CN116599755A - Secure communication and authentication method and device based on Soc chip - Google Patents
- Publication number: CN116599755A
- Application number: CN202310683134.7A
- Authority: CN (China)
- Prior art keywords: service data, SoC chip, server, authentication, encryption
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    - Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
      - Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
        - Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a secure communication and authentication method and device based on a SoC chip. The method comprises the following steps: S1, a SoC chip receives service data and encrypts it; S2, the SoC chip transmits the encrypted service data to a disguised server through a private communication channel; S3, the disguised server decrypts, authenticates and authorizes the encrypted service data and, once these checks have passed, sends the decrypted service data to the real target server; S4, the real target server processes the decrypted service data and returns the result to the disguised server; S5, the disguised server encrypts the returned service data and sends it to the SoC chip through the private communication channel; S6, the SoC chip decrypts the service data encrypted in step S5 and sends it to the client. The security of the communication data and the convenience of communication are both improved.
Description
Technical Field
The invention relates to the field of communication data encryption, in particular to a secure communication and authentication method and device based on a SoC chip.
Background
In modern communication networks, security is a very important issue. Information transmitted during communication can be intercepted or tampered with, and traditional encryption mechanisms and identity authentication methods have defects. One example is the trusted user identification method and system based on a unified gateway of application number CN202111527072.8. Its main structure and principle are: a unified security module performs the network interaction; after the application server is placed under network protection, the App is checked and the application to be modified is placed; illegal user operations are prevented through user behaviour identification; and a private protocol is used for service interaction with the unified gateway, which prevents network packet capture. Its problems and disadvantages include: the user still needs to memorize and enter a user name and password; communication data can still be obtained by a man-in-the-middle; the intermediate encryption scheme can be cracked by decompilation; and the real server cannot be hidden, so it can still be accessed or attacked directly.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a secure communication and authentication method and device based on a SoC chip.
In order to achieve the above object, the present invention provides the following technical solutions:
A secure communication and authentication method based on a SoC chip includes the following steps:
S1, a SoC chip receives service data from a client and encrypts it through a dynamic double encryption generation mechanism;
S2, the SoC chip transmits the encrypted service data to a disguised server through a private communication channel;
S3, the disguised server decrypts, authenticates and authorizes the received encrypted service data and, after these steps have been completed, sends the decrypted service data to the real target server;
S4, the real target server processes the received decrypted service data and returns the service data to the disguised server;
S5, the disguised server encrypts the service data processed by the real target server through the dynamic double encryption mechanism and sends it to the SoC chip through the private communication channel;
S6, the SoC chip decrypts the service data encrypted in step S5 and sends it to the client.
Preferably, in step S1, the dynamic double encryption mechanism is as follows: the disguised server generates a key according to a request from the SoC chip, asymmetrically encrypts the generated key and issues it to an encryption authentication module embedded in the SoC chip, and the service data is then encrypted using different algorithms.
Preferably, the encryption authentication module encrypts the service data using the key that was issued in asymmetrically encrypted form.
Preferably, the key generated by the disguised server according to the request of the SoC chip is dynamic: one key is generated for each communication, and it differs from every key generated before.
Preferably, the different algorithms used to encrypt the service data are the RSA asymmetric encryption algorithm and the TDEA encryption algorithm.
Preferably, in step S2, the private communication channel is created inside the SoC chip.
Preferably, in step S3, the decryption operation removes the outer layer with the private key of the RSA asymmetric encryption algorithm to obtain the inner ciphertext, and then decrypts that ciphertext again with the key generated for the TDEA encryption algorithm.
A secure communication and authentication device based on a SoC chip comprises a client, the SoC chip, a disguised server and a real target server. The client is in communication connection with the SoC chip, the SoC chip with the disguised server, and the disguised server with the client and the real target server.
Preferably, the encryption authentication module is embedded in the SoC chip, a private communication channel is created in the SoC chip, and communication among the client, the SoC chip, the disguised server and the real target server takes place only in that private communication channel.
Preferably, the real target server is placed in a trusted computing environment.
Compared with the prior art, the invention has the following beneficial effects:
1. All service data is transmitted through the private communication channel, so the service data cannot be cracked by decompilation or obtained by a man-in-the-middle, and the real target server is hidden behind the private communication channel; the security of the real target server and of the service data in transit is thereby ensured;
2. The service data is encrypted with a dynamic double encryption mechanism: the corresponding key is generated dynamically for each communication and differs from every key generated before, which strengthens the security of the communication data;
3. The encryption authentication module embedded in the SoC chip authenticates the key, so communication between the client and the real target server is established without the client needing to memorize and enter a user name and password, which improves convenience.
Drawings
FIG. 1 is a data flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to test examples and specific embodiments. It should not be construed that the scope of the above subject matter of the present invention is limited to the following embodiments, and all techniques realized based on the present invention are within the scope of the present invention.
Examples
As shown in FIG. 1, a secure communication and authentication method based on a SoC chip includes the following steps:
S1, a SoC chip receives service data from a client and encrypts it through a dynamic double encryption generation mechanism;
S2, the SoC chip transmits the encrypted service data to a disguised server through a private communication channel;
S3, the disguised server decrypts, authenticates and authorizes the received encrypted service data and, after these steps have been completed, sends the decrypted service data to the real target server;
S4, the real target server processes the received decrypted service data and returns the service data to the disguised server;
S5, the disguised server encrypts the service data processed by the real target server through the dynamic double encryption mechanism and sends it to the SoC chip through the private communication channel;
S6, the SoC chip decrypts the service data encrypted in step S5 and sends it to the client.
In step S1, the client's service data is sent to the SoC chip through a serial port. The disguised server generates a key according to a request from the SoC chip, asymmetrically encrypts the generated key and sends it to the encryption authentication module embedded in the SoC chip. The encryption authentication module then encrypts the service data with different algorithms: the first encryption uses the TDEA encryption algorithm and the second uses the RSA asymmetric encryption algorithm. During each communication the SoC chip dynamically requests a key from the disguised server; the encryption authentication module decrypts the key issued by the disguised server using the encryption key implanted in the SoC chip when the chip was issued, which yields the correct secondary key, namely the key of the TDEA encryption algorithm. The service data is encrypted a first time with this key, and a second time with the key of the asymmetric encryption algorithm.
In step S2, a private communication channel is created in the SoC chip. The channel forcibly takes over all of the application's communication in order to resist DNS pollution and to hide the real target server. The private communication channel differs from the original channel from the client to the real server: it is three-party, namely client, disguised server and real target server, and through the unique channel from the disguised server to the real server and a mutual trust mechanism, the client can exchange data with the target server only through the disguised server. To ensure that communication data is transmitted only within the private communication channel, a mutual trust mechanism that cannot be perceived from outside is set up between the disguised server and the real target server, and the link between the disguised server and the client is secured by the SoC: a unique certificate is placed in the SoC when it is issued internally, and because of the particular nature of the SoC this certificate cannot be obtained by decompilation. The security of the certificate guarantees the security of the data and prevents it from being stolen or tampered with by an intermediary. The certificate is in fact the public key corresponding to the initial key.
In step S3, the specific processes of decryption, authentication and authorization are as follows. The decryption operation removes the outer layer with the private key of the RSA asymmetric encryption algorithm to obtain the inner ciphertext, and then decrypts that ciphertext again with the dynamically generated key of the TDEA encryption algorithm. Once the service data has been decrypted, the client's identity authentication has also passed: an encryption key is implanted in the chip when the SoC chip is issued and that key also represents the client's identity, so completing the decryption of the service data shows that the implanted encryption key was used and thereby authenticates the client. Authorization follows authentication: the interface in the SoC chip is matched against the authentication interface previously defined in the real target server. If this match is not completed, authorization fails, the client has no operation authority, the decrypted service data is not forwarded to the real target server, and the disguised server returns the service data directly to the client. The disguised server likewise returns the service data directly to the client when decryption fails.
The encryption process in step S5 is the same as in step S1. In step S6, after receiving the data processed by the real target server, the client stores the data and waits for further processing.
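The double-encryption exchange of steps S1 and S3, as an added example that is not part of the patent: the disguised server issues a fresh TDEA key under RSA-OAEP, the chip recovers it with its implanted key and encrypts the service data first with TDEA and then with the server's RSA public key, and the server strips both layers. Modelling the implanted key as an RSA key pair whose public half is the chip certificate, and running TDEA in CBC mode with PKCS#7 padding, are assumptions of this example that the page does not specify.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Chip models the SoC's encryption authentication module; its RSA key pair stands in
// for the key implanted at issuance (assumed), and the public half is the "certificate".
type Chip struct{ Implanted *rsa.PrivateKey }

// Server models the disguised server: chip certificate, own RSA key pair, issued TDEA key.
type Server struct {
	Priv     *rsa.PrivateKey
	ChipCert *rsa.PublicKey
	session  cipher.Block // nil until IssueKey has run for this communication
}

func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only if the system RNG is unusable
	}
	return k
}

// IssueKey is the server's part of step S1: a fresh 24-byte TDEA key for this
// communication, sent under RSA-OAEP so that only the implanted key can recover it.
func (s *Server) IssueKey() ([]byte, error) {
	key := make([]byte, 24)
	rand.Read(key)                             // crypto/rand never fails in modern Go
	s.session, _ = des.NewTripleDESCipher(key) // a 24-byte key is always accepted
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.ChipCert, key, nil)
}

// tdeaEncrypt: TDEA in CBC mode with PKCS#7 padding, random IV prefixed to the output.
func tdeaEncrypt(block cipher.Block, plain []byte) []byte {
	pad := des.BlockSize - len(plain)%des.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(padded))
	rand.Read(out[:des.BlockSize])
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out
}

func tdeaDecrypt(block cipher.Block, ct []byte) ([]byte, error) {
	if len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("bad TDEA ciphertext length")
	}
	plain := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:des.BlockSize]).CryptBlocks(plain, ct[des.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong TDEA key or tampered data")
	}
	return plain[:len(plain)-pad], nil
}

// DoubleEncrypt is the chip side of step S1: recover the TDEA key with the implanted
// key, encrypt the service data with TDEA first, then with the server's RSA key.
// RSA-OAEP carries fewer bytes than the modulus, so the service data must stay short.
func (c *Chip) DoubleEncrypt(issued, data []byte, serverPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, c.Implanted, issued, nil)
	block, err2 := des.NewTripleDESCipher(key) // a nil key fails here, without a panic
	if err != nil || err2 != nil {
		return nil, errors.New("issued key cannot be recovered with the implanted key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, tdeaEncrypt(block, data), nil)
}

// Receive is step S3 on the disguised server: strip the RSA layer with its private key,
// then the TDEA layer with the key it issued. The page treats a successful decryption as
// the identity check; padding validity alone is a weak authenticator, so add a MAC/AEAD.
func (s *Server) Receive(msg []byte) ([]byte, error) {
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, msg, nil)
	if err != nil || s.session == nil {
		return nil, errors.New("RSA layer failed or no key issued for this communication")
	}
	return tdeaDecrypt(s.session, inner)
}
```

Because the server issues a new key for every communication, a message built under an earlier key no longer decrypts, and any byte flipped in transit is caught by the OAEP integrity check before the TDEA layer is touched.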
The method is intended only for a secure communication and authentication system based on the SoC chip, because the SoC is issued to a user after offline preprocessing and is bound one-to-one with that user. A secure confidentiality mechanism is achieved through the invisibility of the SoC: the encryption process, the associated key, the encryption algorithm and the private communication channel that uses the encryption module are all encrypted, so they cannot be cracked by other means.
The secure communication and authentication device based on the SoC chip comprises a client, the SoC chip, a disguised server and a real target server. The client is in communication connection with the SoC chip, the SoC chip with the disguised server, and the disguised server with the client and the real target server. An encryption authentication module is embedded in the SoC chip and a private communication channel is created in it; communication among the client, the SoC chip, the disguised server and the real target server takes place only in this private communication channel. The real target server is placed in a trusted computing environment in which the client cannot directly establish a communication channel for access.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (10)
1. A secure communication and authentication method based on a SoC chip, characterized by comprising the following steps:
S1, a SoC chip receives service data from a client and encrypts it through a dynamic double encryption generation mechanism;
S2, the SoC chip transmits the encrypted service data to a disguised server through a private communication channel;
S3, the disguised server decrypts, authenticates and authorizes the received encrypted service data and, after these steps have been completed, sends the decrypted service data to the real target server;
S4, the real target server processes the received decrypted service data and returns the service data to the disguised server;
S5, the disguised server encrypts the service data processed by the real target server through the dynamic double encryption mechanism and sends it to the SoC chip through the private communication channel;
S6, the SoC chip decrypts the service data encrypted in step S5 and sends it to the client.
2. The method of claim 1, wherein in step S1 the dynamic double encryption mechanism is that the disguised server generates a key according to the request of the SoC chip, asymmetrically encrypts the generated key and issues it to the encryption authentication module embedded in the SoC chip, and the service data is encrypted using different algorithms.
3. The method for secure communication and authentication based on a SoC chip as claimed in claim 2, wherein the encryption authentication module encrypts the service data using the key that was issued in asymmetrically encrypted form.
4. The method for secure communication and authentication based on a SoC chip as claimed in claim 2, wherein the key generated by the disguised server according to the request of the SoC chip is dynamic, one key is generated for each communication, and the key differs from the previously generated key.
5. The method for secure communication and authentication based on a SoC chip as claimed in claim 2, wherein the different algorithms used to encrypt the service data are the RSA asymmetric encryption algorithm and the TDEA encryption algorithm.
6. The method of claim 1, wherein in step S2 the private communication channel is created inside the SoC chip.
7. The method of claim 5, wherein in step S3 the decryption operation removes the outer layer with the private key of the RSA asymmetric encryption algorithm to obtain the inner ciphertext, and then decrypts that ciphertext again with the key generated for the TDEA encryption algorithm.
8. A secure communication and authentication device based on a SoC chip according to any one of claims 1 to 7, comprising a client, a SoC chip, a disguised server and a real target server, wherein the client is in communication connection with the SoC chip, the SoC chip is in communication connection with the disguised server, and the disguised server is in communication connection with the client and the real target server.
9. The device of claim 8, wherein the encryption authentication module is embedded in the SoC chip, the private communication channel is created in the SoC chip, and communication among the client, the SoC chip, the disguised server and the real target server takes place only in the private communication channel.
10. The device of claim 9, wherein the real target server is located in a trusted computing environment.
Priority, Publication and Family Data
Application Number | Priority Date | Filing Date | Publication Number | Publication Date | Status | Title |
---|---|---|---|---|---|---|
CN202310683134.7A | 2023-06-09 | 2023-06-09 | CN116599755A (en) | 2023-08-15 | Pending | Secure communication and authentication method and device based on Soc chip |
Family ID: 87589929. Country status: CN (1), CN116599755A (en).
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060005237A1 (en) | 2003-01-30 | 2006-01-05 | Hiroshi Kobata | Securing computer network communication using a proxy server |
KR20090098542A (en) | 2008-03-14 | 2009-09-17 | 주식회사 엑스큐어넷 | Encryption data communication system using proxy and method for encryption data communication thereof |
CN102882856A (en) | 2012-09-10 | 2013-01-16 | 广东电网公司电力科学研究院 | Terminal password device based on system on chip (SoC) |
US20140344945A1 (en) | 2013-05-15 | 2014-11-20 | Broadcom Corporation | Thin-Client Embedded Secure Element |
US20200162247A1 (en) | 2018-11-15 | 2020-05-21 | Iot And M2M Technologies, Llc | Secure firmware transfer from a server to a primary platform |
Non-Patent Citations (1)
Title |
---|
黄益彬; 刘强: "Design of a secure communication protocol and its chip-level implementation" (安全通信协议设计及其芯片化实现), 电力信息与通信技术 (Electric Power Information and Communication Technology), no. 09, pp. 27-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |