CN118573473B - Network data safety transmission method based on trusted platform - Google Patents
- Publication number
- CN118573473B
- Authority
- CN
- China
- Prior art keywords
- data
- key
- transmission
- packet
- hidden
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/04—Protocols for data compression, e.g. ROHC
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A network data security transmission method based on a trusted platform, belonging to the technical field of information security, aims to solve the problem in the prior art that network data encrypted with a single key is only weakly protected, so that its processing rules are easily analyzed and the data restored and stolen. The method achieves efficient and secure data transmission by combining random cutting of the data into fragments, compression, generation of interference data and setting of a hidden key with a secure communication channel and a secure transmission model. After cutting and compressing the data, the sender adds interference data as misdirection and a hidden key as secondary encryption, thereby enhancing the confidentiality and security of the data. The receiver decrypts the data with the private key, obtains the hidden key by video, and finally recovers and verifies the original data.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a network data security transmission method based on a trusted platform.
Background
Network data security transmission refers to the process of ensuring that data is not illegally acquired, tampered with or leaked during transmission in an internet environment. This process is critical because it involves the confidentiality, integrity and availability of data, which are of great importance for protecting personal privacy, enterprise confidentiality and national security.
The diversified applications of the internet are developing rapidly, and the large-scale expansion of networks brings a series of new problems, such as demands for high-quality network service and frequent network security incidents. Currently, in the prior art, network data is encrypted with an encryption algorithm (such as RSA, DES, ECC, etc.) when it is transmitted, so as to prevent data leakage. CN106506470B discloses a network data security transmission method comprising the following steps: the receiver creates a public-private key pair based on a trusted platform module, stores the private key, and has a certification authority generate a public key certificate from the public key; the sender acquires the public key certificate and generates a session key based on a trusted platform module; the sender processes the original data to generate a digital envelope and sends the digital envelope to the receiver, which comprises calculating a digital digest A of the original data, encrypting the original data and the digital digest A with the session key based on a symmetric encryption algorithm to generate ciphertext data, and encrypting the session key based on an asymmetric encryption algorithm to generate a ciphertext key; the receiver receives the digital envelope and processes it: decrypting the ciphertext key with the private key based on the trusted platform module to obtain the session key, decrypting the ciphertext data with the session key based on the symmetric encryption algorithm to obtain the original data and the digital digest A, and calculating a digital digest B of the original data and comparing digital digests B and A. In this way the security and reliability of network data transmission can be improved.
However, in the prior art, encrypting network data with a single key is a relatively simple process: the processing rules applied to the network data are easily analyzed from the obtained network data, the data can then be restored according to those rules, and network resources are ultimately exposed to security threats.
Therefore, a network data security transmission method based on a trusted platform is provided.
Disclosure of Invention
The invention aims to provide a network data security transmission method based on a trusted platform, to solve the problem in the prior art that network data encrypted with a single key is only weakly protected, so that its processing rules are easily analyzed and the data restored and stolen.
To achieve the above purpose, the present invention provides the following technical solution: a network data security transmission method based on a trusted platform, comprising the following implementation steps:
S1: based on the trusted platform, a secure communication channel for data transmission is established; on the trusted platform the sender uses a splitting tool to randomly cut the data to be transmitted into different data fragments and compresses each fragment into a data compression packet;
S2: the data compression packets of 1 or 2 data fragments are randomly selected and their digests extracted; 1-2 interference data compression packets are replicated according to the digests; the order of the data fragment compression packets is marked; the data fragment compression packets and the interference data compression packets are then shuffled;
S3: a hidden key is generated according to the shuffled data fragments and embedded into the data compression packet of one of the data fragments, the hidden key linking all the data fragments;
S4: all the shuffled data compression packets and interference data compression packets are packaged, encrypted with a public key, and sent to the receiver through the secure communication channel; during transmission a secure transmission model schedules the transmission resources of the trusted platform;
S5: after receiving the data, the receiver decrypts it with the private key to obtain the shuffled data compression packets, and obtains the hiding point of the hidden key and the unlocking password from the sender by video;
S6: the receiver unlocks the hidden key, unlocks all data compression packets, screens out the interference data, recombines the data fragments to restore the original data, and performs integrity verification after the original data is restored.
Further, in step S1, establishing the secure communication channel for data transmission includes the following implementation steps:
S110: requirements analysis: determining the security requirements of both communicating parties, including confidentiality, integrity, authentication and availability of data;
S120: selecting a trusted platform: selecting a trusted platform that conforms to security standards and supports the security functions of key management, identity verification, encryption and decryption;
S130: determining a communication protocol: selecting or defining a protocol for communication, and determining the encryption algorithm and key exchange mode to be used;
S140: after identity verification is completed, the two communicating parties establish a secure communication channel through the selected communication protocol, and communication data is encrypted with a key when it is transmitted.
Further, in S140, the identity verification of the two communicating parties includes the following implementation steps:
S141: generating a key pair: a public key and a private key are generated on the trusted platform; the private key is securely stored by the sender, and the public key is used for data encryption and identity verification;
S142: creating a digital certificate: a digital certificate is generated for each of the communicating parties; it contains the public key and identity information and is issued by a trusted third-party organization;
S143: distributing certificates: the certificates are distributed to both communicating parties, ensuring that the receiver can verify the identity of the sender;
S144: establishing a channel: after determining the encryption algorithm and key exchange mode through negotiation, the two communicating parties establish an encrypted communication channel between them using the TLS or SSL secure transport protocol.
Further, in step S2, replicating the interference data compression packet includes the following steps:
S210: obtaining the digest of the original compressed packet: the digest of the original data compression packet is calculated using the hash algorithm SHA1, which reduces the original data to a fixed-length string;
S220: generating interference data: part of the data is extracted from the original compressed packet and modified by replacing some bytes or inserting or deleting data, to generate interference data;
S230: constructing an interference data compression packet: the generated interference data is compressed into an interference data compression packet using the compression algorithm RAR or 7z;
S240: adjusting the digest of the interference data compression packet: different combinations of interference data and compression parameters are tried repeatedly to find a digest that is similar to the original digest or meets specific conditions;
S250: verifying the interference data compression packet: its digest is compared with the digest of the original data compression packet, ensuring that the generated interference data compression packet differs from the original data compression packet in content but has a certain similarity in digest or meets specific conditions.
Further, in step S6, the receiver verifies data integrity by hash value verification: before transmitting the data, the sender calculates a hash value of the data as its digest and sends the hash value along with the data; after receiving the data, the receiver calculates the hash value of the received data using the same hash function and compares it with the hash value provided by the sender; if the hash values are the same, the data was not tampered with during transmission; otherwise, the data has been tampered with.
Further, in step S3, generating and setting the hidden key includes the following steps:
S310: generating a hidden key: a random and complex hidden key is generated using an AES, RSA or ECC security algorithm;
S320: selecting a hidden position: the data compression packet of one data fragment is randomly selected from the shuffled data fragments as the embedding position of the hidden key, with a pseudo-random number generator (PRNG) assisting the selection of the hidden position;
S330: embedding the hidden key: the hidden key is encrypted using the lightweight encryption algorithm XOR, and the generated hidden key is embedded in encrypted form into the data compression packet of the selected data fragment;
S340: recording hidden information: the sender can also generate an unlocking password or key fragment related to the hidden key and send it to the receiver in a secure manner; it is used at the receiving end to unlock and extract the hidden key;
S350: after the hidden key is embedded, the sender shall verify the data compression packet: a digest of the data compression packet is calculated using a hash algorithm and compared with the original digest to verify whether the content of the data compression packet has changed.
Further, in S4, the packaged data is processed as follows:
S41: multilayer encryption: after all the shuffled data compression packets and interference data compression packets are packaged, single-layer public key encryption is not applied directly; instead a multilayer encryption strategy is adopted: first, the packaged data is given outer encryption with a first-layer RSA public key to ensure the overall security of the data; then each data compression packet is independently encrypted with second-layer AES symmetric encryption;
S42: dynamic key management: a dynamic key management mechanism is introduced; during transmission, the sender and the receiver negotiate in real time through the secure communication channel to generate a session key, which is used for the second-layer AES symmetric encryption, and each transmitted data packet is encrypted with a different session key;
S43: fragmented transmission of encrypted data: when the encrypted data packet is large, it is cut into a plurality of smaller fragments, each of which contains complete encryption information;
S44: redundancy check during transmission: a redundancy check mechanism is introduced into the data transmission process; in addition to the encrypted data, multiple pieces of redundancy check information, namely CRC check codes, are added to the encrypted data packet of each data fragment.
Further, in the step S4, the secure transmission model adopts the network communication data virtualized sampling algorithm to schedule the communication data transmission resource of the trusted platform in real time during the transmission process of the network communication data so as to strengthen the secure communication channel, and the formula is as follows,
In the method, in the process of the invention,On behalf of the center to reconstruct the transmitted data,Representing the time of the reconstruction and,Representing the minimum dimension of the beam,Representing the time at which the initial time of the reconstruction was made,Representing a cloud computing security function,Representing the weighting coefficients.
Further, the network communication data virtualization sampling algorithm model is used for extracting network communication data transmission characteristics, carrying out characteristic random distribution, inputting the network communication data virtualization sampling algorithm model into a cloud computing data resource analysis center of a trusted platform for resource scheduling processing, at the moment, using the model to finish network communication data sampling, storing the sampled data in a cloud computing center resource library, using a host system for processing to finish resource preliminary configuration, at the moment, the cloud computing center resource library of the trusted platform contains a plurality of limited data sets X,,Representing a safe transmission data node, at this time, performing space motion capture to obtain initial characteristics of a cloud computing center resource library of a trusted platform, and performing characteristic evolution, at this time, calculating an evolution peak parameter, a calculation formula Y of which is shown as follows,
In the method, in the process of the invention,Representing the time of the motion capture and,Representing the feature vector of the cloud computing,Representing the parameters of the security matching,Representing the time delay of the sample and,Representing the number of samples.
Further, the peak value parameter is used for judging the fitting relation between the network communication data and the resource, the cloud computing data center safe transmission model C is adopted for computing, the computing formula C is shown as follows,
In the method, in the process of the invention,Representing the normalized frequency of the signal,Representing the real-time traffic of the cloud computing center,Representing a secure transmission constant, the model is used for identifying data center resource information in real time when the non-linear characteristics of network communication data transmission are subjected to resource reorganization and resource decomposition.
Compared with the prior art, the invention has the following beneficial effects:
In the network data security transmission method based on a trusted platform, the sender converts the data to be transmitted into a plurality of data compression packets on the trusted platform by random cutting and compression, and enhances the confidentiality of the data by generating interference data compression packets and shuffling the packets. Mixing the interference data compression packets, which serve as misdirection, with the real data compression packets makes the compressed packet data harder to steal and crack during transmission. The mixed compressed packet data is additionally given secondary encryption using the hidden key technique, ensuring that only an authorized receiver can correctly unlock and reassemble the data. The whole transmission process combines public key encryption with the secure communication channel of the trusted platform, and resources are scheduled using the secure transmission model, which ensures the stability and reliability of data transmission.
Drawings
FIG. 1 is an overall flow chart of the present invention;
FIG. 2 is a flow chart of the steps performed in the establishment of a secure communication channel in accordance with the present invention;
FIG. 3 is a flow chart of authentication of two parties of a communication at the time of establishment of a secure communication channel in accordance with the present invention;
FIG. 4 is a flowchart illustrating steps performed in the duplication of an interference data compression packet according to the present invention;
FIG. 5 is a flowchart illustrating the steps for generating and setting a hidden key according to the present invention;
FIG. 6 is a table of the results of the security test for the interference data compression packet and the hidden key of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
To solve the problem in the prior art that network data encrypted with a single key is only weakly protected, so that its processing rules are easily analyzed and the data restored and stolen, and referring to FIGS. 1-6, the following preferred technical solution is provided:
A network data security transmission method based on a trusted platform comprises the following implementation steps:
S1: based on the trusted platform, a secure communication channel for data transmission is established; on the trusted platform the sender uses a splitting tool to randomly cut the data to be transmitted into different data fragments and compresses each fragment into a data compression packet;
S2: the data compression packets of 1 or 2 data fragments are randomly selected and their digests extracted; 1-2 interference data compression packets are replicated according to the digests; the order of the data fragment compression packets is marked; the data fragment compression packets and the interference data compression packets are then shuffled;
S3: a hidden key is generated according to the shuffled data fragments and embedded into the data compression packet of one of the data fragments, the hidden key linking all the data fragments;
S4: all the shuffled data compression packets and interference data compression packets are packaged, encrypted with a public key, and sent to the receiver through the secure communication channel; during transmission a secure transmission model schedules the transmission resources of the trusted platform;
S5: after receiving the data, the receiver decrypts it with the private key to obtain the shuffled data compression packets, and obtains the hiding point of the hidden key and the unlocking password from the sender by video;
S6: the receiver unlocks the hidden key, unlocks all data compression packets, screens out the interference data, recombines the data fragments to restore the original data, and performs integrity verification after the original data is restored.
In S1, the establishment of the secure communication channel for data transmission includes the following implementation steps:
S110, requirements analysis
Determining the secure communication requirements of both communicating parties, including confidentiality, integrity, authentication and availability of data; determining the identity verification mode of both communicating parties, such as identity verification based on a digital certificate;
S120, selecting a trusted platform
Selecting a trusted platform with high security and reliability, wherein the platform should support the security functions of key management, identity verification, encryption and decryption and the like; ensuring that the trusted platform meets relevant security standards and regulations;
S130, key management
Generating a key pair (a public key and a private key) on a trusted platform, and ensuring the safe storage of the private key; the security of the key may be enhanced using a Hardware Security Module (HSM) or a Key Management Service (KMS); the public key may be distributed to the recipients who need to communicate;
S140, identity verification
The two communication parties use the digital certificate to carry out identity verification, so that the identity of the two communication parties is ensured to be credible; both the sender and the receiver need to hold digital certificates issued by trusted third party authorities (e.g., CAs); verifying the validity of the digital certificate through Public Key Infrastructure (PKI);
S150, establishing a secure communication channel
Establishing an encrypted communication channel between the two parties using a secure transport protocol (e.g., TLS/SSL); the two communication parties determine an encryption algorithm and a key exchange mode through negotiation; a public key encryption technology and a private key decryption technology are used for ensuring confidentiality of data in the transmission process;
S160, data integrity check
Before transmitting the data, the sender calculates a hash value (such as SHA-256) of the data as a digest of the data and sends the hash value along with the data; after receiving the data, the receiver calculates the hash value of the received data by using the same hash function and compares the hash value with the hash value provided by the sender; if the hash values are the same, the data is not tampered in the transmission process; otherwise, the data has been tampered with, and the recipient will refuse to receive the data;
S170, logging and monitoring
Recording related logs of the processes of establishing, using, closing and the like of the secure communication channel so as to trace and investigate when problems occur; monitoring the state and performance of a secure communication channel, and timely finding and solving potential security risks;
S180, periodic evaluation and update
The security of the secure communication channel is evaluated regularly, including the security of keys, the strength of the encryption algorithm, the security of the transmission protocol and the like; the key, encryption algorithm or transmission protocol is updated in time according to the evaluation result, so as to improve the security of the secure communication channel.
In S140, the authentication of both communication parties includes the following implementation steps:
S141: generating a key pair, and generating a public key and a private key on a trusted platform, wherein the private key is safely stored by a sender, and the public key is used for data encryption and identity verification;
S142: creating a digital certificate, generating the digital certificate for both communication parties, wherein the digital certificate comprises a public key and identity information and is issued by a trusted third party authority (CA);
S143: distributing certificates: the certificates are distributed to both communicating parties, ensuring that the receiver can verify the identity of the sender;
S144: establishing a channel: after determining the encryption algorithm and key exchange mode through negotiation, the two communicating parties establish an encrypted communication channel between them using the TLS or SSL secure transport protocol.
In S2, the re-engraving of the interference data compression packet includes the following implementation steps:
S210: obtaining the digest of the original compressed packet, namely calculating the digest of the original compressed packet by using a hash algorithm (such as SHA-1);
S220: generating interference data, in either of two ways: generating randomly, where a certain amount of data that differs from the content of the original compressed packet is randomly generated; or modifying the original data, where partial data is extracted from the original compressed packet and modified (e.g., by replacing certain bytes or inserting or deleting data) to generate interference data;
S230: constructing an interference data compression packet, namely compressing the generated interference data into a compression packet by using a compression algorithm (such as RAR, 7z and the like);
S240: adjusting the digest of the interference data compression packet: because of the avalanche effect of the hash algorithm, directly modifying the content of the compressed packet can hardly make its digest identical to the digest of the original compressed packet; however, different interference data combinations and compression parameters can be tried repeatedly to find a digest that is similar to the original digest or meets specific conditions;
S250: verifying the interference data compression packet, ensuring that the generated interference data compression packet differs in content from the original compression packet but has a certain similarity in digest or satisfies specific conditions.
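The loop of S210 to S250 can be followed in the added Python example below, which is not part of the patent text. It assumes zlib in place of RAR or 7z, and it assumes that the "specific condition" is agreement on the first 8 bits of the SHA-1 digest; the function names and the sample fragment are constructed for illustration.

```python
import hashlib
import random
import zlib

PREFIX_BITS = 8  # assumed "specific condition": leading digest bits the decoy must share


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def shared_prefix_bits(a: bytes, b: bytes) -> int:
    """Number of leading bits on which two digests agree."""
    count = 0
    for x, y in zip(a, b):
        diff = x ^ y
        if diff:
            return count + 8 - diff.bit_length()
        count += 8
    return count


def make_interference(payload: bytes, rng: random.Random) -> bytes:
    """S220: copy the original payload, then replace, insert or delete bytes."""
    data = bytearray(payload)
    for _ in range(max(4, len(data) // 16)):
        pos = rng.randrange(len(data))
        op = rng.choice(("replace", "insert", "delete"))
        if op == "replace":
            data[pos] = rng.randrange(256)
        elif op == "insert":
            data.insert(pos, rng.randrange(256))
        elif len(data) > 1:
            del data[pos]
    return bytes(data)


def build_decoy(original_packet: bytes, payload: bytes, rng: random.Random,
                max_tries: int = 100_000):
    """S230-S250: vary interference data and compression level until the decoy
    differs in content but its SHA-1 shares PREFIX_BITS leading bits."""
    target = sha1(original_packet)
    for tries in range(1, max_tries + 1):
        noise = make_interference(payload, rng)
        if noise == payload:
            continue  # S250: the decoy must not carry the real content
        candidate = zlib.compress(noise, rng.randint(1, 9))
        if shared_prefix_bits(sha1(candidate), target) >= PREFIX_BITS:
            return candidate, tries
    raise RuntimeError("no candidate met the digest condition")


def demo(seed: int = 2024) -> dict:
    # random.Random is seeded only so the demo is reproducible; a real sender
    # would draw interference data from the secrets module or os.urandom.
    rng = random.Random(seed)
    payload = b"constructed sample fragment: meter=17 reading=230.4V\n" * 8
    original = zlib.compress(payload, 6)  # the packet whose digest S210 records
    one_bit = zlib.compress(bytes([payload[0] ^ 1]) + payload[1:], 6)
    decoy, tries = build_decoy(original, payload, rng)
    return {
        # avalanche effect: a one-bit change moves about half of the 160 bits
        "avalanche_bits": bit_distance(sha1(original), sha1(one_bit)),
        "prefix_bits": shared_prefix_bits(sha1(original), sha1(decoy)),
        "content_differs": zlib.decompress(decoy) != payload,
        "tries": tries,
    }


if __name__ == "__main__":
    print(demo())
```

Each additional bit of required agreement doubles the expected number of attempts, which is why S240 speaks of a similar digest and not an identical one.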
In S3, the hidden key generation setting method includes the following steps:
S310: generating a hidden key
Generating a random and sufficiently complex hidden key using a secure encryption algorithm (e.g., AES, RSA, or ECC, etc.); the length and complexity of the key should be high enough to resist potential hacking attempts; the hidden key can be a string of randomly generated byte sequences, or can be a numerical value or a character string obtained by calculation of a specific algorithm;
S320: selecting a hidden location
Randomly selecting the data compression packet of one data segment from the chaotically sequenced data segments as the embedding position of the hidden key; this choice should be random to make it harder for an attacker to find the hidden key; a pseudo-random number generator (PRNG) may be used to assist in selecting the hidden location, ensuring that the hidden location is different for each transmission;
S330: embedding hidden keys
Embedding the generated hidden key in encrypted form into the data compression packet of the selected data segment; the hidden key can be encrypted by using a lightweight encryption algorithm (such as XOR encryption or a simple substitution cipher) to increase its security; the hidden key may begin with a specific tag or identifier so that the recipient can easily identify and extract it; care should be taken not to destroy the structure or content of the data compression packet when embedding the hidden key, to ensure that the data fragment remains intact and recoverable during transmission;
S340: recording hidden information
Recording the embedded location of the hidden key and the encryption mode at the sender so that the receiver can be provided with such information when needed, the records can be stored in a secure storage area of the trusted platform to prevent unauthorized access; the sender may also generate an unlock code or key fragment associated with the hidden key and send it to the receiver in a secure manner (e.g., encrypted message, secure communication channel, etc.); this unlock code or key fragment will be used to unlock and extract the hidden key at the receiving end;
S350: verifying embedding of hidden keys
After embedding the hidden key, the sender shall verify the data compression packet to ensure that the hidden key has been successfully embedded and that the data compression packet still remains intact and recoverable; a hash algorithm (e.g., SHA-256) may be used to digest the data compression packet and compare the computed digest to the original digest to verify that the contents of the data compression packet have changed.
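Steps S310 to S350 and the receiver-side extraction are shown in the added Python example below, which is not part of the patent text. The tag value `HKEY`, the 32-byte key length, the trailer layout and the use of zlib as the packet format are assumptions made for illustration.

```python
import hashlib
import secrets
import zlib

TAG = b"HKEY"   # assumed marker; the text only asks for "a specific tag or identifier"
KEY_LEN = 32    # assumed hidden-key length in bytes


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    if len(data) != len(pad):
        raise ValueError("XOR pad must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def embed_hidden_key(packets):
    """S310-S340 on the sender side. Returns (new_packets, hidden_key, record)."""
    hidden_key = secrets.token_bytes(KEY_LEN)   # S310: CSPRNG output
    index = secrets.randbelow(len(packets))     # S320: fresh position per transfer
    # S330/S340: XOR only hides the key if the unlock code is random, as long
    # as the key, and never reused for another transfer.
    unlock_code = secrets.token_bytes(KEY_LEN)
    trailer = TAG + bytes([KEY_LEN]) + xor_bytes(hidden_key, unlock_code)
    out = list(packets)
    out[index] = packets[index] + trailer       # appended after the zlib stream
    record = {
        "index": index,
        "unlock_code": unlock_code,
        "pre_embed_sha256": hashlib.sha256(packets[index]).hexdigest(),
    }
    return out, hidden_key, record


def split_packet(packet: bytes):
    """Return (decompressed fragment, bytes that follow the compressed stream)."""
    d = zlib.decompressobj()
    fragment = d.decompress(packet) + d.flush()
    return fragment, d.unused_data


def verify_embedding(packets, record, original_fragment: bytes) -> bool:
    """S350: the fragment must still decompress unchanged, the tagged trailer
    must be present, and the packet digest must differ from the recorded one."""
    packet = packets[record["index"]]
    fragment, trailer = split_packet(packet)
    return (fragment == original_fragment
            and trailer.startswith(TAG)
            and hashlib.sha256(packet).hexdigest() != record["pre_embed_sha256"])


def extract_hidden_key(packets, index: int, unlock_code: bytes) -> bytes:
    """Receiver side: locate the trailer and unmask the key with the unlock code."""
    _, trailer = split_packet(packets[index])
    if not trailer.startswith(TAG) or len(trailer) < len(TAG) + 1:
        raise ValueError("no hidden-key trailer in this packet")
    length = trailer[len(TAG)]
    masked = trailer[len(TAG) + 1:len(TAG) + 1 + length]
    if len(masked) != length:
        raise ValueError("truncated hidden-key trailer")
    return xor_bytes(masked, unlock_code)


def demo() -> dict:
    # Constructed sample fragments standing in for the split data.
    fragments = [(b"constructed fragment %d " % i) * 20 for i in range(4)]
    packets = [zlib.compress(f) for f in fragments]
    sent, key, rec = embed_hidden_key(packets)
    idx, code = rec["index"], rec["unlock_code"]
    wrong = bytes([code[0] ^ 1]) + code[1:]
    return {
        "verified": verify_embedding(sent, rec, fragments[idx]),
        "recovered": extract_hidden_key(sent, idx, code) == key,
        # XOR masking carries no integrity: a wrong code yields a wrong key silently.
        "wrong_code_yields_key": extract_hidden_key(sent, idx, wrong) == key,
        "others_untouched": all(sent[i] == packets[i] for i in range(4) if i != idx),
    }


if __name__ == "__main__":
    print(demo())
```

Because a wrong unlock code produces a plausible-looking but wrong key without any error, the integrity verification performed after reassembly is what reveals the mismatch.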
In S4, the processing manner for the packed data is as follows:
S41: multi-layer encryption policy:
After all the chaotically sequenced data compression packets and interference data compression packets are packaged, single-layer public key encryption is not applied directly; instead, a multi-layer encryption strategy is adopted: first, the packed data is encrypted as a whole with a first-layer public key (such as an RSA public key) to ensure the overall security of the data; then each data compression packet (including real data compression packets and interference data compression packets) is encrypted independently with second-layer encryption (such as AES symmetric encryption) to increase the security of the data during transmission;
S42: dynamic key management:
To further increase security, a dynamic key management mechanism may be introduced; during transmission, the sender and the receiver negotiate a session key in real time through the secure communication channel, and this session key is used for the second-layer encryption (AES encryption); each transmitted data packet is encrypted with a different session key, which effectively prevents data leakage caused by a key being cracked;
S43: fragmented transmission of encrypted data:
For the encrypted data packet, if its volume is large, fragmented transmission can be considered: the encrypted data packet is cut into a plurality of smaller fragments, each of which contains complete encryption information (such as header information, encrypted data, check codes and the like); fragmented transmission reduces the data volume of a single transmission, reduces the risk of network congestion and improves the flexibility of transmission;
S44: redundancy check in transmission process:
In the data transmission process, a redundancy check mechanism can be introduced; in addition to the encrypted data, some redundancy check information (such as CRC check code) may be added to the encrypted data packet of each data segment; after receiving the data packet, the receiver firstly performs redundancy check to ensure the integrity and accuracy of the data; if the verification fails, the sender is requested to resend the data packet;
S45: real-time optimization of the secure transmission model:
When the secure transmission model is used to schedule the transmission resources of the trusted platform, a real-time optimization mechanism can be introduced; transmission strategies (such as transmission rate, data packetization size, etc.) are dynamically adjusted according to real-time information such as network state and equipment performance, to maximize transmission efficiency and security; meanwhile, various data from the transmission process (such as transmission delay, packet loss rate and the like) can be collected and analyzed for subsequent optimization of the secure transmission model.
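The fragmenting of S43, the per-fragment check of S44 and the end-to-end hash comparison used for integrity verification are combined in the added Python example below, which is not part of the patent text. The frame layout (magic, sequence number, total, length, payload, CRC-32), the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import zlib

MAGIC = b"FRAG"
HEADER = struct.Struct(">4sHHI")  # assumed layout: magic, sequence, total, payload length
CRC = struct.Struct(">I")         # CRC-32 over header + payload, appended to each frame


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fragment(blob: bytes, size: int):
    """S43: cut an encrypted packet into frames carrying header, data and check code."""
    chunks = [blob[i:i + size] for i in range(0, len(blob), size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HEADER.pack(MAGIC, seq, len(chunks), len(chunk)) + chunk
        frames.append(body + CRC.pack(zlib.crc32(body)))
    return frames


def parse_frame(frame: bytes):
    """S44: return (seq, total, payload), or None when the frame fails its checks."""
    if len(frame) < HEADER.size + CRC.size:
        return None
    body = frame[:-CRC.size]
    (crc,) = CRC.unpack(frame[-CRC.size:])
    if zlib.crc32(body) != crc:
        return None
    magic, seq, total, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or seq >= total or length != len(body) - HEADER.size:
        return None
    return seq, total, body[HEADER.size:]


def receive(frames, total: int):
    """Reassemble frames that arrive in any order.
    Returns (blob, []) when complete, else (None, sequence numbers to request again)."""
    good = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] == total:
            good.setdefault(parsed[0], parsed[2])  # first valid copy wins
    missing = [seq for seq in range(total) if seq not in good]
    if missing:
        return None, missing
    return b"".join(good[seq] for seq in range(total)), []


def digest_ok(blob: bytes, sender_digest_hex: str) -> bool:
    """End-to-end hash comparison, done in constant time."""
    return hmac.compare_digest(sha256_hex(blob), sender_digest_hex)


def demo() -> dict:
    blob = bytes(range(256)) * 5   # constructed stand-in for an encrypted packet
    digest = sha256_hex(blob)      # computed by the sender before transmission
    frames = fragment(blob, 500)   # 3 frames: 500 + 500 + 280 bytes
    damaged = bytearray(frames[1])
    damaged[HEADER.size + 3] ^= 0x40  # single bit error in transit
    _, missing = receive([frames[2], bytes(damaged), frames[0]], 3)
    resent, _ = receive([frames[2], bytes(damaged), frames[0], frames[1]], 3)
    # CRC-32 is unkeyed: a frame built from different content carries a valid
    # CRC of its own, so only the digest comparison notices the substitution.
    swapped = fragment(blob[:500] + bytes(500) + blob[1000:], 500)[1]
    other, _ = receive([frames[0], swapped, frames[2]], 3)
    return {
        "missing_after_damage": missing,
        "complete_after_resend": resent == blob and digest_ok(resent, digest),
        "swapped_frame_passes_crc": parse_frame(swapped) is not None,
        "swapped_blob_passes_digest": digest_ok(other, digest),
    }


if __name__ == "__main__":
    print(demo())
```

The CRC decides which fragments to request again; whether the reassembled data is the data that was sent is decided only by the digest comparison.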
Specifically, on the trusted platform the sender converts the data to be transmitted into a plurality of data compression packets by random splitting and compression; confidentiality is strengthened by generating interference data compression packets and by chaotic sequencing, and mixing the misleading interference data compression packets with the real data compression packets makes the compressed packet data harder to steal and crack during transmission. The mixed compressed packet data is additionally subjected to secondary encryption processing by using the hidden key technique, which ensures that only an authorized receiver can correctly unlock and reassemble the data. The whole transmission process is carried out through public key encryption and the secure communication channel of the trusted platform, and resource scheduling is performed in combination with the secure transmission model, so that the stability and reliability of data transmission are ensured.
Further, in order to ensure the security of network data transmission, the present embodiment provides the following technical solutions:
In S4, the secure transmission model adopts a network communication data virtualization sampling algorithm to schedule the communication data transmission resources of the trusted platform in real time during the transmission of the network communication data so as to strengthen the secure communication channel, wherein the formula is as follows,
In the method, in the process of the invention,On behalf of the center to reconstruct the transmitted data,Representing the time of the reconstruction and,Representing the minimum dimension of the beam,Representing the time at which the initial time of the reconstruction was made,Representing a cloud computing security function,Representing the weighting coefficients.
Further, the network communication data virtualization sampling algorithm model is used for extracting network communication data transmission characteristics, carrying out characteristic random distribution, inputting the network communication data virtualization sampling algorithm model into a cloud computing data resource analysis center of a trusted platform for resource scheduling processing, at the moment, using the model to finish network communication data sampling, storing the sampled data in a cloud computing center resource library, using a host system for processing to finish resource preliminary configuration, at the moment, the cloud computing center resource library of the trusted platform contains a plurality of limited data sets X,,Representing a safe transmission data node, at this time, performing space motion capture to obtain initial characteristics of a cloud computing center resource library of a trusted platform, and performing characteristic evolution, at this time, calculating an evolution peak parameter, a calculation formula Y of which is shown as follows,
In the method, in the process of the invention,Representing the time of the motion capture and,Representing the feature vector of the cloud computing,Representing the parameters of the security matching,Representing the time delay of the sample and,Representing the number of samples.
Further, the peak value parameter is used for judging the fitting relation between the network communication data and the resource, the cloud computing data center safe transmission model C is adopted for computing, the computing formula C is shown as follows,
In the method, in the process of the invention,Representing the normalized frequency of the signal,Representing the real-time traffic of the cloud computing center,Representing a secure transmission constant, the model is used for identifying data center resource information in real time when the non-linear characteristics of network communication data transmission are subjected to resource reorganization and resource decomposition.
Specifically, the secure transmission model shows excellent performance in the field of network data secure transmission, and by scheduling communication data transmission resources of a trusted platform in real time and combining a network communication data virtualization sampling algorithm and strong computing capacity of a cloud computing center, the model can accurately extract core transmission characteristics of network communication data and optimally allocate the resources. The unique resource scheduling algorithm and the real-time recombination and decomposition capability ensure the safety and stability in the data transmission process, effectively prevent data leakage and illegal interception, and provide high-efficiency, stable and reliable data transmission service for users.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the spirit and scope of the invention as defined by the appended claims and their equivalents.
Claims (6)
1. The network data security transmission method based on the trusted platform is characterized by comprising the following implementation steps:
S1: based on the trusted platform, establishing a secure communication channel for data transmission, randomly dividing the data to be transmitted by a sender on the trusted platform by utilizing a splitting tool to divide the data into different data fragments, and respectively compressing the data fragments into data compression packets;
S2: randomly selecting data compression packets of 1 or 2 data fragments, extracting digests, re-engraving 1-2 interference data compression packets according to the digests, marking the sequence of the data fragment compression packets, and then performing chaotic sequencing on the data fragment compression packets and the interference data compression packets;
S3: generating a hidden key according to the chaotically sequenced data segments, and embedding the hidden key into a data compression packet of one of the data segments, wherein the hidden key links all the data segments;
S4: packaging all the chaotically sequenced data compression packets and interference data compression packets, encrypting the packets by using a public key, and then sending the packets to a receiver through a secure communication channel, wherein the transmission process utilizes a secure transmission model to schedule the transmission resources of a trusted platform;
S5: after receiving the data, the receiver uses a private key to unlock so as to obtain the chaotically sequenced data compression packets, and the receiver obtains the hidden point of the hidden key and an unlocking password from the sender by video;
S6: after the receiver acquires the hidden key, unlocking all data compression packets and screening out interference data, recombining data fragments to restore the original data, and carrying out integrity verification after the original data is restored;
In the step S1, the establishment of the secure communication channel for data transmission includes the following implementation steps:
S110: the requirement analysis is used for determining the security requirements of both communication parties, including confidentiality, integrity, authentication and availability of data;
S120: selecting a trusted platform, and selecting a trusted platform conforming to a security standard, wherein the platform supports the security functions of key management, identity verification, encryption and decryption;
S130: determining a communication protocol, selecting or defining a protocol for communication, and determining an encryption algorithm and a key exchange mode to be used;
S140: after the identity verification is completed, the two communication parties establish a secure communication channel through a selected communication protocol, and encryption transmission is carried out on communication data by using a secret key when the data is transmitted;
in S140, the authentication of the two communication parties includes the following implementation steps:
S141: generating a key pair, and generating a public key and a private key on a trusted platform, wherein the private key is safely stored by a sender, and the public key is used for data encryption and identity verification;
S142: creating a digital certificate, generating the digital certificate for both communication parties, wherein the digital certificate contains a public key and identity information and is issued by a trusted third party organization;
S143: distributing certificates, namely distributing the certificates to both communication parties, so as to ensure that a receiving party can verify the identity of a sending party;
S144: after establishing a channel and determining an encryption algorithm and a key exchange mode through negotiation, establishing an encrypted communication channel between the two communication parties by using a TLS or SSL secure transmission protocol;
in S2, the re-engraving of the interference data compression packet includes the following implementation steps:
S210: obtaining a digest of the original compressed packet, and calculating the digest of the original data compressed packet by using the hash algorithm SHA-1, so that a character string with a fixed length is obtained from the original data;
S220: generating interference data, extracting part of data from the original compressed packet, and modifying to replace some bytes, insert or delete data to generate interference data;
S230: constructing an interference data compression packet, and compressing the generated interference data into the interference data compression packet by using a compression algorithm RAR or 7 z;
S240: adjusting the digest of the interference data compression packet, and repeatedly trying different interference data combinations and compression parameters to find a digest similar to the original digest or meeting specific conditions;
S250: verifying an interference data compression packet, comparing the digest of the interference data compression packet with the digest of the original data compression packet, and ensuring that the generated interference data compression packet is different from the original data compression packet in content, but has certain similarity in the digest or meets specific conditions;
in the step S3, the method for generating and setting the hidden key includes the following steps:
S310: generating a hidden key, and generating a random and complex hidden key by using an AES, RSA or ECC security algorithm;
S320: selecting a hidden position, randomly selecting a data compression packet of one data segment from the chaotically sequenced data segments as an embedded position of a hidden key, and using a Pseudo Random Number Generator (PRNG) to assist in selecting the hidden position;
S330: embedding a hidden key, encrypting the hidden key by using a lightweight encryption algorithm XOR, and embedding the generated hidden key into a data compression packet of the selected data segment in an encrypted form;
S340: recording hidden information, generating an unlocking password or key fragment related to the hidden key by the sender, and sending the unlocking password or key fragment to the receiver in a safe mode, wherein the unlocking password or key fragment is used for unlocking and extracting the hidden key at the receiving end;
S350: after the hidden key is embedded, the sender shall verify the data compression packet, perform digest calculation on the data compression packet by using a hash algorithm, and compare the digest obtained by calculation with the original digest to verify whether the content of the data compression packet is changed.
2. The network data security transmission method based on the trusted platform as claimed in claim 1, wherein: in the step S6, when the receiving side performs data integrity verification, a hash value verification method is used for verification, and the sending side calculates the hash value of the data as the digest of the data before transmitting the data and sends the hash value along with the data; after receiving the data, the receiver calculates the hash value of the received data by using the same hash function, compares the hash value with the hash value provided by the sender, and if the hash values are the same, the data is not tampered in the transmission process; otherwise, the data has been tampered with.
3. The network data security transmission method based on the trusted platform as claimed in claim 1, wherein: in S4, the processing manner for the packed data is as follows:
S41: multilayer encryption: after all the chaotically sequenced data compression packets and interference data compression packets are packaged, single-layer public key encryption is not carried out directly, and a multilayer encryption strategy is adopted instead: firstly, carrying out outer encryption on packed data by using a first layer RSA public key to ensure the overall security of the data; then, independently encrypting each data compression packet by using second-layer AES symmetric encryption;
S42: dynamic key management, introducing a dynamic key management mechanism, and in the transmission process, negotiating in real time between a sender and a receiver through a secure communication channel to generate a session key, wherein the session key is used for second-layer AES symmetric encryption, and each time a transmitted data packet is encrypted by using different session keys;
S43: fragmented transmission of encrypted data: when the volume of the encrypted data packet is large, cutting the encrypted data packet into a plurality of smaller fragments, wherein each fragment contains complete encryption information;
S44: redundancy check in the transmission process: a redundancy check mechanism is introduced in the data transmission process, and, in addition to the encrypted data, redundancy check information, namely CRC check codes, is added to the encrypted data packet of each data segment.
4. The network data security transmission method based on the trusted platform as claimed in claim 1, wherein: in the step S4, the secure transmission model adopts a network communication data virtualization sampling algorithm to schedule the communication data transmission resources of the trusted platform in real time during the transmission process of the network communication data so as to strengthen the secure communication channel, and the formula is as follows,
;
In the method, in the process of the invention,On behalf of the center to reconstruct the transmitted data,Representing the time of the reconstruction and,Representing the minimum dimension of the beam,Representing the time at which the initial time of the reconstruction was made,Representing a cloud computing security function,Representing the weighting coefficients.
5. The network data security transmission method based on the trusted platform as claimed in claim 4, wherein: the network communication data virtualization sampling algorithm model is used for extracting network communication data transmission characteristics, carrying out characteristic random distribution, inputting the network communication data virtualization sampling algorithm model into a cloud computing data resource analysis center of a trusted platform for resource scheduling processing, using the model to complete network communication data sampling at the moment, storing the sampled data in a cloud computing center resource library, using a host system for processing to complete resource preliminary configuration, wherein the cloud computing center resource library of the trusted platform contains a plurality of limited data sets X,,Representing a safe transmission data node, at this time, performing space motion capture to obtain initial characteristics of a cloud computing center resource library of a trusted platform, and performing characteristic evolution, at this time, calculating an evolution peak parameter, a calculation formula Y of which is shown as follows,
;
In the method, in the process of the invention,Representing the time of the motion capture and,Representing the feature vector of the cloud computing,Representing the parameters of the security matching,Representing the time delay of the sample and,Representing the number of samples.
6. The network data security transmission method based on the trusted platform as claimed in claim 5, wherein: the peak value parameter is used for judging the fitting relation between the network communication data and the resources, the cloud computing data center safe transmission model C is adopted for computation, the computation formula C is shown as follows,
;
In the method, in the process of the invention,Representing the normalized frequency of the signal,Representing the real-time traffic of the cloud computing center,Representing a secure transmission constant, the model is used for identifying data center resource information in real time when the non-linear characteristics of network communication data transmission are subjected to resource reorganization and resource decomposition.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411034642.3A CN118573473B (en) | 2024-07-31 | 2024-07-31 | Network data safety transmission method based on trusted platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118573473A (en) | 2024-08-30 |
CN118573473B (en) | 2024-10-11 |
Family
ID=92467753
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411034642.3A Active CN118573473B (en) | 2024-07-31 | 2024-07-31 | Network data safety transmission method based on trusted platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118573473B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||