
CN112671733A - Data communication method, key management system, device, and storage medium - Google Patents


Info

Publication number
CN112671733A
Authority
CN
China
Prior art keywords
data
key
request
response
ciphertext
Legal status
Pending
Application number
CN202011486200.4A
Other languages
Chinese (zh)
Inventor
王俊
Current Assignee
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202011486200.4A
Publication of CN112671733A
Priority to PCT/CN2021/090448 (WO2022126972A1)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of information security technologies, and in particular to a data communication method, a key management system, a device, and a storage medium. The data communication method comprises the steps of: obtaining a special key corresponding to a data requester; when the data requester initiates a data request, the proxy client encrypts the request message data with the special key to obtain ciphertext request data; when the service responder receives the data request, the proxy server decrypts the ciphertext request data with the special key to obtain plaintext request data, so that the service responder processes it according to preset service logic to obtain response message data; when the service responder responds to the data request, the proxy server encrypts the response message data with the special key to obtain ciphertext response data; and when the data requester receives the ciphertext response data, the proxy client decrypts it with the special key to obtain the plaintext response data. The method can effectively reduce the coupling degree of the service system. The invention also relates to the technical field of blockchains, and the special key can be stored in the blockchain.

Description

Data communication method, key management system, device, and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data communication method, a key management system, a device, and a storage medium.
Background
At present, data communication between the client and the server of an internet application is generally performed in an HTTP request / API service response manner. To prevent plaintext data of a user or the server from being hijacked and tampered with during data communication, the client and the server may agree on a data encryption scheme and transmit encrypted ciphertext data; but for different users, a situation where multiple users share one secret key for encryption and decryption usually occurs, so that security risks exist in data transmission between the client and the server. In addition, as the current encryption and decryption code is embedded into the client or the server in an intrusive manner, the existing system has too much non-service code, strong code intrusiveness, and a high coupling degree of the service system.
Disclosure of Invention
Embodiments of the present invention provide a data communication method, a key management system, a device, and a storage medium, so as to solve the problem of the high coupling degree of a service system caused by excessive non-service code and strong code intrusiveness in the existing system.
A data communication method is applied to a key management system, and the key management system comprises a proxy client and a proxy server; the proxy client is connected with the data requester, and the proxy server is connected with the service responder; the data communication method comprises the following steps:
acquiring a special key corresponding to a data requester;
when the data request party initiates a data request to a service response party, triggering the proxy client to encrypt request message data by using the special key to obtain ciphertext request data so that the data request party initiates a data request to the service response party based on the ciphertext request data;
when the service response party receives the data request, triggering the proxy server to decrypt the ciphertext request data by using the special key to obtain plaintext request data, so that the service response party processes the plaintext request data according to preset service logic to obtain response message data;
when the service responder responds to the data request, triggering the proxy server to encrypt response message data by adopting the special key to obtain ciphertext response data so as to return the ciphertext response data to the data requester;
and when the data request party receives the ciphertext response data, triggering the proxy client to decrypt the ciphertext response data by adopting the special key to obtain plaintext response data so as to complete data communication.
A key management system, comprising:
the special key acquisition module is used for acquiring a special key corresponding to the data requester;
the first encryption module is used for triggering the proxy client to encrypt request message data by adopting the special key to obtain ciphertext request data when the data request party initiates a data request to a service response party so as to enable the data request party to initiate a data request to the service response party based on the ciphertext request data;
the first decryption module is used for triggering the proxy server to decrypt the ciphertext request data by using the special key when the service response party receives the data request to obtain plaintext request data, so that the service response party processes the plaintext request data according to preset service logic to obtain response message data;
the second encryption module is used for triggering the proxy server to encrypt response message data by adopting the special key when the service responder responds to the data request to obtain ciphertext response data so as to return the ciphertext response data to the data requester;
and the second decryption module is used for triggering the proxy client to decrypt the ciphertext response data by adopting the special key when the data requester receives the ciphertext response data to obtain plaintext response data so as to complete data communication.
A computer storage medium, which stores a computer program that, when executed by a processor, implements the steps of the above-described data communication method.
In the data communication method, the key management system, the device and the storage medium, corresponding special keys are generated for different data requesters, so that when a data requester subsequently communicates with the service responder, its own special key is used for encryption and decryption; the situation where multiple users share a key during data communication is avoided, and the security of data communication between the client (the data requester) and the server (the service responder) is improved. Then, during data communication, when the data requester initiates a data request to the service responder, the proxy client is triggered to encrypt the request message data with the special key, or to decrypt ciphertext response data, and the proxy server is triggered to encrypt response message data with the special key, or to decrypt the ciphertext request data, so that the key encryption and decryption involved in the communication between the client and the server is extracted from the original service and arranged between the client and the server as an independent key management system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a diagram of an application environment of a data communication method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a data communication method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a data communication method according to an embodiment of the present invention;
FIG. 4 is a detailed flowchart of step S201 in FIG. 2;
FIG. 5 is a flow chart of a method of communicating data in accordance with an embodiment of the present invention;
FIG. 6 is a flow chart of a method of communicating data in accordance with an embodiment of the present invention;
FIG. 7 is a flow chart of a method of communicating data in accordance with an embodiment of the present invention;
FIG. 8 is a flow chart of a method of communicating data in accordance with an embodiment of the present invention;
FIG. 9 is a schematic diagram of a key management system in accordance with an embodiment of the present invention;
FIG. 10 is a schematic diagram of a computer device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The method can be applied to a key management system, wherein the key management system comprises a proxy client and a proxy server; the proxy client is connected with a data requester (namely, a client installed on a computer device), and the proxy server is connected with a service responder (namely, a server). The computer device communicates with the server through the key management system. The computer device may be, but is not limited to, various personal computers, laptops, smartphones, tablets, and portable wearable devices. The server may be implemented as a stand-alone server.
In one embodiment, as shown in fig. 2, there is provided a data communication method, comprising the steps of:
s201: and acquiring a special key corresponding to the data requester.
Specifically, the method can be applied to a key management system, the key management system is arranged between a client and a server, so that when data communication is carried out between the client and the server, a corresponding proxy client or a corresponding proxy server in the key management system is directly triggered to carry out encryption and decryption, non-service codes are reduced, and the coupling degree of a service system is reduced; meanwhile, the key management system can uniformly manage the private key of the user, and is convenient to maintain. The proxy client is used for connecting with a data request party so as to encrypt and decrypt data sent or received by the data request party. The proxy server is used for connecting the service responder to encrypt and decrypt data sent or received by the service responder. It should be noted that the agent money protection end may be implemented by a plug-in, and the agent service end is implemented by a plug-in or an interceptor.
Specifically, the key management system can generate corresponding private keys for different data requesters, so that when subsequent data communication is performed between the data requesters and the service responders, the private keys are used for encryption and decryption, the situation that multiple users share the keys during data communication is avoided, and the security of data communication between a client (the data requesters) and a server (the service responders) is improved.
It is emphasized that the object code may also be stored in a node of a block chain in order to further ensure the privacy and security of the private key.
S202: when the data requester initiates a data request to the service responder, the proxy client is triggered to encrypt the request message data with the special key to obtain ciphertext request data, so that the data requester initiates the data request to the service responder based on the ciphertext request data.
The request message data is the unencrypted message data corresponding to the data request. Specifically, when the data requester initiates a data request to the service responder, the proxy client encrypts the request message data to generate ciphertext request data, and the data request is then initiated to the service responder with that ciphertext.
S203: when the service responder receives the data request, the proxy server is triggered to decrypt the ciphertext request data with the special key to obtain plaintext request data, so that the service responder processes the plaintext request data according to preset service logic to obtain response message data.
The plaintext request data is the plaintext obtained by decrypting the ciphertext request data. The response message data is the unencrypted response data. Specifically, when the service responder receives the data request, the proxy server is triggered to decrypt the ciphertext request data with the special key to obtain plaintext request data, so that the service responder processes it according to preset service logic to obtain response message data.
S204: when the service responder responds to the data request, the proxy server is triggered to encrypt the response message data with the special key to obtain ciphertext response data, which is returned to the data requester.
Specifically, when the service responder responds to the data request, the proxy server is triggered to encrypt the response message data with the special key to obtain ciphertext response data, so as to return the ciphertext response data to the data requester.
S205: when the data requester receives the ciphertext response data, the proxy client is triggered to decrypt the ciphertext response data with the special key to obtain plaintext response data, completing the data communication.
The plaintext response data is the response data obtained by decrypting the ciphertext response data. Specifically, when the data requester receives the ciphertext response data returned by the service responder, the proxy client is triggered to decrypt it with the special key to obtain plaintext response data, completing the data communication.
As an embodiment, the overall process of data communication between a client and a server is described below in conjunction with the key management system of the method: first, the key management system generates a special key corresponding to the data requester according to a preset key generation rule; when the data requester initiates a data request to the service responder, before the request is sent, the proxy client is triggered to encrypt the request message data with the special key to obtain ciphertext request data, and the data request is initiated to the service responder based on that ciphertext; the service responder then receives the data request and triggers the proxy server to decrypt the ciphertext request data with the special key to obtain plaintext request data, so that the service responder processes it according to preset service logic to obtain response message data; then, before the service responder responds to the data request, the proxy server is triggered to encrypt the response message data with the special key to obtain ciphertext response data, which is returned to the data requester; finally, when the data requester receives the ciphertext response data, the proxy client is triggered to decrypt it with the special key to obtain plaintext response data, completing the data communication.
In this embodiment, corresponding special keys are generated for different data requesters, so that when a data requester subsequently communicates with the service responder, its own special key is used for encryption and decryption; the situation where multiple users share a key during data communication is avoided, and the security of data communication between the client (data requester) and the server (service responder) is improved. Then, during data communication, when the data requester initiates a data request to the service responder, the proxy client is triggered to encrypt request message data or decrypt ciphertext response data with the special key, and the proxy server is triggered to encrypt response message data or decrypt ciphertext request data with the special key, so that the key encryption and decryption involved in the interaction between the client and the server is extracted from the original service and arranged between the client and the server as an independent key management system.
In one embodiment, as shown in fig. 3, the method further comprises the steps of:
s301: and acquiring a special key corresponding to the data requester.
Specifically, step S301 is consistent with step S201, and is not described herein again to avoid repetition. Further, before generating the private key corresponding to the data requester, whether the user ID corresponding to the data requester is a blacklist ID may be further determined; and if the ID is not the blacklist ID, executing the step of generating the private key corresponding to the data requester. Specifically, by determining whether the user ID corresponding to the data requester of the data communication is in the blacklist, that is, the blacklist ID, if so, it is determined that a potential safety hazard may exist, and the private key corresponding to the data requester is not generated.
S302: generating an asymmetric key corresponding to a data requester by adopting an asymmetric encryption algorithm; the asymmetric key comprises a public key and a private key.
The asymmetric key is used to encrypt and decrypt the special key. The public key of the asymmetric key is used by the proxy client for encryption and decryption; the private key is used by the proxy server for encryption and decryption. The asymmetric encryption algorithm in this embodiment includes, but is not limited to, the RSA algorithm, the DSA algorithm, the ECC algorithm, and the DH algorithm, which is not limited herein.
It can be understood that the special key is a symmetric key, that is, the data requester and the service responder encrypt and decrypt with the same key; when the key at either end is leaked, a security risk arises, and encryption and decryption with the same special key would require different special keys to be generated repeatedly to avoid the risk, which increases the burden of key management. Therefore, in this embodiment, to solve the above problem, the special key is encrypted with the asymmetric key, so that the data requester and the service responder use different keys for encryption and decryption, and the security of the special key can be effectively improved.
It is emphasized that, to further ensure the privacy and security of the private key of the asymmetric key, that private key may also be stored in a node of a blockchain.
S303: when a data request party initiates a data request to a service responder, a trigger proxy client encrypts a special key by adopting a public key to obtain a first key; and encrypting the request message data by adopting the first key to obtain ciphertext request data so as to initiate a data request to the service responder based on the ciphertext request data.
S304: when the service response party receives the data request, triggering the proxy server to decrypt the first key by using the private key; and the trigger proxy server decrypts the ciphertext request data by using the decrypted special key to obtain plaintext request data, so that a server response party processes the plaintext request data according to preset service logic to obtain response message data.
S305: when the service responder responds to the data request, the proxy server is triggered to encrypt the special key by using the private key to obtain a second key; and encrypting the response message data by adopting a second key to obtain ciphertext response data, and returning the ciphertext response data to the data requester.
S306: when the data requester receives the ciphertext response data, the proxy client is triggered to decrypt the second key with the public key; and the ciphertext response data is decrypted with the decrypted special key to obtain plaintext response data, completing the data communication.
As another embodiment, the overall process of data communication between a client and a server is described below in conjunction with the key management system of this embodiment: when the data requester initiates a data request to the service responder, before the request is sent, the proxy client is triggered to encrypt the special key with the public key and to encrypt the request message data with the special key to obtain ciphertext request data, and the data request is initiated to the service responder based on that ciphertext; the service responder then receives the data request and triggers the proxy server to decrypt the encrypted special key with the private key; the proxy server is triggered to decrypt the ciphertext request data with the decrypted special key to obtain plaintext request data, so that the service responder processes it according to preset service logic to obtain response message data; before the service responder responds to the data request, the proxy server is triggered to encrypt the special key with the private key, and the response message data is encrypted with the special key to obtain ciphertext response data, which is returned to the data requester; finally, when the data requester receives the ciphertext response data, the proxy client is triggered to decrypt the encrypted special key with the public key, and the ciphertext response data is decrypted with the decrypted special key to obtain plaintext response data, completing the data communication.
In an embodiment, as shown in fig. 4, step S201 specifically includes the following steps:
s401: the key length of the private key is obtained.
The key length of the private key includes, but is not limited to, 128 bits or 256 bits, and may be configured according to actual requirements, which is not limited herein.
S402: a private key of a key length is generated based on the random number and specific information corresponding to the data requester.
The specific information is specific data that is corresponding to the data requesting party and can be used for proving the identity of the user, such as a user ID, a user role, and the like. Specifically, a special key with a fixed key length is generated by combining specific information with a random number, so that the special key is bound with the identity of a user, different users adopt different keys, multi-scene key requirements are met, and system safety is improved.
In one embodiment, as shown in fig. 5, the method further comprises:
s501: and configuring a first key validity period corresponding to the private key and a second key validity period of the asymmetric key.
S502: updating the private key according to the validity period of the first key; and updating the asymmetric key according to the validity period of the second key.
Wherein, the first key validity period and the second key validity period can be the same or different. Specifically, when the current date of the system is the first key validity period, step S302 may be repeatedly performed to update the private key corresponding to the data requestor; when the current date of the system is the validity period of the second key, step S202 may be repeatedly performed to update the asymmetric key corresponding to the data requestor.
In one embodiment, as shown in fig. 6, the method further comprises the steps of:
s601: the first key is stored in a first cache.
S602: and storing the second key in a second cache.
The first key is a private key which is corresponding to the data requester and is encrypted by a public key. The second key is a private key which is encrypted by a private key and corresponds to the service responder. The first cache is used for storing a first key corresponding to the data requester. The second cache is used for storing a second key corresponding to the service responder.
S603: when the data request party initiates a data request to the service response party again, the triggering proxy client side encrypts the request message data by adopting the cached first secret key to obtain ciphertext request data so as to initiate the data request to the service response party based on the ciphertext request data.
S604: when the service response party receives the data request, triggering the proxy server to decrypt the first key by using the private key; and the trigger proxy server decrypts the ciphertext request data by using the decrypted special key to obtain plaintext request data, so that a server response party processes the plaintext request data according to preset service logic to obtain response message data.
S605: when the service response party responds to the data request, the proxy server is triggered to encrypt the response message data by using the cached second key to obtain ciphertext response data, and the ciphertext response data is returned to the data request party.
S606: when the data requester receives the ciphertext response data, the proxy client is triggered to decrypt the second key with the public key; and the ciphertext response data is decrypted with the decrypted special key to obtain plaintext response data, completing the data communication.
It can be understood that after the special key has been encrypted with the public key to obtain the first key, and after the special key has been encrypted with the private key to obtain the second key, the first key or the second key may be cached, so that when the data requester subsequently communicates with the service responder, the first key or the second key can be read directly from the cache for encryption without repeating the step of encrypting the special key, thereby improving system performance.
In an embodiment, as shown in fig. 7, after step S505, the method further includes the following steps:
S701: when the special key is updated, clear the data in the first cache and the data in the second cache; or,
S702: when the asymmetric key is updated, clear the data in the first cache and the data in the second cache.
Specifically, after the special key or the asymmetric key is updated, the data in the first cache and the data in the second cache must be cleared at the same time, so that subsequent data communication is encrypted and decrypted with the updated key.
In one embodiment, as shown in fig. 8, the method further comprises the steps of:
S801: perform deduplication detection on the asymmetric key updated by the data requester.
S802: if the asymmetric key corresponding to the data requester is the same as the asymmetric key corresponding to another data requester, repeat step S302.
Specifically, in order to avoid the updated asymmetric key duplicating an asymmetric key corresponding to another data requester stored in the system, the updated asymmetric key may be subjected to deduplication after it is generated, so as to further improve key security.
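As an added example that is not code from the patent, the following Python model walks the special-key flow of steps S303 to S306 and S603 to S606 with the first and second caches, the cache clearing of S701/S702 and the deduplication check of S801/S802. Textbook RSA (so the example needs only the standard library) and an HMAC-based stream cipher with encrypt-then-MAC are stand-ins for the asymmetric and symmetric algorithms the patent leaves unspecified, and all class, function and parameter names are assumptions.

```python
import hashlib, hmac, math, secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test for odd n > 3 (constructed stand-in)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(cand): return cand

def generate_asymmetric_key(bits=512):
    """S302: returns (modulus n, public exponent e, private exponent d). Textbook RSA;
    a real deployment wraps the special key with a padded scheme such as RSA-OAEP."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def generate_special_key(requester_info, key_length=32):
    """Claim 3: special key of the given length from requester-specific info plus a random number."""
    random_number = secrets.token_bytes(32)
    return hashlib.shake_256(random_number + requester_info).digest(key_length)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):  # separate encryption and MAC keys derived from the special key
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"mac", hashlib.sha256).digest()

def encrypt_message(key, plaintext):
    """Message encryption under the special key: HMAC-CTR keystream, encrypt-then-MAC, nonce||ct||tag."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def decrypt_message(key, blob):
    ek, mk = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong or stale special key")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class KeyManagementSystem:
    """Shared proxy-client / proxy-server state for one data requester (assumed structure)."""
    def __init__(self, requester_info):
        self.requester_info = requester_info
        self.special_key = generate_special_key(requester_info)
        self.n, self.e, self.d = generate_asymmetric_key()
        self.first_cache = None   # S401: special key encrypted with the public key
        self.second_cache = None  # S402: special key encrypted with the private key
        self.wrap_operations = 0  # asymmetric operations actually performed
    def _wrap(self, exponent):
        self.wrap_operations += 1
        return pow(int.from_bytes(self.special_key, "big"), exponent, self.n)  # key < n
    def _unwrap(self, wrapped, exponent):
        m = pow(wrapped, exponent, self.n)
        if m >= 1 << (8 * len(self.special_key)):
            raise ValueError("key does not unwrap under the current asymmetric key")
        return m.to_bytes(len(self.special_key), "big")
    def client_request(self, message):  # S303/S603: a cache hit skips the wrap
        if self.first_cache is None:
            self.first_cache = self._wrap(self.e)
        return self.first_cache, encrypt_message(self.special_key, message)
    def server_receive(self, first_key, ciphertext):  # S304/S604: unwrap with the private key
        return decrypt_message(self._unwrap(first_key, self.d), ciphertext)
    def server_respond(self, message):  # S305/S605: second key wrapped with the private key
        if self.second_cache is None:
            self.second_cache = self._wrap(self.d)
        return self.second_cache, encrypt_message(self.special_key, message)
    def client_receive(self, second_key, ciphertext):  # S306/S606: unwrap with the public key
        return decrypt_message(self._unwrap(second_key, self.e), ciphertext)
    def update_special_key(self):  # S701: a rotated special key clears both caches
        self.special_key = generate_special_key(self.requester_info)
        self.first_cache = self.second_cache = None
    def update_asymmetric_key(self, other_moduli, keygen=generate_asymmetric_key):
        """S702 + S801/S802: regenerate until the key is not already used by another requester."""
        while True:
            n, e, d = keygen()
            if n not in other_moduli: break
        self.n, self.e, self.d = n, e, d
        self.first_cache = self.second_cache = None
```

Because the second key is recovered with the public key, its confidentiality rests entirely on the public key being held only by the proxy client, which is the arrangement the patent describes.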
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In one embodiment, a key management system is provided, and the key management system corresponds one to one to the data communication methods in the above embodiments. As shown in fig. 9, the key management system includes a special key obtaining module 10, a first encryption module 20, a first decryption module 30, a second encryption module 40, and a second decryption module 50. The functional modules are explained in detail as follows:
The special key obtaining module 10 is configured to obtain the special key corresponding to the data requester.
The first encryption module 20 is configured to, when the data requester initiates a data request to the service responder, trigger the proxy client to encrypt the request message data with the special key to obtain ciphertext request data, so that the data requester initiates the data request to the service responder based on the ciphertext request data.
The first decryption module 30 is configured to, when the service responder receives the data request, trigger the proxy server to decrypt the ciphertext request data with the special key to obtain plaintext request data, so that the service responder processes the plaintext request data according to the preset service logic to obtain response message data.
The second encryption module 40 is configured to, when the service responder responds to the data request, trigger the proxy server to encrypt the response message data with the special key to obtain ciphertext response data, and return the ciphertext response data to the data requester.
The second decryption module 50 is configured to, when the data requester receives the ciphertext response data, trigger the proxy client to decrypt the ciphertext response data with the special key to obtain plaintext response data, so as to complete the data communication.
Specifically, the key management system further includes an asymmetric key generation module, a third encryption module, a third decryption module, a fourth encryption module, and a fourth decryption module.
The asymmetric key generation module is configured to generate an asymmetric key corresponding to the data requester using an asymmetric encryption algorithm; the asymmetric key comprises a public key and a private key.
The third encryption module is configured to, when the data requester initiates a data request to the service responder, trigger the proxy client to encrypt the special key with the public key to obtain a first key, and to encrypt the request message data with the first key to obtain ciphertext request data.
The third decryption module is configured to, when the service responder receives the data request, trigger the proxy server to decrypt the first key with the private key, and to decrypt the ciphertext request data with the decrypted special key to obtain plaintext request data.
The fourth encryption module is configured to, when the service responder responds to the data request, trigger the proxy server to encrypt the special key with the private key to obtain a second key, and to encrypt the response message data with the second key to obtain ciphertext response data.
The fourth decryption module is configured to, when the data requester receives the ciphertext response data, trigger the proxy client to decrypt the second key with the public key, and to decrypt the ciphertext response data with the decrypted special key to obtain plaintext response data.
Specifically, the special key obtaining module 10 includes a key length obtaining unit and a special key generating unit.
The key length obtaining unit is configured to obtain the key length of the special key.
The special key generating unit is configured to generate a special key of that key length based on the specific information corresponding to the data requester and a random number.
Specifically, the key management system further comprises a first storage module, a second storage module, a fifth encryption module, a fifth decryption module, a sixth encryption module and a sixth decryption module.
The first storage module is configured to store the first key in the first cache.
The second storage module is configured to store the second key in the second cache.
The fifth encryption module is configured to, when the data requester initiates a data request to the service responder again, trigger the proxy client to encrypt the request message data with the cached first key to obtain ciphertext request data, so as to initiate the data request to the service responder based on the ciphertext request data.
The fifth decryption module is configured to, when the service responder receives the data request, trigger the proxy server to decrypt the first key with the private key, and to decrypt the ciphertext request data with the decrypted special key to obtain plaintext request data, so that the service responder processes the plaintext request data according to the preset service logic to obtain response message data.
The sixth encryption module is configured to, when the service responder responds to the data request, trigger the proxy server to encrypt the response message data with the cached second key to obtain ciphertext response data, and return the ciphertext response data to the data requester.
The sixth decryption module is configured to, when the data requester receives the ciphertext response data, trigger the proxy client to decrypt the second key with the public key, and to decrypt the ciphertext response data with the decrypted special key to obtain plaintext response data, so as to complete the data communication.
Specifically, the key management system further comprises a key validity period configuration module and a key updating module.
The key validity period configuration module is configured to configure a first key validity period corresponding to the special key and a second key validity period of the asymmetric key.
The key updating module is configured to update the special key according to the first key validity period, and to update the asymmetric key according to the second key validity period.
Specifically, the key management system further comprises a first updating module and a second updating module.
The first updating module is configured to clear the data in the first cache and the data in the second cache when the special key is updated; or,
the second updating module is configured to clear the data in the first cache and the data in the second cache when the asymmetric key is updated.
Specifically, the key management system further comprises a deduplication detection module and a deduplication module.
The deduplication detection module is configured to perform deduplication detection on the asymmetric key updated by the data requester.
The deduplication module is configured to, if the asymmetric key corresponding to the data requester is the same as an asymmetric key corresponding to another data requester, repeat the step of generating an asymmetric key corresponding to the data requester using an asymmetric encryption algorithm.
For specific limitations of the key management system, reference may be made to the above limitations of the data communication method, which are not described herein again. The various modules in the key management system described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 10. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a computer storage medium and an internal memory. The computer storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the computer storage media. The database of the computer device is used for storing data, such as a private key, generated or obtained during execution of the data communication method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data communication method.
In one embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the steps of the data communication method in the above embodiments are implemented, for example steps S201 to S205 shown in fig. 2 or the steps shown in figs. 3 to 8. Alternatively, when the processor executes the computer program, the functions of the modules/units in the key management system embodiment are implemented, for example the functions of the modules/units shown in fig. 9; these are not described here again to avoid repetition.
In an embodiment, a computer storage medium is provided, and a computer program is stored on the computer storage medium, and when being executed by a processor, the computer program implements the steps of the data communication method in the foregoing embodiments, such as steps S201 to S205 shown in fig. 2 or steps shown in fig. 3 to fig. 8, which are not repeated herein for avoiding repetition. Alternatively, the computer program, when executed by the processor, implements the functions of each module/unit in the embodiment of the key management system, for example, the functions of each module/unit shown in fig. 9, and is not described here again to avoid repetition.
Blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, each containing the information of a batch of network transactions, which serves to verify the validity (anti-counterfeiting) of that information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing functional units and modules are merely illustrated in terms of division, and in practical applications, the foregoing functional allocation may be performed by different functional units and modules as needed, that is, the internal structure of the key management system is divided into different functional units or modules to perform all or part of the above described functions.
The above examples are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the foregoing examples, those of ordinary skill in the art should understand that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A data communication method is applied to a key management system, and is characterized in that the key management system comprises an agent client and an agent server; the proxy client is connected with the data requester, and the proxy server is connected with the service responder; the data communication method comprises the following steps:
acquiring a special key corresponding to a data requester;
when the data request party initiates a data request to a service response party, triggering the proxy client to encrypt request message data by using the special key to obtain ciphertext request data so that the data request party initiates a data request to the service response party based on the ciphertext request data;
when the service response party receives the data request, triggering the proxy server to decrypt the ciphertext request data by using the special key to obtain plaintext request data, so that the service response party processes the plaintext request data according to preset service logic to obtain response message data;
when the service responder responds to the data request, triggering the proxy server to encrypt response message data by adopting the special key to obtain ciphertext response data so as to return the ciphertext response data to the data requester;
and when the data request party receives the ciphertext response data, triggering the proxy client to decrypt the ciphertext response data by adopting the special key to obtain plaintext response data so as to complete data communication.
2. The data communication method according to claim 1, wherein after the obtaining of the special key corresponding to the data requester, the data communication method further comprises:
generating an asymmetric key corresponding to the data requester by adopting an asymmetric encryption algorithm; wherein the asymmetric key comprises a public key and a private key;
when the data request party initiates a data request to a service responder, triggering the proxy client to encrypt request message data by using the special key to obtain ciphertext request data, wherein the method comprises the following steps:
when a data request party initiates a data request to a service responder, triggering the proxy client to encrypt the special key by adopting the public key to obtain a first key; encrypting the request message data by adopting the first key to obtain ciphertext request data;
when the service response party receives the data request, triggering the proxy server to decrypt the ciphertext request data by using the special key to obtain plaintext request data, including:
when the service response party receives the data request, triggering the proxy server to decrypt the first secret key by adopting the private key; triggering the proxy server to decrypt the ciphertext request data by using the decrypted special key to obtain plaintext request data;
when the service responder responds to the data request, triggering the proxy server to encrypt response message data by using the special key to obtain ciphertext response data, wherein the method comprises the following steps:
when the service responder responds to the data request, triggering the proxy server to encrypt the special key by using the private key to obtain a second key; encrypting the response message data by adopting the second key to obtain ciphertext response data;
when the data request party receives the ciphertext response data, triggering the proxy client to decrypt the ciphertext response data by using the special key to obtain plaintext response data, including:
when the data request party receives the ciphertext response data, triggering the proxy client to decrypt the second secret key by adopting the public key; and decrypting the ciphertext response data by using the decrypted special key to obtain plaintext response data.
3. The data communication method according to claim 1, wherein the obtaining of the special key corresponding to the data requester includes:
acquiring the key length of the special key;
and generating a special key of the key length based on the specific information corresponding to the data requester and the random number.
4. The data communication method according to claim 2, wherein after the triggering the proxy client to encrypt the special key with the public key to obtain a first key when the data requester initiates a data request to a service responder, the data communication method further comprises:
storing the first key in a first cache;
after the triggering the proxy server to encrypt the special key with the private key to obtain a second key when the service responder responds to the data request, the data communication method further includes:
storing the second key in a second cache;
after the data communication is completed, the data communication method further includes:
when the data request party initiates a data request to the service response party again, triggering the proxy client to encrypt request message data by using the cached first key to obtain ciphertext request data so as to initiate a data request to the service response party based on the ciphertext request data;
when the service response party receives the data request, triggering the proxy server to decrypt the first secret key by adopting the private key; triggering the proxy server to decrypt the ciphertext request data by using the decrypted special key to obtain plaintext request data, so that the service responder processes the plaintext request data according to preset service logic based on the plaintext request data to obtain response message data;
when the service responder responds to the data request, triggering the proxy server to encrypt the response message data by using the cached second key to obtain ciphertext response data, and returning the ciphertext response data to the data requester;
when the data request party receives the ciphertext response data, triggering the proxy client to decrypt the second secret key by adopting the public key; and decrypting the ciphertext response data by using the decrypted special key to obtain plaintext response data so as to complete data communication.
5. The data communication method according to claim 4, wherein after said generating an asymmetric key corresponding to said data requester using an asymmetric encryption algorithm, said data communication method further comprises:
configuring a first key validity period corresponding to the special key and a second key validity period of the asymmetric key;
after the data communication is completed, the data communication method further includes:
updating the special key according to the first key validity period; and updating the asymmetric key according to the second key validity period.
6. The data communication method according to claim 5, wherein after said updating the special key according to the first key validity period and updating the asymmetric key according to the second key validity period, the data communication method further includes:
clearing data in the first cache and data in the second cache when the special key is updated; or,
when the asymmetric key is updated, the data in the first cache and the data in the second cache are cleared.
7. The data communication method of claim 4, wherein after said storing the second key in a second cache, the data communication method further comprises:
carrying out duplication elimination detection on the asymmetric key updated by the data request party;
and if the asymmetric key corresponding to the data request party is the same as the asymmetric keys corresponding to other data request parties, repeatedly executing the step of generating the asymmetric key corresponding to the data request party by adopting an asymmetric encryption algorithm.
8. A key management system, comprising:
the special key acquisition module is used for acquiring a special key corresponding to the data requester;
the first encryption module is used for triggering the proxy client to encrypt request message data by adopting the special key to obtain ciphertext request data when the data request party initiates a data request to the service response party so as to enable the data request party to initiate a data request to the service response party based on the ciphertext request data;
the first decryption module is used for triggering the proxy server to decrypt the ciphertext request data by using the special key when the service response party receives the data request to obtain plaintext request data, so that the service response party processes the plaintext request data according to preset service logic to obtain response message data;
the second encryption module is used for triggering the proxy server to encrypt response message data by adopting the special key when the service responder responds to the data request to obtain ciphertext response data so as to return the ciphertext response data to the data requester;
and the second decryption module is used for triggering the proxy client to decrypt the ciphertext response data by adopting the special key when the data requester receives the ciphertext response data to obtain plaintext response data so as to complete data communication.
9. A computer arrangement comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the data communication method according to any of claims 1 to 7 when executing the computer program.
10. A computer storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the data communication method according to any one of claims 1 to 7.
CN202011486200.4A 2020-12-16 2020-12-16 Data communication method, key management system, device, and storage medium Pending CN112671733A (en)

Also Published As

Publication number Publication date
WO2022126972A1 (en) 2022-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210416