
CN109361511A - Data transmission method, the network equipment and computer storage medium - Google Patents


Info

Publication number
CN109361511A
Authority
CN
China
Prior art keywords
network node
key
data
encryption
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811324704.9A
Other languages
Chinese (zh)
Inventor
熊磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201811324704.9A
Publication of CN109361511A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a data transmission method applied in a storage system that includes a first network node and a second network node. The method comprises: the second network node generates, according to a TPM, a key pair consisting of an encryption key and a decryption key of the second network node; the second network node receives a first request sent by the first network node, the first request asking for the encryption key of the second network node; in response to the first request, the second network node sends its encryption key to the first network node; the second network node then receives second ciphertext data sent by the first network node, the second ciphertext data being the result of encrypting the first plaintext data to be synchronized with the encryption key of the second network node; and the second network node decrypts the second ciphertext data with its own decryption key. By implementing the embodiments of the invention, data can be transmitted securely, improving the security and reliability of data transmission.

Description

Data transmission method, the network equipment and computer storage medium
Technical field
The present invention relates to the field of computer technology, and in particular to a data transmission method, a network device and a computer storage medium.
Background art
With the development of computer technology, information security has become particularly important. Currently, the security mechanisms that computer systems provide for information rely on a large amount of key material such as symmetric keys, asymmetric keys and shared keys. This key material is itself sensitive data: once it leaks, the security of the stored information is seriously compromised.
To protect the confidentiality of sensitive data, the prior art proposes the multilayer encryption mechanism shown schematically in Fig. 1. As shown in Fig. 1, the mechanism comprises a root key, a master key and a working key. The root key sits at the bottom of the multilayer encryption mechanism and mainly provides confidentiality protection for the key above it (for example the master key); for instance, the root key is used to encrypt the master key for storage. The master key provides confidentiality protection for the working key above it while itself being protected by the root key; for instance, the master key is used to encrypt the working key for storage. The working key is used directly to encrypt data such as sensitive data, business data and user data for storage, and includes but is not limited to encryption keys and shared keys.
However, given the security requirements on such data, how to share sensitive data securely between the network nodes of a storage system is a problem that still needs to be studied and solved.
Summary of the invention
Embodiments of the invention disclose a data transmission method, related devices and computer storage media that address problems of the existing data transmission schemes, such as insufficient security and reliability.
In a first aspect, an embodiment of the invention provides a data transmission method applied in a storage system that includes a first network node and a second network node. The method comprises: the second network node generates a second key pair according to a trusted platform module (TPM); the second key pair comprises an encryption key of the second network node and a decryption key of the second network node. The TPM provides secure storage of data, and the decryption key of the second network node is used to decrypt ciphertext data. The first network node sends a first request to the second network node, the first request being used to request the encryption key of the second network node. Correspondingly, the second network node responds to the first request by sending its encryption key to the first network node; the encryption key of the second network node is used by the first network node to encrypt the first plaintext data to be synchronized.
With reference to the first aspect, in a first possible implementation of the first aspect, the second network node generates the second key pair by calling the TPM's CreateWrapKey function (TPM_CreateWrapKey in the TPM 1.2 command set).
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, after the first network node obtains the encryption key of the second network node, it encrypts the first plaintext data to be synchronized with that encryption key to obtain first ciphertext data, and sends the first ciphertext data to the second network node. Correspondingly, the second network node receives the first ciphertext data and decrypts it with its own decryption key to obtain the first plaintext data. To verify the correctness of the synchronized data, the second network node may encrypt the first plaintext data with the encryption key of the first network node to obtain second ciphertext data and send the second ciphertext data to the first network node, so that the first network node can determine, from the second plaintext data corresponding to the second ciphertext data and the first plaintext data, whether synchronization of the first plaintext data between the two network nodes has been completed.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, the encryption key of the first network node and the encryption key of the second network node are different from each other, and the decryption key of the second network node and the decryption key of the first network node are different from each other.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the decryption key of the second network node is presented in the form of a second key handle. The second network node stores the correspondence between its decryption key and the second key handle, and can obtain the decryption key of the second network node corresponding to the second key handle from the second key handle and that correspondence.
With reference to the first aspect or any of its first to fourth possible implementations, in a fifth possible implementation of the first aspect, the decryption key of the first network node may be presented in the form of a first key handle. The first network node stores the correspondence between its decryption key and the first key handle, and can obtain the decryption key of the first network node corresponding to the first key handle from the first key handle and that correspondence.
In a second aspect, an embodiment of the invention provides a data transmission method applied at the first network node. The method comprises: the first network node generates a first key pair according to a TPM; the first key pair comprises an encryption key of the first network node and a decryption key of the first network node. The TPM provides secure storage of data, and the decryption key of the first network node is used to decrypt ciphertext data. The second network node sends a second request to the first network node, the second request being used to request the encryption key of the first network node. Correspondingly, the first network node responds to the second request by sending its encryption key to the second network node; the encryption key of the first network node is used to encrypt the first plaintext data that the first network node synchronizes to the second network node.
With reference to the second aspect, in a first possible implementation of the second aspect, the first network node generates the first key pair by calling the TPM's CreateWrapKey function (TPM_CreateWrapKey).
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the first network node sends a first request to the second network node to request the encryption key of the second network node; that encryption key is generated by the TPM of the second network node. The first network node receives the encryption key of the second network node sent by the second network node, encrypts the first plaintext data to be synchronized with it to obtain first ciphertext data, and then sends the first ciphertext data to the second network node so as to synchronize the first ciphertext data.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation of the second aspect, the first network node receives second ciphertext data sent by the second network node; the second ciphertext data is obtained by the second network node encrypting the first plaintext data with the encryption key of the first network node. The first network node decrypts the second ciphertext data with its own decryption key to obtain second plaintext data, and then determines from the first plaintext data and the second plaintext data whether synchronization of the first plaintext data between the first network node and the second network node has been completed. Specifically, if the first plaintext data and the second plaintext data are identical, the first network node determines that synchronization of the first plaintext data between the two network nodes has been completed; if they are not identical, the first network node determines that synchronization has not been completed.
With reference to the second aspect or any of its first to third possible implementations, in a fourth possible implementation of the second aspect, the encryption key of the first network node and the encryption key of the second network node are different from each other, and the decryption key of the second network node and the decryption key of the first network node are different from each other. For content not shown or not described in this embodiment, refer to the related description of the first aspect above; it is not repeated here.
In a third aspect, an embodiment of the invention provides a first network device comprising functional modules or units for performing the method described in the second aspect or any of its possible implementations.
In a fourth aspect, an embodiment of the invention provides a second network device comprising functional modules or units for performing the method described in the first aspect or any of its possible implementations.
In a fifth aspect, an embodiment of the invention provides a first network device comprising a processor, a memory, a communication interface and a bus, where the processor, the communication interface and the memory communicate with one another over the bus; the communication interface is used to send and receive data; the memory is used to store instructions; and the processor is used to call the instructions in the memory to perform the method described in the second aspect or any of its possible implementations.
In a sixth aspect, an embodiment of the invention provides a second network device comprising a processor, a memory, a communication interface and a bus, where the processor, the communication interface and the memory communicate with one another over the bus; the communication interface is used to send and receive data; the memory is used to store instructions; and the processor is used to call the instructions in the memory to perform the method described in the first aspect or any of its possible implementations.
In a seventh aspect, an embodiment of the invention provides a storage system including a first network node and a second network node, where the first network node is used to perform the method described in the second aspect or any of its possible implementations, and the second network node is used to perform the method described in the first aspect or any of its possible implementations. For content not shown or not described in this embodiment, refer to the related description in the preceding embodiments; it is not repeated here.
In an eighth aspect, a computer non-transitory storage medium is provided, storing program code for data transmission. The program code includes instructions for performing the method described in the first aspect or any of its possible implementations.
In a ninth aspect, a computer non-transitory storage medium is provided, storing program code for data transmission. The program code includes instructions for performing the method described in the second aspect or any of its possible implementations.
In a tenth aspect, a chip product is provided for performing the method in the first aspect or any of its possible implementations.
In an eleventh aspect, a chip product is provided for performing the method in the second aspect or any of its possible implementations.
Further implementations can be provided by combining the implementations that the aspects above provide.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic structural diagram of a multilayer encryption mechanism provided in the prior art.
Fig. 2 is a schematic diagram of synchronous data transfer provided in the prior art.
Fig. 3 is a schematic diagram of a network architecture of a storage system provided in an embodiment of the invention.
Fig. 4A is a flow diagram of a data transmission method provided in an embodiment of the invention.
Fig. 4B is a flow diagram of another data transmission method provided in an embodiment of the invention.
Fig. 5 is a flow diagram of another data transmission method provided in an embodiment of the invention.
Fig. 6 is a schematic structural diagram of a network device provided in an embodiment of the invention.
Fig. 7 is a schematic structural diagram of another network device provided in an embodiment of the invention.
Detailed description of embodiments
The embodiments of the invention are described below with reference to the accompanying drawings.
In the course of this application the applicant found that, in the storage system of Fig. 1 above, the root key is the root of trust that guarantees the security of the entire storage system, and the security of the root key determines the security level of the entire storage system. Taking the root key as the example of sensitive data, the following describes how sensitive data is shared securely between the network nodes of a storage system.
In the existing root key synchronization scheme, the root key plaintext to be synchronized is encrypted for transmission with the same key on both sides, in order to protect the root key. Specifically, as in Fig. 2, take a storage system containing node A and node B. A synchronization module is deployed in both node A and node B; it holds a synchronization key, for example an Advanced Encryption Standard (AES) key generated in software. After node A obtains the root key plaintext to be synchronized, it can encrypt it through its trusted platform module (TPM) and store it on disk. At the same time node A synchronizes the root key plaintext to node B: node A obtains the AES key from its synchronization module, encrypts the root key plaintext with the AES key, and sends the resulting root key ciphertext to node B. Correspondingly, after node B receives the root key ciphertext, it obtains the AES key from its own synchronization module and decrypts the root key ciphertext with that AES key to obtain the root key plaintext, thereby synchronizing the root key plaintext between node A and node B.
In practice, however, the encryption and decryption key used for the sensitive data (the root key plaintext in this example) is a key stored by the node itself, and every node uses the same encryption and decryption key. Such a data synchronization scheme therefore has low security and reliability.
To solve the problems of insufficient security and reliability in the existing data transmission scheme, the invention proposes a data transmission method, the network architecture to which the method applies, and related devices.
First, refer to Fig. 3, a schematic diagram of a network architecture provided in an embodiment of the invention. The network architecture 100 shown in Fig. 3 comprises n network nodes, any two of which can communicate with each other over the network. A trusted platform module TPM 102 is deployed in each network node; the TPM 102 specifically includes TPM hardware (also called a TPM chip) 1021, a TPM driver 1022 and a TPM application interface 1023. Optionally, a storage unit 104 is also deployed in each storage node. n is a positive integer configured by the system. The TPM chip 1021 may include a processor, an RSA key generation unit, an RSA signature and encryption unit, a random number generator and internal storage. The RSA key generation unit generates keys according to the RSA algorithm; these keys include but are not limited to asymmetric cryptographic keys, signing keys and working keys. The RSA signature and encryption unit signs and encrypts data with a key; the data may be system-defined data such as user data, business data and private data. The random number generator generates random numbers; as required by the system, these random numbers can be used as keys (for example a root key) or for data masking, data verification and the like, which the invention does not limit.
The processor may include but is not limited to a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. It can implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the invention. The processor may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor; the embodiments of the invention do not limit this.
The internal storage stores data and program code in the TPM chip. The processor can call the program code in the internal storage and execute the instructions corresponding to that program code.
The TPM driver 1022 drives the TPM chip. Specifically, the TPM driver provides an operation interface towards the TPM chip, through which the TPM chip is operated directly to complete the corresponding function, such as a data encryption operation or a data decryption operation.
The TPM application interface 1024 provides a communication interface to the TPM chip for application programs. Specifically, an application program installed in a network node can send the data to be transmitted to the TPM application interface 1024; after receiving the data to be transmitted, the TPM application interface encrypts it and returns the resulting ciphertext data to the application program.
In the invention, the TPM application interface 1024 is used in particular to perform data encryption and decryption operations, for example encrypting plaintext data with an encryption key generated by the TPM to obtain ciphertext data. Optionally, the TPM application interface 1024 may also decrypt ciphertext data with a decryption key generated by the TPM to obtain the corresponding plaintext data.
In practice, the TPM application interface 1024 may be a single communication interface that integrates the encryption function and the decryption function, or it may be split into multiple interfaces by function. For example, the TPM application interface may include an encryption interface for data encryption operations and a decryption interface for data decryption operations; the invention does not limit this.
Plaintext data in the invention refers to unencrypted data. Ciphertext data is the counterpart of plaintext data and refers specifically to the data obtained after plaintext data is encrypted with some encryption algorithm. The encryption algorithms of the invention include but are not limited to any one or a combination of the following: the Data Encryption Standard (DES); 3DES, which is based on DES and encrypts a block of data three times with three different keys; the International Data Encryption Algorithm (IDEA); the Digital Signature Algorithm (DSA), which is strictly a signature algorithm rather than an encryption algorithm; and the Advanced Encryption Standard (AES).
When a network node powers on, during initialization of the trusted platform module TPM, the system can call the operation interface provided by the TPM driver and generate the corresponding key pair with the TPM_CreateWrapKey function; the key material so generated may include but is not limited to symmetric keys and asymmetric keys. Taking an asymmetric key as an example, the key pair includes a public key and a private key. The public key may be shared and is a disclosed key: the other network nodes in the storage system can learn the public key of the network node. The private key is retained by the network node itself and is not disclosed: the other nodes in the storage system cannot learn it. To protect the private key, the network node typically calls the TPM module's key loading interface TPM_LoadKey2 to load the private key into the TPM module and obtain the corresponding private key handle (wrap key handle); the private key is then presented and stored externally in the form of the private key handle. That is, the network node stores the correspondence between the private key and the private key handle. When the network node needs to use the private key, it obtains the private key corresponding to the private key handle from the handle and that correspondence.
In practice, since the confidentiality requirement on the private key is higher, the private key is typically used as the decryption key for ciphertext data. Correspondingly, the public key, whose confidentiality requirement is lower than that of the private key, can be used as the encryption key for plaintext data. For example, for plaintext data with high storage security requirements within a network node, such as a user's private data or business data, the network node encrypts the plaintext data with its own public key and saves the resulting ciphertext data, improving the security of data storage. Correspondingly, when the network node needs to use the plaintext data, it decrypts the stored ciphertext data with its own private key to obtain the corresponding plaintext data, and then processes that plaintext data.
Specifically, the network node first obtains the private key handle it stores, then obtains the private key corresponding to the handle from the correspondence between private key handles and private keys, and finally decrypts the ciphertext data with the obtained private key to obtain the corresponding plaintext data.
The storage unit 104 stores data in the network node, such as encrypted ciphertext data and decrypted plaintext data. The storage unit may include but is not limited to memory, a hard disk (or magnetic disk), a cache, or other functional modules or devices with a storage function.
Fig. 4 A is referred to, is a kind of flow diagram of data transmission method provided in an embodiment of the present invention.Such as Fig. 4 A institute The data transmission method shown is applied in storage system, includes n network node in the storage system, each network node portion There is credible platform module TPM in administration.The present invention hereafter to be including first network node and the second network node in n network node Example carries out the elaboration of related content.This method specifically may include that step is implemented as follows:
Step S301, first network node is according to the encryption key of the second network node to the first clear data to be synchronized Encryption, obtains the first ciphertext data, and the encryption key of the second network node is generated by TPM.
In the present invention, the first clear data is data to be synchronized, concretely the customized clear data of system, should Data include but is not limited to user data, business datum and sensitive data etc..Wherein, sensitive data is also known as private data, is Refer to it is sensitive to user (or enterprise), need data to be protected, such as the bank card account number of user, bank password, wechat account with And unlocking pin etc..The encryption key of second network node can also can be the to be pre-stored in first network node What one network node was obtained from the second network node immediately, specifically it is detailed below in the present invention.
Step S302, first network node sends the first ciphertext data to the second network node.Correspondingly, the second network section Point receives the first ciphertext data.
Step S303, the second network node is obtained according to the decruption key of the second network node to the first ciphertext data deciphering Obtain the first clear data.
In each network node of storage system during synchronous first clear data, current network node need to be utilized down The encryption key of one network node encrypts clear data, obtains corresponding ciphertext data.Correspondingly, next network node can be straight It connects and ciphertext data is decrypted using the decruption key of own node, to realize the synchronous transfer of clear data.Compared to existing There is technology to realize the encryption and decryption of data to be synchronized using same key, the safety and reliability of data transmission can be promoted.For example, Shown in above-mentioned steps of embodiment of the present invention S301-S303, first network node using the second network node encryption key pair First clear data encryption to be synchronized, to obtain the first ciphertext data.Further, first network node is to the second network section Point sends the first ciphertext data.Correspondingly, after the second network node receives the first ciphertext data, using the second network node Decruption key is to the first ciphertext data deciphering, to obtain correspondingly the first clear data.
In an alternative embodiment, the second network node need to obtain the decruption key of the second network node before step S303. Specifically, being stored with decruption key in the second network node for the safety for guaranteeing decruption key and decrypting pair of key handles It should be related to, and externally be presented in the form of decruption key handle.It is that the second network node need to obtain the second network node When decruption key, decruption key handle can be first directly obtained from the second network node, it is then close according to decruption key and decryption The corresponding relationship of key handle obtains the corresponding decruption key of decruption key handle, the i.e. decruption key of the second network node.Into One step, the second network node recycles the decruption key of the second network node to the first ciphertext data deciphering, bright to obtain first Literary data.
In an alternative embodiment, during data encrypting and deciphering, network node is specifically (specific using TPM application interface Interface or TPM decryption interface can be encrypted for TPM) realize the encryption and decryption of data.For example, first network node is adjustable in step S301 Interface is encrypted with TPM, the first clear data to be synchronized is encrypted using the encryption key of the second network node, to obtain first Ciphertext data, and then it is sent to the second network node.Correspondingly, the second network node can call TPM solution contiguity in step S303 Mouthful, using the decruption key of the second network node to the first ciphertext data deciphering, to obtain the first ciphertext data.
Step S304, the second network node encrypts the first clear data according to the encryption key of first network node, obtains The second ciphertext data are obtained, the encryption key of first network node is generated by TPM.The encryption key of the first network node can be the It is pre-stored in two network nodes, it can also be obtained from first network node immediately for the second network node, specifically at this Invention is detailed below.
Step S305, the second network node sends the second ciphertext data to first network node.Correspondingly, first network section Point receives the second ciphertext data.
Step S306, first network node is obtained according to the decruption key of first network node to the second ciphertext data deciphering Obtain second plaintext data.
Step S307, first network node determines first network node according to the first clear data and second plaintext data And second whether complete the first clear data between network node synchronization.
It is intelligible, for verifying first network node to the second network node encryption send the first clear data whether and First clear data to be synchronized is identical, and the second network node, can after decrypting the first ciphertext data and obtaining the first clear data Verify the first clear data of the decryption again to first network node.Specifically, the second network node is decrypting the first ciphertext After data obtain the first clear data, the first clear data can be encrypted using the encryption key of first network node again, obtained Obtain the second ciphertext data.Second network node sends the second ciphertext data to first network node.Correspondingly, first network node After receiving the second ciphertext data, using the decruption key of first network node to the second ciphertext data deciphering, it is bright to obtain second Literary data.The decruption key that first network node how is obtained about first network node specifically refers to above mentioned step S3 03 It is related illustrate, which is not described herein again.Similarly, about network node (concretely first network node or the second network section Point) encryption and decryption how to realize data, it can correspond to and illustrate with reference to above mentioned step S3 01 are related in S303, it is no longer superfluous here It states.
Further, whether first network node can identical according to the first clear data and second plaintext data, determines this Whether the synchronization of to be synchronized first clear data is completed between two network nodes.Specifically, when the first clear data and the When two clear datas are identical, first network node, which can determine, to be currently completed between first network node and the second network node The synchronization of first clear data.When the first clear data and not identical second plaintext data, first network node be can determine not Complete the synchronization that the first clear data is directed between first network node and the second network node.Is not completed about network node The synchronous reason of one clear data has very much, the present invention and without limitation, such as key used in encryption or decryption process is not Correctly, mistake etc. occurs when ciphertext data deciphering.
In an alternative embodiment, the related steps of the method flow shown in Fig. 4B may also be included before step S301. Refer to Fig. 4B, which is a flow diagram of another data transmission method provided in an embodiment of the present invention. The method includes the following implementation steps:
Step S401: the first network node generates a first key pair according to the TPM, the first key pair including the encryption key of the first network node and the decryption key of the first network node.
In the present invention, the first key pair may specifically be generated by the first network node using the TPM deployed in it. Specifically, the first network node can call, through the TPM driver, the creatwrapkey function of the operation interface provided by the TPM to generate the first key pair, which includes the encryption key and the decryption key of the first network node. Optionally, the first key pair may be generated by the first network node in software. For example, the first network node can call a preset key function to generate the first key pair; the preset key function is a system-defined setting, such as an AES function, and the present invention does not limit it.
In practical applications, the first key pair may specifically be a symmetric key pair or an asymmetric key pair. In general, the first key pair is an asymmetric key pair and may specifically include an encryption public key and a decryption private key, i.e. the encryption key and the decryption key described in the embodiment of the present invention.
Step S402: the second network node generates a second key pair according to the TPM, the second key pair including the encryption key of the second network node and the decryption key of the second network node.
In the present invention, the second key pair is generated by the second network node in software, or according to the TPM deployed in the second network node; for details refer to the related explanation in step S401, which is not repeated here. The first key pair and the second key pair may be identical or different; the present invention does not limit this. In practical applications, to guarantee the security of data, the key pair generated by each network node is usually different, for example the first key pair and the second key pair here are different. That is, the encryption key of the first network node and the encryption key of the second network node are different, and/or the decryption key of the first network node and the decryption key of the second network node are different.
Step S403: the first network node sends a first request to the second network node, the first request being used to request the encryption key of the second network node. Correspondingly, the second network node receives the first request.
Step S404: the second network node responds to the first request and sends the encryption key of the second network node to the first network node. Correspondingly, the first network node receives the encryption key of the second network node.
Step S405: the second network node sends a second request to the first network node, the second request being used to request the encryption key of the first network node. Correspondingly, the first network node receives the second request.
Step S406: the first network node responds to the second request and sends the encryption key of the first network node to the second network node. Correspondingly, the second network node receives the encryption key of the first network node.
In practical applications, the first network node and the second network node can exchange request and response messages in advance in order to learn the encryption key of the peer network node. For example, the first network node can send a first request message to the second network node to request the encryption key of the second network node. Correspondingly, the second network node receives the first request message and accordingly sends a first response message to the first network node, the first response message carrying the encryption key of the second network node. Optionally, after the first network node obtains the encryption key of the second network node, it can store that encryption key in its own node so that it can later be obtained directly from local storage and used.
Similarly, the second network node can send a second request message to the first network node to request the encryption key of the first network node. Correspondingly, the first network node receives and responds to the second request message, sending a second response message to the second network node, the second response message carrying the encryption key of the first network node. Optionally, after the second network node obtains the encryption key of the first network node, it can store that encryption key in its own node so that it can later be obtained directly from local storage and used.
Optionally, steps S403-S404 of the present invention, in which the first network node obtains the encryption key of the second network node, may be performed by the first network node in advance, or may be performed just before the first network node needs to use the encryption key of the second network node (step S301); the embodiment of the present invention does not limit this. Similarly, steps S405-S406, in which the second network node obtains the encryption key of the first network node, may be performed by the second network node in advance, or just before the second network node needs to use the encryption key of the first network node (step S304); the embodiment of the present invention does not limit this. The embodiment of the present invention also does not limit the order in which steps S403-S404 and steps S405-S406 are performed; for example, steps S403-S404 may be performed after steps S405-S406.
It should be noted that, in the embodiment of the present invention, the number of network nodes included in the storage system is not limited. The present invention has above taken two network nodes as an example to illustrate the embodiment that synchronizes the first plaintext data between any two network nodes. Correspondingly, when the number n of network nodes included in the storage system is greater than 2 and the first plaintext data is synchronized among the n network nodes, the current network node likewise encrypts the plaintext data using the encryption key of the next network node to obtain ciphertext data, so that the next network node can decrypt the ciphertext data directly using the decryption key of its own node, completing the synchronous transfer of the plaintext data. This continues until the last network node (network node n) decrypts and obtains the plaintext data. To verify the correctness of the synchronized plaintext data, network node n then encrypts the decrypted plaintext data using the encryption key of the first network node and sends the resulting ciphertext data to the first network node. The first network node decrypts the received ciphertext data using the decryption key of its own node to obtain the corresponding plaintext data, and further determines whether the decrypted plaintext data is identical to the plaintext data to be synchronized; if so, it determines that the synchronization of the plaintext data among the n network nodes is complete.
Illustratively, the related embodiment of data synchronization is explained below with n=3 as an example. Refer to Fig. 5, which is a flow diagram of another data transmission method provided in an embodiment of the present invention. The data transmission method shown in Fig. 5 is applied in a storage system that includes 3 network nodes, namely a first network node, a second network node and a third network node. Each network node is deployed with a TPM for generating key pairs. The method may include the following implementation steps:
Step S501: each network node in the storage system generates a corresponding key pair according to the TPM, the key pair including the encryption key of the network node and the decryption key of the network node.
In the embodiment of the present invention, each network node in the storage system can generate its corresponding key pair according to the TPM deployed in the network node itself. Specifically, the first network node can generate a first key pair according to the TPM, the first key pair including the encryption key of the first network node and the decryption key of the first network node. Similarly, the second network node can generate a second key pair according to the TPM, the second key pair including the encryption key of the second network node and the decryption key of the second network node. The third network node generates a third key pair according to the TPM, the third key pair including the encryption key of the third network node and the decryption key of the third network node.
Optionally, any two of the three key pairs involved in the embodiment of the present invention may be identical or different. In practical applications, the first key pair, the second key pair and the third key pair are usually all different; for details refer to the related explanation in the embodiment of Fig. 4B above, which is not repeated here.
Step S502: the first network node sends a first request to the second network node, the first request being used to request the encryption key of the second network node. Correspondingly, the second network node receives the first request.
Step S503: the second network node responds to the first request and sends the encryption key of the second network node to the first network node.
Step S504: the second network node sends a second request to the third network node, the second request being used to request the encryption key of the third network node. Correspondingly, the third network node receives the second request.
Step S505: the third network node responds to the second request and sends the encryption key of the third network node to the second network node.
Step S506: the third network node sends a third request to the first network node, the third request being used to request the encryption key of the first network node. Correspondingly, the first network node receives the third request.
Step S507: the first network node responds to the third request and sends the encryption key of the first network node to the third network node.
Specifically, steps S502-S503 are the implementation steps by which the first network node obtains the encryption key of the second network node. Steps S504-S505 are the implementation steps by which the second network node obtains the encryption key of the third network node. Steps S506-S507 are the implementation steps by which the third network node obtains the encryption key of the first network node. For details of steps S502-S507, refer to the related explanation of steps S403-S406 above, which is not repeated here.
Step S508: the first network node encrypts the first plaintext data to be synchronized using the encryption key of the second network node to obtain first ciphertext data.
Specifically, the first network node can use the TPM encryption interface to encrypt the first plaintext data to be synchronized with the encryption key of the second network node, obtaining the first ciphertext data.
Step S509: the first network node sends the first ciphertext data to the second network node. Correspondingly, the second network node receives the first ciphertext data.
Step S510: the second network node decrypts the first ciphertext data using the decryption key of the second network node to obtain the first plaintext data. The second network node then encrypts the first plaintext data using the encryption key of the third network node to obtain second ciphertext data.
Specifically, the second network node can use the TPM decryption interface to decrypt the first ciphertext data with the decryption key of the second network node, obtaining the first plaintext data. Further, it uses the TPM encryption interface to encrypt the first plaintext data with the encryption key of the third network node, obtaining the second ciphertext data. In practical applications, the TPM encryption interface and the TPM decryption interface may be a single interface that integrates the encryption and decryption functions, or two interfaces with the functions split; for details refer to the related explanation of the embodiment of Fig. 3 above, which is not repeated here.
Step S511: the second network node sends the second ciphertext data to the third network node. Correspondingly, the third network node receives the second ciphertext data.
Step S512: the third network node decrypts the second ciphertext data using the decryption key of the third network node to obtain second plaintext data.
In the present invention, steps S508-S512 form the process of synchronizing the first plaintext data among the three network nodes (namely the first network node, the second network node and the third network node). For how a network node implements the encryption and decryption of data, refer to the related explanation in the embodiment of Fig. 4B above, which is not repeated here.
Step S513: the third network node encrypts the second plaintext data using the encryption key of the first network node to obtain third ciphertext data.
Step S514: the third network node sends the third ciphertext data to the first network node. Correspondingly, the first network node receives the third ciphertext data.
Step S515: the first network node decrypts the third ciphertext data using the decryption key of the first network node to obtain third plaintext data. The first network node determines, according to the first plaintext data and the third plaintext data, whether the synchronization of the first plaintext data among the three network nodes is complete.
To guarantee the security and reliability of data synchronization between network nodes, it is also necessary to verify whether the plaintext data synchronized between the network nodes is consistent. Specifically, as in steps S513-S515 of the present invention, after the third network node decrypts and obtains the second plaintext data, it encrypts the second plaintext data using the encryption key of the first network node to obtain the third ciphertext data and sends it to the first network node. Correspondingly, the first network node decrypts the received third ciphertext data using the decryption key of the first network node to obtain the third plaintext data. Then the first network node judges whether the first plaintext data and the third plaintext data are identical; if they are, it can determine that the synchronization of the first plaintext data among the three network nodes (the first network node, the second network node and the third network node) is complete. Conversely, if they are not identical, it can determine that the three network nodes have not completed the synchronization of the first plaintext data. For content not described in the embodiment of the present invention, refer correspondingly to the related explanation in the embodiment of Fig. 4B above, which is not repeated here.
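The chain of steps S301-S307 (Fig. 4A), the key requests of Fig. 4B and the three-node ring of steps S508-S515 (Fig. 5) can be exercised end to end with the following Python simulation. It is an added example, not code from the patent or from Huawei: the `SoftTpm` class, the `Node` class, the `synchronise` function, the node names and the textbook RSA key generation on short constructed moduli are all my assumptions, chosen so that the block runs offline with the standard library only. It generalizes the two- and three-node cases to any number of nodes in a ring, keeps each decryption key behind an opaque handle inside the node's own TPM stand-in (the handle/key correspondence of step S303), and its `corrupt_link` parameter models the failure case named in the description (a ciphertext that no longer decrypts to the original plaintext), which the first node's comparison in step S307 / S515 detects.

```python
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test; standard library only."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    # Constructed toy sizes (128-bit primes), not production parameters.
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

class SoftTpm:
    """Assumed software stand-in for the TPM deployed on each node: it creates key
    pairs, keeps the decryption key inside and exposes only a handle plus the
    encryption key. Textbook RSA without padding, purely to show the key mechanics."""

    def __init__(self, bits=256):
        self._bits = bits
        self._private = {}  # handle -> (n, d); never returned to callers

    def create_key_pair(self):
        e = 65537
        while True:
            p, q = _random_prime(self._bits // 2), _random_prime(self._bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:
                break
        handle = secrets.token_hex(4)
        self._private[handle] = (p * q, pow(e, -1, phi))
        return handle, (p * q, e)  # (decryption key handle, encryption key)

    @staticmethod
    def encrypt(encryption_key, plaintext: bytes) -> int:
        n, e = encryption_key
        m = int.from_bytes(plaintext, "big")
        if m >= n:
            raise ValueError("plaintext does not fit the toy modulus")
        return pow(m, e, n)

    def decrypt(self, handle, ciphertext: int) -> bytes:
        n, d = self._private[handle]  # handle -> decryption key, inside the TPM
        m = pow(ciphertext, d, n)
        return m.to_bytes((m.bit_length() + 7) // 8, "big")

class Node:
    """One storage-system network node with its own TPM-generated key pair."""

    def __init__(self, name):
        self.name = name
        self.tpm = SoftTpm()
        self.handle, self.encryption_key = self.tpm.create_key_pair()  # S401/S402
        self.peer_keys = {}  # cached encryption keys of other nodes (S403-S406)

    def request_encryption_key(self, peer):
        # Request/response of Fig. 4B: only the peer's encryption key travels.
        self.peer_keys[peer.name] = peer.encryption_key

    def encrypt_for(self, peer_name, plaintext):
        return SoftTpm.encrypt(self.peer_keys[peer_name], plaintext)

    def decrypt(self, ciphertext):
        return self.tpm.decrypt(self.handle, ciphertext)

def synchronise(nodes, plaintext: bytes, corrupt_link=None):
    """Ring synchronisation: each node encrypts for the next node's key, the last
    node encrypts for the first, and the first compares the returned copy with
    what it sent. Returns (synchronised_ok, plaintext held by each later node)."""
    ring = nodes + [nodes[0]]
    for cur, nxt in zip(ring, ring[1:]):
        cur.request_encryption_key(nxt)
    held, data = {}, plaintext
    try:
        for i, (cur, nxt) in enumerate(zip(ring, ring[1:])):
            ciphertext = cur.encrypt_for(nxt.name, data)
            if i == corrupt_link:
                ciphertext ^= 1  # constructed fault: one bit flipped in transit
            data = nxt.decrypt(ciphertext)  # the next node uses only its own key
            held[nxt.name] = data
    except ValueError:
        return False, held  # garbage could not even be re-encrypted downstream
    returned = held.pop(nodes[0].name)
    return returned == plaintext, held
```

`synchronise([Node("first"), Node("second"), Node("third")], b"sync me")` returns `(True, {...})` with every later node holding the same bytes; passing `corrupt_link=1` damages the ciphertext on the second hop, and the first node's comparison (or the downstream re-encryption failure) reports `False`. The point the simulation makes visible is that no node ever learns another node's decryption key: each hop is encrypted under the receiver's encryption key and opened only through the receiver's own handle.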
By implementing the embodiment of the present invention, problems such as the low security and reliability of existing data synchronization schemes can be solved, thereby improving the security and reliability of data transmission.
The network device to which the present invention applies is described below in conjunction with the related descriptions of the embodiments of Fig. 1 to Fig. 5 above. Refer to Fig. 6, which is a structural schematic diagram of a network device provided in an embodiment of the present invention. The network device 600 includes a communication module 602 and a processing module 604.
In one possible embodiment, the network device 600 is a first network device. The processing module 604 can be used to control and manage the actions of the first network device 600. For example, the processing module 604 is used to perform steps S302, S306 and S307 in Fig. 4A, step S401 in Fig. 4B, steps S508 and S515 in Fig. 5, and/or other content of the technology described herein. The communication module 602 is used to communicate with other modules or devices; for example, the communication module 602 is used to perform step S302 in Fig. 4A, steps S403 and S406 in Fig. 4B, steps S502 and S509 in Fig. 5, and/or other content of the technology described herein.
In another possible embodiment, the network device 600 is a second network device. The processing module 604 can be used to control and manage the actions of the network device 600. For example, the processing module 604 is used to perform, in the method embodiments above, the related steps whose executing subject is any network node other than the first network node, such as the second network node; specifically, it can perform steps S303 and S304 in Fig. 4A, step S402 in Fig. 4B, step S510 in Fig. 5, and/or other content of the technology described herein. The communication module 602 is used to communicate with other modules or devices; for example, the communication module 602 is used to perform, in the method embodiments above, the steps of interaction between any network node other than the first network node and the other network nodes, such as step S305 in Fig. 4A, step S404 in Fig. 4B, steps S503, S504 and S511 in Fig. 5, and/or other content of the technology described herein.
Optionally, the network device 600 may also include a storage module 606. The storage module 606 is used to store the program code and data of the network device 600, for example the program code for data transmission. The processing module 604 is used to call the program code in the storage module 606 to implement the steps in the method embodiments above whose executing subject is any network node (such as the first network node or the second network node), and/or other content of the technology described herein.
The processing module 604 may be a processor or controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 602 may be a communication interface, a transceiver, a transceiver circuit, etc., where "communication interface" is a collective term that may include one or more interfaces, for example the interface between the communication module and the processing module, or the interface between a load balancing apparatus and a user equipment. The storage module 606 may be a memory or another service or module that provides a storage function.
When the processing module 604 is a processor, the communication module 602 is a communication interface and the storage module 606 is a memory, the network device involved in the embodiment of the present invention may be the network device shown in Fig. 7.
As shown in Fig. 7, the network device 700 includes one or more processors 701, a communication interface 702 and a memory 703. The processor 701, the communication interface 702 and the memory 703 may be connected by a bus or in another way; the embodiment of the present invention takes connection by a bus 704 as an example. Where:
The processor 701 may consist of one or more general-purpose processors, such as a central processing unit (CPU). The processor 701 can be used to run the program code related to any one or more of the following functional modules: the communication module, the processing module and the storage module. That is, the processor 701 can execute program code to implement the function of any one or more of the functional modules such as the communication module and the processing module. For details of the communication module and the processing module, refer to the related explanation in the previous embodiments.
The communication interface 702 may be a wired interface (such as an Ethernet interface) or a wireless interface (such as a cellular network interface or a wireless local area network interface) for communicating with other modules or devices. For example, in the embodiment of the present invention the communication interface 702 is specifically used to receive ciphertext data sent by other network nodes, or to send ciphertext data to other network nodes.
The memory 703 may include volatile memory, such as random access memory (RAM); the memory may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 703 may also include a combination of the above types of memory. The memory 703 can be used to store a set of program code, so that the processor 701 can call the program code stored in the memory 703 to implement the functions of the communication module and/or the processing module involved in the embodiment of the present invention.
It should be noted that Fig. 6 and Fig. 7 are only one possible implementation of the embodiment of the present application; in practical applications the network device may include more or fewer components, and no limitation is imposed here. For content not shown or not described in the embodiment of the present invention, refer to the related explanation in any of the method embodiments above, which is not repeated here.
The embodiment of the present invention also provides a non-transitory computer storage medium storing instructions which, when run on a processor, implement the method flow described in any of the embodiments of Fig. 4A, Fig. 4B and Fig. 5.
The embodiment of the present invention also provides a computer program product which, when run on a processor, implements the method flow described in any of the embodiments of Fig. 4A, Fig. 4B and Fig. 5.
The steps of the method or algorithm described in connection with the disclosure of the embodiment of the present invention may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM or a storage medium of any other form well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be a component of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC may be located in the network device. Of course, the processor and the storage medium may also exist in the network device as discrete components.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be completed by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The aforementioned storage medium includes ROM, RAM, a magnetic disk, an optical disk or any other medium that can store program code.

Claims (10)

1. A data transmission method, characterized in that it is applied to a second network node, the method comprising:
generating a second key pair according to a trusted platform module (TPM), the second key pair including an encryption key of the second network node and a decryption key of the second network node;
receiving a first request sent by a first network node, the first request being used to request the encryption key of the second network node;
sending the encryption key of the second network node to the first network node;
receiving first ciphertext data sent by the first network node, the first ciphertext data being data obtained by encrypting first plaintext data to be synchronized with the encryption key of the second network node;
decrypting the first ciphertext data using the decryption key of the second network node.
2. The method according to claim 1, characterized in that, before decrypting the first ciphertext data using the decryption key of the second network node, the method further comprises:
storing, in the second network node, a correspondence between the decryption key of the second network node and a key handle, the key handle being used to identify the decryption key of the second network node;
obtaining, by the second network node, the decryption key of the second network node according to the key handle and the correspondence.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
sending a second request to the first network node, the second request being used to request the encryption key of the first network node;
receiving the encryption key of the first network node sent by the first network node, and encrypting the decrypted first plaintext data according to the encryption key of the first network node to obtain second ciphertext data;
sending the second ciphertext data to the first network node, so that the first network node can determine, according to the second plaintext data corresponding to the second ciphertext data and the first plaintext data, whether the synchronization of the first plaintext data between the first network node and the second network node is complete.
4. The method according to any one of claims 1-3, characterized in that the encryption key of the first network node differs from the encryption key of the second network node, and the decryption key of the first network node differs from the decryption key of the second network node.
5. A storage system, characterized in that the storage system comprises a first network node and a second network node, wherein:
the first network node is configured to send a first request to the second network node, the first request being used to request the encryption key of the second network node;
the second network node is configured to generate a second key pair according to a trusted platform module (TPM), the second key pair including an encryption key of the second network node and a decryption key of the second network node;
the second network node is further configured to receive the first request and send the encryption key of the second network node to the first network node;
the first network node is further configured to receive the encryption key of the second network node, encrypt first plaintext data to be synchronized using the encryption key of the second network node to obtain first ciphertext data, and send the first ciphertext data to the second network node;
the second network node is further configured to receive the first ciphertext data and decrypt the first ciphertext data using the decryption key of the second network node.
6. The system according to claim 5, characterized in that:
the first network node is further configured to generate a first key pair according to a trusted platform module (TPM), the first key pair including an encryption key of the first network node and a decryption key of the first network node, the TPM being used to implement secure storage of data, and the decryption key of the first network node being used to decrypt ciphertext data;
the second network node is further configured to send a second request to the first network node, the second request being used to request the encryption key of the first network node;
the first network node is further configured to receive the second request and send the encryption key of the first network node to the second network node;
the second network node is further configured to receive the encryption key of the first network node sent by the first network node, encrypt the decrypted first plaintext data using the encryption key of the first network node to obtain second ciphertext data, and send the second ciphertext data to the first network node;
the first network node is further configured to receive the second ciphertext data and decrypt the second ciphertext data using the decryption key of the first network node to obtain second plaintext data;
the first network node is further configured to determine, when the first plaintext data and the second plaintext data are identical, that the synchronization of the first plaintext data between the first network node and the second network node is complete.
7. The system according to claim 6, characterized in that, before the first network node decrypts the second ciphertext data using the decryption key of the first network node:
the first network node is further configured to store a correspondence between the decryption key of the first network node and a first key handle, the first key handle being used to identify the decryption key of the first network node;
the first network node is further configured to obtain the decryption key of the first network node according to the first key handle and the correspondence.
8. The system according to any one of claims 5-7, characterized in that, before the second network node decrypts the first ciphertext data using the decryption key of the second network node:
the second network node is further configured to store a correspondence between the decryption key of the second network node and a second key handle, the second key handle being used to identify the decryption key of the second network node;
the second network node is further configured to obtain the decryption key of the second network node according to the second key handle and the correspondence.
9. The system according to any one of claims 5-8, characterized in that the encryption key of the first network node differs from the encryption key of the second network node, and the decryption key of the first network node differs from the decryption key of the second network node.
10. A network device, characterized in that it comprises a processor, a memory, a communication interface and a bus; the processor, the communication interface and the memory communicate with each other via the bus; the communication interface is used to send and receive data; the memory is used to store instructions; and the processor is used to call the instructions in the memory to execute the method according to any one of claims 1-4.
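The exchange the claims describe, as an added example that is not part of the patent: each node holds its decryption key under a key handle in its own TPM (claims 2, 7 and 8), the first node sends the first ciphertext to the second node (claims 1 and 5), and the second node re-encrypts the decrypted data under the first node's key so the first node can verify the round trip (claims 3 and 6). RSA-OAEP from Go's standard library stands in for the TPM-generated key pair, an in-memory map stands in for the TPM's key store, and the handle names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// node is one network node of the claims; tpmKeys stands in for its TPM, which
// keeps each decryption key inside under a key handle (claims 2, 7 and 8).
type node struct {
	handle  string
	encKey  *rsa.PublicKey             // handed to the peer when it asks
	tpmKeys map[string]*rsa.PrivateKey // simulated TPM store, never sent out
}
// newNode generates the key pair in the simulated TPM (a constructed stand-in,
// not a real TPM API) and keeps only the encryption key outside it.
func newNode(handle string) (*node, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &node{handle: handle, encKey: &priv.PublicKey,
		tpmKeys: map[string]*rsa.PrivateKey{handle: priv}}, nil
}
// sendEncrypted is one leg of the exchange: the sender encrypts under the
// receiver's encryption key (this ciphertext is what crosses the network) and
// the receiver resolves its key handle to the decryption key held in its TPM.
func sendEncrypted(to *node, pt []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to.encKey, pt, nil)
	if err != nil {
		return nil, err // e.g. plaintext longer than OAEP allows for the key size
	}
	return rsa.DecryptOAEP(sha256.New(), nil, to.tpmKeys[to.handle], ct, nil)
}
// syncPlaintext runs claims 5 and 6: first -> second as the first ciphertext,
// second -> first as the second ciphertext; the first node confirms the
// synchronization only if the returned second plaintext equals its own.
func syncPlaintext(first, second *node, plain []byte) (bool, error) {
	pt1, err := sendEncrypted(second, plain)
	if err != nil {
		return false, err
	}
	pt2, err := sendEncrypted(first, pt1)
	if err != nil {
		return false, err
	}
	return string(plain) == string(pt2), nil
}
```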
CN201811324704.9A 2018-11-08 2018-11-08 Data transmission method, the network equipment and computer storage medium Pending CN109361511A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811324704.9A CN109361511A (en) 2018-11-08 2018-11-08 Data transmission method, the network equipment and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811324704.9A CN109361511A (en) 2018-11-08 2018-11-08 Data transmission method, the network equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN109361511A true CN109361511A (en) 2019-02-19

Family

ID=65344666

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811324704.9A Pending CN109361511A (en) 2018-11-08 2018-11-08 Data transmission method, the network equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN109361511A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378195A (en) * 2021-06-21 2021-09-10 上海盛付通电子支付服务有限公司 Method, apparatus, medium, and program product for encrypted communication

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120198235A1 (en) * 2011-02-01 2012-08-02 Microsoft Corporation Secure messaging with read-undeniability and deletion-verifiability
US20140089658A1 (en) * 2012-09-27 2014-03-27 Yeluri Raghuram Method and system to securely migrate and provision virtual machine images and content
CN104320248A (en) * 2014-11-14 2015-01-28 中国建设银行股份有限公司 Method and system for inter-system secret key synchronization
CN106790242A (en) * 2017-01-22 2017-05-31 济南浪潮高新科技投资发展有限公司 A kind of communication means, communication equipment, computer-readable recording medium and storage control
CN107959567A (en) * 2016-10-14 2018-04-24 阿里巴巴集团控股有限公司 Date storage method, data capture method, apparatus and system
CN108075890A (en) * 2016-11-16 2018-05-25 中兴通讯股份有限公司 Data sending terminal, data receiver, data transmission method and system
CN108667608A (en) * 2017-03-28 2018-10-16 阿里巴巴集团控股有限公司 The guard method of data key, device and system

Similar Documents

Publication Publication Date Title
EP3286867B1 (en) Method, apparatus, and system for cloud-based encryption machine key injection
US10785019B2 (en) Data transmission method and apparatus
CN111448779B (en) System, device and method for hybrid secret sharing
US8059818B2 (en) Accessing protected data on network storage from multiple devices
EP3123657B1 (en) Method and apparatus for cloud-assisted cryptography
US9703965B1 (en) Secure containers for flexible credential protection in devices
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
US9992017B2 (en) Encrypting and storing data
CN110635901B (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
WO2016210347A1 (en) System, method, and apparatus for electronic prescription
CN104902138B (en) Encryption/deciphering system and its control method
CN110505055B (en) External network access identity authentication method and system based on asymmetric key pool pair and key fob
CN109309566B (en) Authentication method, device, system, equipment and storage medium
CN111191217B (en) Password management method and related device
US20220038283A1 (en) Hub-based token generation and endpoint selection for secure channel establishment
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
US11463251B2 (en) Method for secure management of secrets in a hierarchical multi-tenant environment
CN106257859A (en) A kind of password using method
CN110417722B (en) Business data communication method, communication equipment and storage medium
CN109361511A (en) Data transmission method, the network equipment and computer storage medium
JP5745493B2 (en) Key sharing system, key sharing method, program
CN115941185A (en) Method and device for offline downloading and electronic equipment
CN118214559A (en) Federal learning security aggregation method, device, equipment and medium
CN118944867A (en) Authentication key negotiation method based on password and electronic equipment
Limmanee et al. Hybrid Encryption Scheme for Digital Content with Key Partitioning and Secret Mixing: Design and Implementation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190219