[go: up one dir, main page]

CN114531235A - End-to-end encrypted communication method and system - Google Patents

End-to-end encrypted communication method and system Download PDF

Info

Publication number
CN114531235A
CN114531235A CN202210193962.8A CN202210193962A CN114531235A CN 114531235 A CN114531235 A CN 114531235A CN 202210193962 A CN202210193962 A CN 202210193962A CN 114531235 A CN114531235 A CN 114531235A
Authority
CN
China
Prior art keywords
terminal
information
token
access
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210193962.8A
Other languages
Chinese (zh)
Other versions
CN114531235B (en
Inventor
王建民
雒海波
武延军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Software of CAS filed Critical Institute of Software of CAS
Priority to CN202210193962.8A priority Critical patent/CN114531235B/en
Publication of CN114531235A publication Critical patent/CN114531235A/en
Application granted granted Critical
Publication of CN114531235B publication Critical patent/CN114531235B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种端对端加密的通信方法及系统,涉及互联网信息通信技术领域。所述方法包括:在可信环境下,获取第二终端的公钥key2与认证信息;第一密文信息发送至第二终端,以获取第二终端返回的access_token、对称密钥和相应对称加密算法;将access_token与第二密文信息发送至第二终端,以获取第二终端返回的第三密文信息;使用所述对称密钥和相应对称加密算法解密所述第三密文信息,得到所述数据响应信息。本发明在传输过程中基于对称加密算法实现双方数据安全传递,并在准备阶段预设了加密方案,从而消除了第三方以及数据传输平台从中间层截取数据包来获得用户数据的风险,数据安全得到双重保护。

Figure 202210193962

The invention discloses an end-to-end encrypted communication method and system, and relates to the technical field of Internet information communication. The method includes: in a trusted environment, obtaining the public key key2 and authentication information of the second terminal; sending the first ciphertext information to the second terminal to obtain the access_token, symmetric key and corresponding symmetric encryption returned by the second terminal algorithm; send the access_token and the second ciphertext information to the second terminal to obtain the third ciphertext information returned by the second terminal; use the symmetric key and the corresponding symmetric encryption algorithm to decrypt the third ciphertext information to obtain The data response information. The invention realizes the safe transmission of data between the two parties based on the symmetric encryption algorithm in the transmission process, and presets the encryption scheme in the preparation stage, thereby eliminating the risk of the third party and the data transmission platform intercepting data packets from the middle layer to obtain user data, and the data is safe. Get double protection.

Figure 202210193962

Description

一种端对端加密的通信方法及系统End-to-end encrypted communication method and system

技术领域technical field

本发明涉及互联网信息通信技术领域,具体涉及一种端对端加密的通信方法及系统。The present invention relates to the technical field of Internet information communication, in particular to an end-to-end encrypted communication method and system.

背景技术Background technique

在互联网时代,数据信息是个人最重要的财产,而数据的安全传输是保护个人隐私的重要手段。为保护数据传输安全,在通信网络中通常需要进行加密,现有技术中提供的数据加密传输方案涉及关键信息加密、网络层加密机制、应用层加密机制等多种加密方式。这些方案仍不能很好地避免第三方介入截取破解信息的风险,数据安全并未得到安全保护。In the Internet era, data information is the most important property of individuals, and the secure transmission of data is an important means to protect personal privacy. In order to protect the security of data transmission, encryption is usually required in the communication network. The data encryption transmission scheme provided in the prior art involves key information encryption, network layer encryption mechanism, application layer encryption mechanism and other encryption methods. These schemes still cannot well avoid the risk of third-party intervention to intercept and crack information, and data security has not been securely protected.

发明内容SUMMARY OF THE INVENTION

针对上述问题,本发明公开了一种端对端加密的通信方法及系统,以实现数据的安全传输。In view of the above problems, the present invention discloses an end-to-end encrypted communication method and system, so as to realize the safe transmission of data.

本发明的技术方案包括:The technical scheme of the present invention includes:

一种端对端加密的通信方法,应用于第一终端,其步骤包括:An end-to-end encrypted communication method, applied to a first terminal, the steps of which include:

在可信环境下,获取第二终端的公钥key2与认证信息;In a trusted environment, obtain the public key key2 and authentication information of the second terminal;

将第一密文信息发送至第二终端,以获取第二终端返回的access_token、对称密钥和相应对称加密算法,其中,所述第一密文信息包括:使用所述公钥key2加密的所述认证信息,所述access_token中包含由公钥key2加密的所述对称密钥;Send the first ciphertext information to the second terminal to obtain the access_token, the symmetric key and the corresponding symmetric encryption algorithm returned by the second terminal, wherein the first ciphertext information includes: all encrypted data encrypted by using the public key key2. Described authentication information, described access_token includes described symmetric key encrypted by public key key2;

将access_token与第二密文信息发送至第二终端,以获取第二终端返回的第三密文信息,其中所述第二密文信息包括:使用所述对称密钥加密的数据请求信息,所述第三密文信息基于所述第二密文信息与所述access_token中包含由公钥key2加密的所述对称密钥得到,且所述第三密文信息包括:加密的数据响应信息;Send the access_token and the second ciphertext information to the second terminal to obtain the third ciphertext information returned by the second terminal, wherein the second ciphertext information includes: data request information encrypted by using the symmetric key, so The third ciphertext information is obtained based on the second ciphertext information and the access_token including the symmetric key encrypted by the public key key2, and the third ciphertext information includes: encrypted data response information;

使用所述对称密钥和相应对称加密算法解密所述第三密文信息,得到所述数据响应信息。Decrypt the third ciphertext information by using the symmetric key and the corresponding symmetric encryption algorithm to obtain the data response information.

进一步地,所述第一终端包括:客户端、PC端或Web端。Further, the first terminal includes: a client terminal, a PC terminal or a Web terminal.

进一步地,当所述第一终端为客户端时,所述获取第二终端的公钥key2与认证信息,包括:Further, when the first terminal is a client, the obtaining the public key key2 and authentication information of the second terminal includes:

创建公私钥对;Create a public-private key pair;

将公私钥对中的公钥key1与第一终端身份信息发送至第二客户端,以获取第二终端的公钥key2与认证信息。The public key key1 in the public-private key pair and the identity information of the first terminal are sent to the second client to obtain the public key key2 and authentication information of the second terminal.

进一步地,当所述第一终端为客户端时,所述获取第二终端返回的access_token、对称密钥和相应对称加密算法,包括:Further, when the first terminal is a client, obtaining the access_token, symmetric key and corresponding symmetric encryption algorithm returned by the second terminal includes:

将所述第一密文信息发送至第二终端,所述第一密文信息还包括:使用所述公钥key2加密的第一终端统一唯一识别码;sending the first ciphertext information to the second terminal, where the first ciphertext information further includes: a unified unique identification code of the first terminal encrypted by using the public key key2;

获取access_token与第四密文信息,所述第四密文信息包括:使用公钥key1加密的对称密钥和相应对称加密算法;Obtain access_token and fourth ciphertext information, where the fourth ciphertext information includes: a symmetric key encrypted with the public key key1 and a corresponding symmetric encryption algorithm;

使用私钥key A解码所述第四密文信息,得到对称密钥和相应对称加密算法。Use the private key key A to decode the fourth ciphertext information to obtain a symmetric key and a corresponding symmetric encryption algorithm.

进一步地,当所述第一终端为PC端或Web端时,所述获取第二终端的公钥key2与认证信息,包括:Further, when the first terminal is a PC terminal or a Web terminal, the obtaining the public key key2 and authentication information of the second terminal includes:

与一第三客户端建立连接,其中,所述第三客户端与所述第二终端已建立信任关系;establishing a connection with a third client, wherein the third client has established a trust relationship with the second terminal;

接收所述第三客户端发送的认证信息,其中该认证信息为第二终端生成的授权码或邀请码,所述授权码或邀请码包含所述公钥key2。Receive the authentication information sent by the third client, where the authentication information is an authorization code or an invitation code generated by the second terminal, and the authorization code or the invitation code includes the public key key2.

进一步地,当所述第一终端为PC端或Web端时,所述获取第二终端返回的access_token、对称密钥和相应对称加密算法,包括:Further, when the first terminal is a PC terminal or a Web terminal, obtaining the access_token, symmetric key and corresponding symmetric encryption algorithm returned by the second terminal includes:

生成一组临时对称密钥;generate a set of ephemeral symmetric keys;

在可信环境下,将所述第一密文信息发送至第三客户端,以使第二终端基于第三客户端发送的所述第一密文信息与第一终端的识别信息,生成access_token,并将access_token、对称密钥及相应对称加密算法发送至第一终端,其中,所述第一密文信息还包括:使用所述公钥key2加密的所述临时对称密钥。In a trusted environment, the first ciphertext information is sent to the third client, so that the second terminal generates an access_token based on the first ciphertext information sent by the third client and the identification information of the first terminal , and send the access_token, the symmetric key and the corresponding symmetric encryption algorithm to the first terminal, wherein the first ciphertext information further includes: the temporary symmetric key encrypted with the public key key2.

进一步地,所述第三密文信息基于所述第二密文信息与所述access_token中包含由公钥key2加密的所述对称密钥得到:Further, the third ciphertext information is obtained based on the second ciphertext information and the access_token containing the symmetric key encrypted by the public key key2:

验证所述access_token中的第一终端身份信息;Verify the first terminal identity information in the access_token;

对通过验证的所述access_token,使用所述公钥key2相应的私钥keyB,解密所述access_token中的由公钥key2加密的所述对称密钥;For the access_token passing the verification, use the corresponding private key keyB of the public key key2 to decrypt the symmetric key encrypted by the public key key2 in the access_token;

使用所述对称密钥解密所述第二密文信息,以得到所述数据请求信息;decrypting the second ciphertext information using the symmetric key to obtain the data request information;

基于所述数据请求信息,得到数据响应信息;Based on the data request information, obtain data response information;

使用所述对称密钥及相应对称加密算法加密数据响应信息,以生成第三密文信息。The data response information is encrypted using the symmetric key and the corresponding symmetric encryption algorithm to generate third ciphertext information.

一种存储介质,所述存储介质中存储有计算机程序,其中,所述计算机程序被设置为运行时执行以上任一所述方法。A storage medium in which a computer program is stored, wherein the computer program is configured to execute any one of the above methods when running.

一种终端,其特征在于,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器被设置为运行所述计算机程序以执行以上任一所述方法。A terminal is characterized by comprising a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute any one of the above methods.

一种端对端加密的通信系统,包括第一终端和第二终端,An end-to-end encrypted communication system includes a first terminal and a second terminal,

第一终端,用于在可信环境下,获取第二终端的公钥key2与认证信息;将第一密文信息发送至第二终端,以获取第二终端返回的access_token、对称密钥和相应对称加密算法,所述第一密文信息包括:使用所述公钥key2加密的所述认证信息,所述access_token中包含由公钥key2加密的所述对称密钥;将access_token与第二密文信息发送至第二终端,以获取第二终端返回的第三密文信息,所述第二密文信息包括:使用所述对称密钥加密的数据请求信息;使用所述对称密钥和相应对称加密算法解密所述第三密文信息,得到所述数据响应信息;The first terminal is used to obtain the public key key2 and authentication information of the second terminal in a trusted environment; send the first ciphertext information to the second terminal to obtain the access_token, symmetric key and corresponding Symmetric encryption algorithm, the first ciphertext information includes: the authentication information encrypted by using the public key key2, the access_token contains the symmetric key encrypted by the public key key2; the access_token and the second ciphertext The information is sent to the second terminal to obtain third ciphertext information returned by the second terminal, where the second ciphertext information includes: data request information encrypted by using the symmetric key; using the symmetric key and corresponding symmetric key An encryption algorithm decrypts the third ciphertext information to obtain the data response information;

第二终端,用于生成公私钥对;根据第一密文信息,得到access_token、对称密钥和相应对称加密算法;基于所述第二密文信息与所述access_token中包含由公钥key2加密的所述对称密钥,得到所述第三密文信息。The second terminal is used to generate a public-private key pair; according to the first ciphertext information, the access_token, the symmetric key and the corresponding symmetric encryption algorithm are obtained; based on the second ciphertext information and the access_token, the access_token contains the data encrypted by the public key key2 The symmetric key is used to obtain the third ciphertext information.

与现有技术相比,本发明至少具有以下优点:Compared with the prior art, the present invention has at least the following advantages:

1、本发明在数据传输的准备阶段预设了加密方案,从而保证数据在开始传输前便处于一个相对安全环境;1. The present invention presets an encryption scheme in the preparation stage of data transmission, thereby ensuring that the data is in a relatively safe environment before starting transmission;

2、本发明在传输过程中,利用对称加密算法实现双方数据安全传递,从而消除了第三方以及数据传输平台从中间层截取数据包来获得用户数据的风险,数据安全得到双重保护。2. In the transmission process of the present invention, the symmetric encryption algorithm is used to realize the safe transmission of data between the two parties, thereby eliminating the risk of the third party and the data transmission platform intercepting data packets from the middle layer to obtain user data, and data security is double protected.

附图说明Description of drawings

图1本发明的系统图。Fig. 1 is a system diagram of the present invention.

图2本发明的方法流程图。Fig. 2 is a flow chart of the method of the present invention.

具体实施方式Detailed ways

下面将结合附图,对本发明实施方式中的技术方案进行清楚、完整地描述,显然,所描述的实施方式仅仅是本发明特定实施方式,而不是全部的实施方式。基于本发明中的实施方式,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施方式,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only specific embodiments of the present invention, rather than all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

本发明提供一种端对端加密通信系统,如图1所示,包括第一终端、第二终端,所述第一终端与第二终端建立通信连接的对侧终端,包括但不限于客户端、PC端或Web端;所述第二终端为与第一终端建立通信连接的对侧终端,其为一可存储并在操作系统中运行的服务,可包括但不限于为一具有处理器和存储器的电子设备或一计算机可读取的存储介质。The present invention provides an end-to-end encrypted communication system, as shown in FIG. 1 , including a first terminal and a second terminal, and the opposite terminal that establishes a communication connection between the first terminal and the second terminal includes but is not limited to a client , PC terminal or Web terminal; the second terminal is the opposite terminal that establishes a communication connection with the first terminal, which is a service that can be stored and run in the operating system, including but not limited to a service with a processor and a Memory An electronic device or a computer-readable storage medium.

本发明提供的加密通信方法,如图2所示,包括:The encrypted communication method provided by the present invention, as shown in Figure 2, includes:

步骤110:在可信环境下,获取第二终端的公钥key2与认证信息。Step 110: In a trusted environment, obtain the public key key2 and authentication information of the second terminal.

在一示例中,当第一终端为客户端时,经过初始化的第一终端在可信环境下与第二终端进行配对连接。可选地,该可信环境可为基于蓝牙功能或U盘传输实现。In an example, when the first terminal is a client, the initialized first terminal is paired and connected with the second terminal in a trusted environment. Optionally, the trusted environment may be implemented based on Bluetooth function or U disk transmission.

当两端完成连接后,第一终端创建密钥key1(公钥)、key A(私钥)、第二终端创建密钥key2(公钥)、key B(私钥)。After the two ends are connected, the first terminal creates keys key1 (public key), key A (private key), and the second terminal creates keys key2 (public key) and key B (private key).

此时,在可信环境下,第一终端向第二终端发送其公钥key1和身份信息等内容,第二终端接收后将公钥key2和认证信息等内容发送至第一终端。At this time, in a trusted environment, the first terminal sends its public key key1 and identity information to the second terminal, and the second terminal sends the public key key2 and authentication information to the first terminal after receiving it.

在另一示例中,当第一终端为除客户端外的其他终端形式时,例如PC端或Web端,由于第一终端不具备蓝牙功能,上述的可信环境也可基于一个第三客户端完成。即先选取一个与第二终端基于可信环境建立信任关系的第三客户端。In another example, when the first terminal is in the form of a terminal other than a client, such as a PC terminal or a web terminal, since the first terminal does not have the Bluetooth function, the above-mentioned trusted environment can also be based on a third client Finish. That is, first select a third client that establishes a trust relationship with the second terminal based on the trusted environment.

之后,第二终端创建密钥key2(公钥)、key B(私钥),并将携带公钥key2的一认证信息(例如授权码或邀请码),发送至第三客户端。After that, the second terminal creates keys key2 (public key) and key B (private key), and sends an authentication information (eg, authorization code or invitation code) carrying the public key key2 to the third client.

第一终端通过从第三客户端获取的该认证信息,得到公钥key2。The first terminal obtains the public key key2 through the authentication information obtained from the third client.

步骤120:将第一密文信息发送至第二终端,以获取第二终端返回的access_token、对称密钥和相应对称加密算法。Step 120: Send the first ciphertext information to the second terminal to obtain the access_token, symmetric key and corresponding symmetric encryption algorithm returned by the second terminal.

在一示例中,当第一终端为客户端时,第一终端使用RSA非对称加密算法,用公钥key2加密认证信息(例如auth_key)和client-UUID(终端统一唯一识别码),得到第一密文信息,并将该第一密文信息发送至第二终端处。In an example, when the first terminal is a client, the first terminal uses the RSA asymmetric encryption algorithm, encrypts the authentication information (for example, auth_key) and the client-UUID (terminal unified unique identification code) with the public key key2, and obtains the first ciphertext information, and send the first ciphertext information to the second terminal.

第二终端收到第一密文信息后,生成access_token,其中access_token中包含由公钥key2加密的所述对称密钥,并返回访问凭证access_token、公钥key1加密的对称密钥和AES(Advanced Encryption Standard)对称加密的算法信息,据此两端建立相互连接访问信任关系。After receiving the first ciphertext information, the second terminal generates an access_token, wherein the access_token contains the symmetric key encrypted by the public key key2, and returns the access credential access_token, the symmetric key encrypted by the public key key1, and AES (Advanced Encryption Standard) symmetric encryption algorithm information, according to which the two ends establish a mutual connection and access trust relationship.

在另一示例中,当第一终端为除客户端外的其他终端形式时,第一终端会生成一组临时对称密钥,并使用公钥key2加密该组临时对称密钥和授权码/邀请码发送至第二终端。In another example, when the first terminal is in the form of a terminal other than a client, the first terminal will generate a set of temporary symmetric keys, and use the public key key2 to encrypt the set of temporary symmetric keys and the authorization code/invitation code to the second terminal.

第二终端验证其身份后生成访问凭证access_token,其中access_token中包含由公钥key2加密的所述对称密钥,并在可信环境下,将access_token、对称密钥和对称加密算法信息返回至第一终端,据此两端建立相互连接访问信任关系。The second terminal generates an access credential access_token after verifying its identity, wherein the access_token contains the symmetric key encrypted by the public key key2, and returns the access_token, symmetric key and symmetric encryption algorithm information to the first terminal in a trusted environment The terminal, according to which the two ends establish a mutual connection and access trust relationship.

在上述的两个示例中,对称加密算法信息用于后续数据传输时第一终端解密时使用的算法信息,包括该算法的公式信息等基本内容;可选地,该对称算法信息可以为AES(Advanced EncryptionStandard)、DES(Data Encryption Standard)等。In the above two examples, the symmetric encryption algorithm information is used for the algorithm information used when the first terminal decrypts the subsequent data transmission, including basic content such as formula information of the algorithm; optionally, the symmetric algorithm information may be AES ( Advanced Encryption Standard), DES (Data Encryption Standard), etc.

步骤130:将access_token与第二密文信息发送至第二终端,以获取第二终端返回的第三密文信息。Step 130: Send the access_token and the second ciphertext information to the second terminal to obtain the third ciphertext information returned by the second terminal.

经过步骤110-120后,第一终端与第二终端已建立相互信任关系,此时,第一终端可以凭借已获取到的access_token可以与对应的第二终端进行数据传输,具体包括:After steps 110-120, the first terminal and the second terminal have established a mutual trust relationship. At this time, the first terminal can perform data transmission with the corresponding second terminal by virtue of the obtained access_token, which specifically includes:

步骤1301:第一终端使用对称密钥加密的数据请求信息,得到第二密文信息,并将access_token与第二密文信息发送至第二终端;Step 1301: the first terminal uses the data request information encrypted by the symmetric key to obtain the second ciphertext information, and sends the access_token and the second ciphertext information to the second terminal;

步骤1302:第二终端接收access_token和第二密文信息后,验证access_token和该access_token中包含的第一终端身份信息,以判断第一终端的身份;Step 1302: After receiving the access_token and the second ciphertext information, the second terminal verifies the access_token and the identity information of the first terminal contained in the access_token to determine the identity of the first terminal;

步骤1303:验证通过后,使用私钥keyB解密access_token,以获取对称密钥;Step 1303: After the verification is passed, use the private key keyB to decrypt the access_token to obtain the symmetric key;

步骤1304:使用对称密钥解密第一密文信息,得到数据请求信息;Step 1304: Decrypt the first ciphertext information using the symmetric key to obtain data request information;

步骤1305:生成数据请求信息的数据响应信息;Step 1305: Generate data response information of the data request information;

步骤1306:使用对称密钥加密数据响应信息,生成并向第一终端第三密文信息。Step 1306: Use the symmetric key to encrypt the data response information, and generate third ciphertext information to the first terminal.

步骤140:使用对称密钥和相应对称加密算法解密第三密文信息,得到数据响应信息。Step 140: Decrypt the third ciphertext information using the symmetric key and the corresponding symmetric encryption algorithm to obtain data response information.

第一终端收到第三密文后,使用对称密钥和相应对称加密算法解密第三密文信息,从而得到第二终端生成的数据相应信息。After receiving the third ciphertext, the first terminal decrypts the third ciphertext information by using the symmetric key and the corresponding symmetric encryption algorithm, thereby obtaining the corresponding information of the data generated by the second terminal.

以上所述仅为本发明的较佳实施方式而已,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included in the present invention. within the scope of protection.

Claims (10)

1. A communication method of end-to-end encryption is applied to a first terminal, and the steps comprise:
under a trusted environment, acquiring a public key2 and authentication information of the second terminal;
sending the first ciphertext information to the second terminal to obtain an access _ token, a symmetric key and a corresponding symmetric encryption algorithm returned by the second terminal, wherein the first ciphertext information comprises: the authentication information encrypted using the public key2, the access token having the symmetric key therein encrypted by a public key 2;
sending the access _ token and the second ciphertext information to the second terminal to obtain third ciphertext information returned by the second terminal, wherein the second ciphertext information comprises: data request information encrypted by using the symmetric key, wherein the third ciphertext information is obtained based on the second ciphertext information and the symmetric key included in the access _ token and encrypted by using the public key2, and the third ciphertext information comprises: encrypted data response information;
and decrypting the third ciphertext information by using the symmetric key and a corresponding symmetric encryption algorithm to obtain the data response information.
2. The method of claim 1, wherein the first terminal comprises: client, PC end or Web end.
3. The method as claimed in claim 2, wherein when the first terminal is a client, the obtaining 2 the public key and the authentication information of the second terminal includes:
creating a public and private key pair;
and sending the public key1 in the public and private key pair and the identity information of the first terminal to the second client so as to obtain a public key2 and authentication information of the second terminal.
4. The method of claim 3, wherein when the first terminal is a client, the obtaining of the access _ token, the symmetric key and the corresponding symmetric encryption algorithm returned by the second terminal comprises:
sending the first ciphertext information to a second terminal, where the first ciphertext information further includes: the first terminal uniform unique identification code encrypted by using the public key 2;
obtaining access _ token and fourth ciphertext information, wherein the fourth ciphertext information comprises: a symmetric key and corresponding symmetric encryption algorithm encrypted using public key 1;
and decoding the fourth ciphertext information by using the private key A to obtain a symmetric key and a corresponding symmetric encryption algorithm.
5. The method as claimed in claim 2, wherein when the first terminal is a PC terminal or a Web terminal, the obtaining the public key2 and the authentication information of the second terminal includes:
establishing connection with a third client, wherein the third client and the second terminal establish a trust relationship;
and receiving authentication information sent by the third client, wherein the authentication information is an authorization code or an invitation code generated by the second terminal, and the authorization code or the invitation code includes the public key 2.
6. The method of claim 5, wherein when the first terminal is a PC terminal or a Web terminal, the obtaining of the access _ token, the symmetric key and the corresponding symmetric encryption algorithm returned by the second terminal comprises:
generating a set of temporary symmetric keys;
under the trusted environment, the first ciphertext information is sent to the third client, so that the second terminal generates an access _ token based on the first ciphertext information sent by the third client and the identification information of the first terminal, and sends the access _ token, the symmetric key and the corresponding symmetric encryption algorithm to the first terminal, wherein the first ciphertext information further comprises: the temporary symmetric key encrypted using the public key 2.
7. The method of claim 1, wherein the third ciphertext information is derived based on the second ciphertext information and the symmetric key included in the access token that is encrypted by a public key 2:
verifying the first terminal identity information in the access _ token;
decrypting the symmetric key encrypted by the public key2 in the authenticated access _ token by using a private key keyB corresponding to the public key 2;
decrypting the second ciphertext information using the symmetric key to obtain the data request information;
obtaining data response information based on the data request information;
and encrypting the data response information by using the symmetric key and the corresponding symmetric encryption algorithm to generate third ciphertext information.
8. A storage medium having a computer program stored thereon, wherein the computer program is arranged to, when executed, perform the method of any of claims 1-6.
9. A terminal, characterized in that it comprises a memory in which a computer program is stored and a processor arranged to run the computer program to perform the method according to any of claims 1-6.
10. A communication system for end-to-end encryption comprises a first terminal and a second terminal,
the first terminal is used for acquiring a public key2 and authentication information of the second terminal in a trusted environment; sending the first ciphertext information to the second terminal to obtain an access _ token, a symmetric key and a corresponding symmetric encryption algorithm returned by the second terminal, wherein the first ciphertext information comprises: the authentication information encrypted using the public key2, the access token having the symmetric key therein encrypted by a public key 2; sending the access _ token and the second ciphertext information to the second terminal to obtain third ciphertext information returned by the second terminal, wherein the second ciphertext information comprises: data request information encrypted using the symmetric key; decrypting the third ciphertext information using the symmetric key and a corresponding symmetric encryption algorithm to obtain the data response information;
the second terminal is used for generating a public and private key pair; obtaining an access _ token, a symmetric key and a corresponding symmetric encryption algorithm according to the first ciphertext information; and obtaining the third ciphertext information based on the second ciphertext information and the symmetric key encrypted by the public key2 contained in the access _ token.
CN202210193962.8A 2022-03-01 2022-03-01 Communication method and system for end-to-end encryption Active CN114531235B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210193962.8A CN114531235B (en) 2022-03-01 2022-03-01 Communication method and system for end-to-end encryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210193962.8A CN114531235B (en) 2022-03-01 2022-03-01 Communication method and system for end-to-end encryption

Publications (2)

Publication Number Publication Date
CN114531235A true CN114531235A (en) 2022-05-24
CN114531235B CN114531235B (en) 2023-06-13

Family

ID=81626135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210193962.8A Active CN114531235B (en) 2022-03-01 2022-03-01 Communication method and system for end-to-end encryption

Country Status (1)

Country Link
CN (1) CN114531235B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506470A (en) * 2016-10-31 2017-03-15 大唐高鸿信安(浙江)信息科技有限公司 network data security transmission method
US20170208045A1 (en) * 2014-09-24 2017-07-20 Samsung Electronics Co., Ltd. Method, apparatus and system for secure data communication
CN108809936A (en) * 2018-04-20 2018-11-13 山东大学 A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm
US20200059470A1 (en) * 2012-02-02 2020-02-20 Josiah Johnson Umezurike Industrial internet encryption system
CN111193695A (en) * 2019-07-26 2020-05-22 腾讯科技(深圳)有限公司 Encryption method and device for third party account login and storage medium
CN111556025A (en) * 2020-04-02 2020-08-18 深圳壹账通智能科技有限公司 Data transmission method, system and computer equipment based on encryption and decryption operations
CN113225352A (en) * 2021-05-28 2021-08-06 国网绿色能源有限公司 Data transmission method and device, electronic equipment and storage medium
CN113489585A (en) * 2021-07-02 2021-10-08 北京明朝万达科技股份有限公司 Identity authentication method and system of terminal equipment, storage medium and electronic equipment

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200059470A1 (en) * 2012-02-02 2020-02-20 Josiah Johnson Umezurike Industrial internet encryption system
US20170208045A1 (en) * 2014-09-24 2017-07-20 Samsung Electronics Co., Ltd. Method, apparatus and system for secure data communication
CN106506470A (en) * 2016-10-31 2017-03-15 大唐高鸿信安(浙江)信息科技有限公司 network data security transmission method
CN108809936A (en) * 2018-04-20 2018-11-13 山东大学 A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm
CN111193695A (en) * 2019-07-26 2020-05-22 腾讯科技(深圳)有限公司 Encryption method and device for third party account login and storage medium
CN111556025A (en) * 2020-04-02 2020-08-18 深圳壹账通智能科技有限公司 Data transmission method, system and computer equipment based on encryption and decryption operations
CN113225352A (en) * 2021-05-28 2021-08-06 国网绿色能源有限公司 Data transmission method and device, electronic equipment and storage medium
CN113489585A (en) * 2021-07-02 2021-10-08 北京明朝万达科技股份有限公司 Identity authentication method and system of terminal equipment, storage medium and electronic equipment

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
LAI X: "International Data Encryption Algorithm", HEPATOLOGY *
任一新;: "网络信息安全中加密算法及应用研究", 中国信息化, no. 11 *
奚宇航;黄一平;苏检德;王淑沛;: "基于国密算法的即时通信加密软件系统的设计与实现", 计算机应用与软件, no. 06 *
孙建伟;樊柯辛;张守晨;: "智能燃气系统中的通信加密方法", 计算机系统应用, no. 06 *
濮琳;罗伟凡;夏喜林;王博;: "一种混合型数据传输加密技术研究", 信息技术与标准化, no. 11 *

Also Published As

Publication number Publication date
CN114531235B (en) 2023-06-13

Similar Documents

Publication Publication Date Title
US7379551B2 (en) Method and system for recovering password protected private data via a communication network without exposing the private data
KR101054970B1 (en) A system, apparatus, method, and computer readable recording medium for authenticating a communication party using an electronic certificate containing personal information
US9819666B2 (en) Pass-thru for client authentication
CN100574184C (en) Method and apparatus for establishing a security context for communicating messages between computer systems
US9847882B2 (en) Multiple factor authentication in an identity certificate service
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US10554393B2 (en) Universal secure messaging for cryptographic modules
JP4617763B2 (en) Device authentication system, device authentication server, terminal device, device authentication method, and device authentication program
US6993652B2 (en) Method and system for providing client privacy when requesting content from a public server
US7139918B2 (en) Multiple secure socket layer keyfiles for client login support
US20020038420A1 (en) Method for efficient public key based certification for mobile and desktop environments
TW200402981A (en) Methods for remotely changing a communications password
CN113726523B (en) Multiple identity authentication method and device based on Cookie and DR identity cryptosystem
CN110519304A (en) HTTPS mutual authentication method based on TEE
CN104767766B (en) Web Service interface verification method, Web Service server and client
CN103312671B (en) Method and system for verifying server
CN114531235A (en) End-to-end encrypted communication method and system
JP2003224562A (en) Personal authentication system and program
WO2020037958A1 (en) Gba-based client registration and key sharing method, device, and system
CN116684169A (en) Application layer data security transmission method and system based on network identity
Rao A Fixed Network Transmission Based on Kerberos Authentication Protocol
CHOUHAN et al. Privacy Preservation and Data Security on Internet Using Mutual SSL
WO2005055516A1 (en) Method and apparatus for data certification by a plurality of users using a single key pair
Babu et al. Risk assessment mitigation of Kerberos protocol using public key cryptography
TW202110129A (en) Client verification system and its verification method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant