
CN108632296B - Dynamic encryption and decryption method for network communication - Google Patents


Info

Publication number
CN108632296B
Authority
CN
China
Prior art keywords
data
key
seed
signature
source data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810471937.5A
Other languages
Chinese (zh)
Other versions
CN108632296A (en)
Inventor
曾修建
谢闯
胡刚
罗春水
沈滨
王彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Sports Lottery Technology Development Co ltd
Original Assignee
China Sports Lottery Technology Development Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/205 Network security for managing network security; network security policies in general (H04L63/20), involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/0428 Network security for providing a confidential data exchange among entities communicating through data packet networks (H04L63/04), wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network security for supporting key management in a packet data network
    • H04L63/068 Network security for supporting key management in a packet data network (H04L63/06), using time-dependent keys, e.g. periodically changing keys
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L9/32), involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a dynamic encryption and decryption method for network communication, comprising the following steps: dynamically generating signature source data from fixed characters and a timestamp; randomly generating a key seed and an obfuscated value seed; obtaining a key from a key pool according to the key seed, and obtaining an obfuscated value from an obfuscated value pool according to the obfuscated value seed; randomly selecting an encryption algorithm from an encryption algorithm pool, encrypting the signature source data with that algorithm using the key and the obfuscated value, and signing the encrypted signature source data to obtain signature encrypted data; encrypting the request source data with the same algorithm, key and obfuscated value to obtain request encrypted data; and sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to a server.

Description

Dynamic encryption and decryption method for network communication
Technical Field
The invention relates to the field of network communication, in particular to a dynamic encryption and decryption method for network communication.
Background
Computer network communication technology is now used throughout industry; computer networks have become an indispensable part of daily life, people depend on them ever more, and the security of network communication receives ever more attention. Data encryption is an important technical means and protection strategy for securing computer network communication: with it, the integrity and confidentiality of data can be effectively guaranteed, the security of information is improved, and the healthy and orderly development of network communication technology can be ensured.
In the prior art, the client and the server must agree in advance on a key, an obfuscated value and an encryption algorithm for encryption and decryption. When the client needs to send a request, it encrypts the request data with the agreed key, obfuscated value and algorithm and sends the encrypted data to the server; the server receives the request data and decrypts it with the agreed algorithm, key and obfuscated value. This scheme rests on the secrecy of the key, the obfuscated value and the encryption algorithm: only if the key is effectively kept secret can the symmetric encryption be applied effectively and the security of the communication be guaranteed. Once the secrecy of the key can no longer be guaranteed, the symmetric encryption loses its essential function and the risk of the traffic being cracked is high.
In addition, in the prior art SSL can be used directly for communication: a hardware key is purchased from a trusted third party, the third party's tools are used to generate the various server and client certificates, the client certificate is written into the hardware key, and when client and server communicate the validity of the certificates must be checked and the key stored in the hardware key is used to encrypt the data sent to the server. In this scheme, first, the third-party CA must be trustworthy and the third party itself must be secure; second, the dependence on the hardware key is strong, which does not suit every scenario: being a small piece of hardware it can be lost or damaged and must then be replaced through the third party, each replacement must be purchased, and the cost is considerable, especially where there are many clients or where distribution is difficult.
Disclosure of Invention
In order to solve the problems of poor security, low applicability and high cost in existing network communication, embodiments of the invention provide a dynamic encryption and decryption method for network communication. An embodiment of the invention provides a dynamic encryption method for network communication, comprising the following steps:
dynamically generating signature source data from fixed characters and a timestamp;
randomly generating a key seed and an obfuscated value seed;
obtaining a key from a key pool according to the key seed, and obtaining an obfuscated value from an obfuscated value pool according to the obfuscated value seed;
randomly selecting an encryption algorithm from an encryption algorithm pool, encrypting the signature source data with that algorithm using the key and the obfuscated value, and signing the encrypted signature source data to obtain signature encrypted data;
encrypting the request source data with the same encryption algorithm, key and obfuscated value to obtain request encrypted data;
and sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to a server.
An embodiment of the invention also provides a dynamic decryption method for network communication, comprising the following steps:
receiving a timestamp, a first key seed, a first obfuscated value seed, first signature encrypted data and request encrypted data sent by a client;
obtaining a first key from a key pool according to the first key seed, and obtaining a first obfuscated value from an obfuscated value pool according to the first obfuscated value seed;
generating signature source data from the fixed characters and the timestamp, encrypting the signature source data with each algorithm in an encryption algorithm pool using the first key and the first obfuscated value, and signing each encrypted result to obtain a plurality of second signature encrypted data;
comparing the first signature encrypted data in turn with each second signature encrypted data, and when they are consistent, taking the algorithm in the pool that produced that second signature encrypted data as the encryption algorithm;
decrypting the request encrypted data with the encryption algorithm using the first key and the first obfuscated value to obtain the request source data;
and generating return-packet source data (the response payload) from the request source data and sending it to the client.
An embodiment of the invention further provides a client, comprising:
a signature source data module for dynamically generating signature source data from the fixed characters and a timestamp;
a seed selection module for randomly generating a key seed and an obfuscated value seed;
a parameter selection module for obtaining a key from a key pool according to the key seed and an obfuscated value from an obfuscated value pool according to the obfuscated value seed;
a signature source data encryption module for randomly selecting an encryption algorithm from an encryption algorithm pool, encrypting the signature source data with that algorithm using the key and the obfuscated value, and signing the encrypted signature source data to obtain first signature encrypted data;
a request source data encryption module for encrypting request source data with the same algorithm, key and obfuscated value to obtain request encrypted data;
and a sending module for sending the timestamp, the key seed, the obfuscated value seed, the first signature encrypted data and the request encrypted data to a server.
An embodiment of the invention further provides a server, comprising:
a data receiving module for receiving the timestamp, the first key seed, the first obfuscated value seed, the first signature encrypted data and the request encrypted data sent by the client;
a parameter selection module for obtaining a first key from a key pool according to the first key seed and a first obfuscated value from an obfuscated value pool according to the first obfuscated value seed;
a signature source data encryption module for generating signature source data from the fixed characters and the timestamp, encrypting the signature source data with each algorithm in an encryption algorithm pool using the first key and the first obfuscated value, and signing each encrypted result to obtain a plurality of second signature encrypted data;
a judging module for comparing the first signature encrypted data in turn with each second signature encrypted data;
an algorithm selection module for taking the pool algorithm whose second signature encrypted data is consistent with the first signature encrypted data as the encryption algorithm;
a decryption module for decrypting the request encrypted data with the encryption algorithm using the first key and the first obfuscated value to obtain the request source data;
and a sending module for generating return-packet source data from the request source data and sending it to the client.
By using dynamic encryption and decryption during network communication, the invention gives the key, the encryption algorithm and the other important information used by the two communicating parties a high degree of randomness, which greatly improves communication security without affecting communication efficiency, effectively reduces cost, and gives good applicability in a variety of network communication scenarios.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
Fig. 1 is a flowchart of a dynamic encryption method for network communication according to an embodiment of the present invention;
Fig. 2 is a flowchart of a dynamic decryption method for network communication according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a client according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a dynamic encryption method for network communication according to an embodiment of the invention; the method comprises:
step S11, dynamically generating signature source data from fixed characters and a timestamp;
step S12, randomly generating a key seed and an obfuscated value seed;
step S13, obtaining a key from the key pool according to the key seed, and obtaining an obfuscated value from the obfuscated value pool according to the obfuscated value seed;
step S14, randomly selecting an encryption algorithm from an encryption algorithm pool, encrypting the signature source data with that algorithm using the key and the obfuscated value, and signing the encrypted signature source data to obtain signature encrypted data;
step S15, encrypting the request source data with the same encryption algorithm, key and obfuscated value to obtain request encrypted data;
step S16, sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to a server.
In this embodiment the signature source data is generated from fixed characters and a timestamp. The fixed characters may consist of letters, such as "abcd", of numerals, such as "1234", or of a combination of the two, such as "abcd1234" or "1a2b3c4d". Their length is not limited and can be set according to actual use. The preset fixed characters are combined with the timestamp of the current time to produce the signature source data.
The key seed and the obfuscated value seed correspond one-to-one with the keys in the key pool and the obfuscated values in the obfuscated value pool. Either seed may be a number, such as "1" or "12", or letters, such as "a" or "ab". Once the two seeds have been chosen at random, the matching key and obfuscated value are looked up by seed in the key pool, which stores a plurality of keys, and in the obfuscated value pool, which stores a plurality of obfuscated values.
The encryption algorithm pool stores a plurality of encryption algorithms, and one of them is selected at random. With that algorithm, the signature source data is encrypted using the key and obfuscated value selected above, and the encrypted signature source data is signed to obtain the signature encrypted data. The request source data, which is the target data to be protected, is encrypted with the same algorithm, key and obfuscated value to obtain the request encrypted data. Finally, the signature encrypted data, the timestamp, the key seed, the obfuscated value seed and the request encrypted data are sent to the server.
In one embodiment, the method further comprises generating the key pool and the obfuscated value pool according to a predefined rule. The predefined rule may consist of input data and a preset algorithm: the input data, for example a random number, is fed into the preset algorithm to obtain a plurality of results, and these results form the key pool and the obfuscated value pool.
In one embodiment, before an encryption algorithm is selected at random from the pool, all encryption algorithms in the pool are verified and loaded: after mutual identity authentication, the algorithms are loaded from local storage into the encryption algorithm pool, which ensures that the algorithms are not leaked.
In this embodiment, sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to the server comprises:
converting the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data into send data according to HTTP (Hypertext Transfer Protocol);
placing the timestamp, the key seed, the obfuscated value seed and the signature encrypted data in the request header of the send data, and the request encrypted data in the request body of the send data;
and sending the send data to the server.
Before the data is sent it must be converted: the timestamp, the key seed, the obfuscated value seed and the signature encrypted data are placed in the request header according to HTTP, so that the server can read them directly from the request header when the message arrives, and the request encrypted data is placed in the request body, so that the server can decrypt it after extracting it.
In this way, the source data to be requested is encrypted with a randomly chosen key, obfuscated value and encryption algorithm, which greatly improves the security of the encrypted data. The method is easy to implement, has good applicability, does not affect encryption efficiency and can reduce cost.
Fig. 2 is a flowchart of a dynamic decryption method for network communication according to an embodiment of the invention; the method comprises:
step S21, receiving the timestamp, the first key seed, the first obfuscated value seed, the first signature encrypted data and the request encrypted data sent by the client;
step S22, obtaining a first key from a key pool according to the first key seed, and obtaining a first obfuscated value from an obfuscated value pool according to the first obfuscated value seed;
step S23, generating signature source data from the fixed characters and the timestamp, encrypting the signature source data with each algorithm in the encryption algorithm pool using the first key and the first obfuscated value, and signing each encrypted result to obtain a plurality of second signature encrypted data;
step S24, comparing the first signature encrypted data in turn with each second signature encrypted data, and when they are consistent, taking the algorithm in the pool that produced that second signature encrypted data as the encryption algorithm;
step S25, decrypting the request encrypted data with the encryption algorithm using the first key and the first obfuscated value to obtain the request source data;
step S26, generating return-packet source data from the request source data and sending it to the client.
In this embodiment, after the data is received, the first key matching the received first key seed is selected from the key pool, and the first obfuscated value matching the received first obfuscated value seed is found in the obfuscated value pool. Key seeds correspond one-to-one with the keys in the key pool, and obfuscated value seeds with the obfuscated values in the obfuscated value pool; either seed may be a number, such as "1" or "12", or letters, such as "a" or "ab". The key pool and the obfuscated value pool are generated according to a predefined rule that is consistent with the predefined rule used in the client.
The signature source data is generated from the received timestamp and the local fixed characters, which may consist of letters, such as "abcd", of numerals, such as "1234", or of a combination of the two, such as "abcd1234" or "1a2b3c4d". Their length is not limited and can be set according to actual use. The preset fixed characters are combined with the received timestamp to produce the signature source data; the fixed characters must be consistent with those in the client.
After the signature source data is generated, it is encrypted with the first key, the first obfuscated value and the algorithms in the encryption algorithm pool, and each encrypted result is signed, giving a plurality of second signature encrypted data. This step traverses the whole pool: each algorithm in the pool produces one second signature encrypted data, and these are compared one by one with the received first signature encrypted data. When a second signature encrypted data is consistent with the first, the algorithm that produced it is the encryption algorithm, and the received request encrypted data is decrypted with that algorithm using the first key and the first obfuscated value to obtain the request source data. The request source data is then processed accordingly to obtain the return-packet source data, that is, the response to the request source data, which is sent to the client.
In one embodiment, before the return-packet source data is sent to the client it is encrypted with the encryption algorithm, the first key and the first obfuscated value. To ensure the security of the data returned to the client, the return-packet source data must be encrypted; in this embodiment it is encrypted with the same encryption algorithm, first key and first obfuscated value that the client used, and the encrypted return-packet source data is sent to the client.
In another embodiment, before the return-packet source data is sent to the client, a second key seed and a second obfuscated value seed are chosen at random, a second key is obtained from the key pool according to the second key seed and a second obfuscated value from the obfuscated value pool according to the second obfuscated value seed, and the return-packet source data is encrypted with the encryption algorithm using the second key and the second obfuscated value.
In this embodiment the return-packet source data is encrypted with the same encryption algorithm the client used, but the key and the obfuscated value are chosen afresh: a second key seed and a second obfuscated value seed are generated, the corresponding second key and second obfuscated value are found in the key pool and the obfuscated value pool, the return-packet source data is encrypted with them, and the encrypted data is sent to the client.
Further, the encryption algorithm, the key and the obfuscated value may all be replaced at the same time: an encryption algorithm is again selected at random from the pool, and the return-packet source data is encrypted with the newly selected key and obfuscated value. To let the client decrypt the encrypted return-packet source data, a signature encrypted data can be regenerated in the same way as on the client and sent to the client. Alternatively, the key and the obfuscated value may be kept and only the encryption algorithm changed before the return-packet source data is encrypted; in that case too, a signature encrypted data must be generated with the changed algorithm and sent to the client together with the encrypted return-packet source data.
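The client steps S11 to S16, the server steps S21 to S26 and the re-seeded reply of this embodiment, carried through as one runnable exchange. This is an added example and not code from the patent or its assignee: the pool-derivation rule (HMAC-SHA256 over one random input), the three pool "algorithms" (HMAC counter-mode keystreams standing in for the ciphers the page leaves unnamed), the signing step (an HMAC-SHA256 tag over the encrypted signature source data) and the use of the obfuscated value as a per-message salt are all assumptions, since the page specifies none of them.

```python
import hmac
import secrets
import time

# Shared fixed characters (the page's own example "abcd1234"); they must match on both sides.
FIXED_CHARS = b"abcd1234"


def build_pools(master_seed: bytes, size: int = 8):
    """Predefined rule (assumed): derive every pool entry from one random input with
    HMAC-SHA256, so client and server rebuild identical pools from the same input.
    Seeds are the labels "0".."size-1", each mapping one-to-one to a pool entry."""
    keys = {str(i): hmac.new(master_seed, b"key|%d" % i, "sha256").digest() for i in range(size)}
    obfs = {str(i): hmac.new(master_seed, b"obf|%d" % i, "sha256").digest()[:16] for i in range(size)}
    return keys, obfs


def _keystream_cipher(digest_name: str):
    """Stand-in for a real cipher (assumed): an HMAC-<digest> counter-mode keystream
    XORed with the data, the obfuscated value acting as per-message salt. XOR is its
    own inverse, so the same function encrypts and decrypts."""
    def cipher(key: bytes, obf: bytes, data: bytes) -> bytes:
        stream, counter = b"", 0
        while len(stream) < len(data):
            stream += hmac.new(key, obf + counter.to_bytes(4, "big"), digest_name).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))
    return cipher


# Encryption algorithm pool: three distinct algorithms (the page does not name any).
ALGORITHM_POOL = {
    "alg-A": _keystream_cipher("sha256"),
    "alg-B": _keystream_cipher("sha512"),
    "alg-C": _keystream_cipher("sha3_256"),
}


def sign(key: bytes, encrypted_sig_source: bytes) -> str:
    """'Signing' the encrypted signature source data: assumed to be an HMAC-SHA256 tag."""
    return hmac.new(key, encrypted_sig_source, "sha256").hexdigest()


def client_encrypt(request: bytes, keys, obfs, *, timestamp=None,
                   key_seed=None, obf_seed=None, alg_name=None):
    """Steps S11-S16. Every choice defaults to a fresh random one; tests may pin them.
    Returns the message to send and the algorithm name the client must remember."""
    timestamp = timestamp or str(int(time.time()))
    key_seed = key_seed or secrets.choice(list(keys))            # S12
    obf_seed = obf_seed or secrets.choice(list(obfs))
    alg_name = alg_name or secrets.choice(list(ALGORITHM_POOL))  # S14: random algorithm
    key, obf, alg = keys[key_seed], obfs[obf_seed], ALGORITHM_POOL[alg_name]  # S13
    sig_source = FIXED_CHARS + timestamp.encode()                # S11
    msg = {
        "timestamp": timestamp, "key_seed": key_seed, "obf_seed": obf_seed,  # S16: sent in clear
        "signature": sign(key, alg(key, obf, sig_source)),       # S14: encrypt, then sign
        "body": alg(key, obf, request),                          # S15
    }
    return msg, alg_name


def server_identify_algorithm(msg, keys, obfs):
    """Steps S22-S24: recompute the signature with every pool algorithm; the one whose
    tag equals the received first signature encrypted data is the client's algorithm."""
    key, obf = keys[msg["key_seed"]], obfs[msg["obf_seed"]]
    sig_source = FIXED_CHARS + msg["timestamp"].encode()
    for name, alg in ALGORITHM_POOL.items():
        if hmac.compare_digest(sign(key, alg(key, obf, sig_source)), msg["signature"]):
            return name
    return None  # no algorithm matches: the request is rejected


def server_handle(msg, keys, obfs, handler, *, key_seed2=None, obf_seed2=None):
    """Steps S25-S26 and the re-seeded reply: decrypt, build the return-packet source
    data, and encrypt it under the same algorithm but a second key seed and second
    obfuscated value seed, which travel back in clear."""
    alg_name = server_identify_algorithm(msg, keys, obfs)
    if alg_name is None:
        raise ValueError("no pool algorithm reproduces the signature")
    alg = ALGORITHM_POOL[alg_name]
    request = alg(keys[msg["key_seed"]], obfs[msg["obf_seed"]], msg["body"])
    key_seed2 = key_seed2 or secrets.choice(list(keys))
    obf_seed2 = obf_seed2 or secrets.choice(list(obfs))
    reply = {"key_seed": key_seed2, "obf_seed": obf_seed2,
             "body": alg(keys[key_seed2], obfs[obf_seed2], handler(request))}
    return reply, alg_name


def client_decrypt_reply(reply, alg_name, keys, obfs):
    """The client already knows the algorithm it chose; only the second seeds are new."""
    return ALGORITHM_POOL[alg_name](keys[reply["key_seed"]], obfs[reply["obf_seed"]], reply["body"])


if __name__ == "__main__":
    keys, obfs = build_pools(secrets.token_bytes(32))   # constructed shared input
    msg, chosen = client_encrypt(b"hello server", keys, obfs)
    reply, found = server_handle(msg, keys, obfs, lambda p: b"echo:" + p)
    print(found == chosen, client_decrypt_reply(reply, chosen, keys, obfs))
```

What the server-side trial actually authenticates is worth noting: the tag binds the fixed characters, the timestamp, the two seeds and the algorithm choice, so a sender without the pools cannot produce a value that any pool algorithm reproduces, and `server_identify_algorithm` returns `None`. The request body itself is protected only by the cipher drawn from the pool, so whether its integrity is also covered depends on what the pool holds.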
In this embodiment, sending the return-packet source data to the client comprises:
converting the second key seed, the second obfuscated value seed and the encrypted return-packet source data into return data according to HTTP;
placing the second key seed and the second obfuscated value seed in the header of the return data, and the encrypted return-packet source data in the body of the return data.
Before the encrypted return-packet source data is sent, the return data must be converted: the second key seed and the second obfuscated value seed are placed in the header of the return data according to HTTP, so that the client can read them directly from the header when the message arrives, and the encrypted return-packet source data is placed in the body, so that the client can decrypt it after extracting it.
Furthermore, if the encryption algorithm used to encrypt the return-packet source data was changed, the timestamp and the signature encrypted data used in that encryption must also be placed in the header of the return data.
In one embodiment, the method further comprises selecting an encryption algorithm at random from the pool as the agreed encryption algorithm and sending it to the client. To improve encryption efficiency, the encryption algorithm to be used in the next communication can be agreed with the client when the return-packet source data is returned, which reduces the time spent on the communication and the amount of data transmitted.
In this way, the server uses the key seed and the obfuscated value seed received from the client to re-create the signature encrypted data, thereby finds the encryption algorithm the client used, decrypts the request source data and returns the return-packet source data to the client, completing the encryption and decryption of the whole exchange. The method greatly improves the security of the encrypted data, is easy to implement, has good applicability, does not affect encryption efficiency and can reduce cost.
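The HTTP framing of both directions described above, as an added example that is not part of the patent: the request header carries the timestamp, the two seeds and the signature while the body carries the ciphertext, and the return data carries the second seeds, plus a fresh timestamp and signature only when the algorithm was changed. The header names, the `/api` path and the `is_fresh` acceptance-window check are assumptions; the page only states which fields go in the header and which in the body.

```python
import time

# Header names are an assumption: the page only says which fields travel in the
# HTTP header and which in the body, not what the headers are called.
REQUEST_FIELDS = ("X-Timestamp", "X-Key-Seed", "X-Obf-Seed", "X-Signature")
REPLY_FIELDS = ("X-Key-Seed", "X-Obf-Seed")            # the second seeds
REPLY_OPTIONAL = ("X-Timestamp", "X-Signature")        # present only when the algorithm changed


def frame(start_line: str, headers: dict, body: bytes) -> bytes:
    """Serialise one HTTP/1.1 message: clear-text fields in the header, ciphertext in the body."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers.items()]
    lines += [f"Content-Length: {len(body)}", "", ""]
    return "\r\n".join(lines).encode("ascii") + body


def parse(raw: bytes, required: tuple, optional: tuple = ()) -> dict:
    """Parse a framed message and check that the fields the protocol needs are present."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no end of header")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()      # header names are case-insensitive
    if int(headers.get("content-length", "-1")) != len(body):
        raise ValueError("Content-Length does not match the body")
    missing = [h for h in required if h.lower() not in headers]
    if missing:
        raise ValueError(f"missing required header(s): {missing}")
    fields = {h: headers[h.lower()] for h in required}
    fields.update({h: headers[h.lower()] for h in optional if h.lower() in headers})
    return {"start_line": lines[0], "fields": fields, "body": body}


def build_request(fields: dict, request_ciphertext: bytes, path: str = "/api") -> bytes:
    """Client side of step S16: timestamp, seeds and signature in the header, ciphertext in the body."""
    return frame(f"POST {path} HTTP/1.1", {h: fields[h] for h in REQUEST_FIELDS}, request_ciphertext)


def parse_request(raw: bytes) -> dict:
    return parse(raw, REQUEST_FIELDS)


def build_reply(fields: dict, reply_ciphertext: bytes) -> bytes:
    """Server side: second seeds in the header; timestamp and a fresh signature only
    if the algorithm was changed for the reply."""
    headers = {h: fields[h] for h in REPLY_FIELDS}
    headers.update({h: fields[h] for h in REPLY_OPTIONAL if h in fields})
    return frame("HTTP/1.1 200 OK", headers, reply_ciphertext)


def parse_reply(raw: bytes) -> dict:
    return parse(raw, REPLY_FIELDS, REPLY_OPTIONAL)


def is_fresh(timestamp: str, now: float = None, window: int = 300) -> bool:
    """Added receiver-side check (not in the page): because the timestamp travels in
    clear text, the receiver can refuse messages whose timestamp lies outside an
    acceptance window instead of decrypting them."""
    now = time.time() if now is None else now
    try:
        return abs(now - int(timestamp)) <= window
    except ValueError:
        return False
```

The parser rejects a message before any cryptographic work is done when a required header is missing or the body length does not match, which keeps the seed lookup and the algorithm trial from running on malformed input.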
Fig. 3 is a schematic structural diagram of a client according to an embodiment of the present invention. The client shown in the figure includes:
a signature source data module 11, configured to dynamically generate signature source data from the fixed characters and the timestamp;
a seed selection module 12, configured to randomly generate a key seed and an obfuscated value seed;
a parameter selection module 13, configured to obtain a key from the key pool according to the key seed and an obfuscated value from the obfuscated value pool according to the obfuscated value seed;
a signature source data encryption module 14, configured to randomly select an encryption algorithm from the encryption algorithm pool, encrypt the signature source data with that algorithm using the key and the obfuscated value, and sign the encrypted signature source data to obtain first signature encrypted data;
a request source data encryption module 15, configured to encrypt the request source data with the same algorithm using the key and the obfuscated value to obtain request encrypted data;
a sending module 16, configured to send the timestamp, the key seed, the obfuscated value seed, the first signature encrypted data and the request encrypted data to the server.
In this embodiment, the signature source data is generated from fixed characters and a timestamp. The fixed characters may be letters, such as "abcd", digits, such as "1234", or a mixture of letters and digits, such as "abcd1234" or "1a2b3c4d". The length of the fixed characters is not limited and can be set according to actual use. The preset fixed characters are combined with the timestamp of the current time to produce the signature source data.
The key seed and the obfuscated value seed correspond one-to-one to the keys in the key pool and the obfuscated values in the obfuscated value pool. A seed may be a number, such as "1" or "12", or a string of letters, such as "a" or "ab". Once the key seed and the obfuscated value seed have been chosen at random, the corresponding key and obfuscated value are looked up in the key pool, which stores a plurality of keys, and in the obfuscated value pool, which stores a plurality of obfuscated values.
The encryption algorithm pool stores a plurality of encryption algorithms, one of which is selected at random. The signature source data is encrypted with that algorithm using the key and obfuscated value selected above, and the encrypted signature source data is signed to obtain the signature encrypted data. The request source data, which is the target data to be protected, is encrypted with the same algorithm, key and obfuscated value to obtain the request encrypted data. Finally, the signature encrypted data, the timestamp, the key seed, the obfuscated value seed and the request encrypted data are sent to the server.
As an embodiment of the present invention, the client further includes a parameter generating module 17, configured to generate the key pool and the obfuscated value pool according to a predefined rule. The predefined rule may consist of input data and a preset algorithm: the input data, for example a random number, is fed into the preset algorithm to obtain a plurality of results, and these results form the key pool and the obfuscated value pool.
As an embodiment of the present invention, the client further includes a checking module 18, configured to check and load all encryption algorithms in the encryption algorithm pool before an encryption algorithm is randomly selected from it. Checking all encryption algorithms means that the algorithms are loaded from local storage into the encryption algorithm pool only after mutual identity authentication, which ensures that the encryption algorithms are not leaked.
As an embodiment of the present invention, the sending module is further configured to convert the timestamp, the key seed, the obfuscated value seed, the first signature encrypted data and the request encrypted data into sending data according to the HTTP protocol;
to place the timestamp, the key seed, the obfuscated value seed and the first signature encrypted data in the request header of the sending data, and the request encrypted data in the request body of the sending data;
and to send the sending data to the server.
Before the data is sent, it is converted into an HTTP (Hypertext Transfer Protocol) message: the timestamp, the key seed, the obfuscated value seed and the signature encrypted data are placed in the request header, so that the server can read them directly from the header once the message reaches it, and the request encrypted data is placed in the request body, so that the server can decrypt it after receiving it.
With this client, the request source data is encrypted with a randomly selected key, obfuscated value and encryption algorithm, which greatly improves the security of the encrypted data. The encryption process in the client is easy to implement, does not affect encryption efficiency, has good applicability and can reduce cost.
Fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention. The server shown in the figure includes:
a data receiving module 21, configured to receive the timestamp, first key seed, first obfuscated value seed, first signature encrypted data and request encrypted data sent by the client;
a parameter selection module 22, configured to obtain a first key from the key pool according to the first key seed and a first obfuscated value from the obfuscated value pool according to the first obfuscated value seed;
a signature source data encryption module 23, configured to generate signature source data from the fixed characters and the timestamp, encrypt the signature source data with each algorithm in the encryption algorithm pool using the first key and the first obfuscated value, and sign each encrypted signature source data to obtain a plurality of second signature encrypted data;
a judging module 24, configured to check in turn whether the first signature encrypted data is consistent with each second signature encrypted data;
an algorithm selecting module 25, configured to take the algorithm of the encryption algorithm pool whose second signature encrypted data is consistent with the first signature encrypted data as the encryption algorithm;
a decryption module 26, configured to decrypt the request encrypted data with that encryption algorithm using the first key and the first obfuscated value to obtain the request source data;
a sending module 27, configured to generate response source data from the request source data and send the response source data to the client.
In this embodiment, after the data receiving module 21 has received the data, the first key matching the received first key seed is selected from the key pool, and the first obfuscated value matching the received first obfuscated value seed is selected from the obfuscated value pool. Key seeds correspond one-to-one to the keys in the key pool, and obfuscated value seeds correspond one-to-one to the obfuscated values in the obfuscated value pool; a seed may be a number, such as "1" or "12", or a string of letters, such as "a" or "ab". The key pool and the obfuscated value pool are generated according to a predefined rule that is the same as the predefined rule used in the client.
The signature source data is generated from the received timestamp and the local fixed characters, which may be letters, such as "abcd", digits, such as "1234", or a mixture of letters and digits, such as "abcd1234" or "1a2b3c4d"; their length is not limited and can be set according to actual use. The preset fixed characters are combined with the received timestamp to produce the signature source data. The fixed characters are the same as the fixed characters in the client.
Once the signature source data has been generated, it is encrypted with the first key and the first obfuscated value under the algorithms in the encryption algorithm pool, and each encrypted result is signed, which yields a plurality of second signature encrypted data. This encryption traverses the pool: each algorithm in the pool produces one second signature encrypted data, and each of these is compared in turn with the received first signature encrypted data. When a second signature encrypted data is consistent with the first signature encrypted data, the algorithm that produced it is the encryption algorithm, and the received request encrypted data is decrypted with that algorithm using the first key and the first obfuscated value to obtain the request source data. The request source data is then processed to obtain the response source data, that is, the response to the request source data, which is sent to the client.
As an embodiment of the present invention, the sending module 27 is further configured to encrypt the response source data with the encryption algorithm, the first key and the first obfuscated value before sending it to the client. To protect the data returned to the client, the response source data must be encrypted; in this embodiment it is encrypted with the same encryption algorithm, first key and first obfuscated value that the client used for encryption, and the encrypted response source data is sent to the client.
As an embodiment of the present invention, the sending module 27 is further configured, before sending the response source data to the client, to randomly select a second key seed and a second obfuscated value seed, obtain a second key from the key pool according to the second key seed and a second obfuscated value from the obfuscated value pool according to the second obfuscated value seed, and encrypt the response source data with the encryption algorithm using the second key and the second obfuscated value.
In this embodiment the response source data is encrypted with the encryption algorithm the client used, but the key and the obfuscated value are chosen afresh: a second key seed and a second obfuscated value seed are generated, the corresponding second key and second obfuscated value are looked up in the key pool and the obfuscated value pool, the response source data is encrypted with them under the encryption algorithm, and the encrypted response source data is sent to the client.
Further, in this embodiment the encryption algorithm, the key and the obfuscated value may all be replaced at once, that is, an encryption algorithm is again randomly selected from the encryption algorithm pool and the response source data is encrypted with the newly selected key and obfuscated value. So that the client can decrypt the encrypted response source data, a signature encrypted data is regenerated in the same way the client generates it and sent to the client. Alternatively, the key and the obfuscated value may be kept and only the encryption algorithm changed before the response source data is encrypted; a signature encrypted data must likewise be generated with the changed encryption algorithm and sent to the client together with the encrypted response source data.
In this embodiment, the sending module 27 is further configured to:
convert the second key seed, the second obfuscated value seed and the encrypted response source data into returned data according to the HTTP (Hypertext Transfer Protocol) protocol;
and place the second key seed and the second obfuscated value seed in the header of the returned data and the encrypted response source data in the body of the returned data.
Before the encrypted response source data is sent, the returned data is converted into an HTTP message: the second key seed and the second obfuscated value seed are placed in the header, so that the client can read them directly from the header when the message arrives, and the encrypted response source data is placed in the body, so that the client can decrypt it after receiving it.
If the encryption algorithm used to encrypt the response source data is changed, the timestamp and the signature encrypted data produced during that encryption must also be placed in the header of the returned data.
As an embodiment of the present invention, the algorithm selecting module 25 is further configured to randomly select an encryption algorithm from the encryption algorithm pool as the agreed encryption algorithm and pass it to the sending module 27, which sends the agreed encryption algorithm to the client.
In this embodiment, to improve encryption efficiency, the encryption algorithm to be used in the next communication is agreed with the client when the response source data is returned, which reduces the time spent on that communication and the amount of data transmitted.
In addition, the invention can be deployed in a client/server (C/S) architecture. To keep the system secure on a customized Linux system, when the encryption and decryption method of the invention detects that the customized Linux system has been modified, the client sends the check result to the server, which preserves the security of the terminal.
With this server, the signature source data is re-encrypted with the key and obfuscated value indicated by the seeds received from the client, so that the encryption algorithm used by the client is found, the request source data is decrypted, and the response source data is returned to the client, which completes the encryption and decryption of one communication. The encryption and decryption processes in the client and the server are easy to implement, do not affect encryption efficiency, have good applicability and can reduce cost.
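The client process of Fig. 3 and the server process of Fig. 4, including the response encrypted under a freshly chosen second key seed and second obfuscated value seed and the HTTP header/body split, as one worked example written for this page in standard-library Python. It is not the patent's code. The pool size, the HMAC-based stand-in ciphers that populate the algorithm pool, the `purpose` labels, the header names and the `FIXED_CHARS` / `POOL_SECRET` values are assumptions of the example; the patent names none of them.

```python
"""Worked example of the exchange described above (stdlib only).

This is an illustration written for this page, not the patent's own code.
The pool size, the HMAC-based stand-in ciphers, the purpose labels, the
header names and the FIXED_CHARS / POOL_SECRET values are all assumptions.
"""
import hashlib
import hmac
import secrets

FIXED_CHARS = b"abcd1234"            # shared fixed character string (assumed value)
POOL_SECRET = b"shared-pool-input"   # assumed input data of the predefined pool rule
POOL_SIZE = 8


def make_pool(label: bytes) -> dict:
    """Predefined rule for a pool: seed "i" -> HMAC-SHA256(POOL_SECRET, label || i).
    Client and server run the same rule, so a seed selects the same entry on both."""
    return {str(i): hmac.new(POOL_SECRET, label + bytes([i]), hashlib.sha256).digest()
            for i in range(POOL_SIZE)}


KEY_POOL = make_pool(b"key")   # key seed -> key
OBF_POOL = make_pool(b"obf")   # obfuscated value seed -> obfuscated value


def keystream_cipher(hash_name: str):
    """Stand-in for one entry of the encryption algorithm pool: a stream cipher whose
    keystream is HMAC(key, obf || purpose || counter) under the given hash. XOR makes
    encryption and decryption the same call. The purpose label is this example's
    addition so the signature-source and request ciphertexts never share keystream."""
    def xcrypt(key: bytes, obf: bytes, purpose: bytes, data: bytes) -> bytes:
        out = bytearray()
        for off in range(0, len(data), 32):
            block = hmac.new(key, obf + purpose + off.to_bytes(4, "big"), hash_name).digest()
            out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
        return bytes(out)
    return xcrypt


ALGO_POOL = {"A": keystream_cipher("sha256"),
             "B": keystream_cipher("sha512"),
             "C": keystream_cipher("sha384")}


def signature_tag(algo_id: str, key: bytes, obf: bytes, timestamp: str) -> str:
    """Signature source = fixed characters || timestamp; encrypt it with the chosen
    algorithm, then sign the ciphertext (HMAC-SHA256 under the same key)."""
    ciphertext = ALGO_POOL[algo_id](key, obf, b"sig", FIXED_CHARS + timestamp.encode())
    return hmac.new(key, ciphertext, hashlib.sha256).hexdigest()


def client_build_request(request_source: bytes, timestamp: str,
                         key_seed=None, obf_seed=None, algo_id=None):
    """Client side: random seeds and algorithm (overridable for tests); seeds and
    signature go in the headers, the encrypted request in the body. Returns the
    message and the algorithm id, which the client keeps and never transmits."""
    key_seed = key_seed or secrets.choice(list(KEY_POOL))
    obf_seed = obf_seed or secrets.choice(list(OBF_POOL))
    algo_id = algo_id or secrets.choice(list(ALGO_POOL))
    key, obf = KEY_POOL[key_seed], OBF_POOL[obf_seed]
    headers = {"X-Timestamp": timestamp, "X-Key-Seed": key_seed, "X-Obf-Seed": obf_seed,
               "X-Signature": signature_tag(algo_id, key, obf, timestamp)}
    return {"headers": headers, "body": ALGO_POOL[algo_id](key, obf, b"req", request_source)}, algo_id


def server_handle(request: dict, handler):
    """Server side: look up key and obfuscated value from the seeds, traverse the
    algorithm pool until one reproduces the received signature, decrypt, and answer
    with the same algorithm under freshly chosen second seeds."""
    h = request["headers"]
    key, obf = KEY_POOL[h["X-Key-Seed"]], OBF_POOL[h["X-Obf-Seed"]]
    algo_id = next((cand for cand in ALGO_POOL
                    if hmac.compare_digest(signature_tag(cand, key, obf, h["X-Timestamp"]),
                                           h["X-Signature"])), None)
    if algo_id is None:
        raise ValueError("no algorithm in the pool reproduces the received signature")
    request_source = ALGO_POOL[algo_id](key, obf, b"req", request["body"])
    response_source = handler(request_source)
    key2_seed, obf2_seed = secrets.choice(list(KEY_POOL)), secrets.choice(list(OBF_POOL))
    body = ALGO_POOL[algo_id](KEY_POOL[key2_seed], OBF_POOL[obf2_seed], b"rsp", response_source)
    return {"headers": {"X-Key-Seed": key2_seed, "X-Obf-Seed": obf2_seed}, "body": body}, algo_id


def client_read_response(response: dict, algo_id: str) -> bytes:
    """Client side: the second seeds come from the response headers; the algorithm
    is the one the client itself chose for the request."""
    key = KEY_POOL[response["headers"]["X-Key-Seed"]]
    obf = OBF_POOL[response["headers"]["X-Obf-Seed"]]
    return ALGO_POOL[algo_id](key, obf, b"rsp", response["body"])


if __name__ == "__main__":
    req, chosen = client_build_request(b'{"ticket": 42}', "1526515200")   # constructed input
    resp, found = server_handle(req, lambda src: b"ok:" + src)
    print(chosen, found, client_read_response(resp, chosen))
```

The server identifies the algorithm exactly as the description says: no algorithm identifier travels on the wire, and the client's choice is recognised only by which pool entry reproduces the received signature, so both sides must build their pools from the same predefined rule and share the same fixed characters. The `purpose` label inside the keystream is the example's one departure from the text: with a stream-cipher stand-in, encrypting the signature source and the request under the same key and obfuscated value without it would reuse keystream.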
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by relevant hardware instructed by a program, and the program may be stored in a computer readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (16)

1. A method for dynamic encryption and decryption of network communications, the method comprising:
the client dynamically generating signature source data from fixed characters and a timestamp; randomly generating a key seed and an obfuscated value seed; obtaining a key from a key pool according to the key seed and an obfuscated value from an obfuscated value pool according to the obfuscated value seed; randomly selecting an encryption algorithm from an encryption algorithm pool, encrypting the signature source data with the encryption algorithm using the key and the obfuscated value, and signing the encrypted signature source data to obtain signature encrypted data; encrypting request source data with the encryption algorithm using the key and the obfuscated value to obtain request encrypted data; and sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to a server;
the server receiving the timestamp, a first key seed, a first obfuscated value seed, first signature encrypted data and the request encrypted data sent by the client; obtaining a first key from a key pool according to the first key seed and a first obfuscated value from an obfuscated value pool according to the first obfuscated value seed; generating signature source data from fixed characters and the timestamp, encrypting the signature source data with the algorithms in an encryption algorithm pool using the first key and the first obfuscated value, and signing the encrypted signature source data to obtain a plurality of second signature encrypted data; judging in turn whether the first signature encrypted data is consistent with each second signature encrypted data; when the first signature encrypted data is consistent with a second signature encrypted data, taking the corresponding algorithm of the encryption algorithm pool as the encryption algorithm; decrypting the request encrypted data with the encryption algorithm using the first key and the first obfuscated value to obtain request source data; and generating response source data from the request source data and sending the response source data to the client.
2. The method of claim 1, further comprising generating the key pool and the obfuscated value pool according to a predefined rule.
3. The method of claim 1, wherein all encryption algorithms in the encryption algorithm pool are checked and loaded before an encryption algorithm is randomly selected from the encryption algorithm pool.
4. The method of claim 1, wherein sending the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data to a server comprises:
converting the timestamp, the key seed, the obfuscated value seed, the signature encrypted data and the request encrypted data into sending data according to the HTTP (Hypertext Transfer Protocol) protocol;
placing the timestamp, the key seed, the obfuscated value seed and the signature encrypted data in a request header of the sending data, and placing the request encrypted data in a request body of the sending data;
and sending the sending data to the server.
5. The method of claim 1, wherein the response source data is encrypted with the encryption algorithm, the first key and the first obfuscated value before being sent to the client.
6. The method of claim 1, wherein, before the response source data is sent to the client, a second key seed and a second obfuscated value seed are randomly selected, a second key is obtained from the key pool according to the second key seed and a second obfuscated value is obtained from the obfuscated value pool according to the second obfuscated value seed;
and the response source data is encrypted with the encryption algorithm using the second key and the second obfuscated value.
7. The method of claim 6, wherein sending the response source data to the client comprises:
converting the second key seed, the second obfuscated value seed and the encrypted response source data into returned data according to the HTTP protocol;
and placing the second key seed and the second obfuscated value seed in a header of the returned data, and the encrypted response source data in a body of the returned data.
8. The method of claim 1, further comprising randomly selecting an encryption algorithm from the encryption algorithm pool as an agreed encryption algorithm and sending the agreed encryption algorithm to the client.
9. A dynamic encryption and decryption system for network communication, the system comprising a client and a server communicatively coupled to the client, wherein:
the client comprises:
a signature source data module, configured to dynamically generate signature source data from fixed characters and a timestamp;
a seed selection module, configured to randomly generate a key seed and an obfuscated value seed;
a parameter selection module, configured to obtain a key from a key pool according to the key seed and an obfuscated value from an obfuscated value pool according to the obfuscated value seed;
a signature source data encryption module, configured to randomly select an encryption algorithm from an encryption algorithm pool, encrypt the signature source data with the encryption algorithm using the key and the obfuscated value, and sign the encrypted signature source data to obtain first signature encrypted data;
a request source data encryption module, configured to encrypt request source data with the encryption algorithm using the key and the obfuscated value to obtain request encrypted data;
a sending module, configured to send the timestamp, the key seed, the obfuscated value seed, the first signature encrypted data and the request encrypted data to the server;
the server comprises:
a data receiving module, configured to receive the timestamp, a first key seed, a first obfuscated value seed, the first signature encrypted data and the request encrypted data sent by the client;
a parameter selection module, configured to obtain a first key from a key pool according to the first key seed and a first obfuscated value from an obfuscated value pool according to the first obfuscated value seed;
a signature source data encryption module, configured to generate signature source data from fixed characters and the timestamp, encrypt the signature source data with each algorithm in an encryption algorithm pool using the first key and the first obfuscated value, and sign the encrypted signature source data to obtain a plurality of second signature encrypted data;
a judging module, configured to judge in turn whether the first signature encrypted data is consistent with each second signature encrypted data;
an algorithm selection module, configured to take the algorithm of the encryption algorithm pool whose second signature encrypted data is consistent with the first signature encrypted data as the encryption algorithm;
a decryption module, configured to decrypt the request encrypted data with the encryption algorithm using the first key and the first obfuscated value to obtain request source data;
and a sending module, configured to generate response source data from the request source data and send the response source data to the client.
10. The system of claim 9, wherein the client further comprises a parameter generation module configured to generate the key pool and the obfuscated value pool according to a predefined rule.
11. The system of claim 9, wherein the client further comprises a checking module configured to check and load all encryption algorithms in the encryption algorithm pool before an encryption algorithm is randomly selected from the encryption algorithm pool.
12. The system of claim 9, wherein the sending module of the client is further configured to convert the timestamp, the key seed, the obfuscated value seed, the first signature encrypted data and the request encrypted data into sending data according to the HTTP protocol;
place the timestamp, the key seed, the obfuscated value seed and the first signature encrypted data in a request header of the sending data, and the request encrypted data in a request body of the sending data;
and send the sending data to the server.
13. The system of claim 9, wherein the sending module of the server is further configured to encrypt the response source data with the encryption algorithm, the first key and the first obfuscated value before sending the response source data to the client.
14. The system of claim 9, wherein the sending module of the server is further configured, before sending the response source data to the client, to randomly select a second key seed and a second obfuscated value seed, obtain a second key from the key pool according to the second key seed and a second obfuscated value from the obfuscated value pool according to the second obfuscated value seed;
and encrypt the response source data with the encryption algorithm using the second key and the second obfuscated value.
15. The system of claim 14, wherein the sending module of the server is further configured to:
convert the second key seed, the second obfuscated value seed and the encrypted response source data into returned data according to the HTTP protocol;
and place the second key seed and the second obfuscated value seed in a header of the returned data, and the encrypted response source data in a body of the returned data.
16. The system of claim 9, wherein the algorithm selection module is further configured to randomly select an encryption algorithm from the encryption algorithm pool as an agreed encryption algorithm and pass the agreed encryption algorithm to the sending module, and the sending module sends the agreed encryption algorithm to the client.
CN201810471937.5A 2018-05-17 2018-05-17 Dynamic encryption and decryption method for network communication Active CN108632296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810471937.5A CN108632296B (en) 2018-05-17 2018-05-17 Dynamic encryption and decryption method for network communication

Publications (2)

Publication Number Publication Date
CN108632296A CN108632296A (en) 2018-10-09
CN108632296B true CN108632296B (en) 2021-08-13

Family

ID=63693475

Country Status (1)

Country Link
CN (1) CN108632296B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109861819B (en) * 2019-03-19 2022-04-15 天津中德应用技术大学 Data encryption method and decryption method based on confusion encryption block algorithm
CN110891061B (en) * 2019-11-26 2021-08-06 中国银联股份有限公司 Data encryption and decryption method and device, storage medium and encrypted file
CN111142484B (en) * 2019-12-24 2021-04-30 南京轩世琪源软件科技有限公司 Industrial control system and control method
CN111245802B (en) * 2020-01-06 2022-06-17 银清科技有限公司 Data transmission security control method, server and terminal
CN114969767B (en) * 2021-02-24 2025-01-28 中国联合网络通信集团有限公司 Method, device and equipment for encrypting and securely transmitting sensitive data
CN113204772B (en) * 2021-04-26 2023-04-28 五八有限公司 Data processing method, device, system, terminal, server and storage medium
CN113315761B (en) * 2021-05-13 2023-01-31 中国经济信息社有限公司 Client and server data transmission method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972237A (en) * 2006-12-06 2007-05-30 胡祥义 VPN system based on dynamic encryption algorithm
CN101572601A (en) * 2009-06-09 2009-11-04 普天信息技术研究院有限公司 Data encryption and transmission method and device thereof
CN105763315A (en) * 2014-12-16 2016-07-13 展讯通信(深圳)有限公司 Data encryption and decryption method and apparatus thereof, and communication system
CN106100842A (en) * 2016-06-22 2016-11-09 广西咪付网络技术有限公司 A kind of dynamic encryption and decryption method and system
CN106559217A (en) * 2015-09-29 2017-04-05 腾讯科技(深圳)有限公司 A kind of dynamic encrypting method, terminal, server
CN106714146A (en) * 2015-11-13 2017-05-24 广西咪付网络技术有限公司 Communication encryption method for Bluetooth BLE devices
CN106850220A (en) * 2017-02-22 2017-06-13 腾讯科技(深圳)有限公司 Data ciphering method, data decryption method and device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0122169D0 (en) * 2001-09-13 2001-10-31 Ncipher Corp Ltd Digital time stamping system
CN100431297C (en) * 2005-02-28 2008-11-05 胡祥义 Method for preventing user passwords from being stolen by adopting two-factor authentication protocol
CN1819515B (en) * 2006-03-20 2012-07-04 胡祥义 Realizing method of security symmetric coding algorithm
CN102546179A (en) * 2011-12-31 2012-07-04 珠海市君天电子科技有限公司 Identity authentication method applied between server side and client side
CN106953730B (en) * 2016-01-07 2021-01-05 格尔软件股份有限公司 Safety method for realizing Windows code signature containing timestamp under physical isolation network environment
CN105763322B (en) * 2016-04-13 2019-01-25 同济大学 An obfuscated encryption key isolation digital signature method and system
CN107086920A (en) * 2017-06-20 2017-08-22 无锡井通网络科技有限公司 Copyright based on block chain really weighs method
CN107833032A (en) * 2017-10-26 2018-03-23 胡祥义 It is a kind of based on mobile phone without card Bank Account Number implementation method

Also Published As

Publication number Publication date
CN108632296A (en) 2018-10-09

Similar Documents

Publication Publication Date Title
CN108632296B (en) Dynamic encryption and decryption method for network communication
US20230208627A1 (en) Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
CN111079128B (en) Data processing method and device, electronic equipment and storage medium
CN108377189B (en) Block chain user communication encryption method and device, terminal equipment and storage medium
CA2938174C (en) System and method for performing secure communications
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN103036872B (en) The encryption and decryption method of transfer of data, equipment and system
JP2020530726A (en) NFC tag authentication to remote servers with applications that protect supply chain asset management
CN112564906B (en) Block chain-based data security interaction method and system
CN112804205A (en) Data encryption method and device and data decryption method and device
CN104144413A (en) Approval method and system based on mobile terminal
CN101286849A (en) Authentication system and method of a third party based on engagement arithmetic
CN115801232A (en) Private key protection method, device, equipment and storage medium
CN118540163B (en) Anti-quantum security enhancement method for national secret SSL VPN protocol
Luring et al. Analysis of security features in DLMS/COSEM: Vulnerabilities and countermeasures
CN108768958B (en) Verification method for data integrity and source based on no leakage of verified information by third party
CN116707778A (en) Data hybrid encryption transmission method and device and electronic equipment
CN109361506A (en) Information processing method
JP5354656B2 (en) Cryptographic communication system, cryptographic communication method, transmitting apparatus and receiving apparatus
CN109104393B (en) Identity authentication method, device and system
CN118659923B (en) A quantum-resistant security enhancement method for the Simple Authentication and Security Layer protocol
CN118659881B (en) Quantum-resistant security enhancement method for secure shell protocol
CN118713833B (en) Quantum security enhancement method for open identity connection protocol
CN118694529B (en) Quantum-resistant security enhancement method for secure channel protocol of password equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant