method in the embodiment of the method.
Embodiments of the present application provide a computer program product comprising instructions which, when executed on a computer, cause the computer to perform the method for transmitting a message in the method embodiments described above.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: electrical connections having one or more wires, portable computer diskette, hard disk. Random access Memory (Random Access Memory, RAM), read-Only Memory (ROM), erasable programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM), registers, hard disk, optical fiber, portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any other form of computer-readable storage medium suitable for use by a person or persons of skill in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuit, ASIC). In embodiments of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the apparatus, device, computer readable storage medium, and computer program product in the embodiments of the present invention may be applied to the above-mentioned method, the technical effects that can be obtained by the apparatus, device, computer readable storage medium, and computer program product may also refer to the above-mentioned method embodiments, and the embodiments of the present invention are not repeated herein.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (6)
1. The message transmission method is characterized by being applied to a secure access terminal module, wherein the secure access terminal module is a module in a first system of a user terminal, and the user terminal comprises the first system and a second system; the first system is an encrypted system according to the secure access terminal module, the second system is an unencrypted system, and the first system and the second system are connected through a secure chip; the method comprises the following steps:
establishing a transmission channel between the secure access terminal module and a secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel connects the secure access terminal module and the secure access gateway through the secure chip and the second system;
Negotiating a key with the security access gateway through the transmission channel to determine a session master key;
encrypting a data message to be transmitted according to the session master key, and determining a first encrypted message;
sending the first encrypted message to the security access gateway through the transmission channel;
before the data message is encrypted according to the session master key and the first encrypted message is determined, the method further comprises:
acquiring the data message to be transmitted;
sending first indication information to an external encryption module; the first indication information is used for indicating the external encryption module to report the session master key;
receiving the session master key from the external encryption module;
the external encryption module is an encryption module externally connected to the user terminal, and is communicated with the user terminal through a national secret virtual private channel OpenVPN;
the step of negotiating a key with the security access gateway through the transmission channel to determine a session master key includes:
sending second indication information to the external encryption module, wherein the second indication information is used for indicating the external encryption module to generate the session master key according to a pre-made certificate and a pre-master key; wherein the premaster secret is generated by the external encryption module, which stores the premade certificate.
2. The method of claim 1, wherein the encrypting the data message to be transmitted according to the session master key, and determining the first encrypted message, comprises:
in a handshake phase, determining security parameters selected by the security access gateway; the security parameters include at least one of: session identification, the prefabricated certificate, a compression algorithm, a password specification, a session master key and a reuse identification;
and encrypting the data message to be transmitted according to the security parameters, and determining the first encrypted message.
3. A message transmission device, characterized in that the device comprises a communication unit and a processing unit:
the processing unit is used for establishing a transmission channel between the secure access terminal module and the secure access gateway; the security access gateway is an access gateway in an enterprise intranet accessed by the user terminal; the transmission channel is connected with the secure access terminal module and the secure access gateway through a secure chip and a second system;
the processing unit is further configured to negotiate a key with the secure access gateway through the transmission channel, and determine a session master key;
the processing unit is further used for encrypting the data message to be transmitted according to the session master key and determining a first encrypted message;
The communication unit is used for sending the first encryption message to the security access gateway through the transmission channel;
the processing unit is further configured to obtain the data packet to be transmitted;
the communication unit is further used for sending first indication information to the external encryption module; the first indication information is used for indicating the external encryption module to report the session master key;
the communication unit is further configured to receive the session master key from the external encryption module;
the external encryption module is an encryption module externally connected to the user terminal, and is communicated with the user terminal through a national cipher OpenVPN;
the communication unit is further configured to send second indication information to the external encryption module, where the second indication information is used to instruct the external encryption module to generate the session master key according to a pre-made certificate and a pre-master key; wherein the premaster secret is generated by the external encryption module, which stores the premade certificate.
4. The apparatus of claim 3, wherein the device comprises a plurality of sensors,
the processing unit is further configured to determine, in a handshake phase, a security parameter selected by the security access gateway; the security parameters include at least one of: session identification, the prefabricated certificate, a compression algorithm, a password specification, a session master key and a reuse identification;
The processing unit is further configured to encrypt the data packet to be transmitted according to the security parameter, and determine the first encrypted packet.
5. A message transmission apparatus, comprising: a processor and a memory; wherein the memory is configured to store computer-executable instructions that, when executed by the message transmission device, cause the message transmission device to perform the message transmission method of any of claims 1-2.
6. A computer readable storage medium comprising instructions which, when executed by a message transmission apparatus, cause the computer to perform the message transmission method of any of claims 1-2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211415448.0A CN115801388B (en) | 2022-11-11 | 2022-11-11 | Message transmission method, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211415448.0A CN115801388B (en) | 2022-11-11 | 2022-11-11 | Message transmission method, device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115801388A CN115801388A (en) | 2023-03-14 |
| CN115801388B true CN115801388B (en) | 2024-04-09 |
Family
ID=85437118
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211415448.0A Active CN115801388B (en) | 2022-11-11 | 2022-11-11 | Message transmission method, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115801388B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101790160A (en) * | 2009-01-23 | 2010-07-28 | 中兴通讯股份有限公司 | Method and device for safely consulting session key |
| CN206003101U (en) * | 2016-07-06 | 2017-03-08 | 山东同智伟业软件股份有限公司 | Safety mobile terminal based on double hard disk dual system patterns |
| CN107317925A (en) * | 2017-06-20 | 2017-11-03 | 北京壹人壹本信息科技有限公司 | Mobile terminal |
| CN107360154A (en) * | 2017-07-10 | 2017-11-17 | 中国科学院沈阳计算技术研究所有限公司 | A kind of intranet security cut-in method and system |
| CN108810023A (en) * | 2018-07-19 | 2018-11-13 | 北京智芯微电子科技有限公司 | Safe encryption method, key sharing method and safety encryption isolation gateway |
| CN111934879A (en) * | 2020-07-08 | 2020-11-13 | 福建亿能达信息技术股份有限公司 | Data transmission encryption method, device, equipment and medium for internal and external network system |
| WO2022123068A2 (en) * | 2020-12-10 | 2022-06-16 | Abn Amro Bank N.V. | Orchestrated quantum key distribution |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104216777B (en) * | 2014-08-29 | 2017-09-08 | 宇龙计算机通信科技(深圳)有限公司 | Dual system electronic installation and terminal |
| CN104468611B (en) * | 2014-12-24 | 2017-09-08 | 宇龙计算机通信科技(深圳)有限公司 | The data safety processing method and device switched based on dual system |
-
2022
- 2022-11-11 CN CN202211415448.0A patent/CN115801388B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101790160A (en) * | 2009-01-23 | 2010-07-28 | 中兴通讯股份有限公司 | Method and device for safely consulting session key |
| CN206003101U (en) * | 2016-07-06 | 2017-03-08 | 山东同智伟业软件股份有限公司 | Safety mobile terminal based on double hard disk dual system patterns |
| CN107317925A (en) * | 2017-06-20 | 2017-11-03 | 北京壹人壹本信息科技有限公司 | Mobile terminal |
| CN107360154A (en) * | 2017-07-10 | 2017-11-17 | 中国科学院沈阳计算技术研究所有限公司 | A kind of intranet security cut-in method and system |
| CN108810023A (en) * | 2018-07-19 | 2018-11-13 | 北京智芯微电子科技有限公司 | Safe encryption method, key sharing method and safety encryption isolation gateway |
| CN111934879A (en) * | 2020-07-08 | 2020-11-13 | 福建亿能达信息技术股份有限公司 | Data transmission encryption method, device, equipment and medium for internal and external network system |
| WO2022123068A2 (en) * | 2020-12-10 | 2022-06-16 | Abn Amro Bank N.V. | Orchestrated quantum key distribution |
Non-Patent Citations (1)
| Title |
|---|
| 移动办公安全保障体系关键技术浅析;符刚;《保密科学技术》;20220920;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115801388A (en) | 2023-03-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10601594B2 (en) | End-to-end service layer authentication | |
| EP3982590B1 (en) | Security authentication method, configuration method, and related device | |
| US10790995B2 (en) | Oracle authentication using multiple memory PUFs | |
| KR101688118B1 (en) | Security communication apparatus of internet of things environment and method thereof | |
| US10263960B2 (en) | Wireless communication system and wireless communication method | |
| US10542570B2 (en) | System and method for relaying data over a communication network | |
| CN109768861B (en) | Massive D2D anonymous discovery authentication and key agreement method | |
| CN112449323B (en) | Communication method, device and system | |
| CN112602290B (en) | Identity authentication method and device and readable storage medium | |
| KR20170037270A (en) | Method for registering device and setting secret key using two factor communacation channel | |
| WO2023083170A1 (en) | Key generation method and apparatus, terminal device, and server | |
| CN116405192A (en) | Certificate application method and equipment | |
| US20240244681A1 (en) | Communication method, apparatus, and system | |
| CN112019489B (en) | Verification method and device | |
| CN114449521B (en) | Communication method and communication device | |
| CN111357305B (en) | Communication method, equipment, system and storage medium of movable platform | |
| CN108616877B (en) | Communication method, system and equipment of small base station | |
| CN115801388B (en) | Message transmission method, device and storage medium | |
| CN114650531B (en) | Method for realizing multiple security enhancement functions based on USIM card and USIM card | |
| US20230308868A1 (en) | Method, devices and system for performing key management | |
| CN115714681B (en) | Data verification method, device and storage medium | |
| CN115278660A (en) | Access authentication method, device and system | |
| CN116192443A (en) | Data packet transmission method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |