Nothing Special   »   [go: up one dir, main page]

CN117118763B - Method, device and system for data transmission - Google Patents

Method, device and system for data transmission Download PDF

Info

Publication number
CN117118763B
CN117118763B CN202311386573.8A CN202311386573A CN117118763B CN 117118763 B CN117118763 B CN 117118763B CN 202311386573 A CN202311386573 A CN 202311386573A CN 117118763 B CN117118763 B CN 117118763B
Authority
CN
China
Prior art keywords
data
server
key
client
transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311386573.8A
Other languages
Chinese (zh)
Other versions
CN117118763A (en
Inventor
张楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ziguang Tongxin Microelectronics Co Ltd
Original Assignee
Ziguang Tongxin Microelectronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ziguang Tongxin Microelectronics Co Ltd filed Critical Ziguang Tongxin Microelectronics Co Ltd
Priority to CN202311386573.8A priority Critical patent/CN117118763B/en
Publication of CN117118763A publication Critical patent/CN117118763A/en
Application granted granted Critical
Publication of CN117118763B publication Critical patent/CN117118763B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to the technical field of network communication security, and discloses a method for data transmission, which is applied to a client and comprises the following steps: under the condition of establishing a secure transmission protocol connection with a server, generating a session key and sending the session key to the server; performing double-layer encryption processing on application layer data by using a chip key and a session key to obtain target transmission data; and sending the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data. The method can effectively prevent the observer from tracking the server or the user according to the interactive information when the security transmission protocol is connected, and ensure the security and the reliability of data communication. The application also discloses a device and a system for data transmission.

Description

Method, device and system for data transmission
Technical Field
The present invention relates to the field of network communication security technologies, and for example, to a method, an apparatus, and a system for data transmission.
Background
Currently, with the rapid development of the internet and various network applications, data communication security issues are becoming more and more interesting. Conventional network security schemes, such as TLS (Transport Layer Security, secure transport layer protocol) and SSL (Secure Socket Layer ), have become fundamental techniques for securing data during transmission. However, these conventional security measures also suffer from a number of drawbacks and limitations. For example, a Server Name Indication (SNI) in the TLS handshake process may be used by the watcher to identify and track the network behavior of the user. Therefore, in the process of secure connection, how to avoid the identification and tracking of the observer to ensure the security of the data communication becomes a technical problem to be solved.
In order to ensure the security of communication during TLS handshake, the related art discloses a method for protecting the key security of a server side in the TLS handshake process, which comprises the following steps: sending an asymmetric key generation request to the password equipment; receiving an asymmetric key pair generated by the password device, wherein a private key in the asymmetric key pair is encrypted by the password device; obtaining a server certificate according to the asymmetric key pair; establishing a handshake relationship with a client; sending a calculation request to the password equipment according to the key exchange parameters of the client; receiving a cipher text form key unit fed back by the cipher equipment; after the cipher device encrypts the application data according to the key unit, the application data in the form of ciphertext is sent to the client.
In the process of implementing the embodiments of the present disclosure, it is found that at least the following problems exist in the related art:
in the related art, although a secure connection is established between a client and a server based on a secure transport layer protocol, a corresponding secure connection channel is created by adopting corresponding key negotiation and identity authentication between the client and the server, when an observer has strong cracking capability, the observer has the possibility of successfully stealing an asymmetric key pair, thereby influencing the data transmission of communication in a TLS handshake process and reducing the security and reliability of TLS handshake communication.
It should be noted that the information disclosed in the foregoing background section is only for enhancing understanding of the background of the present application and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview, and is intended to neither identify key/critical elements nor delineate the scope of such embodiments, but is intended as a prelude to the more detailed description that follows.
The embodiment of the disclosure provides a method, a device and a system for data transmission, so as to ensure the safety and reliability of TLS handshake communication.
In some embodiments, a method, applied to a client, includes: under the condition of establishing a secure transmission protocol connection with a server, generating a session key and sending the session key to the server; performing double-layer encryption processing on application layer data by using a chip key and a session key to obtain target transmission data; and sending the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data.
In some embodiments, in the case of establishing a secure transport protocol connection with a server, generating the session key includes: sending a handshake request to a server; wherein the handshake request includes a masquerading identifier; receiving a security transmission layer protocol disguise certificate sent by a server, and establishing security transmission protocol connection with the server based on the security transmission layer protocol disguise certificate; the secure transport layer protocol disguised certificate is a transport layer protocol disguised certificate matched by the server according to disguised identification; after the secure transport protocol connection is completed, a session key is generated.
In some embodiments, establishing a secure transport protocol connection with a server based on a secure transport layer protocol disguised certificate includes: determining a target certificate key associated with the secure transport layer protocol disguised certificate; performing key verification on the key by using the target certificate key; and under the condition that the key verification is successful, establishing a secure transmission protocol connection with the server.
In some embodiments, performing double-layer encryption processing on application layer data by using a chip key and a session key to obtain target transmission data, and obtaining the target transmission data includes: carrying out hardware encryption processing on application layer data by using a chip key to obtain first encrypted data; and carrying out software encryption processing on the first encrypted data by using the session key to obtain target transmission data.
In some embodiments, further comprising: receiving response data generated based on the target transmission data and sent by a server; and carrying out hardware decryption processing on the first decrypted data by using the chip key to obtain target response data.
In some embodiments, a method, applied to a server, comprises: receiving a session key sent by a client under the condition of establishing a secure transmission protocol connection with the client; the session key is generated after the client establishes a secure transmission protocol connection with the server; receiving target transmission data sent by a client; the target transmission data is obtained by performing double-layer encryption processing on application layer data by using a chip key and a session key by a client; and carrying out double-layer decryption processing on the target transmission data according to the session key and the encryptor key to obtain second decrypted data.
In some embodiments, in the case of establishing a secure transport protocol connection with a client, receiving a session key sent by the client includes: responding to a handshake request sent by a client to obtain a security transport layer protocol disguised certificate matched with the handshake request; wherein the handshake request includes a masquerading identifier; sending a secure transport layer protocol disguised certificate to the client to establish a secure transport protocol connection with the client; and after the secure transmission protocol connection is completed, receiving the session key sent by the client.
In some embodiments, further comprising: generating response data to be transmitted according to the second decryption data; performing hardware encryption processing on response data to be transmitted by using an encryption key to obtain second encrypted data; performing software encryption processing on the second encrypted data by using the session key to obtain response data; and sending response data to the client.
In some embodiments, an apparatus for data transmission includes a first processor and a first memory storing program instructions, the first processor being configured to perform a method for data transmission as previously described when the program instructions are executed.
In some embodiments, a system for data transmission, comprises: a client device configured with a security chip; a server configured with an encryption engine; and, an apparatus for data transmission as previously described.
The method, the device and the system for data transmission provided by the embodiment of the disclosure can realize the following technical effects:
under the condition that the client establishes secure transmission protocol connection with the server, generating a session key and sending the session key to the server so that the server performs data encryption processing according to the session key; then, performing double-layer encryption processing on the application layer data based on the chip key and the session key to obtain target transmission data; and finally, sending the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data. Therefore, the target transmission data generated by the client can be encrypted at a hardware level to block potential data leakage risk, and then encrypted at a software level to enhance the security of the target transmission data in the data transmission process, so that observers are effectively prevented from tracking a server or a user according to interaction information when the observers are connected according to a secure transmission protocol, and the security and the reliability of data communication are ensured.
The foregoing general description and the following description are exemplary and explanatory only and are not restrictive of the application.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which like reference numerals refer to similar elements, and in which:
FIG. 1 is an environmental schematic of a system implementation environment for data transmission;
fig. 2 is a schematic diagram of a method for data transmission provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
fig. 5 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
fig. 6 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
fig. 7 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
fig. 8 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
Fig. 9 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
FIG. 10 is a schematic illustration of an application of an embodiment of the present disclosure;
fig. 11 is a schematic diagram of an apparatus for data transmission provided by an embodiment of the present disclosure;
fig. 12 is a schematic diagram of another apparatus for data transmission provided by an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and techniques of the disclosed embodiments can be understood in more detail, a more particular description of the embodiments of the disclosure, briefly summarized below, may be had by reference to the appended drawings, which are not intended to be limiting of the embodiments of the disclosure. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may still be practiced without these details. In other instances, well-known structures and devices may be shown simplified in order to simplify the drawing.
The terms first, second and the like in the description and in the claims of the embodiments of the disclosure and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe embodiments of the present disclosure. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion.
The term "plurality" means two or more, unless otherwise indicated.
In the embodiment of the present disclosure, the character "/" indicates that the front and rear objects are an or relationship. For example, A/B represents: a or B.
The term "and/or" is an associative relationship that describes an object, meaning that there may be three relationships. For example, a and/or B, represent: a or B, or, A and B.
The term "corresponding" may refer to an association or binding relationship, and the correspondence between a and B refers to an association or binding relationship between a and B.
FIG. 1 is an environmental schematic of a system implementation environment of an embodiment of the present disclosure. The system for data transmission includes a client 100, a router 200, and a server 300.
As shown in fig. 1, the implementation environment may include a client 100, a router 200, and a server 300.
The client 100 may be an electronic device. The electronic device includes a mobile device or a home appliance. For example, the client 110 may be a smart phone, a tablet computer, or other mobile devices supporting information input, or may be home appliances. The household appliance can be intelligent household appliances integrated with Wi-Fi modules, such as televisions, refrigerators, washing machines and the like. The smart phone is an electronic device with a wireless connection function, and can be in communication connection with the home appliance through connecting with the internet, or can be in communication connection with the home appliance through Bluetooth, wi-Fi (Wireless Fidelity ) and other modes. The household electrical appliance is a household electrical appliance formed by introducing a microprocessor, a sensor technology and a network communication technology into the household electrical appliance, has the characteristics of intelligent control, intelligent perception and intelligent application, and the operation process of the household electrical appliance often depends on the application and processing of modern technologies such as the Internet of things, the Internet, an electronic chip and the like, for example, the household electrical appliance can realize the remote control and management of the household electrical appliance by connecting the electronic equipment. The electronic device or the household electrical appliance comprises an NFC module or a Wi-Fi module, wherein the Wi-Fi module is a transmission switching product, and connection with the Internet can be established by utilizing the Wi-Fi module.
Router 200 is a device connected to each of the local area network and wide area network in the internet, and automatically selects and sets a route according to the channel conditions, and transmits signals in order of the best route. The aforementioned electronic device may establish a communication connection with the server 300 through the router 200.
The server 400 may be a server, a server cluster formed by a plurality of servers, or a cloud computing service center, which is not limited in the embodiments of the present disclosure.
It should be appreciated that the number of clients, routers, and servers in fig. 1 is merely illustrative, and that any number of clients, routers, and servers may be provided as desired.
It should be noted that, the method for data transmission provided by the embodiments of the present disclosure is generally performed by a client, a router and a server, and accordingly, the apparatus for data transmission is generally disposed in the client, the router and the server.
In the disclosed embodiment, the client 100 is configured with a security chip. The security chip is configured with a security encryption algorithm, the security encryption algorithm sets a chip key, and meanwhile, the security chip is protected by physics and logic and passes security authentication. The security chip is used for carrying out hardware encryption processing on the data by utilizing a chip key of an encryption algorithm. Thus, the client can utilize the security chip to carry out hardware-level encryption processing on the data, thereby blocking potential data leakage risks.
Alternatively, the security chip may be an eSE (Embedded Secure Element, embedded security element) chip, a TPM (Trusted Platform Module) security chip, or an HSM (Hardware Security Module ). By adopting the eSE chip or the TPM security chip, the integrity and confidentiality in the data transmission process can be ensured, and the tampering and eavesdropping attacks can be effectively resisted. The HSM has strong encryption capability, and can further ensure confidentiality in the data transmission process.
In the disclosed embodiment, the server 300 is configured with an encryption engine. The encryptor is configured with a preset encryption algorithm and the above-described encryptor key. The preset encryption algorithm is matched with a security encryption algorithm configured by a security chip. In a specific example, the interaction step between the client 100 and the server 300 comprises the following five phases: an initialization phase, a TLS handshake phase, a data transmission phase, a response phase and a data receiving phase. The encryptor is used for decrypting the data decrypted by the session key in the data transmission stage, or is used for encrypting the response data in the response stage.
Based on the above environmental schematic, referring to fig. 2, an embodiment of the disclosure provides a method for data transmission, applied to a client, including:
S01, the client generates a session key and sends the session key to the server under the condition that the client establishes a secure transmission protocol connection with the server.
S02, the client performs double-layer encryption processing on the application layer data by using the chip key and the session key to obtain target transmission data.
In this step, the client obtains the chip key as follows: and the client controls the starting of the security chip under the condition of being in an initialization stage, and obtains a chip key.
And S03, the client sends the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data.
By adopting the method for data transmission provided by the embodiment of the disclosure, the client generates a session key under the condition that the client establishes secure transmission protocol connection with the server, and sends the session key to the server so that the server performs data encryption processing according to the session key; then, performing double-layer encryption processing on the application layer data based on the chip key and the session key to obtain target transmission data; and finally, sending the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data. Therefore, the target transmission data generated by the client can be encrypted at a hardware level to block potential data leakage risk, and then encrypted at a software level to enhance the security of the target transmission data in the data transmission process, so that observers are effectively prevented from tracking a server or a user according to interaction information when the observers are connected according to a secure transmission protocol, and the security and the reliability of data communication are ensured.
Optionally, as shown in connection with fig. 3, the client generates a session key in case of establishing a secure transport protocol connection with the server, including:
s11, the client sends a handshake request to the server. Wherein the handshake request includes a masquerading identification.
In this step, the masquerading identifier is a unique identifier of the server. The disguised identification includes a disguised SNI (Server Name Indication ). Optionally, the camouflage SNI is a website domain name. In one specific example, the camouflage SNI may be a popular website domain name. By setting the disguised SNI instead of the server address that the actual client needs to access, the observer can be effectively prevented from tracking the server or the user according to the interactive information when the observer is connected according to the secure transmission protocol.
S12, the client receives the secure transport layer protocol disguised certificate sent by the server, and establishes secure transport protocol connection with the server based on the secure transport layer protocol disguised certificate. The secure transport layer protocol disguised certificate is a transport protocol disguised certificate matched by the server according to disguised identification.
In this step, the installation transport layer protocol disguise certificate is obtained by the server as follows: the server matches a target protocol disguised certificate from a protocol certificate library according to the disguised identifier, determines the target protocol disguised certificate to be a secure transport layer protocol disguised certificate matched with the handshake request, and the protocol certificate library comprises a preset disguised identifier and a protocol disguised certificate matched with the preset disguised identifier.
S13, after the client finishes the secure transmission protocol connection, a session key is generated.
Thus, the client sends a handshake request to the server to establish a secure transport protocol connection with the server, and the handshake request includes the masquerading identifier. After receiving the handshake request, the server matches the security transport layer protocol disguised certificate according to the disguised identifier. Therefore, the embodiment of the disclosure replaces the traditional TLS fingerprint by the security transport layer protocol disguised certificate, so that the client and the server are prevented from utilizing the TLS fingerprint to perform information interaction in the TLS handshake process, observers are effectively prevented from identifying and tracking the server or the user according to the TLS fingerprint during the TLS handshake, and the security and reliability of data communication are ensured. At the same time, the privacy of the user is effectively protected. In addition, the disguised identifier is the unique identifier of the server, so that the client can effectively prevent attack and certificate forging of an observer even if the client performs information interaction with the server in a complex network environment, and further the safety and reliability of data communication are ensured.
Optionally, the secure transport layer protocol disguised certificate includes a key. The secret key comprises a public key; alternatively, the key comprises a public key and a private key. By setting the secret key, the client can carry out secret key verification on the secure transport layer protocol disguised certificate based on the public key, and communication with a correct server is ensured.
Optionally, as shown in connection with fig. 4, the client establishes a secure transport protocol connection with the server based on the secure transport layer protocol disguised certificate, including:
s21, the client determines a target certificate key associated with the secure transport layer protocol disguised certificate.
S22, the client uses the target certificate key to carry out key verification on the key.
S23, the client establishes a secure transmission protocol connection with the server under the condition that the key verification is successful.
In this way, the client determines the target certificate key associated with the secure transport layer protocol disguised certificate, and then uses the target certificate key to perform key verification on the key. And when the client determines that the key verification is successful, establishing a secure transmission protocol connection with the server. In this way, by introducing the disguised identifier and the TLS fingerprint cancellation, the embodiment of the disclosure avoids the client and the server from utilizing the TLS fingerprint to perform information interaction in the TLS handshake process, so that observers such as a network monitor or a potential attacker and the like are difficult to identify or track a specific server or user, and the safety and reliability of data communication are ensured.
Optionally, the client determines a target certificate key associated with the secure transport layer protocol disguised certificate, including:
before the client establishes a secure transmission protocol connection with the server, the client receives a protocol certificate library sent by the server and generates a local protocol certificate library based on the configuration of the protocol certificate library, wherein a protocol disguise certificate in the protocol certificate library comprises a certificate key. Wherein the client generates a local protocol certificate library based on the protocol certificate library configuration, comprising: and the client builds a local protocol certificate library which is the same as the protocol certificate library according to the protocol certificate library.
The client matches a target certificate key associated with the secure transport layer protocol disguised certificate from the local protocol certificate library.
In this way, before the client establishes a secure transport protocol connection with the server, the client receives the protocol database sent by the server and generates a local protocol certificate library based on the protocol certificate library configuration to perform subsequent key verification, so as to match a target certificate key associated with the secure transport layer protocol disguised certificate from the local protocol certificate library, thereby ensuring the accuracy of subsequent key verification on the target certificate key.
Optionally, the client performs key verification on the key by using the target certificate key, including: the client determines that the key verification is successful under the condition that the target certificate key is the same as the key; or the client determines that the key verification fails under the condition that the target certificate key is different from the key.
Optionally, as shown in fig. 5, the client performs double-layer encryption processing by using the chip key and the session key corresponding to the application layer data to obtain target transmission data, and the obtaining the target transmission data includes:
s31, the client performs hardware encryption processing on the application layer data by using the chip key to obtain first encrypted data.
S32, the client performs software encryption processing on the first encrypted data by using the session key to obtain target transmission data.
In this way, after the client establishes the secure transmission protocol connection with the server, the client firstly uses the chip key to carry out hardware encryption processing on the application layer data to obtain first encrypted data, and then uses the session key to carry out software encryption processing on the first encrypted data to obtain target transmission data so as to realize double-layer encryption of the application layer data. Therefore, the security of data transmission is ensured, and the privacy and network security of users are effectively protected.
As shown in conjunction with fig. 6, an embodiment of the present disclosure provides another method for data transmission, applied to a client, including:
s41, the client generates a session key under the condition that the client establishes a secure transmission protocol connection with the server.
S42, the client performs double-layer encryption processing on the application layer data by using the chip key and the session key to obtain target transmission data, and the target transmission data is obtained.
And S43, the client sends the target transmission data to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data.
S44, the client receives response data generated based on the target transmission data and sent by the server.
In this step, the response data is generated by the server as follows: and performing double-layer decryption processing on the received target transmission data by using the session key and the encryption secret key to generate second decrypted data, and performing double-layer encryption processing on the second decrypted data by using the encryption secret key and the session key to generate response data.
S45, the client uses the session key to conduct software decryption processing on the response data, and first decrypted data is obtained.
S46, the client performs hardware decryption processing on the first decrypted data by using the chip key to obtain target response data.
By adopting the method for data transmission provided by the embodiment of the disclosure, the client performs double-layer encryption processing on the application layer data by using the chip key and the session key under the condition that the secure transmission protocol connection is established with the server, so as to obtain target transmission data, and sends the target transmission data to the server. And after receiving the response data generated based on the target transmission data and sent by the server, the client sequentially carries out software decryption processing and hardware decryption processing on the response data by using the session key and the chip key so as to obtain the target response data. Therefore, under the condition that the secure transmission protocol connection is established, data transmission can be freely carried out between the client and the server, and the security and the reliability of data communication are ensured.
As shown in conjunction with fig. 7, an embodiment of the present disclosure provides another method for data transmission, applied to a server, the method including:
s51, the server receives the session key sent by the client under the condition that the server establishes a secure transmission protocol connection with the client. The session key is generated after the client establishes a secure transmission protocol connection with the server.
S52, the server receives target transmission data sent by the client. The target transmission data is obtained by performing double-layer encryption processing on application layer data by using a chip key and a session key by the client.
In this step, the server obtains the chip key as follows: and the server controls the encryption machine to start under the condition of receiving a chip start instruction of the client, and obtains an encryption machine key, wherein the chip start instruction is generated when the client controls the security chip to start and obtain the chip key in an initialization stage. In this way, the server controls the encryptor to start in the initialization stage to perform decryption processing on the data decrypted by the session key in the data transfer stage or to perform encryption processing on the response data in the response stage.
And S53, the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decrypted data.
In the step, the server performs double-layer decryption processing on the target transmission data according to the session key and the encryptor key to obtain second decrypted data, including: the server performs software decryption processing on the target transmission data by using the session key to obtain third decrypted data; and the server performs hardware decryption processing on the third decrypted data by using the encryption key to obtain second decrypted data.
By adopting the method for data transmission provided by the embodiment of the disclosure, the server receives the session key sent by the client under the condition that the server establishes the secure transmission protocol connection with the client; and then, the server receives the target transmission data sent by the client, and performs double-layer encryption processing on the target transmission data by using the session key and the encryptor key to obtain second decrypted data. Therefore, the security of the target transmission data in the decryption process of the server side can be enhanced, so that observers are effectively prevented from carrying out server tracking according to the interaction information when the security transmission protocol is connected, and the security and the reliability of data communication are ensured.
Optionally, as shown in connection with fig. 8, in a case where the server establishes a secure transport protocol connection with the client, receiving a session key sent by the client includes:
S61, the server responds to the handshake request sent by the client to obtain a secure transport layer protocol disguised certificate matched with the handshake request. Wherein the handshake request includes a masquerading identification.
S62, the server sends the security transport layer protocol disguise certificate to the client to establish the security transport protocol connection with the client.
S63, after the server completes the secure transmission protocol connection, the server receives the session key sent by the client.
In this way, the server responds to the handshake request sent by the client under the condition of establishing the secure transmission protocol connection with the client, and obtains a secure transmission layer protocol disguised certificate matched with the handshake request according to the disguised identifier; and then, sending the security transport layer protocol disguised certificate to the client. Because the handshake request received by the server carries the disguised identifier and the protocol certificate returned to the client is the secure transport layer protocol disguised certificate, the embodiment of the disclosure replaces the traditional TLS fingerprint through the secure transport layer protocol disguised certificate, avoids the information interaction between the server and the client by utilizing the TLS fingerprint in the TLS handshake process, effectively prevents an observer from identifying and tracking the server or the user according to the TLS fingerprint during the TLS handshake, and is beneficial to improving the safety and reliability of data communication.
Optionally, the server responds to the handshake request sent by the client to obtain a secure transport layer protocol disguised certificate matched with the handshake request, including:
and the server matches the target protocol disguise certificate from the protocol certificate library according to the disguise identifier. The protocol certificate library is configured and generated by the client and comprises a preset disguised identifier and a protocol disguised certificate matched with the preset disguised identifier.
The server determines the target protocol disguised certificate as a secure transport layer protocol disguised certificate that matches the handshake request.
The protocol certificate library is a certificate library which is generated in advance before the server and the client establish the secure transmission protocol connection. The protocol certificate library comprises a plurality of preset disguised identifiers and protocol disguised certificates respectively matched with the preset disguised identifiers.
In this way, after receiving the handshake request, the server obtains the target protocol disguise certificate matched with the disguise identifier from the protocol certificate library according to the disguise identifier carried by the handshake request, and determines that the target protocol disguise certificate is the security transport layer protocol disguise certificate matched with the handshake request. According to the embodiment of the disclosure, by introducing the camouflage identification and TLS fingerprint elimination, the network monitor or the potential attacker and other observers are difficult to identify or track the specific server or the user, so that the safety and reliability of data communication are greatly improved, and meanwhile, the protection capability of user privacy is improved.
As shown in conjunction with fig. 9, an embodiment of the present disclosure provides another method for data transmission, applied to a server, the method including:
s71, the server receives the session key sent by the client under the condition that the server establishes a secure transmission protocol connection with the client. The session key is generated after the client establishes a secure transmission protocol connection with the server.
S72, the server receives target transmission data sent by the client. The target transmission data is obtained by performing double-layer encryption processing on application layer data by using a chip key and a session key by the client.
S73, the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decrypted data.
S74, the server generates response data to be transmitted according to the second decryption data.
In the step, the server generates response data to be transmitted according to the second decryption data, including: the server performs data verification on the second decrypted data to obtain response data to be transmitted, and/or performs data analysis processing on the second decrypted data according to application requirements to generate the response data to be transmitted. Wherein the application requirements are determined by the specific requirements under the secure transport protocol connection. Optionally, the data verification includes data integrity verification and/or data validity verification. Data analysis processing includes, but is not limited to, database query operations and data computation.
And S75, the server performs hardware encryption processing on the response data to be transmitted by using the encryption key to obtain second encrypted data.
S76, the server performs software encryption processing on the second encrypted data by using the session key to obtain response data.
S77, the server transmits the response data to the client.
By adopting the method for data transmission provided by the embodiment of the disclosure, the server receives the session key sent by the client under the condition that the server establishes the secure transmission protocol connection with the client; and then, the server receives the target transmission data sent by the client, and performs double-layer encryption processing on the target transmission data by using the session key and the encryptor key to obtain second decrypted data. And thirdly, after generating response data to be transmitted according to the second decrypted data, the server sequentially carries out hardware encryption processing and software encryption processing on the response data to be transmitted by utilizing the encryption secret key and the session secret key so as to generate the response data. Finally, the server sends the response data to the client. Therefore, the method is beneficial to enhancing the safety of the response data to be transmitted in the response stage, avoiding the information interaction between the server and the client by utilizing the TLS fingerprint in the response stage, effectively preventing the observer from identifying and tracking the server or the user according to the TLS fingerprint during the TLS handshake, and ensuring the safety and the reliability of data communication.
In practical application, as shown in fig. 1, the system for data transmission includes a client 100, a router 200, and a server 300. The client 100 establishes a communication connection with the server 300 through the router 200. The client 100 is configured with eSE chips. The eSE chip configures a secure encryption algorithm and the secure encryption algorithm sets a chip key. The server 300 is configured with an encryptor. The encryptor is configured with a preset encryption algorithm and an encryptor key. The preset encryption algorithm is matched with the secure encryption algorithm configured by the eSE chip.
Based on the environmental schematic of the system implementation environment shown in fig. 1, as shown in fig. 10, the method for data transmission specifically performs the following steps:
step S100, when the client is in the initialization stage, the eSE chip is controlled to start and obtain the chip key, and then a chip start instruction is sent to the server.
Step S101, under the condition that a chip starting instruction is received, controlling the starting of the encryptor and obtaining the encryptor key.
In the TLS handshake phase, steps S102 to S106 are performed.
In step S102, the client sends a handshake request, which includes a disguised SNI.
Step S103, the server matches the target protocol disguise certificate from the protocol certificate library according to the disguise SNI, and determines the target protocol disguise certificate as the security transmission layer protocol disguise certificate matched with the handshake request.
Step S104, the server sends the security transmission layer protocol disguise certificate and establishes the security transmission protocol connection.
Step S105, the client receives the disguised certificate of the secure transport layer protocol, matches a target certificate key associated with the disguised certificate of the secure transport layer protocol from a local protocol certificate library, and verifies the key of the disguised certificate of the secure transport layer protocol by using the target certificate key; and when the key verification is successful, establishing a secure transmission protocol connection with the server.
In step S106, the client transmits the session key.
In the data transmission stage, steps S107 to S111 are performed.
In step S107, the client encrypts the application layer data with the chip key to obtain first encrypted data.
In step S108, the client performs software encryption on the first encrypted data by using the session key to obtain the target transmission data.
In step S109, the client transmits the target transmission data.
In step S110, the server performs software decryption processing on the target transmission data by using the session key, and obtains third decrypted data.
In step S111, the server performs hardware decryption processing on the third decrypted data by using the encryptor key, and obtains second decrypted data.
In the response phase, steps S112 to S115 are performed.
In step S112, the server performs data analysis processing on the second decrypted data, and generates response data to be transmitted.
In step S113, the server performs hardware encryption processing on the response data to be transmitted by using the encryptor key, and obtains second encrypted data.
In step S114, the server performs software encryption processing on the second encrypted data using the session key, and obtains response data.
In step S115, the server transmits the response data.
In the data reception stage, steps S116 to S117 are performed.
In step S116, the client performs software decryption processing on the response data by using the session key, to obtain first decrypted data.
In step S117, the client performs hardware decryption processing on the first decrypted data by using the chip key, and obtains target response data.
As shown in connection with fig. 11, an embodiment of the present disclosure provides an apparatus 70 for data transmission, including a first processor (processor) 700 and a first memory (memory) 701. Optionally, the apparatus 70 may further comprise a first communication interface (Communication Interface) 702 and a first bus 703. The first processor 700, the first communication interface 702, and the first memory 701 may communicate with each other through the first bus 703. The first communication interface 702 may be used for information transfer. The first processor 700 may call logic instructions in the first memory 701 to perform the method for data transmission of the above-described embodiments.
As shown in connection with fig. 12, an embodiment of the present disclosure provides an apparatus 80 for data transmission, including a second processor (processor) 800 and a second memory (memory) 801. Optionally, the apparatus 80 may further comprise a second communication interface (Communication Interface) 802 and a second bus 803. The second processor 800, the second communication interface 802, and the second memory 801 may communicate with each other through the second bus 803. The second communication interface 802 may be used for information transfer. The second processor 800 may call logic instructions in the second memory 801 to perform the method for data transfer of the above-described embodiments.
Further, the logic instructions in the memory 701 (801) described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand alone product.
The memory 701 (801) is a computer readable storage medium, and may be used to store a software program, a computer executable program, such as program instructions/modules corresponding to the methods in the embodiments of the present disclosure. The processor 700 executes the functional applications and data processing by executing the program instructions/modules stored in the memory 701 (801), i.e., implements the method for data transmission in the above-described embodiments.
The memory 701 (801) may include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal device, etc. Further, the memory 701 (801) may include a high-speed random access memory, and may also include a nonvolatile memory.
The embodiment of the disclosure provides a server, comprising: a server body, and the above-described apparatus 80 for data transmission. The means 80 for data transmission are mounted to the server body. The mounting relationship described herein is not limited to being placed inside the server body, but includes mounting connections with other components of the server, including but not limited to physical connections, electrical connections, or signal transmission connections, etc. Those skilled in the art will appreciate that the means 80 for data transmission may be adapted to the available product bodies, thereby enabling other possible embodiments.
The disclosed embodiments provide a system for data transmission, comprising: client device, server, and apparatus 70 for data transmission as described above (80). And the client device is configured with a security chip. And a server configured with an encryption machine.
Embodiments of the present disclosure provide a computer-readable storage medium storing computer-executable instructions configured to perform the above-described method for data transmission.
Embodiments of the present disclosure may be embodied in a software product stored on a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of a method according to embodiments of the present disclosure. While the aforementioned storage medium may be a non-transitory storage medium, such as: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk or an optical disk, or the like, which can store program codes.
The above description and the drawings illustrate embodiments of the disclosure sufficiently to enable those skilled in the art to practice them. Other embodiments may involve structural, logical, electrical, process, and other changes. The embodiments represent only possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in, or substituted for, those of others. Moreover, the terminology used in the present application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a," "an," and "the" (the) are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application is meant to encompass any and all possible combinations of one or more of the associated listed. Furthermore, when used in this application, the terms "comprises," "comprising," and/or "includes," and variations thereof, mean that the stated features, integers, steps, operations, elements, and/or components are present, but that the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof is not precluded. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements. In this context, each embodiment may be described with emphasis on the differences from the other embodiments, and the same similar parts between the various embodiments may be referred to each other. For the methods, products, etc. disclosed in the embodiments, if they correspond to the method sections disclosed in the embodiments, the description of the method sections may be referred to for relevance.
Those of skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. The skilled artisan may use different methods for each particular application to achieve the described functionality, but such implementation should not be considered to be beyond the scope of the embodiments of the present disclosure. It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the embodiments disclosed herein, the disclosed methods, articles of manufacture (including but not limited to devices, apparatuses, etc.) may be practiced in other ways. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the units may be merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form. The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to implement the present embodiment. In addition, each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (8)

1. A method for data transmission, applied to a client, comprising:
under the condition of establishing a secure transmission protocol connection with a server, generating a session key and sending the session key to the server;
performing double-layer encryption processing on application layer data by using a chip key and a session key to obtain target transmission data;
the target transmission data is sent to the server, so that the server carries out double-layer decryption processing on the target transmission data according to the session key and the encryption key to obtain second decryption data;
in the case of establishing a secure transport protocol connection with a server, generating a session key includes:
sending a handshake request to a server; wherein the handshake request includes a masquerading identifier;
receiving a security transmission layer protocol disguise certificate sent by a server, and establishing security transmission protocol connection with the server based on the security transmission layer protocol disguise certificate; the secure transport layer protocol disguised certificate is a transport layer protocol disguised certificate matched by the server according to disguised identification;
after the secure transport protocol connection is completed, a session key is generated.
2. The method of claim 1, wherein the secure transport layer protocol disguised certificate comprises a key; establishing a secure transport protocol connection with a server based on a secure transport layer protocol disguised certificate, comprising:
Determining a target certificate key associated with the secure transport layer protocol disguised certificate;
performing key verification on the key by using the target certificate key;
and under the condition that the key verification is successful, establishing a secure transmission protocol connection with the server.
3. The method according to claim 1 or 2, wherein performing a double-layer encryption process on the application layer data using the chip key and the session key to obtain the target transmission data comprises:
carrying out hardware encryption processing on application layer data by using a chip key to obtain first encrypted data;
and carrying out software encryption processing on the first encrypted data by using the session key to obtain target transmission data.
4. The method according to claim 1 or 2, further comprising:
receiving response data generated based on the target transmission data and sent by a server;
performing software decryption processing on the response data by using the session key to obtain first decrypted data;
and carrying out hardware decryption processing on the first decrypted data by using the chip key to obtain target response data.
5. A method for data transmission, applied to a server, comprising:
receiving a session key sent by a client under the condition of establishing a secure transmission protocol connection with the client; the session key is generated after the client establishes a secure transmission protocol connection with the server;
Receiving target transmission data sent by a client; the target transmission data is obtained by performing double-layer encryption processing on application layer data by using a chip key and a session key by a client;
performing double-layer decryption processing on the target transmission data according to the session key and the encryptor key to obtain second decrypted data;
in the case of establishing a secure transport protocol connection with a client, receiving a session key sent by the client, including:
responding to a handshake request sent by a client to obtain a security transport layer protocol disguised certificate matched with the handshake request; wherein the handshake request includes a masquerading identifier;
sending a secure transport layer protocol disguised certificate to the client to establish a secure transport protocol connection with the client;
and after the secure transmission protocol connection is completed, receiving the session key sent by the client.
6. The method as recited in claim 5, further comprising:
generating response data to be transmitted according to the second decryption data;
performing hardware encryption processing on response data to be transmitted by using an encryption key to obtain second encrypted data;
performing software encryption processing on the second encrypted data by using the session key to obtain response data;
And sending response data to the client.
7. An apparatus for data transmission comprising a first processor and a first memory storing program instructions, wherein the first processor is configured to perform the method for data transmission of any of claims 1 to 6 when the program instructions are executed.
8. A system for data transmission, comprising:
a client device configured with a security chip;
a server configured with an encryption engine; and, a step of, in the first embodiment,
the apparatus for data transmission of claim 7.
CN202311386573.8A 2023-10-25 2023-10-25 Method, device and system for data transmission Active CN117118763B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311386573.8A CN117118763B (en) 2023-10-25 2023-10-25 Method, device and system for data transmission

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311386573.8A CN117118763B (en) 2023-10-25 2023-10-25 Method, device and system for data transmission

Publications (2)

Publication Number Publication Date
CN117118763A CN117118763A (en) 2023-11-24
CN117118763B true CN117118763B (en) 2024-03-01

Family

ID=88809646

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311386573.8A Active CN117118763B (en) 2023-10-25 2023-10-25 Method, device and system for data transmission

Country Status (1)

Country Link
CN (1) CN117118763B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596076B (en) * 2024-01-18 2024-04-02 北京华耀科技有限公司 Session data transmission method, system, device, equipment and storage medium
CN118157907A (en) * 2024-01-26 2024-06-07 重庆嗨客网络科技有限公司 Intelligent interaction method and system for serving big data information security of financial institution

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device
CN110971616A (en) * 2019-12-24 2020-04-07 广州市百果园信息技术有限公司 Connection establishing method based on secure transport layer protocol, client and server
CN112861148A (en) * 2021-01-28 2021-05-28 北京深思数盾科技股份有限公司 Data processing method, server, client and encryption machine
CN115102754A (en) * 2022-06-20 2022-09-23 中银金融科技有限公司 Data transmission method and system, storage medium and electronic equipment
CN116361849A (en) * 2023-02-27 2023-06-30 杭州锘崴信息科技有限公司 Backup data encryption and decryption method and device for encrypted database

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11283774B2 (en) * 2015-09-17 2022-03-22 Secturion Systems, Inc. Cloud storage using encryption gateway with certificate authority identification

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device
CN110971616A (en) * 2019-12-24 2020-04-07 广州市百果园信息技术有限公司 Connection establishing method based on secure transport layer protocol, client and server
CN112861148A (en) * 2021-01-28 2021-05-28 北京深思数盾科技股份有限公司 Data processing method, server, client and encryption machine
CN115102754A (en) * 2022-06-20 2022-09-23 中银金融科技有限公司 Data transmission method and system, storage medium and electronic equipment
CN116361849A (en) * 2023-02-27 2023-06-30 杭州锘崴信息科技有限公司 Backup data encryption and decryption method and device for encrypted database

Also Published As

Publication number Publication date
CN117118763A (en) 2023-11-24

Similar Documents

Publication Publication Date Title
CN107040369B (en) Data transmission method, device and system
CN107465689B (en) Key management system and method of virtual trusted platform module in cloud environment
CN105162772B (en) A kind of internet of things equipment certifiede-mail protocol method and apparatus
Sood et al. A secure dynamic identity based authentication protocol for multi-server architecture
CN117118763B (en) Method, device and system for data transmission
CN105007577B (en) A kind of virtual SIM card parameter management method, mobile terminal and server
CN109167802B (en) Method, server and terminal for preventing session hijacking
US9917692B2 (en) Key exchange system, key exchange method, key exchange device, control method thereof, and recording medium for storing control program
CN110059458B (en) User password encryption authentication method, device and system
CN108243176B (en) Data transmission method and device
CN108111497B (en) Mutual authentication method and device for camera and server
CN112751821B (en) Data transmission method, electronic equipment and storage medium
US9374221B1 (en) Distributed protection of credential stores utilizing multiple keys derived from a master key
EP3808025B1 (en) Decentralised authentication
CN112351037B (en) Information processing method and device for secure communication
CN108809633B (en) Identity authentication method, device and system
CN105959648B (en) A kind of encryption method, device and video monitoring system
CN114143108B (en) Session encryption method, device, equipment and storage medium
CN111191217B (en) Password management method and related device
CN110493367A (en) The non-public server of unaddressed IPv6, client computer and communication means
CN113141333B (en) Communication method, device, server, system and storage medium of network access device
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
CN113434837B (en) Method and device for equipment identity authentication and smart home system
CN208707655U (en) Distribution automation key negotiation system
KR20190038632A (en) Method for provisioning a first communication device using a second communication device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant