
CN118101298A - Data encryption transmission method, device, computer equipment, medium and program product - Google Patents


Info

Publication number: CN118101298A
Authority: CN (China)
Prior art keywords: key, application, security, data, ciphertext
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202410293802.XA
Other languages: Chinese (zh)
Other versions: CN118101298B (en)
Inventors: 陈培安, 黄宜婕, 吕振林, 董晓龙, 曹蕾, 杨境, 聂德印
Current assignee: Beijing Digital Soft Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Digital Soft Technology Co ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events:
Application filed by Beijing Digital Soft Technology Co ltd
Priority to CN202410293802.XA
Publication of CN118101298A
Application granted
Publication of CN118101298B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/40 Network security protocols
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to the field of distributed data management technology and discloses a data encryption transmission method, device, computer equipment, medium and program product. The method comprises: receiving a ciphertext to be decrypted sent by a first application; parsing the protocol header according to a preset ciphertext transmission protocol and sending the parsed protocol header to a security center, so that the security center decrypts the first original key in the protocol header with its own private key, encrypts the first original key with a first device public key, and returns the encrypted first original key; decrypting the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key; and decrypting the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data, which is transmitted to the first application. This realizes key negotiation and exchange, increases the difficulty of breaking the key, and ensures the security and reliability of data transmission in a distributed management system.

Description

Data encryption transmission method, device, computer equipment, medium and program product

Technical Field

The present application relates to the field of distributed data management technology, and specifically to a data encryption transmission method, device, computer equipment, medium and program product.

Background

As the artery of modern transportation, the highway industry carries the important mission of connecting cities and promoting economic development. The industry uses a distributed management system to manage the data of each management level, and the transmission and sharing of data from the toll station management level to the road section management level, the provincial management level and/or the national management level is critical.

Existing data encryption transmission methods often lack unified standards and specifications: different management levels and application systems may use different encryption techniques and standards, so an error at any one link can break the entire data transmission chain and endanger the security of the whole system. Moreover, the keys used in existing data encryption transmission methods are easily tampered with or intercepted by a third party, which affects the security and reliability of data across the highway industry.

Therefore, how to ensure the security and reliability of data transmission in a distributed management system is a technical problem that urgently needs to be solved.

Summary of the invention

In view of this, the present application provides a data encryption transmission method, apparatus, computer equipment, medium and program product to solve the problem of how to ensure the security and reliability of data transmission in a distributed management system.

In a first aspect, the present application provides a data encryption transmission method applied to a distributed data security system that comprises a security center and a plurality of security devices. The method is executed by a first security device and comprises:

receiving a ciphertext to be decrypted sent by a first application, where the ciphertext to be decrypted is a ciphertext sent by a second application to the first application and comprises a protocol header and encrypted data, the first security device is any one of the plurality of security devices, the first application is an application bound to the first security device, and the second application is an application bound to any security device among the plurality of security devices other than the first security device;

parsing the protocol header according to a preset ciphertext transmission protocol and sending the parsed protocol header to the security center, so that the security center decrypts the first original key in the protocol header with its own private key, encrypts the first original key with a first device public key, and returns the encrypted first original key, where the first device public key is a public key generated by the first security device and the first original key is a symmetric key generated by the security device corresponding to the second application;

decrypting the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key;

decrypting the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data, and transmitting the plaintext data to the first application.

In the above technical solution, after the security device corresponding to the first application parses the protocol header out of the ciphertext to be decrypted according to the preset ciphertext transmission protocol, the security center decrypts the first original key in the protocol header with its own private key, encrypts the decrypted first original key with the first device public key, and returns the encrypted first original key to that security device. The original key is therefore encrypted both when it travels from the application side and when it travels from the security center side to the security device, and the public key under which it is encrypted changes as it passes through the security center. This realizes key negotiation and exchange during encrypted data transmission, increases the difficulty of breaking the key, and thus ensures the security and reliability of data transmission in the distributed management system. In addition, after receiving the encrypted first original key and decrypting it into the first original key, the security device decrypts the encrypted data in the ciphertext to be decrypted according to the preset ciphertext transmission protocol and transmits the resulting plaintext data to the first application. This completes the encrypted data transmission between the first application and the second application, while the preset ciphertext transmission protocol stipulates the standards and specifications for data transmission, improving the robustness of the whole data transmission chain and thus ensuring the security and reliability of data transmission in the distributed management system.

In some optional implementations, parsing the protocol header according to the preset ciphertext transmission protocol comprises:

determining, according to pre-acquired access relationship configuration information, whether an access relationship exists between the second application and the first application;

if an access relationship exists, searching the ciphertext to be decrypted for the address that matches the preset protocol header address in the preset ciphertext transmission protocol, and taking the content recorded at the found address as the protocol header;

if no access relationship exists, determining that protocol header parsing has failed and ending the data encryption transmission flow.

Specifically, the access relationships between the applications in the system that need to exchange data are restricted, so that a security device can only parse ciphertext sent by applications that are bound to it and that have an access relationship. This prevents the security device from parsing ciphertext sent by every application bound to it and thereby leaking important data.

In some optional implementations, the method further comprises:

receiving plaintext data to be sent from a third application, where the third application is any application bound to the first security device;

encrypting the plaintext data to be sent with a pre-generated second original key to obtain encrypted data to be sent;

encrypting the second original key with the public key of the security center to obtain an encrypted key;

assembling the encrypted data to be sent and the encrypted key into a ciphertext according to the preset ciphertext transmission protocol;

sending the ciphertext to the third application, so that the third application transmits the assembled ciphertext to other applications as a ciphertext to be decrypted.

Specifically, when an application needs to send data to other applications, it sends the plaintext data to the security device to which it is bound. The security device encrypts the plaintext data with an original key it generated itself, encrypts that original key with the public key of the security center, assembles the encrypted plaintext data and the encrypted original key into a ciphertext according to the preset ciphertext transmission protocol, and returns the ciphertext to the application so that the application can send it. In this way the encryption work is concentrated in the security device: encrypted transmission is achieved while the computing resources of the device hosting the application are left free for other tasks, which improves business processing efficiency. Moreover, the original key generated by the security device is a symmetric key, whereas the public key of the security center is an asymmetric key, so the data is doubly protected by combining symmetric and asymmetric encryption; this increases the difficulty of breaking the data and thus ensures the security and reliability of data transmission.

In some optional embodiments, before sending the plaintext data to the first application, the method further comprises:

generating a first signature to be verified based on the plaintext data;

sending the first signature to be verified to the first application, so that the first application verifies the legality and validity of the plaintext data based on the first signature to be verified.

In a second aspect, the present application provides a data encryption transmission method applied to a distributed data security system that comprises a security center and a plurality of security devices. The method is executed by the security center and comprises:

receiving the protocol header of a ciphertext to be decrypted sent by a first security device, and parsing a first key from the protocol header, where the first key is a first original key encrypted with the public key of the security center, the first original key is a symmetric key generated by the security device corresponding to a second application, the second application is the application that sends the ciphertext to be decrypted to a first application, the first application is an application bound to the first security device, the first security device is any one of the plurality of security devices, and the ciphertext to be decrypted comprises the protocol header and encrypted data;

decrypting the first key with its own private key to obtain the first original key;

encrypting the first original key with a first device public key uploaded by the first security device, and sending the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data with the first original key to obtain plaintext data, and transmits the plaintext data to the first application.

In a third aspect, the present application provides a distributed data security system comprising a security center, a first security device and a second security device, where the first security device is bound to a first application and the second security device is bound to a second application;

the first application is configured to send a received ciphertext to be decrypted to the first security device;

the first security device is configured to parse the protocol header of the ciphertext to be decrypted according to a preset ciphertext transmission protocol, send the parsed protocol header to the security center, receive the encrypted first original key sent by the security center, decrypt the encrypted first original key with its own device private key to obtain the first original key, decrypt the encrypted data with the first original key to obtain plaintext data, and transmit the plaintext data to the first application; and to send a pre-generated first device public key to the security center; the first original key is a symmetric key generated by the second security device, and the ciphertext to be decrypted comprises the protocol header and the encrypted data;

the second security device is configured to encrypt the first original key with the public key of the security center to obtain a first key, encrypt the plaintext data sent by the second application with the first original key to obtain the encrypted data, assemble the encrypted data and the first key into the ciphertext to be decrypted according to the preset ciphertext transmission protocol, and send the ciphertext to be decrypted to the second application;

the second application is configured to send the ciphertext to be decrypted to the first application and to send the plaintext data to the second security device;

the security center is configured to decrypt the first key in the protocol header into the first original key with its own private key, encrypt the first original key with the first device public key, send the encrypted first original key to the first security device, and send its own public key to the second security device.

In a fourth aspect, the present application provides a data encryption transmission apparatus applied to a distributed data security system that comprises a security center and a plurality of security devices. The apparatus is executed by a first security device and comprises:

a first receiving module configured to receive a ciphertext to be decrypted sent by a first application, where the ciphertext to be decrypted is a ciphertext sent by a second application to the first application and comprises a protocol header and encrypted data, the first security device is any one of the plurality of security devices, the first application is an application bound to the first security device, and the second application is an application bound to any security device among the plurality of security devices other than the first security device;

a parsing module configured to parse the protocol header according to a preset ciphertext transmission protocol and send the parsed protocol header to the security center, so that the security center decrypts the first original key in the protocol header with its own private key, encrypts the first original key with a first device public key, and returns the encrypted first original key, where the first device public key is a public key generated by the first security device and the first original key is a symmetric key generated by the security device corresponding to the second application;

a first decryption module configured to decrypt the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key;

a second decryption module configured to decrypt the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data, and to transmit the plaintext data to the first application.

In a fifth aspect, the present application provides a data encryption transmission apparatus applied to a distributed data security system that comprises a security center and a plurality of security devices. The apparatus is executed by the security center and comprises:

a second receiving module configured to receive the protocol header of a ciphertext to be decrypted sent by a first security device and to parse a first key from the protocol header, where the first key is a first original key encrypted with the public key of the security center, the first original key is a symmetric key generated by the security device corresponding to a second application, the second application is the application that sends the ciphertext to be decrypted to a first application, the first application is an application bound to the first security device, the first security device is any one of the plurality of security devices, and the ciphertext to be decrypted comprises the protocol header and encrypted data;

a third decryption module configured to decrypt the first key with the security center's own private key to obtain the first original key;

an encryption module configured to encrypt the first original key with a first device public key uploaded by the first security device and to send the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data with the first original key to obtain plaintext data, and transmits the plaintext data to the first application.

In a sixth aspect, the present application provides a computer device comprising a memory and a processor communicatively connected to each other, where the memory stores computer instructions and the processor, by executing the computer instructions, performs the data encryption transmission method of any embodiment of the first or second aspect above.

In a seventh aspect, the present application provides a computer-readable storage medium storing computer instructions that cause a computer to perform the data encryption transmission method of any embodiment of the first or second aspect above.

In an eighth aspect, the present application provides a computer program product comprising computer instructions that cause a computer to perform the data encryption transmission method of any embodiment of the first or second aspect above.

Brief description of the drawings

In order to illustrate more clearly the specific embodiments of the present application or the technical solutions in the prior art, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application; a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic structural diagram of a distributed data security system according to an embodiment of the present application;

FIG. 2 is a schematic flow chart of a data encryption transmission method according to an embodiment of the present application;

FIG. 3 is a schematic flow chart of a further data encryption transmission method according to an embodiment of the present application;

FIG. 4 is a schematic flow chart of yet another data encryption transmission method according to an embodiment of the present application;

FIG. 5 is a schematic flow chart of another data encryption transmission method according to an embodiment of the present application;

FIG. 6 is a sequence diagram of encrypted data transmission in an application scenario;

FIG. 7 is a structural block diagram of a data encryption transmission apparatus according to an embodiment of the present application;

FIG. 8 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present application.

具体实施方式Detailed ways

为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solution and advantages of the embodiments of the present application clearer, the technical solution in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those skilled in the art without creative work are within the scope of protection of the present application.

高速公路行业,是指以高速公路为资产,向社会提供高效、快捷、舒适、经济、安全的通行服务的经济活动的集合,总体上包括建设、经营、养护三大环节,各环节又包含许多经济活动,如建设环节包括线路建设、沿线林木种植等,经营环节包括道路运输、服务区其他服务提供等。The highway industry refers to a collection of economic activities that use highways as assets to provide society with efficient, fast, comfortable, economical and safe travel services. It generally includes three major links: construction, operation and maintenance. Each link contains many economic activities. For example, the construction link includes line construction, tree planting along the line, etc., and the operation link includes road transportation and provision of other services in service areas.

The operation and management structure of the highway industry is usually hierarchical, divided mainly into the ministry center (national management level), the provincial centers (provincial management level) and the toll stations and gantries (toll station and road section management levels). The ministry center is the industry's center and is well placed to take on the functions of the application security center, forming the industry's trusted center. Data in the highway industry flows from lower to higher levels, from the toll stations up to the provincial and ministry centers, and information events are also published from the provincial and ministry centers down to the highway gantries.

To keep data secure while the highway industry continues to operate normally, data must be encrypted when it is shared and transmitted between the management levels. At present, however, there is no unified data encryption transmission system suited to highway industry applications that guarantees the security and reliability of data transmission.

To solve the above problem, an embodiment of the present application proposes a data encryption transmission method applied to a distributed data security system. A security device parses the ciphertext to be decrypted that its bound application received from another application and sends the parsed protocol header, which contains the encrypted original key, to the security center; the security center decrypts the encrypted original key and re-encrypts it, so that key negotiation and exchange takes place between the different security devices corresponding to the different applications. This makes the key harder to recover and protects the security of data transmission. A preset ciphertext transmission protocol is also defined to unify the transmission specifications and standards for ciphertext during data encryption transmission, so that only ciphertext that complies with the preset ciphertext transmission protocol can be parsed by a security device, which protects the reliability of data transmission. The data encryption transmission method and the distributed data security system proposed in the present application are described in detail below.

FIG. 1 is a structural diagram of a distributed data security system according to an embodiment of the present application. As shown in FIG. 1, the system includes a security center, a first security device and a second security device. The first security device is bound to a first application, and the second security device is bound to a second application.

The security center is communicatively connected to the first security device and to the second security device. The first security device and the second security device belong to different local area networks, shown in FIG. 1 as local area network 1 and local area network 2. The first application and the second application are two different application programs in the distributed data security system, and an access relationship is configured between them, that is, the first application and the second application are permitted to exchange data. The security center is a third-party security authentication platform, for example the road network business smart security center in the highway industry. The first security device and the second security device may be computer devices with data transmission and parsing functions, such as servers, desktop computers or laptops. It will be understood that both the first security device and the second security device may be bound to multiple applications.

With reference to the schematic flow chart of a data encryption transmission method shown in FIG. 2, the first application is configured to send the ciphertext to be decrypted that it receives to the first security device.

The first security device is configured to parse the protocol header in the ciphertext to be decrypted according to the preset ciphertext transmission protocol, send the parsed protocol header to the security center, receive the encrypted first original key sent by the security center, decrypt the encrypted first original key with its own device private key to obtain the first original key, decrypt the encrypted data with the first original key to obtain the plaintext data, and transmit the plaintext data to the first application; it is also configured to send its pre-generated first device public key to the security center. The first original key is a symmetric key generated by the second security device, and the ciphertext to be decrypted includes the protocol header and the encrypted data.

The second security device is configured to encrypt the first original key with the public key of the security center to obtain the first key, encrypt the plaintext data sent by the second application with the first original key to obtain the encrypted data, assemble the encrypted data and the first key into the ciphertext to be decrypted according to the preset ciphertext transmission protocol, and send the ciphertext to be decrypted to the second application.

The second application is configured to send the ciphertext to be decrypted to the first application and to send the plaintext data to the second security device.

The security center is configured to decrypt the first key in the protocol header into the first original key with its own private key, encrypt the first original key with the first device public key, send the encrypted first original key to the first security device, and send its own public key to the second security device.

Optionally, the system may include more than two security devices, all communicatively connected to the security center, and each security device may be bound to multiple applications. The first security device is any one of the security devices, the first application is any one of the applications bound to the first security device, and the second security device is the security device to which the second application is bound.

Optionally, to improve the security of the key exchange, the security center is further configured to respond to an online instruction from a target security device by parsing the identity verification information of the target security device carried in the online instruction and authenticating the target security device on the basis of that information. If the target security device passes authentication, it is deemed to have come online at the security center; the security center sends its own public key to the target security device and receives the device public key uploaded by the target security device. If the target security device fails authentication, a prompt indicating the failed authentication is returned to a preset user terminal.

The preset user terminal may be an electronic device such as a mobile phone, tablet or computer communicatively connected to the security center; the embodiments of the present application do not restrict this. The identity verification information may be the device ID or device identifier of the security device. Security devices are authenticated at the security center, and only a security device that has passed authentication can exchange public keys with the security center, so that later the security center can re-encrypt the key from the protocol header under the device public key uploaded by the security device, and the security device can encrypt the original key under the public key of the security center, completing the key exchange between different security devices. For a security device that fails authentication, a prompt is returned to the preset user terminal so that the user can check it, which prevents devices that have not passed the security center's authentication from illicitly obtaining the data stored in the security center and improves the security of the key exchange.

It will be understood that both the first security device and the second security device have already come online at the security center.

Optionally, the security center is further configured to respond to a registration instruction for a target security device by parsing the identity verification information of the target security device in the registration instruction and recording it in a list of registered security devices, so that the target security device can subsequently come online.

Optionally, the second security device is further configured to transmit the first key to the security center so that the key is backed up there; if the second security device is attacked, the first key held in the security center can be used to recover the encrypted data, improving the system's data disaster recovery capability.

Optionally, the second security device is further configured to update the first original key periodically and use the updated key as the first original key, so that the original key is rotated on a schedule, strengthening key security and thereby improving the security and reliability of data encryption transmission.

Optionally, the security center, the security devices and the preset user terminal may communicate with each other by wire or wirelessly, using communication technologies such as 4G (fourth generation mobile communication technology) or 5G (fifth generation mobile communication technology).

Optionally, the first security device may generate a digital signature on the decrypted plaintext data and send it to the first application so that the first application can verify the legitimacy and validity of the plaintext data. The second security device may likewise generate a digital signature on the plaintext data and send it to the second application so that the second application can verify the legitimacy and validity of the ciphertext to be decrypted that was generated from the plaintext data.

In the distributed data security system of the embodiment of the present application, when data is transmitted from the second application to the first application, the second application first sends the plaintext data intended for the first application to the second security device. The second security device encrypts the plaintext data with the symmetric key it generated itself, namely the first original key, to obtain the encrypted data, encrypts the first original key with the public key of the security center to obtain the first key, and finally produces the ciphertext to be decrypted, consisting of the encrypted data and a protocol header containing the first key, which it returns to the second application. The second application can then send the encrypted ciphertext to the first application. The data to be transmitted is thus encrypted with both the symmetric key generated by the security device and the security center's asymmetric public key, and what the second application sends to the first application contains not only the encrypted data but also the encrypted symmetric key, which makes the data harder to recover and secures reliable data transmission in the distributed management system.

After the first application receives the ciphertext to be decrypted, it sends the ciphertext to the first security device, which parses and decrypts it. To decrypt the ciphertext, the first security device first sends the protocol header containing the first key to the security center; the security center decrypts the first key in the protocol header with its own private key, encrypts the decrypted first key, i.e. the first original key, with the first device public key uploaded by the first security device, and returns the encrypted first original key to the first security device, which decrypts the returned key with its own device private key and then decrypts the encrypted data. Key negotiation and exchange is thus completed at a third-party security center outside the security devices and the applications, supporting the subsequent decryption of the encrypted data and hence data encryption transmission. At the same time, if the first security device is attacked, only keys that have passed through the security center and been returned to that device can be recovered from it, while the remaining keys remain hard to recover, which reduces the amount of data that can be stolen in the distributed management system and further secures reliable data transmission.

A data encryption transmission method provided by the present application is described in detail below. It should be noted that the steps shown in the flow charts of the accompanying drawings may be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.

An embodiment of the present application provides a data encryption transmission method that can be used in the distributed data security system of the embodiment of FIG. 1, which includes a security center and multiple security devices; the method is executed by the first security device. FIG. 2 is a flow chart of a data encryption transmission method according to an embodiment of the present application. As shown in FIG. 2, the process includes the following steps:

Step S201: receive the ciphertext to be decrypted sent by the first application.

The ciphertext to be decrypted is the ciphertext sent by the second application to the first application and includes a protocol header and encrypted data. The first security device is any one of the multiple security devices, the first application is an application bound to the first security device, the second application is an application bound to any security device other than the first security device, and the security devices corresponding to the first and second applications belong to different local area networks. The security device bound to the second application is the second security device of the embodiment shown in FIG. 1. After receiving the ciphertext to be decrypted from the second application, the first application forwards it to the first security device, which thereby receives the ciphertext to be decrypted.

Step S202: parse the protocol header according to the preset ciphertext transmission protocol and send the parsed protocol header to the security center, so that the security center decrypts the first original key in the protocol header with its own private key, encrypts the first original key with the first device public key, and returns the encrypted first original key.

The first device public key is the public key generated by the first security device, the first original key is the symmetric key generated by the security device corresponding to the second application, and the protocol header contains the first original key encrypted with the public key of the security center. The first security device sends the first device public key to the security center in advance. The preset ciphertext transmission protocol specifies what the protocol header of a ciphertext must contain and the address range in the ciphertext where the protocol header is located, so the first security device can extract the content recorded in that address range from the ciphertext to be decrypted, take the extracted content as the protocol header, and send it to the security center.

After receiving the protocol header, the security center uses the preset asymmetric encryption algorithm and its own private key to decrypt the first original key in the protocol header, which was encrypted with the security center's public key, obtaining the first original key; it then uses the preset asymmetric encryption algorithm to encrypt the first original key with the first device public key and returns the encrypted first original key to the first security device. The preset asymmetric encryption algorithm is used to generate the security center's public and private keys and each security device's device public and private keys, and may be a national commercial cryptography (Guomi) algorithm for asymmetric encryption, such as SM2.

Step S203: decrypt the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key.

The first security device uses the preset asymmetric encryption algorithm and the device private key corresponding to the first device public key to decrypt the encrypted first original key, obtaining the first original key.

Step S204: decrypt the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain the plaintext data, and transmit the plaintext data to the first application.

The preset ciphertext transmission protocol specifies the address range in which the encrypted data must be located. The first security device extracts the content in that address range from the ciphertext to be decrypted as the encrypted data, decrypts it with the preset symmetric encryption algorithm and the first original key to obtain the plaintext data, and transmits the plaintext data to the first application, completing the data encryption transmission from the second application to the first application. The preset symmetric encryption algorithm may be a national commercial cryptography algorithm for symmetric encryption, for example SM1 or SM4.

It should be noted that the first security device cannot parse ciphertext that follows any other ciphertext transmission protocol; only encrypted data and a first original key encrypted with the security center's public key that have been assembled according to the preset ciphertext protocol can be parsed. Together with the key management system formed by the security center and the multiple security devices, this combines encrypted key negotiation and exchange with a private ciphertext transmission protocol, constraining data transmission along two technical dimensions. The approach suits the cryptographic retrofitting of information systems and data encryption transmission in industries with a distributed management structure, such as the highway industry, and improves the security and reliability of data transmission.

In the embodiment of the present application, after the security device corresponding to the first application parses the protocol header from the ciphertext to be decrypted according to the preset ciphertext transmission protocol, the security center decrypts the first original key in the protocol header with its own private key and encrypts the recovered first original key with the first device public key, returning the encrypted first original key to the security device. The original key is therefore encrypted both when it travels from the application side and when it travels from the security center side to the security device, and the public key under which it is encrypted changes as it passes through the security center. This realises key negotiation and exchange during data encryption transmission, makes the key harder to recover, and thus secures reliable data transmission in the distributed management system. In addition, after receiving the encrypted first original key and decrypting it into the first original key, the security device decrypts the encrypted data in the ciphertext to be decrypted according to the preset ciphertext transmission protocol and transmits the resulting plaintext data to the first application. This completes the data encryption transmission between the first and second applications, and, because the preset ciphertext transmission protocol prescribes the standards and specifications for data transmission, it also improves the robustness of the whole transmission chain, further securing reliable data transmission in the distributed management system.
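The flow of steps S201 to S204, together with the sending side of FIG. 1 and the security center's online check, as an added example that is not code from the patent: RSA-OAEP stands in for SM2, AES-GCM for SM4, and the fixed 256-byte header range, the device identifiers and all type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Assumed layout of the preset ciphertext transmission protocol: the header (the
// first original key wrapped under the center's public key, one RSA-OAEP block)
// fills the fixed address range [0, headerLen); nonce || AES-GCM output follows.
const rsaBits, headerLen, nonceLen = 2048, 256, 12

// SecurityDevice holds a device key pair; RSA-OAEP stands in for SM2.
type SecurityDevice struct{ priv *rsa.PrivateKey }

func NewSecurityDevice() *SecurityDevice {
	k, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		panic(err)
	}
	return &SecurityDevice{priv: k}
}

// SecurityCenter also keeps the public keys of devices that came online after
// identity verification; only those may ask for a key to be rewrapped.
type SecurityCenter struct {
	*SecurityDevice
	online map[string]*rsa.PublicKey
}

func NewSecurityCenter(online map[string]*rsa.PublicKey) *SecurityCenter {
	return &SecurityCenter{NewSecurityDevice(), online}
}

// Rewrap decrypts the first key with the center's private key and re-encrypts
// the first original key under the requesting device's public key.
func (c *SecurityCenter) Rewrap(id string, header []byte) ([]byte, error) {
	devPub, ok := c.online[id]
	if !ok {
		return nil, errors.New("requesting device is not online at the security center")
	}
	origKey, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, header, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, origKey, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sending (second) device: generate the first original key, encrypt
// the plaintext with it (AES-GCM stands in for SM4), wrap the key under the
// center's public key to obtain the first key, and assemble header || data.
func (d *SecurityDevice) Seal(center *SecurityCenter, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 16+nonceLen) // first original key || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	origKey, nonce := buf[:16], buf[16:]
	firstKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &center.priv.PublicKey, origKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(origKey)
	if err != nil {
		return nil, err
	}
	return append(firstKey, gcm.Seal(nonce, nonce, plaintext, nil)...), nil
}

// Open is the receiving (first) device: take the header from its fixed range, have
// the center rewrap it, unwrap with the device private key and decrypt the data.
func (d *SecurityDevice) Open(center *SecurityCenter, id string, ct []byte) ([]byte, error) {
	if len(ct) < headerLen+nonceLen+16 { // anything outside the preset layout is rejected, not parsed
		return nil, errors.New("ciphertext does not follow the preset transmission protocol")
	}
	rewrapped, err := center.Rewrap(id, ct[:headerLen])
	if err != nil {
		return nil, err
	}
	origKey, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, rewrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(origKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[headerLen:headerLen+nonceLen], ct[headerLen+nonceLen:], nil)
}
```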

FIG. 3 is a schematic flow chart of yet another data encryption transmission method according to an embodiment of the present application, which can be used in the distributed data security system of the embodiment shown in FIG. 1; the system includes a security center and multiple security devices, and the method is executed by the first security device. As shown in FIG. 3, the process includes the following steps:

Step S301: receive the ciphertext to be decrypted sent by the first application.

For details of step S301, refer to step S201 of the embodiment shown in FIG. 2; they are not repeated here.

Step S302: determine, according to pre-acquired access relationship configuration information, whether an access relationship exists between the second application and the first application.

The access relationship configuration information indicates whether data may be exchanged between the applications in the distributed data security system; if it records no access relationship between two applications, those two applications cannot transmit data to each other. The access relationship configuration information consists of application identifier pairs, each of which indicates two applications that have an access relationship, and it may be pre-configured in each security device. When the second application sends the ciphertext to be decrypted to the first application, it also sends its own application identifier (hereinafter the second application identifier); the first application sends its own application identifier together with the second application identifier to the first security device. The first security device looks up, in the access relationship configuration information, the application identifier pairs that contain the second application identifier and searches those pairs for the first application's identifier. If it is found, an access relationship exists between the second application and the first application; if not, no access relationship exists.

Step S303: if an access relationship exists, locate in the ciphertext to be decrypted the address that matches the preset protocol header address in the preset ciphertext transmission protocol, take the content recorded at that address as the protocol header, and proceed to step S304; if no access relationship exists, determine that parsing of the protocol header has failed and end the data encryption transmission process.

The preset protocol header address is the address range of the protocol header specified in the preset ciphertext transmission protocol.

Step S304: send the determined protocol header to the security center, so that the security center decrypts the first original key in the protocol header with its own private key, encrypts the first original key with the first device public key, and returns the encrypted first original key.

For details of step S304, refer to step S202 of the embodiment shown in FIG. 2; they are not repeated here.

Step S305: decrypt the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key.

Step S306: decrypt the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain the plaintext data.

For details of steps S304 to S306, refer to steps S202 to S204 of the embodiment shown in FIG. 2; they are not repeated here.

Step S307: generate a first signature to be verified on the basis of the plaintext data.

The first security device may generate a digital signature over the plaintext data using the preset asymmetric encryption algorithm and use the generated digital signature as the first signature to be verified.

Step S308: send the first signature to be verified to the first application and transmit the plaintext data to the first application, so that the first application verifies the legitimacy and validity of the plaintext data on the basis of the first signature to be verified.

The first application can verify the first signature to be verified using the preset asymmetric encryption algorithm and the received plaintext data. If verification passes, the first application confirms that the plaintext data is legitimate and valid; if verification fails, the received plaintext data is treated as invalid.

本申请实施例中,对系统中需进行数据传输的应用之间的访问关系做出限定,从而使安全设备仅能解析的其绑定的且具有访问关系的应用所发送的密文,避免安全设备对其绑定的所有应用发送的密文进行解析以泄露重要数据。并将待解密密文的解密操作设置在安全设备中,在安全设备向应用发送解密后的明文数据时,还将基于该明文数据生成的待验证签名发送至第一应用以确定明文数据的合法性以及有效性,避免应用接收到假冒伪造的设备发送的数据,并确定来自安全中心设备的数据是安全数据,有效降低数据被窃取的风险,进一步提高了数据传输的安全性与可靠性。In the embodiment of the present application, the access relationship between applications that need to transmit data in the system is limited, so that the security device can only parse the ciphertext sent by the application that is bound to it and has an access relationship, avoiding the security device from parsing the ciphertext sent by all the applications bound to it to leak important data. The decryption operation of the ciphertext to be decrypted is set in the security device. When the security device sends the decrypted plaintext data to the application, the signature to be verified generated based on the plaintext data is also sent to the first application to determine the legitimacy and validity of the plaintext data, avoiding the application from receiving data sent by a counterfeit and forged device, and determining that the data from the security center device is safe data, effectively reducing the risk of data theft, and further improving the security and reliability of data transmission.

图2以及图3介绍了分布式数据安全系统中的安全设备所绑定的应用接收到已加密的密文后对密文的具体解密操作,下面结合图4介绍分布式数据安全系统中安全设备所绑定的应用发送数据的具体方法。Figures 2 and 3 introduce the specific decryption operation of the ciphertext after the application bound to the security device in the distributed data security system receives the encrypted ciphertext. The following is combined with Figure 4 to introduce the specific method of sending data by the application bound to the security device in the distributed data security system.

FIG. 4 is a schematic flowchart of yet another data encryption transmission method according to an embodiment of the present application, which can be used in the distributed data security system of the embodiment shown in FIG. 1. The system includes a security center and multiple security devices, and the method is executed by the first security device. As shown in FIG. 4, the flow includes the following steps:

Step S401: receive plaintext data to be sent from a third application.

The third application is any application bound to the first security device. When the third application needs to send data to another application, it sends the plaintext data to be sent to the first security device.

Step S402: encrypt the plaintext data to be sent based on a pre-generated second original key to obtain encrypted data to be sent.

The second original key is a symmetric key generated by the first security device using the preset symmetric encryption algorithm. The first security device encrypts the plaintext data to be sent with the second original key using the preset symmetric encryption algorithm; the encrypted plaintext data is the encrypted data to be sent.

Optionally, to further strengthen the security of data transmission, the first security device may also update the second original key periodically. The first security device may also upload the second original key, encrypted for the security center, to the security center as a backup of the original key, which facilitates data disaster recovery.

Step S403: encrypt the second original key with the public key of the security center to obtain an encrypted key.

The public key of the security center may be configured in the first security device in advance. The first security device encrypts the second original key with the public key of the security center using the preset asymmetric encryption algorithm; the encrypted second original key is the encrypted key.

It should be understood that the first security device is a security device that is registered and online at the security center, and the public key of the security center can be pre-configured in each security device on the list of registered security devices.

Step S404: assemble the encrypted data to be sent and the encrypted key into a ciphertext according to the preset ciphertext transmission protocol.

Based on the contents that the protocol header must include as specified by the preset ciphertext transmission protocol, the address range of the protocol header within the ciphertext, and the address range of the encrypted data within the ciphertext, the first security device fills the encrypted data to be sent and the encrypted key into their corresponding positions to obtain the ciphertext.

Step S405: send the assembled ciphertext to the third application, so that the third application transmits the assembled ciphertext to other applications as a ciphertext to be decrypted.

Optionally, before step S405, the first security device may also generate a second signature to be verified based on the plaintext data to be sent and send it to the third application, so that the third application verifies the validity and legality of the ciphertext based on the second signature to be verified. The third application may verify the second signature to be verified based on the preset asymmetric algorithm and the plaintext data to be sent. If the verification passes, the third application determines that the received ciphertext contains encrypted data produced from legal and valid plaintext data, and hence that the received ciphertext is valid and legal. If the verification fails, the received ciphertext is determined to be invalid.

In the embodiment of the present application, when an application needs to send data to another application, it sends the plaintext data to the security device to which it is bound. That security device encrypts the plaintext data with an original key it generated itself and encrypts the original key with the public key of the security center. It then assembles the encrypted plaintext data and the encrypted original key into a ciphertext according to the preset ciphertext transmission protocol and returns the ciphertext to the application, which sends it on. In this way the data encryption work is concentrated in the security device: encrypted data transmission is achieved while the computing resources of the device hosting the application are conserved, leaving that device free to perform other tasks and thereby improving business processing efficiency. Moreover, the original key generated by the security device is a symmetric key, whereas the public key of the security center is an asymmetric key, so the data is doubly encrypted by combining symmetric and asymmetric encryption algorithms, which increases the difficulty of breaking the data and thereby ensures the security and reliability of data transmission.

FIG. 2 to FIG. 4 describe the specific operations on the security device side during data encryption transmission in the distributed data security system; the operations on the security center side are described next. Specifically, FIG. 5 is a schematic flowchart of another data encryption transmission method according to an embodiment of the present application, which can be used in the distributed data security system of the embodiment shown in FIG. 1. The system includes a security center and multiple security devices, and the method is executed by the security device. As shown in FIG. 5, the flow includes the following steps:

Step S501: receive the protocol header of the ciphertext to be decrypted from the first security device and parse a first key from the protocol header.

The first key is the first original key encrypted with the public key of the security center; the first original key is a symmetric key generated by the security device corresponding to the second application; the second application is the application that sends the ciphertext to be decrypted to the first application; the first application is an application bound to the first security device; the first security device is any one of the multiple security devices; and the ciphertext to be decrypted includes the protocol header and the encrypted data. The security device corresponding to the second application is the second security device in the embodiment shown in FIG. 1.

Step S502: decrypt the first key with the security center's own private key to obtain the first original key.

Step S503: encrypt the first original key with the first device public key uploaded by the first security device and send the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data with the first original key to obtain the plaintext data, and transmits the plaintext data to the first application.

For steps S501 to S503, refer to the processing performed by the security center as described in the embodiments shown in FIG. 2 to FIG. 4; it is not repeated here.

In one application scenario, data within the distributed management system of the highway industry is transmitted in encrypted form. Plaintext data transmitted between the applications of the various management levels of the distributed management system must be encrypted by security devices that are registered and online at the security center, with key negotiation and exchange completed through the security center. A security device generates its symmetric key and its asymmetric public and private keys (that is, the device public key and device private key), and can use the public key of the security center.

The specific data encryption transmission workflow may be as shown in FIG. 6, taking as an example: application A as the second application, application B as the first application, security device A as the second security device, security device B as the first security device, the road network business intelligent security center as the security center, public key PKA as the device public key of the second security device, public key PKB as the first device public key, symmetric key KEY1 as the first original key, the data information as the plaintext data, ciphertext A' as the ciphertext to be decrypted, public key PK as the public key of the security center, PK-encrypted KEY1 as the first original key encrypted with the public key of the security center (that is, the first key), PKB-encrypted KEY1 as the encrypted first original key, and ciphertext data A as the encrypted data.

Security device A and security device B are registered and online at the road network business intelligent security center, and an access relationship is configured between the applications bound to them, application A and application B. Security device A and security device B belong to different local area networks, and data needs to be transmitted between application A and application B.

Step ①: application A sends the data information to security device A. Security device A encrypts it with symmetric key KEY1 to form ciphertext data A, then encrypts KEY1 with public key PK; ciphertext data A and the PK-encrypted KEY1 are assembled into ciphertext A' according to the protocol (that protocol being the preset ciphertext transmission protocol).

Security device A also provides digest and signature functions using the national cryptographic (SM) algorithms (that is, the preset asymmetric encryption algorithm). It uses them to generate a signature over the content of the data information to be sent, which is used at the receiving end, that is, the application side, to verify the legality and validity of the content.

Step ②: security device A transmits ciphertext A' back to application A.

Step ③: application A transmits ciphertext A' to application B.

Step ④: application B transmits ciphertext A' to security device B.

Step ⑤: security device B parses ciphertext A' to obtain ciphertext data A and the protocol header, which contains the PK-encrypted KEY1. It sends the protocol header to the road network business intelligent security center, which decrypts the PK-encrypted KEY1 in the protocol header with its own private key to obtain KEY1.

Step ⑥: the road network business intelligent security center encrypts KEY1 with public key PKB and sends it to security device B. Security device B decrypts the PKB-encrypted KEY1 with its own private key to obtain KEY1, and then decrypts ciphertext data A with KEY1 to obtain the data information.

Step ⑦: security device B sends the decrypted data information to application B.

The encryption key is negotiated and exchanged through the road network business intelligent security center, which plays a vital role in the whole flow. Security device A also periodically updates the PK-encrypted KEY1 at the road network business intelligent security center. This realizes distributed management of highway-industry data transmission keys by combining symmetric and asymmetric encryption algorithms, and because the symmetric key is updated on a schedule, security is higher. A security device must register and go online at the security center for identity authentication, and only after authentication passes can it complete key exchange with other devices; a security device must be bound to applications and the access relationships between applications must be configured before an application can use the security device for encryption and decryption; and a ciphertext transmission protocol is defined, meaning that ciphertext data must be assembled according to the protocol before it can be parsed. A key management system of one security center and N security devices is built and a private ciphertext transmission protocol is designed; these two dimensions of technical constraint suit the SM cryptographic transformation of highway-industry applications and further improve the security assurance of data transmission.
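The FIG. 6 workflow above, as an added example that is not part of the patent: a Go model of one security center and two registered security devices in which the center re-wraps KEY1 from PK to PKB without ever returning it in clear, the receiving device refuses to parse the header unless an access relationship is configured, and the ciphertext is laid out as a fixed 256-byte header range followed by the encrypted data. AES-256-GCM, RSA-2048-OAEP, the header layout, the type and function names, and the omission of the signature step are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Assumed stand-ins for the patent's unnamed symmetric/asymmetric (SM) algorithms: AES-256-GCM
// for the data, RSA-2048-OAEP for KEY1. Header = fixed range [0, headerLen) holding PK-encrypted KEY1.
const headerLen, nonceLen = 256, 12

type SecurityCenter struct {
	priv       *rsa.PrivateKey           // counterpart of PK
	registered map[string]*rsa.PublicKey // device name -> uploaded device public key
}

type SecurityDevice struct {
	name      string
	priv      *rsa.PrivateKey    // device private key (counterpart of PKA / PKB)
	centerPub *rsa.PublicKey     // PK, pre-configured on every registered device
	access    map[[2]string]bool // configured access relationships {sender app, receiver app}
}

func NewCenter() (*SecurityCenter, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 8*headerLen)
	return &SecurityCenter{priv: priv, registered: map[string]*rsa.PublicKey{}}, err
}

// Register models "register and go online": the device uploads its public key and receives PK.
func (c *SecurityCenter) Register(name string) (*SecurityDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 8*headerLen)
	if err != nil {
		return nil, err
	}
	c.registered[name] = &priv.PublicKey
	return &SecurityDevice{name, priv, &c.priv.PublicKey, map[[2]string]bool{}}, nil
}

// Rewrap is the center's half of steps 5 and 6: KEY1 arrives under PK and leaves under PKB.
func (c *SecurityCenter) Rewrap(header []byte, device string) ([]byte, error) {
	pub, ok := c.registered[device]
	if !ok {
		return nil, errors.New("device not registered at the security center")
	}
	key1, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, header, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key1, nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 1: fresh KEY1 encrypts the data, PK encrypts KEY1; output is header || nonce || ciphertext.
func (d *SecurityDevice) Seal(plain []byte) ([]byte, error) {
	buf := make([]byte, 32+nonceLen) // KEY1 followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key1, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key1)
	if err != nil {
		return nil, err
	}
	header, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, d.centerPub, key1, nil)
	if err != nil {
		return nil, err
	}
	return append(header, gcm.Seal(nonce, nonce, plain, nil)...), nil
}

// Open is steps 4 to 7 on the receiving device: access check, cut at the header range, recover KEY1 via the center, decrypt.
func (d *SecurityDevice) Open(c *SecurityCenter, from, to string, ct []byte) ([]byte, error) {
	if !d.access[[2]string{from, to}] || len(ct) < headerLen+nonceLen {
		return nil, errors.New("protocol header parsing failed: no access relationship or short ciphertext")
	}
	rewrapped, err := c.Rewrap(ct[:headerLen], d.name)
	if err != nil {
		return nil, err
	}
	key1, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, rewrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key1)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[headerLen:headerLen+nonceLen], ct[headerLen+nonceLen:], nil)
}
```

To run the flow, register two devices at a NewCenter, set `b.access[[2]string{"application A", "application B"}] = true` on the receiving device, then pass the output of `a.Seal` to `b.Open`; reversing the application pair, tampering with the encrypted data, or naming an unregistered device all fail with an error rather than yielding plaintext.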

In the embodiment of the present application, the security center receives an identity verification request from the second security device, so that the second security device verifies the identity of the security center, generates the ciphertext to be decrypted and sends it to the second application; the second application sends the ciphertext to be decrypted to the first application; the first security device receives the ciphertext to be decrypted and parses its protocol header out to the security center; and the security center decrypts the encrypted first original key, encrypts it again, and sends the re-encrypted first original key to the first security device, which facilitates the subsequent decryption of the data and achieves secure data transmission. By deploying a distributed data security system of one security center and multiple security devices and exchanging the key encryption basis at the security center, key negotiation and exchange is realized such that the key takes a different form at the second security device than at the first security device, which increases the difficulty of breaking the key. The encryption and decryption of the data are entrusted to the security center and the security devices, and all data exchanged between the security center and the security devices is encrypted, so while supporting the data transmission chain of the entire secure transmission, the difficulty of breaking the data is increased and the security and reliability of data transmission are guaranteed.

The embodiments of the present application also provide a data encryption transmission apparatus, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.

An embodiment of the present application provides a data encryption transmission apparatus, as shown in FIG. 7, applied to a distributed data security system that includes a security center and multiple security devices. The apparatus is executed by a first security device and includes:

a first receiving module 710, configured to receive a ciphertext to be decrypted sent by a first application, where the ciphertext to be decrypted is the ciphertext sent by a second application to the first application and includes a protocol header and encrypted data, the first security device is any one of the multiple security devices, the first application is an application bound to the first security device, and the second application is an application bound to any security device among the multiple security devices other than the first security device;

a parsing module 720, configured to parse the protocol header according to a preset ciphertext transmission protocol and send the parsed protocol header to the security center, so that the security center decrypts the first original key from the protocol header with its own private key, encrypts the first original key with the first device public key, and returns the encrypted first original key, where the first device public key is a public key generated by the first security device and the first original key is a symmetric key generated by the security device corresponding to the second application;

a first decryption module 730, configured to decrypt the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key; and

a second decryption module 740, configured to decrypt the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data and transmit the plaintext data to the first application.

In some optional embodiments, the parsing module includes:

a first determining unit, configured to determine, according to pre-acquired access relationship configuration information, whether an access relationship exists between the second application and the first application;

the first determining unit being further configured to, if an access relationship exists, search the ciphertext to be decrypted for the address that matches the preset protocol header address in the preset ciphertext transmission protocol and determine the content recorded at the found address as the protocol header;

and, if no access relationship exists, to determine that parsing of the protocol header has failed and end the data encryption transmission flow.

In some optional embodiments, the apparatus further includes:

a third receiving module, configured to receive plaintext data to be sent from a third application, where the third application is any application bound to the first security device;

a first encryption module, configured to encrypt the plaintext data to be sent based on a pre-generated second original key to obtain encrypted data to be sent;

a second encryption module, configured to encrypt the second original key with the public key of the security center to obtain an encrypted key;

an assembly module, configured to assemble the encrypted data to be sent and the encrypted key into a ciphertext according to the preset ciphertext transmission protocol; and

a sending module, configured to send the ciphertext to the third application, so that the third application transmits the assembled ciphertext to other applications as a ciphertext to be decrypted.

In some optional embodiments, the apparatus further includes:

a generating module, configured to generate a first signature to be verified based on the plaintext data; and

the sending module being further configured to send the first signature to be verified to the first application, so that the first application verifies the legality and validity of the plaintext data based on the first signature to be verified.

FIG. 7 also shows a data encryption transmission apparatus executed by the security center and applied to the distributed data security system. The apparatus includes:

a second receiving module 750, configured to receive the protocol header of the ciphertext to be decrypted sent by the first security device and parse a first key from the protocol header, where the first key is the first original key encrypted with the public key of the security center, the first original key is a symmetric key generated by the security device corresponding to the second application, the second application is the application that sends the ciphertext to be decrypted to the first application, the first application is an application bound to the first security device, the first security device is any one of the multiple security devices, and the ciphertext to be decrypted includes the protocol header and the encrypted data;

a third decryption module 760, configured to decrypt the first key with the security center's own private key to obtain the first original key; and

an encryption module 770, configured to encrypt the first original key with the first device public key uploaded by the first security device and send the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key with the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data with the first original key to obtain plaintext data, and transmits the plaintext data to the first application.

Further functional descriptions of the above modules and units are the same as in the corresponding embodiments above and are not repeated here.

The data encryption transmission apparatus in the embodiments of the present application is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more pieces of software or firmware, and/or other components that can provide the above functions.

An embodiment of the present application also provides a computer device having the data encryption transmission apparatus shown in FIG. 7 above.

Please refer to FIG. 8, which is a schematic structural diagram of a computer device provided by an optional embodiment of the present application. As shown in FIG. 8, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The components are communicatively connected to each other by different buses and can be mounted on a common motherboard or in other ways as needed. The processor can process instructions executed within the computer device, including instructions stored in or on the memory for displaying graphical information of a GUI on an external input/output apparatus (such as a display device coupled to an interface). In some optional implementations, multiple processors and/or multiple buses can be used together with multiple memories if needed. Likewise, multiple computer devices can be connected, each providing part of the necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). FIG. 8 takes one processor 10 as an example.

The processor 10 may be a central processing unit, a network processor, or a combination thereof. The processor 10 may further include a hardware chip. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, generic array logic, or any combination thereof.

The memory 20 stores instructions executable by the at least one processor 10, so that the at least one processor 10 executes and implements the method shown in the above embodiments.

The memory 20 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function, and the data storage area may store data created through the use of the computer device, among other things. In addition, the memory 20 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some optional implementations, the memory 20 may optionally include memory located remotely from the processor 10, and such remote memory may be connected to the computer device through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, a hard disk, or a solid-state drive; the memory 20 may also include a combination of the above types of memory.

The computer device further includes a communication interface 30 for communication between the computer device and other devices or a communication network.

An embodiment of the present application also provides a computer-readable storage medium. The method according to the embodiments of the present application described above may be implemented in hardware or firmware, or implemented as computer code that can be recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded over a network, and stored on a local storage medium, so that the method described herein can be processed by such software stored on a storage medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware. The storage medium may be a magnetic disk, an optical disc, a read-only memory, a random access memory, a flash memory, a hard disk, a solid-state drive, or the like; further, the storage medium may also include a combination of the above types of memory. It should be understood that a computer, processor, microprocessor controller, or programmable hardware includes a storage component that can store or receive software or computer code, and when the software or computer code is accessed and executed by the computer, processor, or hardware, the method shown in the above embodiments is implemented.

Part of the present application may be embodied as a computer program product, such as computer program instructions which, when executed by a computer, can, through the operation of that computer, invoke or provide the method and/or technical solution according to the present application. Those skilled in the art will understand that the forms in which computer program instructions exist on a computer-readable medium include, but are not limited to, source files, executable files, installation package files, and the like, and accordingly the ways in which computer program instructions are executed by a computer include, but are not limited to: the computer executes the instructions directly; the computer compiles the instructions and then executes the corresponding compiled program; the computer reads and executes the instructions; or the computer reads and installs the instructions and then executes the corresponding installed program. Here, the computer-readable medium may be any available computer-readable storage medium or communication medium accessible to the computer.

虽然结合附图描述了本申请的实施例,但是本领域技术人员可以在不脱离本申请的精神和范围的情况下做出各种修改和变型,这样的修改和变型均落入由所附权利要求所限定的范围之内。Although the embodiments of the present application are described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the present application, and such modifications and variations are all within the scope defined by the appended claims.

Claims (11)

1. A data encryption transmission method applied to a distributed data security system, the system including a security center and a plurality of security devices, the method performed by a first security device, the method comprising:
receiving a ciphertext to be decrypted sent by a first application, wherein the ciphertext to be decrypted is a ciphertext sent by a second application to the first application, the ciphertext to be decrypted comprises a protocol header and encrypted data, the first security device is any one of the plurality of security devices, the first application is an application bound to the first security device, and the second application is an application bound to any one of the plurality of security devices other than the first security device;
parsing the protocol header according to a preset ciphertext transmission protocol, and sending the parsed protocol header to the security center, so that the security center decrypts a first original key in the protocol header based on a private key of the security center, encrypts the first original key using a first device public key, and returns the encrypted first original key, wherein the first device public key is a public key generated by the first security device, and the first original key is a symmetric key generated by the security device to which the second application is bound;
decrypting the encrypted first original key according to the device private key corresponding to the first device public key to obtain the first original key; and
decrypting the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data, and transmitting the plaintext data to the first application.
2. The method of claim 1, wherein parsing the protocol header according to the preset ciphertext transmission protocol comprises:
determining, according to pre-acquired access relationship configuration information, whether an access relationship exists between the second application and the first application;
if the access relationship exists, searching the ciphertext to be decrypted for an address identical to a preset protocol header address defined in the preset ciphertext transmission protocol, and taking the content recorded at the found address as the protocol header; and
if the access relationship does not exist, determining that parsing of the protocol header has failed and ending the data encryption transmission flow.
3. The method according to claim 1, further comprising:
receiving plaintext data to be sent, transmitted by a third application, wherein the third application is any application bound to the first security device;
encrypting the plaintext data to be sent based on a pre-generated second original key to obtain encrypted data to be sent;
encrypting the second original key based on the public key of the security center to obtain an encrypted key;
assembling the encrypted data to be sent and the encrypted key into a ciphertext according to the preset ciphertext transmission protocol; and
sending the assembled ciphertext to the third application, so that the third application can transmit the assembled ciphertext to other applications as a ciphertext to be decrypted.
4. The method according to any one of claims 1 to 3, wherein, before sending the plaintext data to the first application, the method further comprises:
generating a first signature to be verified based on the plaintext data; and
sending the first signature to be verified to the first application, so that the first application verifies the legitimacy and validity of the plaintext data based on the first signature to be verified.
5. A data encryption transmission method applied to a distributed data security system, the system including a security center and a plurality of security devices, the method performed by the security center, the method comprising:
receiving a protocol header of a ciphertext to be decrypted, sent by a first security device, and parsing a first key from the protocol header, wherein the first key is a first original key encrypted with the public key of the security center, the first original key is a symmetric key generated by the security device to which a second application is bound, the second application is the application that sent the ciphertext to be decrypted to a first application, the first application is an application bound to the first security device, the first security device is any one of the plurality of security devices, and the ciphertext to be decrypted comprises the protocol header and encrypted data;
decrypting the first key based on the private key of the security center to obtain the first original key; and
encrypting the first original key according to a first device public key uploaded by the first security device, and sending the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key according to the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data according to the first original key to obtain plaintext data, and transmits the plaintext data to the first application.
6. A distributed data security system, the system comprising a security center, a first security device and a second security device, the first security device having a first application bound to it and the second security device having a second application bound to it, wherein:
the first application is configured to send a received ciphertext to be decrypted to the first security device;
the first security device is configured to parse a protocol header of the ciphertext to be decrypted according to a preset ciphertext transmission protocol, send the parsed protocol header to the security center, receive an encrypted first original key sent by the security center, decrypt the encrypted first original key according to the device private key of the first security device to obtain a first original key, decrypt the encrypted data according to the first original key to obtain plaintext data, and transmit the plaintext data to the first application, and is further configured to send a pre-generated first device public key to the security center; the first original key is a symmetric key generated by the second security device, and the ciphertext to be decrypted comprises the protocol header and the encrypted data;
the second security device is configured to encrypt the first original key according to the public key of the security center to obtain a first key, encrypt plaintext data sent by the second application according to the first original key to obtain the encrypted data, assemble the encrypted data and the first key into the ciphertext to be decrypted according to the preset ciphertext transmission protocol, and send the ciphertext to be decrypted to the second application;
the second application is configured to send the ciphertext to be decrypted to the first application and to send plaintext data to the second security device; and
the security center is configured to decrypt the first key in the protocol header into the first original key according to the private key of the security center, encrypt the first original key using the first device public key, send the encrypted first original key to the first security device, and send the public key of the security center to the second security device.
7. A data encryption transmission apparatus for use in a distributed data security system, the system comprising a security center and a plurality of security devices, the apparatus being implemented by a first security device, the apparatus comprising:
a first receiving module configured to receive a ciphertext to be decrypted sent by a first application, wherein the ciphertext to be decrypted is a ciphertext sent by a second application to the first application, the ciphertext to be decrypted comprises a protocol header and encrypted data, the first security device is any one of the plurality of security devices, the first application is an application bound to the first security device, and the second application is an application bound to any one of the plurality of security devices other than the first security device;
a parsing module configured to parse the protocol header according to a preset ciphertext transmission protocol and send the parsed protocol header to the security center, so that the security center decrypts a first original key in the protocol header based on a private key of the security center, encrypts the first original key using a first device public key, and returns the encrypted first original key, wherein the first device public key is a public key generated by the first security device, and the first original key is a symmetric key generated by the security device to which the second application is bound;
a first decryption module configured to decrypt the encrypted first original key according to the device private key corresponding to the first device public key to obtain the first original key; and
a second decryption module configured to decrypt the encrypted data according to the first original key and the preset ciphertext transmission protocol to obtain plaintext data and transmit the plaintext data to the first application.
8. A data encryption transmission apparatus for use in a distributed data security system, the system comprising a security center and a plurality of security devices, the apparatus being implemented by the security center, the apparatus comprising:
a second receiving module configured to receive a protocol header of a ciphertext to be decrypted, sent by a first security device, and to parse a first key from the protocol header, wherein the first key is a first original key encrypted with the public key of the security center, the first original key is a symmetric key generated by the security device to which a second application is bound, the second application is the application that sent the ciphertext to be decrypted to a first application, the first application is an application bound to the first security device, the first security device is any one of the plurality of security devices, and the ciphertext to be decrypted comprises the protocol header and encrypted data;
a third decryption module configured to decrypt the first key based on the private key of the security center to obtain the first original key; and
an encryption module configured to encrypt the first original key according to a first device public key uploaded by the first security device and send the encrypted first original key to the first security device, so that the first security device decrypts the encrypted first original key according to the device private key corresponding to the first device public key to obtain the first original key, decrypts the encrypted data according to the first original key to obtain plaintext data, and transmits the plaintext data to the first application.
9. A computer device, comprising:
A memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the data encryption transmission method of any one of claims 1 to 4 or 5.
10. A computer-readable storage medium having stored thereon computer instructions for causing a computer to execute the data encryption transmission method according to any one of claims 1 to 4 or 5.
11. A computer program product comprising computer instructions for causing a computer to perform the data encryption transmission method of any one of claims 1 to 4 or 5.
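The procedure the claims describe, end to end, as an added example in Go that is not the patent's or the applicant's code: a sending security device generates a fresh symmetric key, seals the application's data under it and wraps the key to the security center's public key (claim 3); the receiving security device checks the access relationship before touching any key material (claim 2), hands only the protocol header to the center, which unwraps the key with its own private key and re-wraps it under the requesting device's uploaded public key (claim 5), and the device then unwraps it with its own private key and decrypts the data (claim 1). Everything the claims leave unstated is this example's assumption: the byte layout of the "preset ciphertext transmission protocol", RSA-OAEP for key wrapping, AES-256-GCM with the whole header as associated data so that header tampering is detected, single-byte application identifiers, and the names NewCenter, NewDevice, Rewrap, Encrypt and Decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed wire layout (not the patent's; RSA-OAEP and AES-256-GCM are this example's choices):
// header = srcApp(1) | dstApp(1) | wrappedKeyLen(2) | wrappedKey ; data = nonce(12) | AES-GCM ct||tag
const hdrFixed, nonceLen = 4, 12

// SecurityCenter: own RSA key pair plus device public keys uploaded at enrolment. It unwraps
// every per-message key before re-wrapping it, so it is a key-escrow party, not a directory.
type SecurityCenter struct {
	priv    *rsa.PrivateKey
	devPubs map[string]*rsa.PublicKey
}

// SecurityDevice: bound to one application; access is claim 2's access relationship
// configuration, the (srcApp, dstApp) pairs that are allowed to communicate.
type SecurityDevice struct {
	name   string
	priv   *rsa.PrivateKey
	center *SecurityCenter
	access map[[2]byte]bool
}

func NewCenter() *SecurityCenter {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &SecurityCenter{priv: k, devPubs: map[string]*rsa.PublicKey{}}
}

func NewDevice(name string, c *SecurityCenter, access map[[2]byte]bool) *SecurityDevice {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	c.devPubs[name] = &k.PublicKey // the "first device public key" uploaded to the center
	return &SecurityDevice{name: name, priv: k, center: c, access: access}
}

// Rewrap (claim 5): unwrap with the center's own private key, re-wrap for the requesting device.
func (c *SecurityCenter) Rewrap(dev string, wrapped []byte) ([]byte, error) {
	pub, ok := c.devPubs[dev]
	if !ok {
		return nil, errors.New("unknown device")
	}
	orig, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, orig, nil)
}

// Encrypt (claim 3): fresh "original key", data sealed under it, key wrapped to the center.
func (d *SecurityDevice) Encrypt(src, dst byte, plain []byte) ([]byte, error) {
	rnd := make([]byte, 32+nonceLen) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &d.center.priv.PublicKey, key, nil)
	if err != nil {
		return nil, err
	}
	hdr := []byte{src, dst, 0, 0}
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(wrapped)))
	hdr = append(hdr, wrapped...)
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)
	return append(hdr, aead.Seal(nonce, nonce, plain, hdr)...), nil // whole header is AAD
}

// Decrypt (claims 1 and 2): access check first, center re-wraps, device unwraps, GCM authenticates.
func (d *SecurityDevice) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < hdrFixed {
		return nil, errors.New("protocol header parse failed")
	}
	if !d.access[[2]byte{ct[0], ct[1]}] { // no relationship: stop before any key operation
		return nil, errors.New("no access relationship between source and destination application")
	}
	n := hdrFixed + int(binary.BigEndian.Uint16(ct[2:4]))
	if len(ct) < n+nonceLen {
		return nil, errors.New("truncated ciphertext")
	}
	hdr, nonce, body := ct[:n], ct[n:n+nonceLen], ct[n+nonceLen:]
	rewrapped, err := d.center.Rewrap(d.name, hdr[hdrFixed:])
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, rewrapped, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key recovery failed")
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, nonce, body, hdr) // fails on any header or data tampering
}
```

Two points the claims leave open are worth settling before building on this design. First, the security center decrypts every original key, so it is a key-escrow party and a single point of compromise for all traffic between applications; it belongs in HSM-class custody, and the re-wrap request path should be authenticated. Second, in claim 5 the center re-wraps for whichever enrolled device presents a header; the only binding of the key to the destination application is the access check performed on the requesting device (claim 2), so the center should additionally verify that the requesting device is the one bound to the destination application before re-wrapping. This example follows the claims and does not add that center-side check.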

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410293802.XA CN118101298B (en) 2024-03-14 2024-03-14 Data encryption transmission method, device, computer equipment, medium and program product

Publications (2)

Publication Number Publication Date
CN118101298A true CN118101298A (en) 2024-05-28
CN118101298B CN118101298B (en) 2024-11-22

Family

ID=91156055

Country Status (1)

Country Link
CN (1) CN118101298B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118734353A (en) * 2024-06-04 2024-10-01 中国通信建设集团有限公司 A safe data transmission communication cabinet

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603485A (en) * 2016-10-31 2017-04-26 美的智慧家居科技有限公司 Secret key negotiation method and device
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN114430345A (en) * 2022-01-26 2022-05-03 深圳乐信软件技术有限公司 A data transmission method, device, storage medium and electronic device
CN115001720A (en) * 2022-08-05 2022-09-02 北京融数联智科技有限公司 Optimization method, device, medium and equipment for safe transmission of federal learning modeling
CN116633658A (en) * 2023-06-14 2023-08-22 南方电网科学研究院有限责任公司 Data transmission method, data sending end and data receiving end
CN116830525A (en) * 2022-01-27 2023-09-29 京东方科技集团股份有限公司 Data transmission method, device, system, electronic equipment and readable medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant