CN116415268A - Data processing method, device, equipment and medium - Google Patents

Publication number
CN116415268A
Authority
CN
China
Prior art keywords
public key
encrypted message
determining
verification information
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111663749.0A
Other languages
Chinese (zh)
Inventor
孙国臣
高雪松
林玥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hisense Group Holding Co Ltd
Original Assignee
Hisense Group Holding Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hisense Group Holding Co Ltd filed Critical Hisense Group Holding Co Ltd
Priority to CN202111663749.0A priority Critical patent/CN116415268A/en
Publication of CN116415268A publication Critical patent/CN116415268A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a data processing method, device, equipment and medium. When the first public key is exchanged, the second device sends it to the first device in a first encrypted message, and the first encrypted message is obtained by encrypting the first public key together with first verification information using a preset first encryption algorithm. Only a compliant device can therefore decrypt the first encrypted message and obtain the first public key it carries, which ensures the security of the first public key in transit. After the first device obtains the first verification information from the first encrypted message, it can verify that information; when the first verification information passes, the first public key is determined to be legal. This avoids the man-in-the-middle attack problem and ensures that the first public key was sent by a compliant device, further ensuring the security and legality of the acquired first public key.

Description

Data processing method, device, equipment and medium
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a data processing method, apparatus, device, and medium.
Background
DH (Diffie-Hellman) key exchange is an algorithm invented jointly by Diffie and Hellman in 1976. Using this algorithm, the communicating parties can generate a shared secret number by exchanging only information that can be disclosed, such as DH public keys, and this shared secret number can be used as the key for a symmetric cipher. Because the two communicating devices do not authenticate each other, a man-in-the-middle attack can easily occur while they exchange DH public keys: an attacker establishes an independent connection with each of the two parties, and all messages between them are forwarded by the attacker. Neither party knows that the messages it sent to the peer device were intercepted by the attacker, or that the messages it received from the peer device were forwarded by the attacker. The attacker can tamper with the intercepted messages before forwarding them to the corresponding device, which seriously affects the security of the interaction between the two parties.
Disclosure of Invention
The application provides a data processing method, device, equipment and medium to solve the problem that data interaction has low security while the communicating parties exchange DH public keys.
In a first aspect, the present application provides a data processing method, the method being applied to a first device, the method comprising:
acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and if the first verification information passes, determining that the first public key is legal.
In a second aspect, the present application provides a data processing apparatus for application to a first device, the apparatus comprising:
the receiving unit is used for acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
the decryption unit is used for decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and the verification unit is used for determining that the first public key is legal if the first verification information passes.
In a third aspect, the present application provides an electronic device comprising a processor for implementing the steps of the data processing method as described above when executing a computer program stored in a memory.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of a data processing method as described above.
When the first public key is exchanged, the second device sends it to the first device in the first encrypted message, and the first encrypted message is obtained by encrypting the first public key together with the first verification information using the preset first encryption algorithm. Only a compliant device can therefore decrypt the first encrypted message and obtain the first public key it carries, which ensures the security of the first public key in transit. After the first device obtains the first verification information from the first encrypted message, it can verify that information; when the first verification information passes, the first public key is determined to be legal. This avoids the man-in-the-middle attack problem and ensures that the first public key was sent by a compliant device, further ensuring the security and legality of the acquired first public key.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings described below are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data processing process according to some embodiments of the present application;
FIG. 2 is a schematic diagram of a specific data processing flow provided in some embodiments of the present application;
FIG. 3 is a schematic diagram of a specific public key determination process provided in some embodiments of the present application;
FIG. 4 is a schematic diagram of a data processing apparatus according to some embodiments of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to some embodiments of the present application.
Detailed Description
The present application will be described in further detail below with reference to the attached drawings, wherein it is apparent that the described embodiments are only some, but not all embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
In one possible scenario, devices interact with each other, for example a server sends video data to a client, or an application server sends user data to a cloud platform server. To ensure the security of the data the two communicating devices send to each other, a session key needs to be determined before the two devices start a session; the transmitted data is then encrypted with the session key and the encrypted data is sent to the receiving device. Specifically, the interaction between two devices consists essentially of three steps. The first step is two-way authentication between the two devices, which can be divided into two stages: in the first stage, each device authenticates the certificate issued to its counterpart by a CA (Certification Authority), that is, it verifies the authenticity of the counterpart's certificate; in the second stage, the two devices authenticate each other's identity, that is, each confirms that the counterpart is the owner of the certificate. The second step is key negotiation: on the basis of the first step, the two devices use a key negotiation algorithm to negotiate a session key. In the third step, the two devices encrypt the transmitted data with the session key determined in the second step and send the encrypted data to each other.
At present, the second step generally uses the DH exchange algorithm as the key negotiation algorithm. While the session key is being determined with this algorithm, the two devices no longer authenticate each other and exchange public keys directly, so they are vulnerable to a man-in-the-middle attack during this process: an attacker establishes an independent connection with each of the two parties, and all messages between them are forwarded by the attacker. Neither party knows that the messages it sent to the peer device were intercepted by the attacker, or that the messages it received from the peer device were forwarded by the attacker. The attacker can tamper with the intercepted messages before forwarding them to the corresponding device, which seriously affects the security of the interaction between the two parties.
In order to solve the above problems, the present application provides a data processing method, apparatus, device, and medium. The method comprises the following steps: acquiring a first encrypted message sent by a second device, wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm; decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message; and, if the first verification information passes, determining that the first public key is legal. When the first public key is exchanged, the second device sends it to the first device in the first encrypted message, and the first encrypted message is obtained by encrypting the first public key together with the first verification information using the preset first encryption algorithm. Only a compliant device can therefore decrypt the first encrypted message and obtain the first public key it carries, which ensures the security of the first public key in transit. After the first device obtains the first verification information from the first encrypted message, it can verify that information; when the first verification information passes, the first public key is determined to be legal. This avoids the man-in-the-middle attack problem and ensures that the first public key was sent by a compliant device, further ensuring the security and legality of the acquired first public key.
After the design concept of the embodiment of the present application is introduced, some simple descriptions are made below for application scenarios applicable to the technical solution of the embodiment of the present application, and it should be noted that the application scenarios described below are only used to illustrate the embodiment of the present application and are not limiting. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Take the first device as a server and the second device as a terminal device that can acquire video data from the first device. If the terminal device wants to acquire video data from the server, certificate authentication between the terminal device and the server must pass first; the second device then determines a key pair, comprising a public key and a private key, according to the acquired public parameters. The second device also determines verification information and encrypts the public key and the verification information with a preset encryption algorithm to obtain an encrypted message. The second device sends the encrypted message to the server so that the session key can be determined with the server. After receiving the encrypted message from the terminal device, the server decrypts it with the decryption algorithm corresponding to the encryption algorithm, obtaining the public key and the verification information carried in the encrypted message. By verifying the verification information, the server determines whether the public key is legal, and when the public key is determined to be legal it determines the session key based on the public key.
In order to improve the security of data interaction, the embodiment of the application provides a data processing method, a device, equipment and a medium.
Fig. 1 is a schematic diagram of a data processing procedure according to some embodiments of the present application, where the procedure includes:
S101: acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm.
The data processing method provided by the embodiment of the application is applied to an electronic device (denoted as the first device). The first device may be a smart device such as a mobile terminal, a smart TV or a smart air conditioner, or a server such as an intelligent brain or an application server.
Wherein the device that interacts with the first device is a second device. For example, the first device is a server, the second device is a terminal device, or the first device is a terminal device, the second device is a server, or the like.
In this application, the first encryption algorithm is an encryption algorithm used by the second device. The first encryption algorithm may be any one of encryption algorithms such as Hash-operation message authentication code (Hash-based Message Authentication Code, HMAC), RSA encryption algorithm, national encryption algorithm (e.g., SM2 encryption algorithm), etc., and in a specific implementation process, the first encryption algorithm may be flexibly determined according to actual requirements, which is not limited herein.
In one possible scenario, when the first device determines a session key with the second device, the second device needs to send a self-determined public key (denoted as a first public key) to the first device, and in order to ensure security of the first public key, a preset first encryption algorithm may be used to encrypt the first public key, so as to obtain an encrypted message (denoted as a first encrypted message). The second device sends the first public key to the first device by sending the first encrypted message to the first device, so that the security of the first public key is ensured. After receiving the first encrypted message sent by the second device, the first device can process the first encrypted message to obtain the first public key, and determine a session key according to the first public key, so as to facilitate the subsequent encryption of data to be transmitted by the first device according to the session key, and ensure the security of the data transmitted by the first device to the second device.
Similarly, the first device also needs to send the self-determined public key (denoted as a second public key) to the second device, and in order to ensure the security of the second public key, a preset second encryption algorithm may be used to encrypt the second public key to obtain an encrypted message (denoted as a second encrypted message). The first device sends the second public key to the second device by sending the second encrypted message to the second device, so that the security of the second public key is ensured. After receiving the second encrypted message sent by the first device, the second device may also process the second encrypted message to obtain the second public key, and determine the session key according to the second public key, so as to facilitate the subsequent encryption of the data to be transmitted by the second device according to the session key, and ensure the security of the data transmitted by the second device to the first device.
The second encryption algorithm may be the same as or different from the first encryption algorithm.
S102: and decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message.
In the application, the first device stores a decryption algorithm (denoted as a first decryption algorithm) corresponding to the first encryption algorithm, so that the first decryption algorithm can decrypt the first encrypted message sent by the second device, and obtain content data carried in the first encrypted message.
If, while the session key is being determined, the two devices no longer authenticate each other and exchange public keys directly, the likelihood of a man-in-the-middle attack increases and the security of the interaction between the two parties is seriously affected. Therefore, in the embodiment of the present application, the first encrypted message also carries verification information (denoted as first verification information), so that the first device can determine from it whether the device that sent the first encrypted message is a compliant device. Specifically, the second device determines the first public key and its own first verification information, encrypts both with the preset first encryption algorithm to obtain the first encrypted message, and sends the first encrypted message to the first device. After receiving the first encrypted message, the first device decrypts it with the first decryption algorithm corresponding to the first encryption algorithm to obtain the first public key and the first verification information it carries. The first device can then verify the first verification information to determine whether the second device is a compliant device, and hence whether the first public key may be used to determine a session key, that is, whether the first public key is legal.
The first verification information includes one or more of: device information, a timestamp, and a sequence number of the first encrypted message.
Similarly, the first device may determine the second public key and determine its own authentication information (denoted as second authentication information), then encrypt the second public key and the second authentication information by using a preset second encryption algorithm, obtain a second encrypted message, and send the second encrypted message to the second device. After receiving the second encrypted message, the second device may decrypt the second encrypted message by using a decryption algorithm (denoted as a second decryption algorithm) corresponding to the second encryption algorithm, to obtain a second public key and second verification information carried in the second encrypted message. The second device may then verify the second verification information to determine whether the first device is a compliant device, and further determine whether the second public key may be used to determine a session key, i.e., whether the second public key is legitimate.
Taking the first device as a server and the second device as a terminal device as an example, the terminal device can determine the first authentication information of the terminal device while determining the first public key, then encrypt the first public key and the first authentication information through the first SM2 private key to obtain a first encrypted message, and send the first encrypted message to the server. After receiving the first encrypted message, the server may decrypt the first encrypted message by using the SM2 public key corresponding to the first SM2 private key, to obtain the first public key and the first verification information carried in the first encrypted message. The subsequent server may verify the first verification information, thereby determining whether the terminal device is a compliant device, and further determining whether the first public key may be used to determine a session key, i.e. determining whether the first public key is legal.
In one possible implementation, the first device may obtain the public parameters. The public parameters may be acquired by the device itself or sent by other devices. Based on the public parameters, the first device may determine a private key (denoted as a second private key), and then determine a second public key from the public parameters and the second private key using a preset public key generation algorithm.
For example, the public parameters include a prime number p and an integer a, where a is a primitive root of p. The first device randomly selects a value $X_A$ smaller than p and takes $X_A$ as its own second private key. It then determines the second public key from the public parameters and the second private key using the preset public key generation algorithm.
In one example, the preset public key generation algorithm may be expressed as follows:
Figure BDA0003450988720000081
where $Y_A$ represents the second public key, $X_A$ represents the second private key determined by the first device, and a and p are the public parameters.
Likewise, the second device may obtain the public parameters. The public parameters may be acquired by the device itself or sent by other devices. Based on the public parameters, the second device may determine a private key (denoted as a first private key), and then determine a first public key from the public parameters and the first private key using a preset public key generation algorithm.
For example, the public parameters include a prime number p and an integer a, where a is a primitive root of p. The second device randomly selects a value $X_B$ smaller than p and takes $X_B$ as its own first private key. It then determines the first public key from the public parameters and the first private key using the preset public key generation algorithm.
In one example, the preset public key generation algorithm may be expressed as follows:
Figure BDA0003450988720000082
where $Y_B$ represents the first public key, $X_B$ represents the first private key determined by the second device, and a and p are the public parameters.
S103: and if the first verification information passes, determining that the first public key is legal.
After the first verification information is obtained based on the above embodiment, the first device may verify the obtained first verification information to determine whether the second device is a compliant device, and further determine whether the first public key is legal, so as to ensure the security of the session key that is determined according to the first public key.
In one example, verifying the obtained first verification information includes the following:
In the first case, only the device information is included in the first authentication information.
In one example, a situation may occur in which a third party device impersonates a second device interacting with a first device. Therefore, in the present application, at least one piece of compliance device information is stored in the first device, so as to determine whether the second device is a compliance device according to the compliance device information. After the device information carried in the first verification information is obtained based on the above embodiment, the device information may be matched with each piece of pre-stored compliance device information, to determine whether there is the compliance device information matched with the device information. If the matching compliance device information is determined, the second device may be determined to be a compliance device.
The device information may include a device type (e.g., refrigerator, television, mobile phone, etc.), and/or device identification information.
An illegitimate device may also interact with the first device using legitimate verification information that has expired. Therefore, in the embodiment of the present application, the first device stores the validity period corresponding to the second device. The validity period may be determined according to the time at which the first device and the second device last started determining the session key, for example the time at which the public parameters were acquired. It may be set manually based on that time, or determined from that time and a preset duration. After the timestamp carried in the first verification information is obtained based on the above embodiment, the first device obtains the validity period corresponding to the second device and judges whether the timestamp is within it. If the timestamp is within the validity period corresponding to the second device, it may be determined that the first encrypted message has not expired.
In actual use, an illegitimate device may repeatedly use the same first encrypted message to interact with the first device. Therefore, in the embodiment of the present application, the first device stores the sequence number (denoted as a reference sequence number) of the first encrypted message of each interaction. After the sequence number carried in the first verification information is obtained based on the above embodiment, it is matched against each pre-stored reference sequence number. If the sequence number matches none of the pre-stored reference sequence numbers, it can be determined that the first encrypted message has not been reused.
For example, if the first verification information includes the device information, the timestamp, and the sequence number, determining that the first verification information passes includes:
determining that the device information matches any one piece of the pre-stored compliance device information;
determining that the timestamp is within the validity period corresponding to the second device;
and determining that the sequence number matches none of the pre-stored reference sequence numbers.
In one possible implementation, if the first verification information includes a sequence number, the sequence number may be added to the stored reference sequence numbers after the first verification information is determined to pass.
When the first device determines that the first verification information passes based on the above embodiment, it may determine that the first public key carried in the first encrypted message is legal, and then the first public key may be processed to determine the session key.
In one example, the first device may determine a public key according to the first public key, a second private key determined by the first device, and a preset session key generation algorithm, and directly determine the public key as the session key.
For example, according to the first public key, the second private key determined by the first device, and a preset session key generation algorithm, the session key may be determined by the following formula:
Figure BDA0003450988720000101
where Y_B represents the first public key, X_A represents the second private key determined by the first device, and p is a public parameter.
In another example, the public key may be determined based on the first public key, the second private key determined by the first device, and a preset session key generation algorithm. An encrypted hash value is then determined from the public key using a preset hash encryption algorithm (e.g., the SM3 hash algorithm). The public key and the encrypted hash value are spliced (concatenated) to obtain a spliced key, and the session key is determined from the spliced key.
The first device may directly use the spliced key as the session key, or may shift at least one character in the spliced key and use the shifted key as the session key. Illustratively, each character in the spliced key is shifted by a preset displacement amount through an exclusive-or shift operation.
It should be noted that the process by which the second device verifies the second verification information is the same as the process by which the first device verifies the first verification information, and the details are not repeated here.
When the second device determines that the second verification information passes based on the above embodiment, it may determine that the second public key carried in the second encrypted message is legal, and then the second public key may be processed to determine the session key.
In one example, the public key may be determined according to the second public key, the first private key determined by the second device, and a preset session key generation algorithm, and the public key may be directly determined as the session key.
For example, according to the second public key, the first private key determined by the second device, and a preset session key generation algorithm, the session key may be determined by the following formula:
Figure BDA0003450988720000111
where Y_A represents the second public key, X_B represents the first private key determined by the second device, and p is a public parameter.
In another example, the public key may be determined based on the second public key, the first private key determined by the second device, and a preset session key generation algorithm. An encrypted hash value is then determined from the public key using a preset hash encryption algorithm (e.g., the SM3 hash algorithm). The public key and the encrypted hash value are spliced (concatenated) to obtain a spliced key, and the session key is determined from the spliced key.
The second device may directly use the spliced key as the session key, or may shift at least one character in the spliced key and use the shifted key as the session key. Illustratively, each character in the spliced key is shifted by a preset displacement amount through an exclusive-or shift operation.
It should be noted that, with the above method, the session keys determined by the first device and the second device are the same, which allows the first device and the second device to subsequently encrypt the data to be transmitted based on the session key.
S104: if the first verification information does not pass, disconnecting the communication connection with the second device.
After the first device acquires the first verification information, it verifies the first verification information. If the first verification information does not pass, the first public key is determined not to be legal, and the communication connection with the second device is disconnected, so that the information is not stolen by the second device and information security is ensured.
In one example, determining that the first verification information does not pass includes the following cases:
Case 1: if the first verification information includes the device information and the device information matches none of the pre-stored compliant device information, the second device is not a legal device, and it is determined that the first verification information does not pass.
Case 2: if the first verification information includes a timestamp and the timestamp is not within the validity period corresponding to the second device, the first verification information has expired, and it is determined that the first verification information does not pass.
Case 3: if the first verification information includes a sequence number and the sequence number matches any pre-stored reference sequence number, the first encrypted message may have been sent repeatedly, and it is determined that the first verification information does not pass.
In the process of exchanging public keys, the second device sends the first public key to the first device in the first encrypted message, and the first encrypted message is obtained by encrypting the first public key and the first verification information with the preset first encryption algorithm. Therefore only a compliant device can decrypt the first encrypted message to obtain the first public key it carries, which ensures the security of the first public key during transmission. After the first device obtains the first verification information from the first encrypted message, it verifies the first verification information and, when the first verification information passes, determines that the first public key is legal. This avoids the problem of man-in-the-middle attacks and ensures that the first public key was sent by a compliant device, thereby further ensuring the security and legality of the obtained first public key.
Example 2:
The data processing method provided in the present application is described in detail below by means of a specific embodiment. Fig. 2 is a schematic diagram of a specific data processing flow provided in some embodiments of the present application. The flow includes three parts: bidirectional authentication, key negotiation, and encrypted communication. Each part is described below:
Part 1: bidirectional authentication.
S201: the second device sends registration information to the first device.
S202: after receiving the registration information, the first device sends a welcome message to the second device, and sends a notification message carrying the identity information of the first device and the encryption algorithm supported by the first device to the second device.
S203: the second device sends reply information to the first device. The reply information specifies that the communication mode adopted with the first device is https, that the signature algorithm adopted by the second device is the SM2 encryption algorithm, that the key negotiation algorithm adopted by the second device is the DH exchange algorithm, and that the communication encryption algorithm adopted by the second device is the SM4 encryption algorithm.
S204: the first device sends to the second device a certificate issued by the CA for the first device.
Wherein the certificate carries the SM2 signature of the first device.
S205: the second device verifies the certificate transmitted by the first device through the pre-stored CA public key, disconnects the communication with the first device if the certificate verification is not passed, and performs S206 if the certificate verification is passed.
S206: the second device sends to the first device a certificate issued by the CA for the second device.
S207: the first device verifies the certificate transmitted by the second device, disconnects the communication with the second device if the certificate verification is not passed, and performs S208 if the certificate verification is passed.
S208: the first device sends a randomly generated string to the second device.
S209: after the second device receives the character string, the second device signs the character string with the SM2 private key of the second device, and sends the message and the signature to the first device.
S210: the first device verifies the signature sent by the second device through the SM2 public key carried in the certificate of the second device, if the signature verification is not passed, the first device disconnects the communication with the second device, and if the signature verification is passed, S211 is executed.
Part 2: key agreement.
S211: the first device determines a second encrypted message and sends the second encrypted message to the second device.
The process of the first device determining the second encrypted message comprises: determining a second public key and second verification information, and encrypting the second public key and the second verification information based on a preset second encryption algorithm to obtain the second encrypted message.
In one example, the process of the first device determining the second public key includes: the first device determines a second private key based on the obtained public parameters; and determining a second public key based on the public parameter and the second private key through a preset public key generation algorithm.
Fig. 3 is a schematic diagram of a specific process for determining a public key according to some embodiments of the present application. As shown in Fig. 3, the first device obtains a public parameter, which includes a prime number p and an integer a, where a is a primitive root of p. The first device randomly selects a value X_A smaller than p and takes X_A as its own second private key. The first device substitutes the public parameters a and p and the second private key X_A into the public key generation algorithm
Figure BDA0003450988720000141
to determine the second public key Y_A.
The first device sends the public parameter to the second device before sending the second encrypted message to the second device.
S212: after receiving the second encrypted message, the second device decrypts the second encrypted message according to a second decryption algorithm corresponding to the second encryption algorithm, obtains a second public key and second verification information carried in the second encrypted message, determines whether the second verification information passes verification, if so, executes S213, otherwise, disconnects communication with the first device.
S213: the second device determines a first encrypted message and sends the first encrypted message to the first device.
It should be noted that, the manner of determining the first encrypted message by the second device is similar to the manner of determining the second encrypted message by the first device, and detailed description thereof is omitted herein.
As shown in Fig. 3, the second device acquires a public parameter, which includes a prime number p and an integer a, where a is a primitive root of p. The second device randomly selects a value X_B smaller than p and takes X_B as its own first private key. The second device substitutes the public parameters a and p and the first private key X_B into the public key generation algorithm
Figure BDA0003450988720000142
to determine the first public key Y_B.
S214: after the first device receives the first encrypted message, decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm, obtaining a first public key and first verification information carried in the first encrypted message, determining whether the first verification information passes verification, if so, executing S215, otherwise, disconnecting communication with the second device.
S215: the first device and the second device determine a session key.
The process of determining the session key by the first device comprises: determining a public key according to the first public key, the second private key determined by the first device, and a preset session key generation algorithm; determining an encrypted hash value from the public key using a preset hash encryption algorithm (e.g., the SM3 hash algorithm); splicing (concatenating) the public key and the encrypted hash value to obtain a spliced key; and determining the session key from the spliced key.
It should be noted that, the process of determining the session key by the second device is similar to the process of determining the session key by the first device, which is not described herein.
As shown in Fig. 3, the first device substitutes the first public key Y_B and the second private key X_A determined by the first device into the session key generation algorithm
Figure BDA0003450988720000151
to obtain the public key K. The second device substitutes the second public key Y_A and the first private key X_B determined by the second device into the session key generation algorithm
Figure BDA0003450988720000152
Figure BDA0003450988720000153
to obtain the public key K.
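The key agreement of S211 to S215 as an added example, not code from the patent. The formulas on this page survive only as figure placeholders, so the example assumes the textbook Diffie-Hellman forms Y = a^X mod p and K = Y_peer^X_own mod p, which match the DH exchange algorithm named in S203; the function names, the toy parameters and the range check on the received public key are additions for illustration, and SHA-256 stands in for SM3 where the local OpenSSL does not provide it.

```python
"""Added example: DH agreement and the spliced key described above."""
import hashlib
import secrets

# Constructed toy public parameters: 1019 is a small safe prime and 2 is a
# primitive root of it. Far too small for real use; a deployment would use
# a group of at least 2048 bits.
P = 1019
A = 2


def digest(data: bytes) -> bytes:
    """SM3 if the local OpenSSL exposes it, otherwise SHA-256 as a stand-in."""
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def public_key_in_range(y: int, p: int) -> bool:
    # Added hardening, not stated on the page: 0, 1 and p-1 would force the
    # shared value into a set of at most two values.
    return 1 < y < p - 1


def generate_key_pair(a: int, p: int):
    """Pick a private X smaller than p and compute Y = a^X mod p."""
    while True:
        x = secrets.randbelow(p - 3) + 2      # 2 <= x <= p - 2
        y = pow(a, x, p)
        if public_key_in_range(y, p):
            return x, y


def shared_value(peer_public: int, own_private: int, p: int) -> int:
    """K = Y_peer^X_own mod p, after validating the received public key."""
    if not public_key_in_range(peer_public, p):
        raise ValueError("peer public key out of range")
    return pow(peer_public, own_private, p)


def spliced_key(k: int, p: int) -> bytes:
    """Concatenate K (fixed width, big-endian) with the hash of K."""
    k_bytes = k.to_bytes((p.bit_length() + 7) // 8, "big")
    return k_bytes + digest(k_bytes)


def negotiate(a: int = A, p: int = P):
    """Run both sides and return (first device's key, second device's key)."""
    x_a, y_a = generate_key_pair(a, p)        # first device: X_A, Y_A
    x_b, y_b = generate_key_pair(a, p)        # second device: X_B, Y_B
    k_first = shared_value(y_b, x_a, p)       # first device uses Y_B and X_A
    k_second = shared_value(y_a, x_b, p)      # second device uses Y_A and X_B
    return spliced_key(k_first, p), spliced_key(k_second, p)


if __name__ == "__main__":
    first, second = negotiate()
    print("keys match:", first == second, "length:", len(first))
```

The spliced key is longer than the 128-bit key SM4 takes, so a deployment still has to fix how it is reduced to 16 bytes, which the page leaves open.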
Part 3: encrypted communication.
S216: SM4 encrypted communication is performed between the first device and the second device based on the determined session key.
Example 3:
The embodiment of the application further provides a data processing device. Fig. 4 is a schematic structural diagram of a data processing device provided in some embodiments of the application. The device includes:
a receiving unit 41, configured to obtain a first encrypted message sent by the second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
a decryption unit 42, configured to decrypt the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm, to obtain a first public key and first verification information carried in the first encrypted message;
a verification unit 43, configured to determine that the first public key is legal if the first verification information passes.
In some possible embodiments, the apparatus further comprises: an encryption unit and a sending unit;
the encryption unit is used for determining a second public key and second verification information; encrypting the second public key and the second verification information based on a preset second encryption algorithm to obtain a second encrypted message;
the sending unit is configured to send the second encrypted message to the second device, so that the second device obtains the second public key and the second verification information carried in the second encrypted message based on a second decryption algorithm corresponding to the second encryption algorithm, and determines whether the second public key is legal according to whether the second verification information passes verification.
In some possible embodiments, the apparatus further comprises: a generating unit;
the generating unit is used for determining a public key based on the private key and the first public key; determining an encryption hash value according to a preset hash encryption algorithm and the public key; splicing the public key and the encrypted hash value; and determining a session key according to the spliced key.
In some possible embodiments, the verification unit 43 is specifically configured to, if the first verification information includes the device information, the timestamp, and the sequence number, determine that the device information matches any one of the pre-stored compliant device information; determine that the timestamp is within the validity period corresponding to the second device; and determine that the sequence number matches none of the pre-stored reference sequence numbers.
In some possible embodiments, the verification unit 43 is further configured to disconnect the communication connection with the second device if the first verification information does not pass.
Example 4:
On the basis of the foregoing embodiments, an electronic device is further provided in the embodiments of the present application. Fig. 5 is a schematic structural diagram of an electronic device provided in some embodiments of the present application. As shown in Fig. 5, the electronic device includes a processor 51, a communication interface 52, a memory 53 and a communication bus 54, wherein the processor 51, the communication interface 52 and the memory 53 communicate with each other through the communication bus 54;
the memory 53 stores a computer program which, when executed by the processor 51, causes the processor 51 to perform the steps of:
acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and if the first verification information passes, determining that the first public key is legal.
Since the principle by which the electronic device solves the problem is similar to that of the data processing method, the implementation of the electronic device may refer to the method embodiment, and repeated details are omitted.
The communication bus mentioned above for the electronic device may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, only one bold line is shown in the figure, but this does not mean that there is only one bus or one type of bus.
The communication interface 52 is used for communication between the above-described electronic device and other devices.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
Example 5:
On the basis of the above embodiments, the embodiments of the present application further provide a computer readable storage medium storing a computer program executable by a processor, which, when run on the processor, causes the processor to perform the steps of:
acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and if the first verification information passes, determining that the first public key is legal.
Since the principle of the above-mentioned computer readable storage medium for solving the problem is similar to that of the data processing method, the implementation of the above-mentioned computer readable storage medium may refer to the embodiment of the method, and the repetition is omitted.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method of data processing, the method being applied to a first device, the method comprising:
acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and if the first verification information passes, determining that the first public key is legal.
2. The method according to claim 1, wherein the method further comprises:
determining a second public key and second verification information;
encrypting the second public key and the second verification information based on a preset second encryption algorithm to obtain a second encrypted message;
and sending the second encrypted message to the second device, so that the second device obtains the second public key and the second verification information carried in the second encrypted message based on a second decryption algorithm corresponding to the second encryption algorithm, and determines whether the second public key is legal according to whether the second verification information passes verification.
3. The method according to claim 1, wherein the method further comprises:
determining a public key based on the private key and the first public key;
determining an encryption hash value according to a preset hash encryption algorithm and the public key;
splicing the public key and the encrypted hash value;
and determining a session key according to the spliced key.
4. A method according to any of claims 1-3, wherein the first verification information comprises one or more of the following: device information, a timestamp, and a sequence number of the first encrypted message.
5. The method of claim 4, wherein if the first verification information includes the device information, the timestamp, and the sequence number, determining that the first verification information passes comprises:
determining that the device information matches any one of the pre-stored compliant device information;
determining that the timestamp is within the validity period corresponding to the second device;
and determining that the sequence number matches none of the pre-stored reference sequence numbers.
6. The method according to claim 1, wherein the method further comprises:
and if the first verification information does not pass, disconnecting the communication connection with the second device.
7. A data processing apparatus, the apparatus being applied to a first device, the apparatus comprising:
the receiving unit is used for acquiring a first encrypted message sent by a second device; wherein the first encrypted message is determined by the second device based on a preset first encryption algorithm;
the decryption unit is used for decrypting the first encrypted message according to a first decryption algorithm corresponding to the first encryption algorithm to obtain a first public key and first verification information carried in the first encrypted message;
and the verification unit is used for determining that the first public key is legal if the first verification information passes.
8. The apparatus of claim 7, wherein the apparatus further comprises: an encryption unit and a sending unit;
the encryption unit is used for determining a second public key and second verification information; encrypting the second public key and the second verification information based on a preset second encryption algorithm to obtain a second encrypted message;
the sending unit is configured to send the second encrypted message to the second device, so that the second device obtains the second public key and the second verification information carried in the second encrypted message based on a second decryption algorithm corresponding to the second encryption algorithm, and determines whether the second public key is legal according to whether the second verification information passes verification.
9. The apparatus of claim 7, wherein the apparatus further comprises: a generating unit;
the generating unit is used for determining a public key based on the private key and the first public key; determining an encryption hash value according to a preset hash encryption algorithm and the public key; splicing the public key and the encrypted hash value; and determining a session key according to the spliced key.
10. The apparatus according to claim 7, wherein the verification unit is specifically configured to, if the first verification information includes the device information, the timestamp, and the sequence number, determine that the device information matches any one of the pre-stored compliant device information; determine that the timestamp is within the validity period corresponding to the second device; and determine that the sequence number matches none of the pre-stored reference sequence numbers.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111663749.0A CN116415268A (en) 2021-12-31 2021-12-31 Data processing method, device, equipment and medium
Publications (1)

Publication Number Publication Date
CN116415268A true CN116415268A (en) 2023-07-11

Family

ID=87058321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111663749.0A Pending CN116415268A (en) 2021-12-31 2021-12-31 Data processing method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116415268A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination