CN111600903A - A communication method, system, device and readable storage medium - Google Patents

A communication method, system, device and readable storage medium Download PDF

Info

Publication number
CN111600903A
CN111600903A CN202010470870.0A CN202010470870A CN111600903A CN 111600903 A CN111600903 A CN 111600903A CN 202010470870 A CN202010470870 A CN 202010470870A CN 111600903 A CN111600903 A CN 111600903A
Authority
CN
China
Prior art keywords
key
communication
ciphertext
identity
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010470870.0A
Other languages
Chinese (zh)
Inventor
许鑫
吴保锡
刘刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
IEIT Systems Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd filed Critical Inspur Electronic Information Industry Co Ltd
Priority to CN202010470870.0A priority Critical patent/CN111600903A/en
Publication of CN111600903A publication Critical patent/CN111600903A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a communication method, a system, a device and a readable storage medium. In the application, the first equipment and the second equipment in the data center are both authenticated by the equipment identity authentication center and issue a public key certificate and a corresponding identity key certificate for the equipment identity authentication center, so that the safety of the data center is improved. Before the first device and the second device communicate, the first device and the second device perform mutual identity authentication, so that the identity security of the devices of the two parties which are about to communicate can be ensured. After the first device and the second device mutually perform identity authentication, the first device and the second device exchange communication keys, so that the communication key of the other side can be used for encrypting transmission information to be sent, the data can be kept in an encrypted state in the transmission process, and the safety of the communication data is improved. Accordingly, the communication system, the device and the readable storage medium provided by the application also have the technical effects.

Description

一种通信方法、系统、设备及可读存储介质A communication method, system, device and readable storage medium

技术领域technical field

本申请涉及计算机技术领域,特别涉及一种通信方法、系统、设备及可读存储介质。The present application relates to the field of computer technology, and in particular, to a communication method, system, device, and readable storage medium.

背景技术Background technique

随着云计算的兴起,核心计算资源由分散式向集中式发展,即核心计算任务在一个或多个数据中心(如公有云)中完成,例如:租户租赁公有云中的计算资源、存储资源和网络资源等来运行业务系统、存放业务数据。因此数据中心的安全性至关重要。With the rise of cloud computing, core computing resources are developing from decentralized to centralized, that is, core computing tasks are completed in one or more data centers (such as public clouds), for example: tenants leasing computing resources and storage resources in public clouds and network resources to run business systems and store business data. Therefore, the security of the data center is very important.

数据中心中的资源多是采用池化的方式管理,如计算池、存储池等。这意味着一台虚拟机运行时需要的资源(如虚拟存储、虚拟网卡、虚拟CPU等)可以运行在不同的设备中,因此数据中心中各个设备之间存在频繁的数据交互。Most of the resources in the data center are managed in a pooled manner, such as computing pools and storage pools. This means that the resources (such as virtual storage, virtual network card, virtual CPU, etc.) required for a virtual machine to run can run in different devices, so there is frequent data interaction between various devices in the data center.

为保证数据中心中的各个设备之间通信的安全性,可以在软件层面实现的通信双方通道的加密,比如使用开源的Openssl实现。但是,由于软件层面的通信通道加密与设备身份无关,因此软件层面的通信通道加密机制无法保障数据中心中的每个设备的身份安全性,故而会降低数据中心的安全性以及通信数据的安全性。In order to ensure the security of communication between various devices in the data center, the encryption of both communication channels can be implemented at the software level, for example, using the open source Openssl implementation. However, since the communication channel encryption at the software level has nothing to do with the device identity, the communication channel encryption mechanism at the software level cannot guarantee the identity security of each device in the data center, thus reducing the security of the data center and the security of communication data .

因此,如何提高数据中心的安全性以及通信数据的安全性,是本领域技术人员需要解决的问题。Therefore, how to improve the security of the data center and the security of the communication data is a problem to be solved by those skilled in the art.

发明内容SUMMARY OF THE INVENTION

有鉴于此,本申请的目的在于提供一种通信方法、系统、设备及可读存储介质,以提高数据中心的安全性以及通信数据的安全性。其具体方案如下:In view of this, the purpose of the present application is to provide a communication method, system, device and readable storage medium, so as to improve the security of the data center and the security of the communication data. Its specific plan is as follows:

第一方面,本申请提供了一种通信方法,包括:In a first aspect, the present application provides a communication method, including:

数据中心中的第一设备发送认证请求至第二设备,以使第二设备发送自身的第二身份密钥证书至第一设备;第二设备为数据中心中除第一设备以外的其他设备;The first device in the data center sends an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device; the second device is other devices in the data center except the first device;

第一设备利用预先存储的公钥证书验证第二身份密钥证书通过后,存储第二身份密钥证书,并发送自身的第一身份密钥证书至第二设备,以使第二设备利用预先存储的公钥证书验证第一身份密钥证书通过后,存储第一身份密钥证书;After the first device uses the pre-stored public key certificate to verify that the second identity key certificate passes, it stores the second identity key certificate, and sends its own first identity key certificate to the second device, so that the second device can use the pre-stored public key certificate. After the stored public key certificate has passed the verification of the first identity key certificate, the first identity key certificate is stored;

第一设备和第二设备互相获取对方的通信密钥;The first device and the second device obtain each other's communication key;

第一设备或第二设备利用对方的通信密钥加密目标信息,获得信息密文,并将信息密文发送至对方,以使对方利用自身的通信密钥解密信息密文,获得目标信息;The first device or the second device encrypts the target information with the communication key of the other party, obtains the information ciphertext, and sends the information ciphertext to the other party, so that the other party uses its own communication key to decrypt the information ciphertext and obtain the target information;

其中,公钥证书、第一身份密钥证书和第二身份密钥证书由设备身份认证中心签发给第一设备和第二设备。The public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by the device identity authentication center.

优选地,第一设备和第二设备互相获取对方的通信密钥,包括:Preferably, the first device and the second device obtain each other's communication key, including:

第二设备利用自身中的可信根创建第二通信密钥并存储,发送第二密文至第一设备,第二密文为第二通信密钥中的第二公钥的密文;The second device uses the root of trust in itself to create and store the second communication key, and sends the second ciphertext to the first device, where the second ciphertext is the ciphertext of the second public key in the second communication key;

第一设备解密第二密文,获得第二公钥并存储,利用自身中的可信根创建第一通信密钥并存储,发送第一密文至第二设备,以使第二设备解密第一密文,获得第一公钥并存储;第一密文为第一通信密钥中的第一公钥的密文。The first device decrypts the second ciphertext, obtains and stores the second public key, uses the root of trust in itself to create and stores the first communication key, and sends the first ciphertext to the second device, so that the second device decrypts the first ciphertext. A ciphertext, the first public key is obtained and stored; the first ciphertext is the ciphertext of the first public key in the first communication key.

优选地,第一设备和第二设备互相获取对方的通信密钥,包括:Preferably, the first device and the second device obtain each other's communication key, including:

第二设备利用自身中的可信根创建第二密钥参数并存储,发送第二密钥参数的第二密文至第一设备;The second device uses the root of trust in itself to create and store the second key parameter, and sends the second ciphertext of the second key parameter to the first device;

第一设备解密第二密文,获得第二密钥参数并存储,利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,以使第二设备解密第一密文,获得第一密钥参数并存储;The first device decrypts the second ciphertext, obtains and stores the second key parameter, uses the root of trust in itself to create the first key parameter and stores it, and sends the first ciphertext of the first key parameter to the second device, so that the second device decrypts the first ciphertext, obtains the first key parameter and stores it;

第一设备或第二设备根据第一密钥参数和第二密钥参数生成第二通信密钥和第一通信密钥。The first device or the second device generates the second communication key and the first communication key according to the first key parameter and the second key parameter.

优选地,还包括:Preferably, it also includes:

第一设备处理目标信息,获得处理结果,利用第二通信密钥加密处理结果,获得结果密文,将结果密文发送至第二设备,以使第二设备利用第二通信密钥解密结果密文,获得处理结果;The first device processes the target information, obtains the processing result, encrypts the processing result with the second communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the second device, so that the second device uses the second communication key to decrypt the result ciphertext. text, get the processing result;

or

第二设备处理目标信息,获得处理结果,利用第一通信密钥加密处理结果,获得结果密文,将结果密文发送至第一设备,以使第一设备或第二设备利用第一通信密钥解密结果密文,获得处理结果。The second device processes the target information, obtains the processing result, encrypts the processing result with the first communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the first device, so that the first device or the second device can use the first communication key to encrypt the processing result. Decrypt the resulting ciphertext with the key to obtain the processing result.

优选地,第二设备利用自身中的可信根创建第二密钥参数并存储,发送第二密钥参数的第二密文至第一设备,包括:Preferably, the second device uses the root of trust in itself to create and store the second key parameter, and sends the second ciphertext of the second key parameter to the first device, including:

第二设备利用自身中的可信根生成第二密钥参数并存储,第二密钥参数包括:第二随机数、素数、素数的原根以及第二目标参数,利用公钥证书中的公钥加密第二密钥参数,获得第二密文,将第二密文发送至第一设备;The second device uses the trusted root in itself to generate and store the second key parameter. The second key parameter includes: the second random number, the prime number, the original root of the prime number, and the second target parameter. Using the public key in the public key certificate encrypt the second key parameter with the key, obtain the second ciphertext, and send the second ciphertext to the first device;

其中,第二随机数、素数、原根以及第二目标参数之间的关系为:Ya=gamodp,Ya为第二目标参数,g为原根,a为第二随机数,p为素数。Among them, the relationship between the second random number, the prime number, the original root and the second target parameter is: Y a =g a modp, Y a is the second target parameter, g is the original root, a is the second random number, p is a prime number.

优选地,第一设备利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,包括:Preferably, the first device uses the root of trust in itself to create and store the first key parameter, and sends the first ciphertext of the first key parameter to the second device, including:

第一设备利用自身中的可信根创建第一密钥参数,第一密钥参数包括:第一随机数和第一目标参数,利用公钥证书中的公钥加密第一密钥参数,获得第一密文,将第一密文发送至第二设备;The first device uses the trusted root in itself to create a first key parameter, the first key parameter includes: a first random number and a first target parameter, encrypts the first key parameter with the public key in the public key certificate, and obtains the first ciphertext, sending the first ciphertext to the second device;

其中,第一随机数、第一目标参数、素数以及原根之间的关系为:Yb=gbmodp,Yb为第一目标参数,b为第一随机数,g为原根,p为素数。Among them, the relationship between the first random number, the first target parameter, the prime number and the original root is: Y b =g b modp, Y b is the first target parameter, b is the first random number, g is the original root, p is a prime number.

优选地,第一设备或第二设备按照目标公式生成第一通信密钥和第二通信密钥;目标公式为:Preferably, the first device or the second device generates the first communication key and the second communication key according to the target formula; the target formula is:

Figure BDA0002514259210000031
Figure BDA0002514259210000031

其中,Kb为第一通信密钥,Ka为第二通信密钥,Yb为第一目标参数,Ya为第二目标参数,b为第一随机数,a为第二随机数,g为原根,p为素数。Wherein, K b is the first communication key, Ka is the second communication key, Y b is the first target parameter, Y a is the second target parameter, b is the first random number, a is the second random number, g is the primitive root and p is the prime number.

优选地,还包括:Preferably, it also includes:

若第一设备和第二设备通信结束,则第一设备和第二设备删除对方的通信密钥和身份密钥证书。If the communication between the first device and the second device ends, the first device and the second device delete each other's communication key and identity key certificate.

优选地,设备身份认证中心给数据中心中的所有设备签发有公钥证书和设备身份密钥对应的身份密钥证书。Preferably, the device identity authentication center issues all the devices in the data center with the public key certificate and the identity key certificate corresponding to the device identity key.

第二方面,本申请提供了一种通信系统,包括:数据中心中的第一设备和第二设备,第二设备为数据中心中除第一设备以外的其他设备,其中:In a second aspect, the present application provides a communication system, including: a first device and a second device in a data center, where the second device is other devices in the data center except the first device, wherein:

第一设备,用于发送认证请求至第二设备,以使第二设备发送自身的第二身份密钥证书至第一设备;the first device, configured to send an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device;

第一设备,用于利用预先存储的公钥证书验证第二身份密钥证书通过后,存储第二身份密钥证书,并发送自身的第一身份密钥证书至第二设备,以使第二设备利用预先存储的公钥证书验证第一身份密钥证书通过后,存储第一身份密钥证书;The first device is configured to use the pre-stored public key certificate to verify that the second identity key certificate passes, store the second identity key certificate, and send its own first identity key certificate to the second device, so that the second identity key certificate is passed. After the device uses the pre-stored public key certificate to verify that the first identity key certificate is passed, the device stores the first identity key certificate;

第一设备和第二设备互相获取对方的通信密钥;The first device and the second device obtain each other's communication key;

第一设备或第二设备,用于利用对方的通信密钥加密目标信息,获得信息密文,并将信息密文发送至对方,以使对方利用自身的通信密钥解密信息密文,获得目标信息;The first device or the second device is used to encrypt the target information with the communication key of the other party, obtain the information ciphertext, and send the information ciphertext to the other party, so that the other party can use its own communication key to decrypt the information ciphertext and obtain the target information. information;

其中,公钥证书、第一身份密钥证书和第二身份密钥证书由设备身份认证中心签发给第一设备和第二设备。The public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by the device identity authentication center.

第三方面,本申请提供了一种通信设备,包括:In a third aspect, the present application provides a communication device, comprising:

存储器,用于存储计算机程序;memory for storing computer programs;

处理器,用于执行计算机程序,以实现前述公开的通信方法。A processor for executing a computer program to implement the communication method disclosed above.

第四方面,本申请提供了一种可读存储介质,用于保存计算机程序,其中,计算机程序被处理器执行时实现前述公开的通信方法。In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program implements the aforementioned communication method when executed by a processor.

通过以上方案可知,本申请提供了一种通信方法,包括:数据中心中的第一设备发送认证请求至第二设备,以使第二设备发送自身的第二身份密钥证书至第一设备;第二设备为数据中心中除第一设备以外的其他设备;第一设备利用预先存储的公钥证书验证第二身份密钥证书通过后,存储第二身份密钥证书,并发送自身的第一身份密钥证书至第二设备,以使第二设备利用预先存储的公钥证书验证第一身份密钥证书通过后,存储第一身份密钥证书;第一设备和第二设备互相获取对方的通信密钥;第一设备或第二设备利用对方的通信密钥加密目标信息,获得信息密文,并将信息密文发送至对方,以使对方利用自身的通信密钥解密信息密文,获得目标信息;其中,公钥证书、第一身份密钥证书和第二身份密钥证书由设备身份认证中心签发给第一设备和第二设备。As can be seen from the above solutions, the present application provides a communication method, including: a first device in a data center sends an authentication request to a second device, so that the second device sends its own second identity key certificate to the first device; The second device is other than the first device in the data center; after the first device uses the pre-stored public key certificate to verify that the second identity key certificate passes, it stores the second identity key certificate, and sends its own first The identity key certificate is sent to the second device, so that the second device uses the pre-stored public key certificate to verify that the first identity key certificate passes, and then stores the first identity key certificate; the first device and the second device mutually obtain each other's Communication key; the first device or the second device encrypts the target information with the communication key of the other party, obtains the information ciphertext, and sends the information ciphertext to the other party, so that the other party can use its own communication key to decrypt the information ciphertext, and obtain Target information; wherein the public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by the device identity authentication center.

可见,在本申请提供的通信方法中,数据中心中的第一设备和第二设备均由设备身份认证中心进行了身份认证,并为其签发了公钥证书和相应的身份密钥证书,因此第一设备和第二设备的身份安全性得到了保障,也提高了数据中心的安全性。在第一设备和第二设备通信之前,二者进行了相互的身份认证,即第一设备利用预先存储的公钥证书验证第二身份密钥证书,第二设备利用预先存储的公钥证书验证第一身份密钥证书,故而可再次确保即将要通信的第一设备和第二设备的身份安全性。在第一设备和第二设备相互进行身份认证通过后,二者交换通信密钥,因此可利用对方的通信密钥加密传输信息进行发送,从而使得数据在传输过程中保持加密状态,提高了通信数据的安全性。It can be seen that in the communication method provided by this application, the identity authentication of the first device and the second device in the data center is performed by the device identity authentication center, and a public key certificate and a corresponding identity key certificate are issued for them. Therefore, The identity security of the first device and the second device is guaranteed, and the security of the data center is also improved. Before the first device and the second device communicate, they perform mutual identity authentication, that is, the first device uses the pre-stored public key certificate to verify the second identity key certificate, and the second device uses the pre-stored public key certificate to verify The first identity key certificate, so the identity security of the first device and the second device to be communicated can be ensured again. After the first device and the second device pass the mutual authentication, the two exchange communication keys, so the communication key of the other party can be used to encrypt the transmission information for transmission, so that the data is kept encrypted during the transmission process, and the communication is improved. Data security.

相应地,本申请提供的一种通信系统、设备及可读存储介质,也同样具有上述技术效果。Correspondingly, a communication system, a device and a readable storage medium provided by the present application also have the above technical effects.

附图说明Description of drawings

为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following briefly introduces the accompanying drawings required for the description of the embodiments or the prior art. Obviously, the drawings in the following description are only It is an embodiment of the present application. For those of ordinary skill in the art, other drawings can also be obtained according to the provided drawings without any creative effort.

图1为本申请公开的第一种通信方法流程图;1 is a flowchart of a first communication method disclosed in the application;

图2为本申请公开的第二种通信方法流程图;Fig. 2 is the flow chart of the second communication method disclosed by the application;

图3为本申请公开的CA认证设备身份的流程图;Fig. 3 is the flow chart of CA authentication equipment identity disclosed by the present application;

图4为本申请公开的设备结构图;FIG. 4 is a structural diagram of the equipment disclosed in the application;

图5为本申请公开的CA认证设备的结构图;5 is a structural diagram of a CA authentication device disclosed in the present application;

图6为本申请公开的设备互相认证的流程图;FIG. 6 is a flowchart of mutual authentication of devices disclosed in the present application;

图7为本申请公开的设备互相认证的结构图;FIG. 7 is a structural diagram of mutual authentication of devices disclosed in the application;

图8为本申请公开的交换通信密钥的流程图;FIG. 8 is a flow chart of exchanging communication keys disclosed in the present application;

图9为本申请公开的交换通信密钥的结构图;FIG. 9 is a structural diagram of exchanging communication keys disclosed by the application;

图10为本申请公开的一种通信设备示意图。FIG. 10 is a schematic diagram of a communication device disclosed in this application.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.

目前,软件层面的通信通道加密机制无法保障数据中心中的每个设备的身份安全性,故而会降低数据中心的安全性以及通信数据的安全性。为此,本申请提供了一种通信方案,能够提高数据中心的安全性以及通信数据的安全性。At present, the communication channel encryption mechanism at the software level cannot guarantee the identity security of each device in the data center, thus reducing the security of the data center and the security of communication data. Therefore, the present application provides a communication solution, which can improve the security of the data center and the security of the communication data.

参见图1所示,本申请实施例公开了第一种通信方法,包括:Referring to FIG. 1 , an embodiment of the present application discloses a first communication method, including:

S101、数据中心中的第一设备发送认证请求至第二设备,以使第二设备发送自身的第二身份密钥证书至第一设备;第二设备为数据中心中除第一设备以外的其他设备。S101. The first device in the data center sends an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device; the second device is other than the first device in the data center equipment.

S102、第一设备利用预先存储的公钥证书验证第二身份密钥证书通过后,存储第二身份密钥证书,并发送自身的第一身份密钥证书至第二设备,以使第二设备利用预先存储的公钥证书验证第一身份密钥证书通过后,存储第一身份密钥证书。S102: After the first device verifies that the second identity key certificate passes the pre-stored public key certificate, it stores the second identity key certificate, and sends its own first identity key certificate to the second device, so that the second device After the first identity key certificate is verified by using the pre-stored public key certificate, the first identity key certificate is stored.

S103、第一设备和第二设备互相获取对方的通信密钥。S103. The first device and the second device obtain each other's communication key.

第一设备和第二设备相互完成身份认证后,建立二者之间的加密通道。其中,加密通道使用的密钥可以有两种形式,一种采用可信根生成的密钥,另一种采用软件(如OpenSSL)生成的密钥。前者的密钥安全性更高,因为可信根中的密钥,外界只能使用,但无法获取密钥信息。后者的密钥使用起来加解密效率更高,因为使用软件算法,加解密操作都在内存中进行。因此第一设备和第二设备互相获取对方的通信密钥至少包括两种具体实施方式。After the first device and the second device complete the mutual authentication, an encrypted channel is established between the two. Among them, the key used in the encrypted channel can be in two forms, one is a key generated by a trusted root, and the other is a key generated by software (such as OpenSSL). The former has higher key security, because the key in the root of trust can only be used by the outside world, but the key information cannot be obtained. The latter key is more efficient for encryption and decryption, because using software algorithms, encryption and decryption operations are performed in memory. Therefore, the first device and the second device obtain each other's communication key from each other, including at least two specific implementations.

在一种具体实施方式中,第一设备和第二设备采用可信根生成的密钥,故第一设备和第二设备互相获取对方的通信密钥,包括:第二设备利用自身中的可信根创建第二通信密钥并存储,发送第二密文至第一设备,第二密文为第二通信密钥中的第二公钥的密文;第一设备解密第二密文,获得第二公钥并存储,利用自身中的可信根创建第一通信密钥并存储,发送第一密文至第二设备,以使第二设备解密第一密文,获得第一公钥并存储;第一密文为第一通信密钥中的第一公钥的密文。也就是第一设备和第二设备互相交换了各自通信密钥中的公钥。In a specific implementation manner, the first device and the second device use a key generated by the root of trust, so the first device and the second device obtain each other's communication key, including: the second device uses the The letter root creates and stores the second communication key, sends the second ciphertext to the first device, and the second ciphertext is the ciphertext of the second public key in the second communication key; the first device decrypts the second ciphertext, Obtain and store the second public key, use the root of trust in itself to create and store the first communication key, send the first ciphertext to the second device, so that the second device decrypts the first ciphertext and obtains the first public key and stored; the first ciphertext is the ciphertext of the first public key in the first communication key. That is, the first device and the second device exchange public keys in their respective communication keys with each other.

在另一种具体实施方式中,第一设备和第二设备采用软件(如Open SSL)生成的密钥,故第一设备和第二设备互相获取对方的通信密钥,包括:第二设备利用自身中的可信根创建第二密钥参数并存储,发送第二密钥参数的第二密文至第一设备;第一设备解密第二密文,获得第二密钥参数并存储,利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,以使第二设备解密第一密文,获得第一密钥参数并存储;第一设备或第二设备根据第一密钥参数和第二密钥参数生成第二通信密钥和第一通信密钥。也就是第一设备和第二设备互相交换了密钥参数,二者都可以生成双方的通信密钥。In another specific implementation manner, the first device and the second device use keys generated by software (such as Open SSL), so the first device and the second device obtain each other's communication keys from each other, including: the second device uses The trusted root in itself creates and stores the second key parameter, and sends the second ciphertext of the second key parameter to the first device; the first device decrypts the second ciphertext, obtains and stores the second key parameter, and uses The trusted root in itself creates and stores the first key parameter, sends the first ciphertext of the first key parameter to the second device, so that the second device decrypts the first ciphertext, obtains the first key parameter and stores it ; The first device or the second device generates the second communication key and the first communication key according to the first key parameter and the second key parameter. That is, the first device and the second device exchange key parameters with each other, and both can generate a communication key for both parties.

在一种具体实施方式中,第二设备利用自身中的可信根创建第二密钥参数并存储,发送第二密钥参数的第二密文至第一设备,包括:第二设备利用自身中的可信根生成第二密钥参数并存储,第二密钥参数包括:第二随机数、素数、素数的原根以及第二目标参数,利用公钥证书中的公钥加密第二密钥参数,获得第二密文,将第二密文发送至第一设备;其中,第二随机数、素数、原根以及第二目标参数之间的关系为:Ya=gamodp,Ya为第二目标参数,g为原根,a为第二随机数,p为素数。In a specific implementation manner, the second device uses the root of trust in itself to create and store the second key parameter, and sending the second ciphertext of the second key parameter to the first device includes: the second device uses its own The trusted root in the generated second key parameter and stored, the second key parameter includes: the second random number, the prime number, the original root of the prime number and the second target parameter, use the public key in the public key certificate to encrypt the second key parameter. key parameter, obtain the second ciphertext, and send the second ciphertext to the first device; wherein, the relationship between the second random number, the prime number, the original root and the second target parameter is: Y a =g a modp, Y a is the second target parameter, g is the original root, a is the second random number, and p is a prime number.

在一种具体实施方式中,第一设备利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,包括:第一设备利用自身中的可信根创建第一密钥参数,第一密钥参数包括:第一随机数和第一目标参数,利用公钥证书中的公钥加密第一密钥参数,获得第一密文,将第一密文发送至第二设备;其中,第一随机数、第一目标参数、素数以及原根之间的关系为:Yb=gbmodp,Yb为第一目标参数,b为第一随机数,g为原根,p为素数。In a specific implementation manner, the first device uses the root of trust in itself to create and store the first key parameter, and sending the first ciphertext of the first key parameter to the second device includes: the first device uses its own The trusted root in the certificate creates a first key parameter, the first key parameter includes: a first random number and a first target parameter, and the first key parameter is encrypted with the public key in the public key certificate to obtain the first ciphertext, Send the first ciphertext to the second device; wherein, the relationship between the first random number, the first target parameter, the prime number and the original root is: Y b =g b modp, Y b is the first target parameter, and b is The first random number, g is the original root, p is the prime number.

在一种具体实施方式中,第一设备或第二设备按照目标公式生成第一通信密钥和第二通信密钥;目标公式为:In a specific embodiment, the first device or the second device generates the first communication key and the second communication key according to the target formula; the target formula is:

Figure BDA0002514259210000081
Figure BDA0002514259210000081

其中,Kb为第一通信密钥,Ka为第二通信密钥,Yb为第一目标参数,Ya为第二目标参数,b为第一随机数,a为第二随机数,g为原根,p为素数。Wherein, K b is the first communication key, Ka is the second communication key, Y b is the first target parameter, Y a is the second target parameter, b is the first random number, a is the second random number, g is the primitive root and p is the prime number.

S104、第一设备或第二设备利用对方的通信密钥加密目标信息,获得信息密文,并将信息密文发送至对方,以使对方利用自身的通信密钥解密信息密文,获得目标信息。S104, the first device or the second device encrypts the target information by using the communication key of the other party, obtains the information ciphertext, and sends the information ciphertext to the other party, so that the other party uses its own communication key to decrypt the information ciphertext and obtain the target information .

其中,公钥证书、第一身份密钥证书和第二身份密钥证书由设备身份认证中心签发给第一设备和第二设备。设备身份认证中心给数据中心中的所有设备签发有公钥证书和设备身份密钥对应的身份密钥证书。The public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by the device identity authentication center. The device identity authentication center issues a public key certificate and an identity key certificate corresponding to the device identity key to all the devices in the data center.

在一种具体实施方式中,还包括:In a specific embodiment, it also includes:

第一设备处理目标信息,获得处理结果,利用第二通信密钥加密处理结果,获得结果密文,将结果密文发送至第二设备,以使第二设备利用第二通信密钥解密结果密文,获得处理结果;The first device processes the target information, obtains the processing result, encrypts the processing result with the second communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the second device, so that the second device uses the second communication key to decrypt the result ciphertext. text, get the processing result;

or

第二设备处理目标信息,获得处理结果,利用第一通信密钥加密处理结果,获得结果密文,将结果密文发送至第一设备,以使第一设备或第二设备利用第一通信密钥解密结果密文,获得处理结果。The second device processes the target information, obtains the processing result, encrypts the processing result with the first communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the first device, so that the first device or the second device can use the first communication key to encrypt the processing result. Decrypt the resulting ciphertext with the key to obtain the processing result.

在一种具体实施方式中,若第一设备和第二设备通信结束,则第一设备和第二设备删除对方的通信密钥和身份密钥证书。一个可信根中,除了身份密钥,每次创建的密钥都是不一样的,所以通信一次创建一次,用完就释放,可以提高安全性。In a specific implementation manner, if the communication between the first device and the second device ends, the first device and the second device delete each other's communication key and identity key certificate. In a trusted root, in addition to the identity key, the keys created each time are different, so the communication is created once and released when it is used up, which can improve security.

可见,在本申请实施例中,数据中心中的第一设备和第二设备均由设备身份认证中心进行了身份认证,并为其签发了公钥证书和相应的身份密钥证书,因此第一设备和第二设备的身份安全性得到了保障,也提高了数据中心的安全性。在第一设备和第二设备通信之前,二者进行了相互的身份认证,即第一设备利用预先存储的公钥证书验证第二身份密钥证书,第二设备利用预先存储的公钥证书验证第一身份密钥证书,故而可再次确保即将要通信的第一设备和第二设备的身份安全性。在第一设备和第二设备相互进行身份认证通过后,二者交换通信密钥,因此可利用对方的通信密钥加密传输信息进行发送,从而使得数据在传输过程中保持加密状态,提高通信数据的安全性。It can be seen that in the embodiment of the present application, the identity authentication of the first device and the second device in the data center is performed by the device identity authentication center, and a public key certificate and a corresponding identity key certificate are issued for them. The identity security of the device and the second device is guaranteed, and the security of the data center is also improved. Before the first device and the second device communicate, they perform mutual identity authentication, that is, the first device uses the pre-stored public key certificate to verify the second identity key certificate, and the second device uses the pre-stored public key certificate to verify The first identity key certificate, so the identity security of the first device and the second device to be communicated can be ensured again. After the first device and the second device pass the mutual authentication, they exchange the communication key, so the communication key of the other party can be used to encrypt the transmission information for transmission, so that the data is kept encrypted during the transmission process, and the communication data is improved. security.

参见图2所示,本申请实施例公开了第二种通信方法,包括:Referring to FIG. 2 , an embodiment of the present application discloses a second communication method, including:

S201、设备身份认证中心认证设备身份。S201. The device identity authentication center authenticates the device identity.

请参见图3,S201具体包括:Please refer to Figure 3, S201 specifically includes:

A、设备向设备身份认证中心请求身份密钥证书:设备将自身身份密钥的公钥发送至设备身份认证中心(Certificate Authority,CA),设备身份认证中心为其签发身份密钥证书(Identity Certificate,IDC)和公钥证书(Certificate Authority Certificate,CAC)。其中,身份密钥证书由CA的私钥签名设备的公钥生成,故IDC中包括设备的公钥。公钥证书中包括CA的公钥,因此公钥证书可用于验证身份密钥证书,即用公钥证书中的公钥验证身份密钥证书。A. The device requests an identity key certificate from the device identity certification center: the device sends the public key of its own identity key to the device identity certification center (Certificate Authority, CA), and the device identity certification center issues an identity key certificate for it. , IDC) and public key certificate (Certificate Authority Certificate, CAC). The identity key certificate is generated by the CA's private key to sign the device's public key, so the IDC includes the device's public key. The public key certificate includes the public key of the CA, so the public key certificate can be used to verify the identity key certificate, that is, the public key in the public key certificate is used to verify the identity key certificate.

B、验证设备请求的公钥证书:设备将CA为其签发的IDC和CAC存储在自身中的可信根中,通过TPM2_NvRead指令读取可信根中的CAC,若读取的CAC与CA中记录的相应CAC相同,则CAC验证通过。B. Verify the public key certificate requested by the device: The device stores the IDC and CAC issued by the CA for it in its own trusted root, and reads the CAC in the trusted root through the TPM2_NvRead command. If the corresponding CACs recorded are the same, the CAC verification is passed.

C、验证设备请求的身份密钥证书:通过TPM2_NvRead指令读取可信根中的IDC和CAC,用CAC验证IDC,若验证通过,则IDC无误。C. Verify the identity key certificate requested by the device: read the IDC and CAC in the trusted root through the TPM2_NvRead command, and use the CAC to verify the IDC. If the verification is passed, the IDC is correct.

其中,可信根(如TPM2.0)是设备中的硬件芯片,设置初始状态时,可信根中无信息。设备自身的身份密钥、IDC和CAC均存储在可信根的非易失空间中。设备中的可信根存储CAC可以提高后续设备间互相认证的效率。设备内置CAC后,每次设备间的认证只需读取设备中的CAC即可,无需向CA申请CAC。Among them, the root of trust (such as TPM2.0) is a hardware chip in the device. When the initial state is set, there is no information in the root of trust. The device's own identity key, IDC and CAC are all stored in the non-volatile space of the root of trust. The trusted root storage CAC in the device can improve the efficiency of mutual authentication between subsequent devices. After the device has built-in CAC, you only need to read the CAC in the device for each authentication between devices, and there is no need to apply for a CAC to the CA.

其中,设备自身的身份密钥(Identity Key,IDK)包括公钥和私钥。公钥用于去CA请求IDC和CAC,私钥自己留存。The identity key (Identity Key, IDK) of the device itself includes a public key and a private key. The public key is used to request the IDC and CAC from the CA, and the private key is kept by itself.

需要说明的是,由同一个CA验证过身份的不同设备中存储的CAC相同。由CA验证过身份的各个设备的结构图可参见图4。在图4中,OS(Operating System)为操作系统,HW(Hardware)为设备硬件,TPM(Trusted Platform Module,可信平台模块)指国外的可信根规范。It should be noted that the CACs stored in different devices whose identity has been verified by the same CA are the same. See Figure 4 for the structure diagram of each device whose identity has been verified by the CA. In FIG. 4 , OS (Operating System) is an operating system, HW (Hardware) is device hardware, and TPM (Trusted Platform Module, Trusted Platform Module) refers to a foreign trusted root specification.

具体的,CA认证设备的结构图可参见图5,图5中的CA证书指CAC。Specifically, for the structure diagram of the CA authentication device, please refer to FIG. 5 , and the CA certificate in FIG. 5 refers to the CAC.

S202、设备接入数据中心,与数据中心中的任一个需要通信的设备进行互相认证。S202, the device is connected to the data center, and performs mutual authentication with any device in the data center that needs to communicate.

请参见图6,假设接入数据中心的设备A要与数据中心中的原有设备B进行通信,其中,设备B的IDC简写为IDC_B,设备A的IDC简写为IDC_A,那么S202具体包括:Please refer to FIG. 6 , assuming that the device A accessing the data center needs to communicate with the original device B in the data center, wherein the IDC of device B is abbreviated as IDC_B, and the IDC of device A is abbreviated as IDC_A, then S202 specifically includes:

A、设备A向设备B发起认证请求,设备B获取该请求后,将自身的IDC_B发送给设备A。A. Device A initiates an authentication request to device B, and device B sends its own IDC_B to device A after acquiring the request.

B、设备A读取自身可信根中的CAC,使用其中的公钥验签IDC_B,验签通过,则意味着设备B是经过身份认证的设备,随后,设备A将自身的IDC_A发送给设备B。B. Device A reads the CAC in its own root of trust, and uses the public key in it to verify the signature of IDC_B. If the verification is passed, it means that device B is an authenticated device. Then, device A sends its own IDC_A to the device. B.

C、设备B读取自身可信根中的CAC,使用其中的公钥验签IDC_A,验签通过,则意味着设备A是经过身份认证的设备。C. Device B reads the CAC in its own root of trust, and uses the public key in it to verify the signature of IDC_A. If the signature is passed, it means that device A is an authenticated device.

此时设备B可以直接发起通信密钥交换流程,也可以给设备A返回身份认证流程已完成的通知消息,让设备A发起通信密钥交换流程。At this time, device B can directly initiate the communication key exchange process, or can return a notification message to device A that the identity authentication process has been completed, so that device A can initiate the communication key exchange process.

具体的,不同设备互相认证的结构图可参见图7。Specifically, for a structural diagram of mutual authentication between different devices, please refer to FIG. 7 .

S203、相互完成认证的两个设备交换通信密钥,进行数据通信。S203 , the two devices that have completed mutual authentication exchange communication keys to perform data communication.

请参见图8,通信密钥交换流程如下:Please refer to Figure 8, the communication key exchange process is as follows:

A、设备A利用自身可信根创建通信密钥(包括公钥Key_A1和私钥Key_A2),使用IDC_B中的公钥(即设备B的身份密钥的公钥)加密Key_A1,将密文传输给设备B。通信密钥可通过TPM2_Create指令创建。通过TPM2_ReadPublic可获取该密钥的公钥Key_A1。TPM2_ReadPublic是TPM2.0读取公钥的命令,是TPM2.0标准定义的。TPM2_Create是TPM2.0创建密钥的命令,是TPM2.0标准定义的。A. Device A uses its own root of trust to create a communication key (including public key Key_A1 and private key Key_A2), uses the public key in IDC_B (that is, the public key of device B's identity key) to encrypt Key_A1, and transmits the ciphertext to device B. Communication keys can be created with the TPM2_Create command. The public key Key_A1 of the key can be obtained through TPM2_ReadPublic. TPM2_ReadPublic is the command for TPM2.0 to read the public key, which is defined by the TPM2.0 standard. TPM2_Create is a command for TPM2.0 to create a key, which is defined by the TPM2.0 standard.

B、设备B用自己的身份密钥的私钥解密收到的密文,得到Key_A1,并利用可信根创建通信密钥(包括公钥Key_B1和私钥Key_B2),使用IDC_A中的公钥(即设备A的身份密钥的公钥)加密Key_B1,将密文传输给设备A。可以通过PM2_LoadExternal加载Key_A1至设备B的可信根(如TPM2.0芯片)中。B. Device B decrypts the received ciphertext with the private key of its own identity key, obtains Key_A1, and uses the trusted root to create a communication key (including public key Key_B1 and private key Key_B2), using the public key in IDC_A ( That is, the public key of the identity key of device A) encrypts Key_B1, and transmits the ciphertext to device A. Key_A1 can be loaded into the trusted root of device B (such as TPM2.0 chip) through PM2_LoadExternal.

C、设备A自己的身份密钥的私钥解密收到的密文,得到Key_B1。C. The private key of device A's own identity key decrypts the received ciphertext to obtain Key_B1.

若设备A向设备B发送信息,则设备A使用Key_B1加密数据,设备B收到密文后,使用Key_B2解密。若设备B向设备A发送信息,则设备B使用Key_A1加密数据,设备A收到密文后,使用Key_A2解密。其中,发送方使用TPM2_RSAEncrypt指令发送,接收方使用TPM2_RSADecrypt指令接收。If device A sends information to device B, device A uses Key_B1 to encrypt the data, and after device B receives the ciphertext, it decrypts it using Key_B2. If device B sends information to device A, device B uses Key_A1 to encrypt the data, and after device A receives the ciphertext, it decrypts it using Key_A2. Among them, the sender uses the TPM2_RSAEncrypt command to send, and the receiver uses the TPM2_RSADecrypt command to receive.

具体的,不同设备交换通信密钥的结构图可参见图9。Specifically, for a structural diagram of different devices exchanging communication keys, please refer to FIG. 9 .

可见,本实施例先让设备在通信前相互验证各自的身份,确保通信的双方是由数据中心认证的设备,认证通过后,创建通信会话,基于双方的身份信息加密通信数据,提高了设备间传输数据的安全性。It can be seen that in this embodiment, the devices firstly verify their identities before communicating to ensure that both parties in the communication are devices authenticated by the data center. After the authentication is passed, a communication session is created, and the communication data is encrypted based on the identity information of the two parties. Security of transmitted data.

下面对本申请实施例提供的一种通信系统进行介绍,下文描述的一种通信系统与上文描述的一种通信方法可以相互参照。A communication system provided by an embodiment of the present application is introduced below, and a communication system described below and a communication method described above may be referred to each other.

本申请实施例公开了一种通信系统,包括:数据中心中的第一设备和第二设备,第二设备为数据中心中除第一设备以外的其他设备,其中:An embodiment of the present application discloses a communication system, including: a first device and a second device in a data center, where the second device is another device in the data center except the first device, wherein:

第一设备,用于发送认证请求至第二设备,以使第二设备发送自身的第二身份密钥证书至第一设备;the first device, configured to send an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device;

第一设备,用于利用预先存储的公钥证书验证第二身份密钥证书通过后,存储第二身份密钥证书,并发送自身的第一身份密钥证书至第二设备,以使第二设备利用预先存储的公钥证书验证第一身份密钥证书通过后,存储第一身份密钥证书;The first device is configured to use the pre-stored public key certificate to verify that the second identity key certificate passes, store the second identity key certificate, and send its own first identity key certificate to the second device, so that the second identity key certificate is passed. After the device uses the pre-stored public key certificate to verify that the first identity key certificate is passed, the device stores the first identity key certificate;

第一设备和第二设备互相获取对方的通信密钥;The first device and the second device obtain each other's communication key;

第一设备或第二设备,用于利用对方的通信密钥加密目标信息,获得信息密文,并将信息密文发送至对方,以使对方利用自身的通信密钥解密信息密文,获得目标信息;The first device or the second device is used to encrypt the target information with the communication key of the other party, obtain the information ciphertext, and send the information ciphertext to the other party, so that the other party can use its own communication key to decrypt the information ciphertext and obtain the target information. information;

其中,公钥证书、第一身份密钥证书和第二身份密钥证书由设备身份认证中心签发给第一设备和第二设备。The public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by the device identity authentication center.

在一种具体实施方式中,具体的:In a specific embodiment, specifically:

第二设备利用自身中的可信根创建第二通信密钥并存储,发送第二密文至第一设备,第二密文为第二通信密钥中的第二公钥的密文;The second device uses the root of trust in itself to create and store the second communication key, and sends the second ciphertext to the first device, where the second ciphertext is the ciphertext of the second public key in the second communication key;

第一设备解密第二密文,获得第二公钥并存储,利用自身中的可信根创建第一通信密钥并存储,发送第一密文至第二设备,以使第二设备解密第一密文,获得第一公钥并存储;第一密文为第一通信密钥中的第一公钥的密文。The first device decrypts the second ciphertext, obtains and stores the second public key, uses the root of trust in itself to create and stores the first communication key, and sends the first ciphertext to the second device, so that the second device decrypts the first ciphertext. A ciphertext, the first public key is obtained and stored; the first ciphertext is the ciphertext of the first public key in the first communication key.

在一种具体实施方式中,具体的:In a specific embodiment, specifically:

第二设备利用自身中的可信根创建第二密钥参数并存储,发送第二密钥参数的第二密文至第一设备;The second device uses the root of trust in itself to create and store the second key parameter, and sends the second ciphertext of the second key parameter to the first device;

第一设备解密第二密文,获得第二密钥参数并存储,利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,以使第二设备解密第一密文,获得第一密钥参数并存储;The first device decrypts the second ciphertext, obtains and stores the second key parameter, uses the root of trust in itself to create the first key parameter and stores it, and sends the first ciphertext of the first key parameter to the second device, so that the second device decrypts the first ciphertext, obtains the first key parameter and stores it;

第一设备或第二设备根据第一密钥参数和第二密钥参数生成第二通信密钥和第一通信密钥。The first device or the second device generates the second communication key and the first communication key according to the first key parameter and the second key parameter.

在一种具体实施方式中,还包括:In a specific embodiment, it also includes:

第一设备处理目标信息,获得处理结果,利用第二通信密钥加密处理结果,获得结果密文,将结果密文发送至第二设备,以使第二设备利用第二通信密钥解密结果密文,获得处理结果;The first device processes the target information, obtains the processing result, encrypts the processing result with the second communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the second device, so that the second device uses the second communication key to decrypt the result ciphertext. text, get the processing result;

or

第二设备处理目标信息,获得处理结果,利用第一通信密钥加密处理结果,获得结果密文,将结果密文发送至第一设备,以使第一设备或第二设备利用第一通信密钥解密结果密文,获得处理结果。The second device processes the target information, obtains the processing result, encrypts the processing result with the first communication key, obtains the resulting ciphertext, and sends the resulting ciphertext to the first device, so that the first device or the second device can use the first communication key to encrypt the processing result. Decrypt the resulting ciphertext with the key to obtain the processing result.

在一种具体实施方式中,具体的:In a specific embodiment, specifically:

第二设备利用自身中的可信根生成第二密钥参数并存储,第二密钥参数包括:第二随机数、素数、素数的原根以及第二目标参数,利用公钥证书中的公钥加密第二密钥参数,获得第二密文,将第二密文发送至第一设备;The second device uses the trusted root in itself to generate and store the second key parameter. The second key parameter includes: the second random number, the prime number, the original root of the prime number, and the second target parameter. Using the public key in the public key certificate encrypt the second key parameter with the key, obtain the second ciphertext, and send the second ciphertext to the first device;

其中,第二随机数、素数、原根以及第二目标参数之间的关系为:Ya=gamodp,Ya为第二目标参数,g为原根,a为第二随机数,p为素数。Among them, the relationship between the second random number, the prime number, the original root and the second target parameter is: Y a =g a modp, Y a is the second target parameter, g is the original root, a is the second random number, p is a prime number.

在一种具体实施方式中,第一设备利用自身中的可信根创建第一密钥参数并存储,发送第一密钥参数的第一密文至第二设备,包括:In a specific implementation manner, the first device uses the root of trust in itself to create and store the first key parameter, and sends the first ciphertext of the first key parameter to the second device, including:

第一设备利用自身中的可信根创建第一密钥参数,第一密钥参数包括:第一随机数和第一目标参数,利用公钥证书中的公钥加密第一密钥参数,获得第一密文,将第一密文发送至第二设备;The first device uses the trusted root in itself to create a first key parameter, the first key parameter includes: a first random number and a first target parameter, encrypts the first key parameter with the public key in the public key certificate, and obtains the first ciphertext, sending the first ciphertext to the second device;

其中,第一随机数、第一目标参数、素数以及原根之间的关系为:Yb=gbmodp,Yb为第一目标参数,b为第一随机数,g为原根,p为素数。Among them, the relationship between the first random number, the first target parameter, the prime number and the original root is: Y b =g b modp, Y b is the first target parameter, b is the first random number, g is the original root, p is a prime number.

在一种具体实施方式中,第一设备或第二设备按照目标公式生成第一通信密钥和第二通信密钥;目标公式为:In a specific embodiment, the first device or the second device generates the first communication key and the second communication key according to the target formula; the target formula is:

Figure BDA0002514259210000131
Figure BDA0002514259210000131

其中,Kb为第一通信密钥,Ka为第二通信密钥,Yb为第一目标参数,Ya为第二目标参数,b为第一随机数,a为第二随机数,g为原根,p为素数。Wherein, K b is the first communication key, Ka is the second communication key, Y b is the first target parameter, Y a is the second target parameter, b is the first random number, a is the second random number, g is the primitive root and p is the prime number.

在一种具体实施方式中,还包括:In a specific embodiment, it also includes:

若第一设备和第二设备通信结束,则第一设备和第二设备删除对方的通信密钥和身份密钥证书。If the communication between the first device and the second device ends, the first device and the second device delete each other's communication key and identity key certificate.

在一种具体实施方式中,设备身份认证中心给数据中心中的所有设备签发有公钥证书和设备身份密钥对应的身份密钥证书。In a specific embodiment, the device identity authentication center issues all devices in the data center with a public key certificate and an identity key certificate corresponding to the device identity key.

其中,关于本实施例中各个模块、单元更加具体的工作过程可以参考前述实施例中公开的相应内容,在此不再进行赘述。For the more specific working process of each module and unit in this embodiment, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.

可见,在两个设备通信前,设备先相互验证各自的身份,确保通信的双方是由数据中心认证的设备,认证通过后,创建通信会话,基于双方的身份信息加密通信数据,提高了设备间传输数据的安全性。It can be seen that before the two devices communicate with each other, the devices first verify their identities to ensure that both parties of the communication are devices authenticated by the data center. After the authentication is passed, a communication session is created, and the communication data is encrypted based on the identity information of the two parties. Security of transmitted data.

下面对本申请实施例提供的一种通信设备进行介绍,下文描述的一种通信设备与上文描述的一种通信方法及系统可以相互参照。The following describes a communication device provided by an embodiment of the present application. A communication device described below and a communication method and system described above can be referred to each other.

参见图10所示,本申请实施例公开了一种通信设备,包括:Referring to FIG. 10 , an embodiment of the present application discloses a communication device, including:

存储器1001,用于保存计算机程序;a memory 1001 for storing computer programs;

处理器1002,用于执行所述计算机程序,以实现上述任意实施例公开的方法。The processor 1002 is configured to execute the computer program to implement the method disclosed in any of the foregoing embodiments.

下面对本申请实施例提供的一种可读存储介质进行介绍,下文描述的一种可读存储介质与上文描述的一种通信方法、系统及设备可以相互参照。A readable storage medium provided by an embodiment of the present application is introduced below. A readable storage medium described below and a communication method, system, and device described above can be referred to each other.

一种可读存储介质,用于保存计算机程序,其中,所述计算机程序被处理器执行时实现前述实施例公开的通信方法。关于该方法的具体步骤可以参考前述实施例中公开的相应内容,在此不再进行赘述。A readable storage medium for storing a computer program, wherein the computer program implements the communication methods disclosed in the foregoing embodiments when executed by a processor. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.

本申请涉及的“第一”、“第二”、“第三”、“第四”等(如果存在)是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的实施例能够以除了在这里图示或描述的内容以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法或设备固有的其它步骤或单元。References in this application to "first", "second", "third", "fourth", etc. (if any) are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It is to be understood that data so used may be interchanged under appropriate circumstances so that the embodiments described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover non-exclusive inclusion, for example, a process, method or apparatus comprising a series of steps or elements is not necessarily limited to those steps or elements expressly listed , but may include other steps or elements not expressly listed or inherent to these processes, methods or apparatus.

需要说明的是,在本申请中涉及“第一”、“第二”等的描述仅用于描述目的,而不能理解为指示或暗示其相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”的特征可以明示或者隐含地包括至少一个该特征。另外,各个实施例之间的技术方案可以相互结合,但是必须是以本领域普通技术人员能够实现为基础,当技术方案的结合出现相互矛盾或无法实现时应当认为这种技术方案的结合不存在,也不在本申请要求的保护范围之内。It should be noted that the descriptions involving "first", "second", etc. in this application are only for the purpose of description, and should not be construed as indicating or implying their relative importance or implying the number of indicated technical features . Thus, a feature delimited with "first", "second" may expressly or implicitly include at least one of that feature. In addition, the technical solutions between the various embodiments can be combined with each other, but must be based on the realization by those of ordinary skill in the art. When the combination of technical solutions is contradictory or cannot be realized, it should be considered that the combination of such technical solutions does not exist. , is not within the scope of protection claimed in this application.

本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其它实施例的不同之处,各个实施例之间相同或相似部分互相参见即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments may be referred to each other.

结合本文中所公开的实施例描述的方法或算法的步骤可以直接用硬件、处理器执行的软件模块,或者二者的结合来实施。软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的可读存储介质中。The steps of a method or algorithm described in conjunction with the embodiments disclosed herein may be directly implemented in hardware, a software module executed by a processor, or a combination of the two. A software module can be placed in random access memory (RAM), internal memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other in the technical field. in any other form of readable storage medium that is well known.

本文中应用了具体个例对本申请的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本申请的方法及其核心思想;同时,对于本领域的一般技术人员,依据本申请的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本申请的限制。The principles and implementations of the present application are described herein by using specific examples. The descriptions of the above embodiments are only used to help understand the methods and core ideas of the present application. There will be changes in the specific implementation and application scope. To sum up, the content of this specification should not be construed as a limitation to the application.

Claims (10)

1.一种通信方法,其特征在于,包括:1. a communication method, is characterized in that, comprises: 数据中心中的第一设备发送认证请求至第二设备,以使所述第二设备发送自身的第二身份密钥证书至所述第一设备;所述第二设备为所述数据中心中除所述第一设备以外的其他设备;The first device in the data center sends an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device; the second device is the device in the data center. other devices than the first device; 所述第一设备利用预先存储的公钥证书验证所述第二身份密钥证书通过后,存储所述第二身份密钥证书,并发送自身的第一身份密钥证书至所述第二设备,以使所述第二设备利用预先存储的所述公钥证书验证所述第一身份密钥证书通过后,存储所述第一身份密钥证书;After the first device uses the pre-stored public key certificate to verify that the second identity key certificate passes, stores the second identity key certificate, and sends its own first identity key certificate to the second device , so that the second device uses the pre-stored public key certificate to verify that the first identity key certificate passes, and then stores the first identity key certificate; 所述第一设备和所述第二设备互相获取对方的通信密钥;The first device and the second device obtain each other's communication key; 所述第一设备或所述第二设备利用对方的通信密钥加密目标信息,获得信息密文,并将所述信息密文发送至对方,以使对方利用自身的通信密钥解密所述信息密文,获得所述目标信息;The first device or the second device encrypts the target information with the communication key of the counterparty, obtains the ciphertext of the information, and sends the ciphertext of the information to the counterparty, so that the counterparty decrypts the information with its own communication key cipher text to obtain the target information; 其中,所述公钥证书、所述第一身份密钥证书和所述第二身份密钥证书由设备身份认证中心签发给所述第一设备和所述第二设备。Wherein, the public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by a device identity authentication center. 2.根据权利要求1所述的通信方法,其特征在于,所述第一设备和所述第二设备互相获取对方的通信密钥,包括:2. The communication method according to claim 1, wherein the first device and the second device obtain each other's communication key from each other, comprising: 所述第二设备利用自身中的可信根创建第二通信密钥并存储,发送第二密文至所述第一设备,所述第二密文为所述第二通信密钥中的第二公钥的密文;The second device uses the root of trust in itself to create and store a second communication key, and sends a second ciphertext to the first device, where the second ciphertext is the first key in the second communication key. The ciphertext of the second public key; 所述第一设备解密所述第二密文,获得所述第二公钥并存储,利用自身中的可信根创建第一通信密钥并存储,发送第一密文至所述第二设备,以使所述第二设备解密所述第一密文,获得第一公钥并存储;所述第一密文为所述第一通信密钥中的第一公钥的密文。The first device decrypts the second ciphertext, obtains the second public key and stores it, uses the root of trust in itself to create a first communication key and stores it, and sends the first ciphertext to the second device , so that the second device decrypts the first ciphertext, obtains and stores the first public key; the first ciphertext is the ciphertext of the first public key in the first communication key. 3.根据权利要求1所述的通信方法,其特征在于,所述第一设备和所述第二设备互相获取对方的通信密钥,包括:3. The communication method according to claim 1, wherein the first device and the second device obtain each other's communication key from each other, comprising: 所述第二设备利用自身中的可信根创建第二密钥参数并存储,发送所述第二密钥参数的第二密文至所述第一设备;The second device uses the root of trust in itself to create and store a second key parameter, and sends the second ciphertext of the second key parameter to the first device; 所述第一设备解密所述第二密文,获得所述第二密钥参数并存储,利用自身中的可信根创建第一密钥参数并存储,发送所述第一密钥参数的第一密文至所述第二设备,以使所述第二设备解密所述第一密文,获得所述第一密钥参数并存储;The first device decrypts the second ciphertext, obtains and stores the second key parameter, uses the root of trust in itself to create the first key parameter and stores it, and sends the first key parameter of the first key parameter. Send a ciphertext to the second device, so that the second device decrypts the first ciphertext, obtains the first key parameter and stores it; 所述第一设备或所述第二设备根据所述第一密钥参数和所述第二密钥参数生成所述第二通信密钥和所述第一通信密钥。The first device or the second device generates the second communication key and the first communication key according to the first key parameter and the second key parameter. 4.根据权利要求3所述的通信方法,其特征在于,所述第二设备利用自身中的可信根创建第二密钥参数并存储,发送所述第二密钥参数的第二密文至所述第一设备,包括:4. The communication method according to claim 3, wherein the second device uses the root of trust in itself to create and store a second key parameter, and sends the second ciphertext of the second key parameter to the first device, including: 所述第二设备利用自身中的可信根生成所述第二密钥参数并存储,所述第二密钥参数包括:第二随机数、素数、素数的原根以及第二目标参数,利用所述公钥证书中的公钥加密所述第二密钥参数,获得所述第二密文,将所述第二密文发送至所述第一设备;The second device uses the trusted root in itself to generate and store the second key parameter, where the second key parameter includes: a second random number, a prime number, the original root of the prime number, and a second target parameter. The public key in the public key certificate encrypts the second key parameter, obtains the second ciphertext, and sends the second ciphertext to the first device; 其中,所述第二随机数、所述素数、所述原根以及所述第二目标参数之间的关系为:Ya=gamodp,Ya为所述第二目标参数,g为所述原根,a为所述第二随机数,p为所述素数。Wherein, the relationship between the second random number, the prime number, the original root and the second target parameter is: Y a =g a modp, Y a is the second target parameter, and g is the The primitive root, a is the second random number, and p is the prime number. 5.根据权利要求4所述的通信方法,其特征在于,所述第一设备利用自身中的可信根创建第一密钥参数并存储,发送所述第一密钥参数的第一密文至所述第二设备,包括:5 . The communication method according to claim 4 , wherein the first device uses the root of trust in itself to create and store a first key parameter, and sends the first ciphertext of the first key parameter. 6 . to the second device, comprising: 所述第一设备利用自身中的可信根创建所述第一密钥参数,所述第一密钥参数包括:第一随机数和第一目标参数,利用所述公钥证书中的公钥加密所述第一密钥参数,获得所述第一密文,将所述第一密文发送至所述第二设备;The first device uses the trusted root in itself to create the first key parameter, the first key parameter includes: a first random number and a first target parameter, and uses the public key in the public key certificate encrypting the first key parameter, obtaining the first ciphertext, and sending the first ciphertext to the second device; 其中,所述第一随机数、所述第一目标参数、所述素数以及所述原根之间的关系为:Yb=gbmodp,Yb为所述第一目标参数,b为所述第一随机数,g为所述原根,p为所述素数。The relationship among the first random number, the first target parameter, the prime number and the original root is: Y b =g b modp, Y b is the first target parameter, and b is the the first random number, g is the primitive root, and p is the prime number. 6.根据权利要求5所述的通信方法,其特征在于,所述第一设备或所述第二设备按照目标公式生成所述第一通信密钥和所述第二通信密钥;所述目标公式为:6. The communication method according to claim 5, wherein the first device or the second device generates the first communication key and the second communication key according to a target formula; the target The formula is:
Figure FDA0002514259200000031
Figure FDA0002514259200000031
 其中,Kb为所述第一通信密钥,Ka为所述第二通信密钥,Yb为所述第一目标参数,Ya为所述第二目标参数,b为所述第一随机数,a为所述第二随机数,g为所述原根,p为所述素数。Wherein, K b is the first communication key, Ka is the second communication key, Y b is the first target parameter, Y a is the second target parameter, and b is the first A random number, a is the second random number, g is the primitive root, and p is the prime number. 7.根据权利要求1-6任意一项所述的通信方法,其特征在于,还包括:7. The communication method according to any one of claims 1-6, characterized in that, further comprising: 若所述第一设备和所述第二设备通信结束,则所述第一设备和所述第二设备删除对方的通信密钥和身份密钥证书。If the communication between the first device and the second device ends, the first device and the second device delete each other's communication key and identity key certificate. 8.一种通信系统,其特征在于,包括:所述数据中心中的第一设备和第二设备,所述第二设备为所述数据中心中除所述第一设备以外的其他设备,其中:8. A communication system, comprising: a first device and a second device in the data center, the second device being another device in the data center except the first device, wherein : 所述第一设备,用于发送认证请求至所述第二设备,以使所述第二设备发送自身的第二身份密钥证书至所述第一设备;the first device, configured to send an authentication request to the second device, so that the second device sends its own second identity key certificate to the first device; 所述第一设备,用于利用预先存储的公钥证书验证所述第二身份密钥证书通过后,存储所述第二身份密钥证书,并发送自身的第一身份密钥证书至所述第二设备,以使所述第二设备利用预先存储的所述公钥证书验证所述第一身份密钥证书通过后,存储所述第一身份密钥证书;The first device is configured to use a pre-stored public key certificate to verify that the second identity key certificate passes, store the second identity key certificate, and send its own first identity key certificate to the a second device, so that the second device uses the pre-stored public key certificate to verify that the first identity key certificate passes, and then stores the first identity key certificate; 所述第一设备和所述第二设备互相获取对方的通信密钥;The first device and the second device obtain each other's communication key; 所述第一设备或所述第二设备,用于利用对方的通信密钥加密目标信息,获得信息密文,并将所述信息密文发送至对方,以使对方利用自身的通信密钥解密所述信息密文,获得所述目标信息;The first device or the second device is used to encrypt the target information with the communication key of the other party, obtain the ciphertext of the information, and send the ciphertext of the information to the other party, so that the other party can decrypt it using its own communication key the information ciphertext to obtain the target information; 其中,所述公钥证书、所述第一身份密钥证书和所述第二身份密钥证书由设备身份认证中心签发给所述第一设备和所述第二设备。Wherein, the public key certificate, the first identity key certificate and the second identity key certificate are issued to the first device and the second device by a device identity authentication center. 9.一种通信设备,其特征在于,包括:9. A communication device, comprising: 存储器,用于存储计算机程序;memory for storing computer programs; 处理器,用于执行所述计算机程序,以实现如权利要求1至7任一项所述的通信方法。A processor for executing the computer program to implement the communication method according to any one of claims 1 to 7. 10.一种可读存储介质,其特征在于,用于保存计算机程序,其中,所述计算机程序被处理器执行时实现如权利要求1至7任一项所述的通信方法。10. A readable storage medium, characterized by being used for storing a computer program, wherein the computer program implements the communication method according to any one of claims 1 to 7 when the computer program is executed by a processor.
CN202010470870.0A 2020-05-28 2020-05-28 A communication method, system, device and readable storage medium Pending CN111600903A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010470870.0A CN111600903A (en) 2020-05-28 2020-05-28 A communication method, system, device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010470870.0A CN111600903A (en) 2020-05-28 2020-05-28 A communication method, system, device and readable storage medium

Publications (1)

Publication Number Publication Date
CN111600903A true CN111600903A (en) 2020-08-28

Family

ID=72184226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010470870.0A Pending CN111600903A (en) 2020-05-28 2020-05-28 A communication method, system, device and readable storage medium

Country Status (1)

Country Link
CN (1) CN111600903A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113392413A (en) * 2021-05-26 2021-09-14 亿次网联(杭州)科技有限公司 Data security storage method, device, system and storage medium
CN114491471A (en) * 2022-04-08 2022-05-13 季华实验室 Industrial task execution system and method based on data flow
CN117714066A (en) * 2023-12-11 2024-03-15 大唐高鸿信安(浙江)信息科技有限公司 Key processing method, device and readable storage medium
CN117834252A (en) * 2023-12-29 2024-04-05 福建联迪商用设备有限公司 Non-sensing authentication method and system for distributed devices

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010050990A1 (en) * 1997-02-19 2001-12-13 Frank Wells Sudia Method for initiating a stream-oriented encrypted communication
WO2004032413A1 (en) * 2002-09-24 2004-04-15 Laboratories For Information Technology A method of generating private keys
CN102882685A (en) * 2012-09-27 2013-01-16 东莞宇龙通信科技有限公司 Identity Authentication System and Method
CN105792193A (en) * 2016-02-26 2016-07-20 东南大学常州研究院 End-to-end encryption method for mobile terminal voice based on iOS operating system
CN106452736A (en) * 2016-08-12 2017-02-22 数安时代科技股份有限公司 Key negotiation method and system
CN107529167A (en) * 2016-06-21 2017-12-29 普天信息技术有限公司 A kind of authentication method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010050990A1 (en) * 1997-02-19 2001-12-13 Frank Wells Sudia Method for initiating a stream-oriented encrypted communication
WO2004032413A1 (en) * 2002-09-24 2004-04-15 Laboratories For Information Technology A method of generating private keys
CN102882685A (en) * 2012-09-27 2013-01-16 东莞宇龙通信科技有限公司 Identity Authentication System and Method
CN105792193A (en) * 2016-02-26 2016-07-20 东南大学常州研究院 End-to-end encryption method for mobile terminal voice based on iOS operating system
CN107529167A (en) * 2016-06-21 2017-12-29 普天信息技术有限公司 A kind of authentication method
CN106452736A (en) * 2016-08-12 2017-02-22 数安时代科技股份有限公司 Key negotiation method and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113392413A (en) * 2021-05-26 2021-09-14 亿次网联(杭州)科技有限公司 Data security storage method, device, system and storage medium
CN114491471A (en) * 2022-04-08 2022-05-13 季华实验室 Industrial task execution system and method based on data flow
CN117714066A (en) * 2023-12-11 2024-03-15 大唐高鸿信安(浙江)信息科技有限公司 Key processing method, device and readable storage medium
CN117714066B (en) * 2023-12-11 2024-05-28 大唐高鸿信安(浙江)信息科技有限公司 Key processing method, device and readable storage medium
CN117834252A (en) * 2023-12-29 2024-04-05 福建联迪商用设备有限公司 Non-sensing authentication method and system for distributed devices

Similar Documents

Publication Publication Date Title
US12225115B2 (en) Secure shared key establishment for peer to peer communications
CN111416807B (en) Data acquisition method, device and storage medium
CN110677240B (en) Method, device and medium for providing high-availability computing services through certificate issuance
CN107959567B (en) Data storage method, data acquisition method, device and system
US9887838B2 (en) Method and device for secure communications over a network using a hardware security engine
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US7526649B2 (en) Session key exchange
CN108737106B (en) User authentication method and device on block chain system, terminal equipment and storage medium
CN111654367B (en) Cryptographic operation, method for creating working key, cryptographic service platform and equipment
WO2021036183A1 (en) Method and apparatus for carrying out secure multi-party computation by means of certificate issuing
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
CN111917710A (en) PCI-E password card, key protection method thereof, and computer-readable storage medium
CN110932850B (en) Communication encryption method and system
CN111600903A (en) A communication method, system, device and readable storage medium
CN110912685B (en) Establishing a protected communication channel
EP4554142A1 (en) Securely generating and multi-party sharing of a root of trust in a clustered cryptosystem
CN119276505B (en) Identity authentication method, terminal device, identity authentication system and storage medium
CN114244502A (en) Signature key generation method and device based on SM9 algorithm and computer equipment
CN115801232A (en) Private key protection method, device, equipment and storage medium
CN114039753B (en) Access control method and device, storage medium and electronic equipment
CN115442136A (en) Application system access method and device
WO2021082222A1 (en) Communication method and apparatus, storage method and apparatus, and operation method and apparatus
JP2026505009A (en) Non-custodial technology for data encryption and decryption
CN107248997B (en) Authentication method based on smart card in multi-server environment
CN116599719A (en) User login authentication method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200828