CN118802143A - Data transmission method and device and electronic equipment - Google Patents
Data transmission method and device and electronic equipment Download PDFInfo
- Publication number
- CN118802143A CN118802143A CN202411002948.0A CN202411002948A CN118802143A CN 118802143 A CN118802143 A CN 118802143A CN 202411002948 A CN202411002948 A CN 202411002948A CN 118802143 A CN118802143 A CN 118802143A
- Authority
- CN
- China
- Prior art keywords
- encrypted
- data
- key
- encryption
- receiving end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 129
- 238000000034 method Methods 0.000 title claims abstract description 63
- 238000012545 processing Methods 0.000 claims abstract description 13
- 238000012795 verification Methods 0.000 claims description 21
- 238000004590 computer program Methods 0.000 claims description 7
- 230000007246 mechanism Effects 0.000 description 8
- 238000007726 management method Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000004891 communication Methods 0.000 description 5
- 230000009471 action Effects 0.000 description 3
- 230000008859 change Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000010276 construction Methods 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000001788 irregular Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The disclosure relates to a data transmission method, a data transmission device and electronic equipment, and relates to the technical field of data transmission, wherein the method comprises the following steps: generating a random number, and generating a first encryption key based on the random number; encrypting the target request data by using the first encryption key to obtain encrypted data; determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext; encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data. In this way, data security risks can be greatly reduced.
Description
Technical Field
The present application relates to the field of data transmission technologies, and in particular, to a data transmission method, a data transmission device, and an electronic device.
Background
With the rapid development of the big data age, the data become an indispensable core resource for enterprise operation, scientific research and daily life. However, the security problem of data in the transmission process is increasingly prominent, and becomes an important bottleneck for restricting the full play of the value of the data. Data disclosure may not only lead to infringement of personal privacy, but may also lead to disclosure of business secrets of enterprises, thereby causing significant economic loss and reputation damage.
In order to ensure the safety of data in the transmission process, the currently commonly adopted technical means is to encrypt the data and transmit the encrypted data. The encryption transmission mode improves the security of data transmission to a certain extent, and effectively prevents the data from being directly read by an unauthorized third party in the transmission process.
However, in the existing encryption transmission scheme, once both communication parties determine an encryption and decryption key, the encryption and decryption key is adopted to encrypt and decrypt data in each transmission process, and the static key management mechanism simplifies the complexity of key management, but once the key is illegally stolen or leaked, even if the encrypted data is transmitted, an attacker can use the key to slightly parse out the data content, so that the data security risk is greatly increased.
Disclosure of Invention
In view of this, the application provides a data transmission method, a data transmission device and an electronic device, and mainly aims to solve the technical problem that the data security risk is greatly increased due to the fact that the same encryption and decryption key is adopted to encrypt and decrypt data in each transmission process at present.
According to a first aspect of the present disclosure, there is provided a data transmission method applied to a transmitting side for execution, including:
generating a random number, and generating a first encryption key based on the random number;
Encrypting the target request data by using the first encryption key to obtain encrypted data;
Determining a second encryption key based on an elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext;
Encrypting the encrypted data and the encrypted ciphertext by using a first target public key of a receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain the target request data.
According to a second aspect of the present disclosure, there is provided a data transmission method applied to a receiving end side for execution, including:
receiving encrypted data and encrypted ciphertext which are sent by a sending end and are encrypted by a first target public key;
decrypting the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext;
Decrypting the encrypted ciphertext based on an elliptic curve encryption algorithm to obtain a first decryption key;
and decrypting the encrypted data by using the first decryption key to obtain target request data.
According to a third aspect of the present disclosure, there is provided a data transmission apparatus applied to a transmitting end side, including:
the generation module is used for generating a random number and generating a first encryption key based on the random number;
The first encryption module is used for encrypting the target request data by using the first encryption key to obtain encrypted data;
A second encryption module for determining a second encryption key based on an elliptic curve, using the following
The second encryption key carries out encryption processing on the first encryption key to obtain an encrypted ciphertext;
The third encryption module is used for encrypting the encrypted data and the encrypted ciphertext by using a first target public key of a receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain the target request data.
According to a fourth aspect of the present disclosure, there is provided a data transmission apparatus applied to a receiving end side, including:
the second receiving module is used for receiving the encrypted data and the encrypted ciphertext which are sent by the sending end and are encrypted by the first target public key;
The second decryption module is used for decrypting the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext;
The third decryption module is used for decrypting the encrypted ciphertext based on an elliptic curve encryption algorithm to obtain a first decryption key;
And the fourth decryption module is used for decrypting the encrypted data by using the first decryption key to obtain target request data.
According to a fifth aspect of the present disclosure, there is provided an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the first aspect or the method of the second aspect.
According to a sixth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of the first aspect or to perform the method of the second aspect.
According to a seventh aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect described above, or implements the method of the second aspect described above.
Compared with the prior art, the data transmission method, the data transmission device and the electronic equipment generate the first encryption key based on the random number by generating the random number; encrypting the target request data by using the first encryption key to obtain encrypted data; determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext; encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data. By applying the technical scheme of the present disclosure, by introducing a dynamic key management mechanism, namely generating a random number and generating a first encryption key based on the random number, it is ensured that the encryption key used for each transmission is unique, thereby avoiding the security risk possibly caused by using a fixed key. By introducing a multi-layer encryption policy, i.e. a first layer encryption: and encrypting the target request data by using the first encryption key to obtain encrypted data, so that the basic security of the data in the transmission process is ensured. Second layer encryption: and determining a second encryption key based on an elliptic curve algorithm, and encrypting the first encryption key by using the second encryption key to obtain an encrypted ciphertext, so that additional security protection is provided for the first encryption key. Third layer encryption: and re-encrypting the encrypted data and the encrypted ciphertext by using the first target public key of the receiving end, and integrally transmitting the encrypted data to the receiving end. By utilizing the security of public key encryption, even if encrypted data and encrypted ciphertext are intercepted in the transmission process, the encrypted data cannot be decrypted without a corresponding private key, so that the data security risk is greatly reduced.
The foregoing description is only an overview of the present application, and is intended to be implemented in accordance with the teachings of the present application in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present application more readily apparent.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
For a clearer description of an embodiment of the application or of a technical application in the prior art, the drawings which are used in the description of the embodiment or of the prior art will be briefly described, it being obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flow chart of a data transmission method according to an embodiment of the disclosure;
Fig. 2 is a flowchart of another data transmission method according to an embodiment of the disclosure;
Fig. 3 is a schematic structural diagram of a data transmission device according to an embodiment of the disclosure;
Fig. 4 is a schematic structural diagram of another data transmission device according to an embodiment of the disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
The following describes a data transmission method, a data transmission device and electronic equipment according to the embodiments of the present disclosure with reference to the accompanying drawings.
The disclosure provides a data transmission method, a data transmission device and electronic equipment, and mainly aims to solve the technical problem that the data is encrypted and decrypted by adopting the same encryption and decryption key in each transmission process at present, so that the security risk of the data is greatly increased.
As shown in fig. 1, an embodiment of the present disclosure provides a data transmission method applied to a transmitting end side, where the method may include:
step 101, generating a random number, and generating a first encryption key based on the random number.
The random number may be a number randomly generated at each data transmission to ensure the uniqueness of the first encryption key used at each data transmission.
The first encryption key may be a key generated based on a random number for encrypting the target request data during data transmission. The first encryption key generated based on the random number also has a high degree of security due to the unpredictability of the random number, making it more difficult for an attacker to access or tamper with the transmitted data by cracking the key.
For the disclosed embodiments, the system may randomly generate a random number prior to each data transmission. A unique encryption key for this data transmission may be generated by some algorithm, such as the key derivation function KDF. In this way, different keys are used for each transmission, and the risk of batch decryption of data after the keys are stolen is greatly reduced.
For the disclosed embodiments, prior to generating the random number, generating the first encryption key based on the random number, the method further comprises:
receiving a data transmission request sent by a receiving end and encrypted by a second target public key of the sending end;
decrypting the encrypted data transmission request by using a second target private key corresponding to the second target public key to obtain a decrypted data transmission request, wherein the data transmission request comprises user authentication information, a receiving end IP address and a data identifier;
Verifying the user authentication information;
if the verification is passed, generating a random number, and generating a first encryption key based on the random number;
and if the verification is not passed, sending authentication failure information to the receiving end.
In a specific application scenario, for convenience of description, the implementation flow of the present application will be described in detail below by taking an example that the user a requests the data a (i.e. the target request data) stored on the terminal B (i.e. the data transmitting end) through the terminal a (i.e. the data receiving end).
The user a sends a data transmission request to the terminal B (as a data transmitting end) through the terminal a (as a data receiving end), wherein the request content of the data transmission request can include user authentication information, a receiving end IP address and a data identifier.
The user authentication information may be, for example, a user name, a user password, or other forms of authentication token or certificate, etc., used to verify the identity and authority of the user a, ensuring that only legitimate users can request data.
The receiving end IP address (i.e., the IP address of the terminal a) may be used as the transmitting address of the terminal B (i.e., the data transmitting end).
The data identification (i.e., the identification of data a) can be used to explicitly request specific data, avoiding sending erroneous data. The data identification may be a file name, database record ID, or other information capable of uniquely identifying the data.
In order to ensure the security of the data transmission request during the transmission process, and prevent the data transmission request from being stolen or tampered by an unauthorized third party, the data transmission request is encrypted with the public key of the terminal B (i.e., the data transmitting end) (i.e., the second target public key).
The public key encryption is an asymmetric encryption mode, and the public key is public, but the private key is only held by the terminal B (namely the data transmitting end). The data encrypted by the public key can be decrypted only by the corresponding private key, thereby ensuring the security of data transmission.
Specifically, before sending the data transmission request, the terminal a (i.e. the data receiving end) may encrypt sensitive information (such as user authentication information, the IP address of the receiving end and/or the data identifier) in the data transmission request by using the public key (i.e. the second target public key) of the terminal B (i.e. the data sending end), where the encrypted data transmission request may become a random-looking messy code, and only the second target private key corresponding to the second target public key may be used to decrypt and restore the original information.
When the terminal B (i.e., the data transmitting end) receives the data transmission request from the terminal a (i.e., the data receiving end), the data transmission request can be parsed first to extract the user authentication information, the receiving end IP address, the data identifier, etc. from the data transmission request.
The terminal B (i.e. the data transmitting end) may verify the user authentication information provided by the user a by using a preset authentication mechanism (such as database query, password hash ratio, etc.), so as to confirm the identity and authority of the user a, and ensure that the user a is qualified to request the data a.
If the user authentication information of the user A passes the verification, the identity and the authority of the user A are legal, and the user A has the authority of requesting the data A. At this time, the terminal B performs the subsequent data processing steps, such as generating a random number, and generating the first encryption key based on the random number.
If the user authentication information of the user a is not verified, it is indicated that the identity or authority of the user a is problematic, and the user a does not have enough authority to request the data a. In this case, terminal B may feed back an authentication failed information to terminal a. The authentication failed information may contain a certain error code or description so that user a knows why the request was denied and may be guided to re-initiate the request after obtaining the corresponding data acquisition rights.
For the embodiment of the present disclosure, verifying the user authentication information may specifically include:
Verifying the user authentication information by using a blockchain, wherein the blockchain is used for storing a user authentication record;
If the user authentication record matched with the user authentication information is not stored in the block chain, the verification is not passed;
If the block chain stores the user authentication record matched with the user authentication information, acquiring the user access right, and acquiring the accessed right of the target request data based on the user access right;
comparing the user access rights with the accessed rights;
If the user access authority is greater than or equal to the accessed authority, determining that the verification is passed;
If the user access rights are smaller than the accessed rights, the verification is determined not to pass.
In a specific application scenario, user a, at registration, is stored on the blockchain with its username, password, and data access rights assigned to it. The non-tamper-evident and de-centralised nature of the blockchain ensures the security and trustworthiness of this information.
When the terminal B (i.e. the data transmitting end) authenticates the user authentication information of the user a, the user authentication information (user name and password) of the user a is transmitted to the blockchain network for verification. If content matching the user authentication information provided by user A is stored on the blockchain, the blockchain may feed back the data access rights of user A. If no matching content is found, a data verification failure message is fed back.
If the terminal B (i.e. the data transmitting end) receives the verification failure message, the authentication failure information of the user A is confirmed to be failed, and the authentication failure information is fed back to the terminal A (i.e. the data receiving end).
If the verification is successful, the terminal B (namely the data transmitting end) can acquire the accessed right of the data A. The access rights may be set by the data owner (e.g., user a or other user) at the time of data a generation, indicating what access rights the user may access the data.
The terminal B (i.e., the data transmitting end) may compare the data access right of the user a received from the block link with the accessed right of the data a. If the received data access right is not lower than the accessed right, the terminal B (i.e. the data transmitting end) can confirm that the user A has the right to request the data, and the subsequent steps are continued.
If the received data access right is lower than the accessed right, the terminal B (i.e., the data transmitting end) may confirm that the authentication of the user a is failed (although the identity of the user a may be authentic, the right is insufficient to access the data a), and feedback authentication failure information to the terminal a.
For the embodiments of the present disclosure, generating the first encryption key based on the random number may specifically include:
acquiring the IP address of a receiving end and the number of nodes on a transmission path between a transmitting end and the receiving end;
Performing product operation on the random number and the number of the nodes to obtain a disturbance code;
respectively carrying out hash operation on the disturbance code and the IP address of the receiving end to obtain a first hash value and a second hash value;
The sum of the first hash value and the second hash value is determined as the first encryption key.
In the scheme of the application, the encryption password is not a preset fixed value, but is generated in real time according to dynamic change factors. The dynamic change factor may include a receiving end IP address, the number of nodes on a transmission path between a transmitting end and a receiving end, and the like. This mechanism ensures that the encryption keys used for each data transfer are unique.
Since the IP address used each time a terminal transmits is different, even if the same IP address is used for both transmissions, it may result in a difference in encryption password if the terminal itself is different (e.g., different devices or network configurations are used).
Or the current network condition changes to cause the change of the transmission paths between the terminal A and the terminal B, so that the number of nodes of the transmission paths selected each time is also possibly different, thus the encryption passwords adopted in each time of transmission are different, or the encryption passwords adopted in each time of transmission are irregular, under the condition that a certain encryption password is stolen, after the encrypted data is obtained, the probability of successfully restoring the original data again through the encryption password is extremely small, and the final data security is ensured.
Compared with the prior art, the encryption password generation mechanism has obvious advantages. Existing schemes typically use a fixed encryption password, and once the password is stolen, all subsequent encrypted data is at risk of being restored. The application effectively avoids the security hole by introducing dynamic factors to generate the encryption password, thereby improving the security in the data transmission process and reducing the security risk caused by the fact that the encryption password is stolen.
Specifically, before starting the encryption process, the user B first generates a random number R, which can be used to increase the complexity and security of the encryption process.
The user B may obtain the IP address IP A of the terminal a, which may be a unique identifier of a device on the network, for ensuring the specificity of the encryption password. The number N of nodes on the transmission path may be acquired, where the transmission path may refer to a path where the terminal a sends a data transmission request to the terminal B and finally transmits the data a. When a connection (such as a TCP connection) is established, terminal a and terminal B send handshake data to each other, and the number N of nodes present on the path between them can be determined by the routing information. The number of nodes N includes terminal a and terminal B itself.
The user B can multiply the random number R with the node number N to obtain a disturbance code D, namely
D=R*N
Finally, the user B performs hash operation (hash) on the IP address IP A and the disturbance code D, and adds the two hash values to obtain the symmetric key encryption key1 (i.e., the first encryption key). The hash operation can be a one-way function, can convert an input with any length into an output with a fixed length, and is difficult to reversely push out the input from the output. By combining the hash values of IP A and D, key1 becomes a complex password that contains both device identification and network topology information.
Accordingly, symmetric key encryption ciphers
In addition, as another possible implementation, the IP address IP A may also be replaced with a MAC address to provide another form of device unique identification.
The number of nodes N may be replaced with the size of the currently transmitted data packet. To achieve this, however, the packet size may be transmitted to terminal B in some secure manner (e.g., encrypted using the public key of terminal B) so that terminal B can generate the same encryption key.
The overall process ensures that the encryption keys used at each data transmission are generated based on a variety of dynamic factors, which may include random numbers, IP addresses (or MAC addresses), network topology (as embodied by the number of nodes), and optionally packet size. The design ensures that the encryption password has high irregularity, thereby improving the security of data transmission.
And 102, encrypting the target request data by using the first encryption key to obtain encrypted data.
For the embodiment of the present disclosure, after the terminal B obtains the data a, encryption processing may be performed on the data a (i.e., the target request data) based on the key1 (i.e., the first encryption key), to obtain encrypted data1 after encryption.
And 103, determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext.
For the presently disclosed embodiments, an elliptic curve E (a, b) may be first determined, where a may be the distance from any point to two foci on the ellipse and/or 2,C may be the distance/2 of the two foci of the ellipse.
Any point No on the elliptic curve can be randomly determined, as well as a large prime number or prime number P and a random number k.
Wherein, P can be a large prime number or prime number, and the larger the P value is, the larger the cracking difficulty is, so that the large prime number can be selected.
Prime numbers, also known as prime numbers, are natural numbers greater than 1 and have no other factors other than 1 and itself.
Large prime numbers refer to very large prime numbers. In the fields of cryptography and information security, large prime numbers are often used as moduli to ensure that operations are performed within a finite field, thereby enhancing security.
A symmetric encryption key (i.e., a second encryption key) may be generated based on the elliptic curve as follows:
key2=PNo
accordingly, determining the second encryption key based on the elliptic curve may specifically include:
determining any random point, prime number and random number of the elliptic curve;
The second encryption key is determined based on the random point, the prime number, and the random number.
The key 1 (i.e., the first encryption key) is encrypted by the key 2 (i.e., the second encryption key) to obtain the encrypted ciphertext data 2={kNo,key1+kkey2.
And taking the data 2, the No, the k, the P and the data 1 as final data, and encrypting the final data through the public key of the terminal A to obtain data to be transmitted.
104, Encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data.
The first target public key may be a public key used by the receiving end to decrypt data or verify a digital signature.
For the embodiment of the disclosure, the first target public key of the receiving end can be utilized to encrypt the encrypted data and the encrypted ciphertext, and the encrypted data and the encrypted ciphertext are transmitted to the receiving end, so that the receiving end utilizes the first target private key corresponding to the first target public key to decrypt the encrypted data and the encrypted ciphertext, and the encrypted data and the encrypted ciphertext are obtained; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data.
Specifically, in the adapting embodiment step 103, data 2, no, k, P and data 1 may be used as final data, and the final data is encrypted by the public key of the terminal a to obtain data to be transmitted, so that the terminal B transmits the data to be transmitted to the terminal a.
Correspondingly, the first target public key of the receiving end is utilized to encrypt the encrypted data and the encrypted ciphertext, and the encrypted data and the encrypted ciphertext after being encrypted are transmitted to the receiving end, which comprises the following steps:
and encrypting the encrypted data, the encrypted ciphertext, the random point, the prime number and the random number by using the first target public key of the receiving end, and transmitting the encrypted data, the encrypted ciphertext, the random point, the prime number and the random number to the receiving end.
In summary, compared with the prior art, the data transmission method provided by the present disclosure generates a random number, and generates a first encryption key based on the random number; encrypting the target request data by using the first encryption key to obtain encrypted data; determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext; encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data. By applying the technical scheme of the present disclosure, by introducing a dynamic key management mechanism, namely generating a random number and generating a first encryption key based on the random number, it is ensured that the encryption key used for each transmission is unique, thereby avoiding the security risk possibly caused by using a fixed key. By introducing a multi-layer encryption policy, i.e. a first layer encryption: and encrypting the target request data by using the first encryption key to obtain encrypted data, so that the basic security of the data in the transmission process is ensured. Second layer encryption: and determining a second encryption key based on an elliptic curve algorithm, and encrypting the first encryption key by using the second encryption key to obtain an encrypted ciphertext, so that additional security protection is provided for the first encryption key. Third layer encryption: and re-encrypting the encrypted data and the encrypted ciphertext by using the first target public key of the receiving end, and integrally transmitting the encrypted data to the receiving end. By utilizing the security of public key encryption, even if encrypted data and encrypted ciphertext are intercepted in the transmission process, the encrypted data cannot be decrypted without a corresponding private key, so that the data security risk is greatly reduced.
The foregoing embodiment is a data transmission process described at the transmitting side, and further, to fully explain implementation of the embodiment, the embodiment further provides another data transmission method, which may be applied to the receiving side for execution. As shown in fig. 2, the method includes:
step 201, receiving the encrypted data and the encrypted ciphertext which are sent by the sending end and are encrypted by the first target public key.
The first target public key may be a public key used by the receiving end to decrypt data or verify a digital signature.
For the embodiment of the present disclosure, the receiving end may receive the encrypted data (i.e., data 1), the encrypted ciphertext (i.e., data 2), the random point (i.e., no), the prime number (i.e., P), and the random number (i.e., k) sent by the sending end and encrypted by the first target public key.
Before receiving the encrypted data, the encrypted ciphertext, the random point, the prime number and the random number which are sent by the sending end and are encrypted by the first target public key, the method further comprises the following steps:
Acquiring a data transmission request, wherein the data transmission request can comprise user authentication information, a receiving end IP address and a data identifier;
encrypting the data transmission request by using a second target public key of the transmitting end to obtain an encrypted data transmission request;
And sending the encrypted data transmission request to the sending end, so that the sending end decrypts the encrypted data transmission request by using a second target private key corresponding to the second target public key to obtain the decrypted data transmission request.
In this way, confidentiality and integrity of the data during transmission can be ensured while preventing unauthorized access.
And 202, decrypting the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext.
For the embodiment of the disclosure, the terminal a (i.e., the data receiving end) may perform decryption processing on the encrypted data (i.e., data 1), the encrypted ciphertext (i.e., data 2), the random point (i.e., no), the prime number (i.e., P), and the random number (i.e., k) by using the first target private key corresponding to the first target public key, to obtain the encrypted data (i.e., data 1), the encrypted ciphertext (i.e., data 2), the random point (i.e., no), the prime number (i.e., P), and the random number (i.e., k).
And 203, decrypting the encrypted ciphertext based on the elliptic curve encryption algorithm to obtain a first decryption key.
For the embodiment of the disclosure, the terminal a (i.e., the data receiving end) may decrypt the encrypted ciphertext (i.e., the data 2) through the random point (i.e., no), the prime number (i.e., P), and the random number (i.e., k) by the following formula to obtain the first decryption key 1
key1+kkey2-P(kNo)=key1+P(kNo)-P(kNo)=key1
And 204, decrypting the encrypted data by using the first decryption key to obtain the target request data.
For the embodiment of the present disclosure, the terminal a (i.e., the data receiving end) may decrypt the encrypted data (i.e., the data 1) by using the first decryption key 1 to obtain the target request data (i.e., the data a).
In summary, compared with the prior art, the data transmission method provided by the present disclosure generates a random number, and generates a first encryption key based on the random number; encrypting the target request data by using the first encryption key to obtain encrypted data; determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext; encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data. By applying the technical scheme of the present disclosure, by introducing a dynamic key management mechanism, namely generating a random number and generating a first encryption key based on the random number, it is ensured that the encryption key used for each transmission is unique, thereby avoiding the security risk possibly caused by using a fixed key. By introducing a multi-layer encryption policy, i.e. a first layer encryption: and encrypting the target request data by using the first encryption key to obtain encrypted data, so that the basic security of the data in the transmission process is ensured. Second layer encryption: and determining a second encryption key based on an elliptic curve algorithm, and encrypting the first encryption key by using the second encryption key to obtain an encrypted ciphertext, so that additional security protection is provided for the first encryption key. Third layer encryption: and re-encrypting the encrypted data and the encrypted ciphertext by using the first target public key of the receiving end, and integrally transmitting the encrypted data to the receiving end. By utilizing the security of public key encryption, even if encrypted data and encrypted ciphertext are intercepted in the transmission process, the encrypted data cannot be decrypted without a corresponding private key, so that the data security risk is greatly reduced.
Based on the specific implementation of the method shown in fig. 1, this embodiment provides a data transmission device applicable to a sender side, as shown in fig. 3, where the device includes: a generating module 31, a first encrypting module 32, a second encrypting module 33, and a third encrypting module 34;
A generation module 31 for generating a random number, based on which a first encryption key is generated;
A first encryption module 32, configured to encrypt the target request data with the first encryption key to obtain encrypted data;
a second encryption module 33, configured to determine a second encryption key based on an elliptic curve, and encrypt the first encryption key with the second encryption key to obtain an encrypted ciphertext;
A third encryption module 34, configured to encrypt the encrypted data and the encrypted ciphertext with a first target public key of a receiving end, and transmit the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext with a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain the target request data.
In a specific application scenario, as shown in fig. 3, the apparatus further includes: a first receiving module 35, a first decrypting module 36, a verifying module 37;
a first receiving module 35, configured to receive a data transmission request sent by the receiving end and encrypted with a second target public key of the sending end;
A first decryption module 36, configured to decrypt the encrypted data transmission request with a second target private key corresponding to the second target public key, to obtain a decrypted data transmission request, where the data transmission request includes user authentication information, a receiving end IP address, and a data identifier;
a verification module 37, configured to verify the user authentication information; if the verification is passed, generating a random number, and generating a first encryption key based on the random number; and if the verification is not passed, sending authentication failure information to the receiving end.
In a specific application scenario, the verification module 37 may be configured to verify the user authentication information by using a blockchain, where the blockchain is used to store a user authentication record;
if the user authentication record matched with the user authentication information is not stored in the blockchain, the verification is not passed;
If the blockchain stores the user authentication record matched with the user authentication information, acquiring user access rights, and acquiring the accessed rights of the target request data based on the user access rights;
comparing the user access rights with the accessed rights; if the user access authority is greater than or equal to the accessed authority, determining that the verification is passed; and if the user access authority is smaller than the accessed authority, determining that the verification is not passed.
In a specific application scenario, the generating module 31 may be configured to obtain the IP address of the receiving end and the number of nodes on a transmission path between the sending end and the receiving end;
Performing product operation on the random number and the node number to obtain a disturbance code;
respectively carrying out hash operation on the disturbance code and the IP address of the receiving end to obtain a first hash value and a second hash value;
and determining the sum of the first hash value and the second hash value as the first encryption key.
In a specific application scenario, the second encryption module 33 may be configured to determine any random point, prime number and random number of the elliptic curve;
The second encryption key is determined based on the random point, the prime number, and the random number.
In a specific application scenario, the third encryption module 34 may be configured to encrypt the encrypted data, the encrypted ciphertext, the random point, the prime number, and the random number with a first target public key of a receiving end, and transmit the encrypted data, the encrypted ciphertext, the random point, the prime number, and the random number to the receiving end.
It should be noted that, in the other corresponding descriptions of the functional units related to the data transmission device provided in the present embodiment, which may be applied to the transmitting end side, reference may be made to the corresponding descriptions of the method in fig. 1, which are not repeated herein.
Further, as a specific implementation of the method shown in fig. 2, the present embodiment provides a data transmission apparatus applicable to a receiving end side, as shown in fig. 4, where the apparatus includes:
a second receiving module 41, configured to receive the encrypted data and the encrypted ciphertext sent by the sending end and encrypted by the first target public key;
a second decryption module 42, configured to decrypt the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key, to obtain the encrypted data and the encrypted ciphertext;
A third decryption module 43, configured to decrypt the encrypted ciphertext based on an elliptic curve cryptography algorithm to obtain a first decryption key;
And a fourth decryption module 44, configured to decrypt the encrypted data with the first decryption key to obtain target request data.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: an acquisition module 45, a fourth encryption module 46, a transmission module 47;
An obtaining module 45, configured to obtain a data transmission request, where the data transmission request includes user authentication information, a receiving end IP address, and a data identifier;
a fourth encryption module 46, configured to encrypt the data transmission request with a second target public key of the transmitting end, so as to obtain an encrypted data transmission request;
and a sending module 47, configured to send the encrypted data transmission request to a sending end, so that the sending end decrypts the encrypted data transmission request with a second target private key corresponding to the second target public key, to obtain the decrypted data transmission request.
It should be noted that, in the description of the corresponding description of the method in fig. 1, the corresponding description of each functional unit related to the data transmission device provided in this embodiment may be referred to, and will not be repeated here.
Based on the above-described methods as shown in fig. 1 and 2, the present disclosure also provides a computer-readable storage medium having a computer program stored thereon, which when executed by a processor, implements the above-described methods as shown in fig. 1 and 2.
Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to execute the method of each implementation scenario of the present disclosure.
Based on the methods shown in fig. 1 and fig. 2 and the virtual device embodiments shown in fig. 3 and fig. 4, in order to achieve the above objects, the embodiments of the present disclosure further provide an electronic device that may be configured on an end side of a vehicle (such as an electric automobile), where the device includes a storage medium and a processor; a storage medium storing a computer program; a processor for executing a computer program to implement the method as shown in fig. 1 and 2 described above.
Optionally, the physical device may further include a user interface, a network interface, a camera, radio frequency (RadioFrequency, RF) circuitry, sensors, audio circuitry, WI-FI modules, and so on. The user interface may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
It will be appreciated by those skilled in the art that the above-described physical device structure provided by the present disclosure is not limiting of the physical device, and may include more or fewer components, or may combine certain components, or a different arrangement of components.
The storage medium may also include an operating system, a network communication module. The operating system is a program that manages the physical device hardware and software resources described above, supporting the execution of information handling programs and other software and/or programs. The network communication module is used for realizing communication among all components in the storage medium and communication with other hardware and software in the information processing entity equipment.
From the above description of embodiments, it will be apparent to those skilled in the art that the present disclosure may be implemented by means of software plus necessary general hardware platforms, or may be implemented by hardware. Compared with the prior art, the data transmission method, the data transmission device and the electronic equipment generate the first encryption key based on the random number by generating the random number; encrypting the target request data by using the first encryption key to obtain encrypted data; determining a second encryption key based on the elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext; encrypting the encrypted data and the encrypted ciphertext by using a first target public key of the receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain target request data. By applying the technical scheme of the present disclosure, by introducing a dynamic key management mechanism, namely generating a random number and generating a first encryption key based on the random number, it is ensured that the encryption key used for each transmission is unique, thereby avoiding the security risk possibly caused by using a fixed key. By introducing a multi-layer encryption policy, i.e. a first layer encryption: and encrypting the target request data by using the first encryption key to obtain encrypted data, so that the basic security of the data in the transmission process is ensured. Second layer encryption: and determining a second encryption key based on an elliptic curve algorithm, and encrypting the first encryption key by using the second encryption key to obtain an encrypted ciphertext, so that additional security protection is provided for the first encryption key. Third layer encryption: and re-encrypting the encrypted data and the encrypted ciphertext by using the first target public key of the receiving end, and integrally transmitting the encrypted data to the receiving end. By utilizing the security of public key encryption, even if encrypted data and encrypted ciphertext are intercepted in the transmission process, the encrypted data cannot be decrypted without a corresponding private key, so that the data security risk is greatly reduced.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The above is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (13)
1. A data transmission method, applied to a transmitting end side, the method comprising:
generating a random number, and generating a first encryption key based on the random number;
Encrypting the target request data by using the first encryption key to obtain encrypted data;
Determining a second encryption key based on an elliptic curve, and carrying out encryption processing on the first encryption key by using the second encryption key to obtain an encrypted ciphertext;
Encrypting the encrypted data and the encrypted ciphertext by using a first target public key of a receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end, so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain the target request data.
2. The method of claim 1, wherein prior to the generating the random number, generating the first encryption key based on the random number, the method further comprises:
Receiving a data transmission request sent by the receiving end and encrypted by using a second target public key of the sending end;
Decrypting the encrypted data transmission request by using a second target private key corresponding to the second target public key to obtain the decrypted data transmission request, wherein the data transmission request comprises user authentication information, a receiving end IP address and a data identifier;
Verifying the user authentication information;
If the verification is passed, generating a random number, and generating a first encryption key based on the random number;
and if the verification is not passed, sending authentication failure information to the receiving end.
3. The method of claim 2, wherein verifying the user authentication information comprises:
Verifying the user authentication information by using a blockchain, wherein the blockchain is used for storing a user authentication record;
if the user authentication record matched with the user authentication information is not stored in the blockchain, the verification is not passed;
If the blockchain stores the user authentication record matched with the user authentication information, acquiring user access rights, and acquiring the accessed rights of the target request data based on the user access rights;
Comparing the user access rights with the accessed rights;
if the user access authority is greater than or equal to the accessed authority, determining that the verification is passed;
And if the user access authority is smaller than the accessed authority, determining that the verification is not passed.
4. The method of claim 2, wherein the generating a first encryption key based on the random number comprises:
Acquiring the IP address of the receiving end and the number of nodes on a transmission path between the transmitting end and the receiving end;
Performing product operation on the random number and the node number to obtain a disturbance code;
respectively carrying out hash operation on the disturbance code and the IP address of the receiving end to obtain a first hash value and a second hash value;
and determining the sum of the first hash value and the second hash value as the first encryption key.
5. The method of claim 1, wherein the determining the second encryption key based on the elliptic curve comprises:
determining any random point, prime number and random number of the elliptic curve;
The second encryption key is determined based on the random point, the prime number, and the random number.
6. The method according to claim 5, wherein encrypting the encrypted data and the encrypted ciphertext using the first target public key of the receiving end and transmitting the encrypted data and the encrypted ciphertext to the receiving end comprises:
And encrypting the encrypted data, the encrypted ciphertext, the random point, the prime number and the random number by using a first target public key of a receiving end, and transmitting the encrypted data, the encrypted ciphertext, the random point, the prime number and the random number to the receiving end.
7. A data transmission method, applied to a receiving end side, the method comprising:
receiving encrypted data and encrypted ciphertext which are sent by a sending end and are encrypted by a first target public key;
decrypting the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext;
Decrypting the encrypted ciphertext based on an elliptic curve encryption algorithm to obtain a first decryption key;
and decrypting the encrypted data by using the first decryption key to obtain target request data.
8. The method of claim 7, wherein prior to the receiving the encrypted data and the encrypted ciphertext transmitted by the transmitting end that are encrypted with the first target public key, the method further comprises:
Acquiring a data transmission request, wherein the data transmission request comprises user authentication information, a receiving end IP address and a data identifier;
Encrypting the data transmission request by using a second target public key of the transmitting end to obtain the encrypted data transmission request;
And sending the encrypted data transmission request to a sending end, so that the sending end decrypts the encrypted data transmission request by using a second target private key corresponding to the second target public key to obtain the decrypted data transmission request.
9. A data transmission apparatus, characterized by being applied to a transmitting end side, comprising:
the generation module is used for generating a random number and generating a first encryption key based on the random number;
The first encryption module is used for encrypting the target request data by using the first encryption key to obtain encrypted data;
The second encryption module is used for determining a second encryption key based on an elliptic curve, and carrying out encryption processing on the first encryption key by utilizing the second encryption key to obtain an encrypted ciphertext;
The third encryption module is used for encrypting the encrypted data and the encrypted ciphertext by using a first target public key of a receiving end, and transmitting the encrypted data and the encrypted ciphertext to the receiving end so that the receiving end decrypts the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext; decrypting the encrypted ciphertext to obtain a first decryption key; and decrypting the encrypted data by using the first decryption key to obtain the target request data.
10. A data transmission apparatus, characterized in that it is applied to a receiving end side, said apparatus comprising:
the second receiving module is used for receiving the encrypted data and the encrypted ciphertext which are sent by the sending end and are encrypted by the first target public key;
The second decryption module is used for decrypting the encrypted data and the encrypted ciphertext by using a first target private key corresponding to the first target public key to obtain the encrypted data and the encrypted ciphertext;
The third decryption module is used for decrypting the encrypted ciphertext based on an elliptic curve encryption algorithm to obtain a first decryption key;
And the fourth decryption module is used for decrypting the encrypted data by using the first decryption key to obtain target request data.
11. An electronic device, comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 6 or any one of claims 7 to 8.
12. A computer readable storage medium, which when executed by a processor of an electronic device, causes the electronic device to perform the method of any one of claims 1 to 6, or the method of any one of claims 7 to 8.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411002948.0A CN118802143A (en) | 2024-07-25 | 2024-07-25 | Data transmission method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411002948.0A CN118802143A (en) | 2024-07-25 | 2024-07-25 | Data transmission method and device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118802143A true CN118802143A (en) | 2024-10-18 |
Family
ID=93033594
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411002948.0A Pending CN118802143A (en) | 2024-07-25 | 2024-07-25 | Data transmission method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118802143A (en) |
-
2024
- 2024-07-25 CN CN202411002948.0A patent/CN118802143A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109088889B (en) | SSL encryption and decryption method, system and computer readable storage medium | |
| US7681033B2 (en) | Device authentication system | |
| US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
| TWI288552B (en) | Method for implementing new password and computer readable medium for performing the method | |
| US20090240936A1 (en) | System and method for storing client-side certificate credentials | |
| US10594479B2 (en) | Method for managing smart home environment, method for joining smart home environment and method for connecting communication session with smart device | |
| CA2879910C (en) | Terminal identity verification and service authentication method, system and terminal | |
| JP2009529832A (en) | Undiscoverable, ie secure data communication using black data | |
| CN109618341A (en) | A kind of digital signature authentication method, system, device and storage medium | |
| US10263782B2 (en) | Soft-token authentication system | |
| CN109716725B (en) | Data security system, method of operating the same, and computer-readable storage medium | |
| CN107920052B (en) | Encryption method and intelligent device | |
| DK2414983T3 (en) | Secure computer system | |
| CN111510288B (en) | Key management method, electronic device and storage medium | |
| CN117675285A (en) | Identity verification method, chip and equipment | |
| CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
| JP6533542B2 (en) | Secret key replication system, terminal and secret key replication method | |
| US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
| CN114826702B (en) | Database access password encryption method and device and computer equipment | |
| RU2698424C1 (en) | Authorization control method | |
| CN110572392A (en) | Identity authentication method based on HyperLegger network | |
| EP2359525B1 (en) | Method for enabling limitation of service access | |
| US20240039707A1 (en) | Mobile authenticator for performing a role in user authentication | |
| CN114553557B (en) | Key calling method, device, computer equipment and storage medium | |
| JPWO2020166066A1 (en) | Token protection methods, authorization systems, devices, and program recording media |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |