[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN114095156B - Data protection method for rail transit mobile terminal - Google Patents

Data protection method for rail transit mobile terminal Download PDF

Info

Publication number
CN114095156B
CN114095156B CN202111244907.9A CN202111244907A CN114095156B CN 114095156 B CN114095156 B CN 114095156B CN 202111244907 A CN202111244907 A CN 202111244907A CN 114095156 B CN114095156 B CN 114095156B
Authority
CN
China
Prior art keywords
data
mobile terminal
key
encryption
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111244907.9A
Other languages
Chinese (zh)
Other versions
CN114095156A (en
Inventor
黄辉
王美茜
韩熠
华晟
周学兵
苏阿峰
马钰昕
刘螺辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Casco Signal Cherngdu Ltd
Original Assignee
Casco Signal Cherngdu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Casco Signal Cherngdu Ltd filed Critical Casco Signal Cherngdu Ltd
Priority to CN202111244907.9A priority Critical patent/CN114095156B/en
Publication of CN114095156A publication Critical patent/CN114095156A/en
Application granted granted Critical
Publication of CN114095156B publication Critical patent/CN114095156B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a data protection method of a track traffic mobile terminal, which relates to the technical field of track traffic data protection and comprises a server side operation step, a mobile terminal initialization step and a mobile terminal operation step, wherein the method is used for optimizing encryption and decryption processes in the process of storing and transmitting mobile application data, and simultaneously adopting a one-machine-one-secret mechanism when data of a plurality of mobile terminals are transmitted back to a server side, namely realizing that one mobile terminal uses a pair of public and private keys of the mobile terminal and a public key of the server side, greatly improving the difficulty of acquiring and cracking the secret key, storing and transmitting back the track traffic mobile application data by selecting a domestic encryption algorithm, and ensuring the safety of the mobile application data.

Description

Data protection method for rail transit mobile terminal
Technical Field
The invention relates to the technical field of rail transit data protection, in particular to a method for protecting data of a rail transit mobile terminal.
Background
With the development of urban smart subways, mobile technology in rail transit is also increasingly widely applied, such as mobile terminal equipment used in intelligent operation and maintenance and intelligent operation and maintenance APP application programs developed on the mobile terminal equipment, and the mobile terminal equipment exchanges data with internet connection in real time.
In the intelligent operation and maintenance APP, the data on the mobile terminal equipment needs to be stored safely, and meanwhile, the data also needs to be transmitted back to the background server for data analysis, and the data storage of the mobile application adopts an encryption mode which is the safest method, but because the open wireless network communication is used during data back transmission, the safe call between the mobile terminal equipment and the hardware encryption machine cannot be realized.
Namely, under the use environment of the mobile terminal device, the data of the intelligent operation and maintenance APP application program is stored in a plaintext mode, and the mobile terminal device and the server side interact through a public or wireless network, and in this case, the user is worried about whether the data of the user are safely protected, are used or modified by unauthorized parties and are illegally leaked. Therefore, for the safety consideration, a typical technical solution in the prior art is to use an encryption technology to encrypt and store data, and transmit back a copy to a server to store the encrypted data and a password, namely, develop a software encryption and decryption module in a mobile terminal device, and use the encryption and decryption module to encrypt and transmit back the data, however, the rail transit operation data is very easy to be stolen or tampered by an attacker in the transmission process of the public network with higher network security risk, once the data is hijacked and tampered, important operation data of the rail transit operation system is leaked, and the operation security of the rail transit system is further affected.
Therefore, when the mobile terminal device is adopted to transmit the rail transit data in the public network, the public network needs to be ensured by an encryption technology with good anti-hijacking and anti-decoding functions.
Disclosure of Invention
The invention aims at solving the problem of insufficient safety in the process of data transmission in the public network of the existing mobile terminal equipment, and provides a data protection method which optimizes encryption and decryption processes in the process of storing and transmitting mobile application data, adopts a one-machine-one-encryption mechanism when data of a plurality of mobile terminals are transmitted back to a server, namely, realizes that one mobile terminal uses a pair of public and private keys of the mobile terminal and a public key of the server, greatly improves the difficulty of acquiring and cracking the secret key, stores and transmits back the mobile application data of rail transit through selecting a domestic encryption algorithm and ensures the safety of the mobile application data.
The invention aims at realizing the following technical scheme:
a data protection method of a rail transit mobile terminal comprises the following steps:
the method comprises the steps of running a server side, running a server side program of an intelligent operation and maintenance APP application program, collecting various track traffic operation data, calling an encryption platform to generate a random symmetric key, encrypting the track traffic operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and storing the encrypted track traffic operation data in a local database, meanwhile, calculating an abstract of a client side program of the intelligent operation and maintenance APP application program by using an SM3 in the domestic encryption algorithm by the server side, storing the abstract by the server side, and then publishing the client side program to mobile terminal equipment by the server side.
In the operation step of the server side, the encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation flow to generate the random symmetric key.
A mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment and encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, then carrying out copyright verification on the client program, and carrying out copyright verification so as to complete mutual trust authentication between the mobile terminal equipment and the server, thereby preventing the secondary packaged village APP from stealing data;
later, in the mobile terminal initializing step, one-machine-one-secret key initialization is completed, and the method specifically comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
In this process, pk_app is randomly generated by mobile terminals, and is unique in that each mobile terminal uses a different pk_app, while pk_essc is also generated for ID information of the mobile terminals, each mobile terminal uses a different pk_essc. The process thus completes one-machine-one-secret key initialization.
Preferably, in the mobile terminal initializing step, the performing the authentication on the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data and operation log.
More specifically, in the mobile terminal operation step, after receiving encrypted rail transit operation data of the server, the mobile terminal device performs integrity verification by using a domestic encryption algorithm, decrypts a random key by using an asymmetric encryption algorithm SM2 to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server terminal classifies the new operation data and establishes a table for encryption storage, and specifically includes the following steps:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.
Compared with the prior art, the scheme has the following technical advantages:
the invention adopts the domestic encryption algorithm to safely store the data at the mobile terminal and the server terminal which are provided with the APP special for rail transit operation, calculates the abstract by using the SM3 based on the domestic encryption algorithm and completes the legal verification of the APP when the APP of the mobile terminal is initialized, thereby achieving the aims of resisting replay attack and resisting unauthorized user access.
After authentication is completed between the mobile terminal provided with the APP special for rail traffic operation and the service end of the rail traffic operation system, the mobile terminal randomly generates a pair of random public and private key pairs belonging to the mobile end (the private keys are placed in a safe storage area), and further obtains random and independent public keys belonging to the mobile end from the service end in a safe mode, so that a mobile terminal uses a pair of public and private keys of the mobile end and a public key of the service end to form a key characteristic of 'one machine one secret'. The secret key of 'one machine one secret' can effectively protect confidentiality of operation data of the rail transit system, and even if an attacker acquires a certain secret key, the secret key is randomly generated and belongs to only one mobile terminal, so that the risk of leakage of the operation data can be effectively reduced. Because the encrypted data message is filled with the message digest field for integrity check before being sent, the attack of malicious tampering of operation data can be effectively resisted.
The rail traffic mobile application can complete the secure communication and data transmission of APP data encryption storage and a server through the mobile secure terminal, and the method is based on a domestic cryptographic algorithm, overcomes the defects of an international standard encryption algorithm and realizes autonomous controllability; the home password is used for realizing the mobile APP authentication, preventing an attacker from replaying, and ensuring reliable communication; one machine is used for one cipher in the data transmission process, and a random symmetric key is used for encrypting data in each transmission, so that the confidentiality of the transmitted data is ensured; and after receiving the data, the integrity check is carried out, so that the data is prevented from being tampered in the middle, and the integrity of data transmission is ensured.
Drawings
The foregoing and the following detailed description of the invention will become more apparent when read in conjunction with the following drawings in which:
FIG. 1 is a schematic diagram of the overall technical scheme of the invention;
FIG. 2 is a schematic diagram of a mobile terminal device and a server according to the present invention;
FIG. 3 is a schematic diagram of the "one-machine-one-pad" logic of the present invention.
Detailed Description
The following embodiments are used to further illustrate the technical solution for achieving the object of the present invention, and it should be noted that the technical solution claimed in the present invention includes but is not limited to the following embodiments.
Example 1
As a specific implementation scheme of the invention, the embodiment provides a data protection method of a rail transit mobile terminal, which comprises a server-side operation step, a mobile-side initialization step and a mobile-side operation step.
Specifically, as shown in fig. 1 and 2, the server runs the steps, runs the server program of the intelligent operation and maintenance APP application program, collects various rail transit operation data, invokes the encryption platform to generate a random symmetric key, encrypts the rail transit operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and stores the encrypted data in a local database, and meanwhile, the server calculates the abstract of the client program of the intelligent operation and maintenance APP application program by using an SM3 in the domestic encryption algorithm and stores the abstract by the server, and then the server issues the client program to the mobile terminal device.
The mobile terminal initializing step, in which the client program released in the server operating step is operated in the mobile terminal device, as shown in fig. 3, the mobile terminal device randomly generates a symmetric key and encrypts and uploads the symmetric key to the server in mk, the server correspondingly generates another public-private key pair, sends the public key to the mobile terminal device as the public key of a subsequent digital envelope, completes one-machine-one-secret key initialization, and then performs a legal verification on the client program, wherein the legal verification is performed for completing mutual trust authentication between the mobile terminal device and the server to prevent the secondary packaged village APP from stealing data;
the mobile terminal operation step, the server side generates an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypts the data after the server side calls the corresponding track traffic operation data in a local database thereof through a client program operated at the mobile terminal device to request the track traffic operation data from the server side, and the encrypted data are sent to the client program operated at the mobile terminal device and display the operation state on the mobile terminal device; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
in the technical scheme of the embodiment, the mobile terminal and the server terminal provided with the special APP for rail transit operation adopt the domestic encryption algorithm to safely store data, and when the APP application program of the mobile terminal is initialized, the SM3 based on the domestic encryption algorithm is used for calculating the abstract and completing the legal verification of the APP application program, so that the purposes of resisting replay attack and resisting unauthorized user access can be realized. After authentication is completed between the mobile terminal provided with the APP special for rail traffic operation and the service end of the rail traffic operation system, the mobile terminal randomly generates a pair of random public and private key pairs belonging to the mobile end (the private keys are placed in a safe storage area), and further obtains random and independent public keys belonging to the mobile end from the service end in a safe mode, so that a mobile terminal uses a pair of public and private keys of the mobile end and a public key of the service end to form a key characteristic of 'one machine one secret'. The secret key of 'one machine one secret' can effectively protect confidentiality of operation data of the rail transit system, and even if an attacker acquires a certain secret key, the secret key is randomly generated and belongs to only one mobile terminal, so that the risk of leakage of the operation data can be effectively reduced. Because the encrypted data message is filled with the message digest field for integrity check before being sent, the attack of malicious tampering of operation data can be effectively resisted.
Example 2
As a specific implementation manner of the present invention, this embodiment provides a method for protecting data of a rail transit mobile terminal, as shown in fig. 1 and 2, including the following steps:
the method comprises the steps of running an application APP program at a server, collecting various track traffic operation data, calling an encryption platform to generate a random symmetric key, encrypting the track traffic operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and storing the encrypted track traffic operation data in a local database, meanwhile, calculating an abstract of the application APP program by using an SM3 in the domestic encryption algorithm at the server, storing the abstract by the server, and then issuing the running application APP program to mobile terminal equipment by the server.
In the operation step of the server side, the encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation flow to generate the random symmetric key.
A mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment and encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, then carrying out copyright verification on the client program, and carrying out copyright verification so as to complete mutual trust authentication between the mobile terminal equipment and the server, thereby preventing the secondary packaged village APP from stealing data;
later, in the mobile terminal initializing step, one-machine-one-secret key initialization is completed, specifically, as shown in fig. 3, the method comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
In this process, pk_app is randomly generated by mobile terminals, and is unique in that each mobile terminal uses a different pk_app, while pk_essc is also generated for ID information of the mobile terminals, each mobile terminal uses a different pk_essc. The process thus completes one-machine-one-secret key initialization.
Preferably, in the mobile terminal initializing step, the performing the authentication on the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data and operation log.
More specifically, in the mobile terminal operation step, after receiving encrypted rail transit operation data of the server, the mobile terminal device performs integrity verification by using a domestic encryption algorithm, decrypts a random key by using an asymmetric encryption algorithm SM2 to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server terminal classifies the new operation data and establishes a table for encryption storage, and specifically includes the following steps:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.

Claims (7)

1. The data protection method of the rail transit mobile terminal is characterized by comprising the following steps of:
the method comprises the steps that a server side operates, a server side operates a server side program of an intelligent operation and maintenance APP application program, various track traffic operation data are collected, an encryption platform is called to generate a random symmetric key, the track traffic operation data are encrypted by an SM4 symmetric algorithm in a domestic encryption algorithm and then stored in a local database, meanwhile, the server side calculates an abstract of a client side program of the intelligent operation and maintenance APP application program by an SM3 in the domestic encryption algorithm and is stored by the server side, and then the server side issues the client side program to mobile terminal equipment;
a mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment, encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, and then carrying out copyright verification on the client program;
a mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; the client program operated by the mobile terminal equipment generates new operation data, calls a mobile encryption module SMTP to generate SM2 public private KEY pairs (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generates a random KEY SESSION_KEY of an SM4 algorithm and stores the random KEY SESSION_KEY in a safe storage area, encrypts the new operation data through the random KEY SESSION_KEY and transmits the new operation data back to a server, and the server classifies the new operation data and establishes a table for encryption storage.
2. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: and calling the encryption platform to generate a random symmetric key, specifically, calling an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm by the intelligent operation and maintenance APP application program, and executing a random session key negotiation flow to generate the random symmetric key.
3. The method for protecting data of a mobile terminal for rail transit according to claim 1, wherein in the step of initializing the mobile terminal, one-machine-one-secret key initialization is completed, and the method specifically comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
4. The method for protecting data of a rail transit mobile terminal according to claim 1, wherein in the step of initializing the mobile terminal, the client program is authenticated, comprising the steps of:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
5. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: in the mobile terminal operation step, the new operation data comprises user registration information, service data and operation logs.
6. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: in the mobile terminal operation step, after receiving encrypted rail transit operation data of a server terminal, the mobile terminal equipment performs integrity verification by utilizing a domestic encryption algorithm, adopts an asymmetric encryption algorithm SM2 to perform random key decryption to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
7. The method for protecting data of a mobile terminal for rail transit according to claim 1, wherein in the step of operating the mobile terminal, the server classifies new operation data and establishes a table for encryption storage, specifically comprising the steps of:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.
CN202111244907.9A 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal Active CN114095156B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111244907.9A CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111244907.9A CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Publications (2)

Publication Number Publication Date
CN114095156A CN114095156A (en) 2022-02-25
CN114095156B true CN114095156B (en) 2023-05-12

Family

ID=80297625

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111244907.9A Active CN114095156B (en) 2021-10-26 2021-10-26 Data protection method for rail transit mobile terminal

Country Status (1)

Country Link
CN (1) CN114095156B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018074750A1 (en) * 2016-10-18 2018-04-26 주식회사 유니온플레이스 Train information managing device
CN109688585A (en) * 2018-12-28 2019-04-26 卡斯柯信号有限公司 Vehicle-ground wireless communication encryption method and device applied to train monitoring system
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN112020038A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic encryption terminal suitable for rail transit mobile application
CN112565285A (en) * 2020-12-16 2021-03-26 卡斯柯信号(成都)有限公司 Communication encryption method suitable for rail transit

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3248359A4 (en) * 2015-01-22 2018-09-05 Visa International Service Association Method and system for establishing a secure communication tunnel

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018074750A1 (en) * 2016-10-18 2018-04-26 주식회사 유니온플레이스 Train information managing device
CN109688585A (en) * 2018-12-28 2019-04-26 卡斯柯信号有限公司 Vehicle-ground wireless communication encryption method and device applied to train monitoring system
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN112020038A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic encryption terminal suitable for rail transit mobile application
CN112565285A (en) * 2020-12-16 2021-03-26 卡斯柯信号(成都)有限公司 Communication encryption method suitable for rail transit

Also Published As

Publication number Publication date
CN114095156A (en) 2022-02-25

Similar Documents

Publication Publication Date Title
CN101005361B (en) Server and software protection method and system
CN112073375A (en) Isolation device and isolation method suitable for power Internet of things client side
CN102024123B (en) Method and device for importing mirror image of virtual machine in cloud calculation
CN104796265A (en) Internet-of-things identity authentication method based on Bluetooth communication access
CN105162808B (en) A kind of safe login method based on national secret algorithm
CN110519046A (en) Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN106973056A (en) The safety chip and its encryption method of a kind of object-oriented
CN108323230B (en) Method for transmitting key, receiving terminal and distributing terminal
JPH07325785A (en) Network user identifying method, ciphering communication method, application client and server
CN112020038A (en) Domestic encryption terminal suitable for rail transit mobile application
CN114006736B (en) Instant communication message protection system and method based on hardware password equipment
KR20170047717A (en) Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device
CN113472793A (en) Personal data protection system based on hardware password equipment
CN114567470B (en) SDK-based multi-system key splitting verification system and method
CN106411926A (en) Data encryption communication method and system
CN104424446A (en) Safety verification and transmission method and system
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
CN108809936B (en) Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof
CN112685786A (en) Financial data encryption and decryption method, system, equipment and storage medium
CN112865965B (en) Train service data processing method and system based on quantum key
JP3348753B2 (en) Encryption key distribution system and method
CN114401087B (en) Passive lock identity authentication and key agreement system based on state cryptographic algorithm
CN113591109B (en) Method and system for communication between trusted execution environment and cloud
CN110519222A (en) Outer net access identity authentication method and system based on disposable asymmetric key pair and key card
CN110289961A (en) Tele-medicine authentication method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant