Search

CN-121664573-B - Data security transmission method and device based on cryptographic algorithm

CN121664573BCN 121664573 BCN121664573 BCN 121664573BCN-121664573-B

Abstract

The application provides a data security transmission method and a data security transmission device based on a national encryption algorithm, wherein the method comprises the steps that a client generates a signature value according to a local secret key and sends the signature value to an encryption end, the encryption end requests an authentication certificate to a server end according to the signature value and sends the authentication certificate to the client end, the client end initiates access authentication to the encryption end through the authentication certificate and receives a verification result, the encryption end transmits the authentication certificate and the verification result, the server end generates a verification result according to the authentication certificate, and the client end establishes data transmission connection with the server end according to the verification result. Through the cooperative authentication of the encryption end and the server end, the security problems of identity forging, data tampering, behavior repudiation, sensitive information interception and the like are radically solved, and the user does not need to carry additional hardware such as UKey and the like, so that the original use habit of the user is not changed.

Inventors

  • JIANG ZHENG
  • LIU JIAQI
  • DAN BO
  • ZHONG XIWEI

Assignees

  • 深圳奥联信息安全技术有限公司

Dates

Publication Date
20260508
Application Date
20260209

Claims (9)

  1. 1. The data security transmission method based on the cryptographic algorithm is characterized by comprising a client, an encryption end and a server, wherein the client is used for receiving a user operation instruction, storing a local key and initiating a request; The method comprises the following steps: When receiving a login request initiated by a user, the client calls a corresponding local key according to the login request; The client generates a signature value according to the local key and sends the signature value to the encryption end; the encryption end requests an authentication credential from the server end according to the signature value and sends the authentication credential to the client end; the client initiates access authentication to the encryption end through the authentication credentials and receives a verification result; the encryption end transmits the authentication credentials and the verification result; the server side generates a verification result according to the authentication credentials; the client establishes data transmission connection with the server according to the verification result; the client downloads a local key according to the login request, and the method comprises the following steps: the client sends a key downloading request and user identity information to the encryption end, and the encryption end sends the user identity information to the server end; The client receives the identity verification instruction, verifies according to the identity verification instruction to obtain a verification result, and sends the verification result to the encryption end; the encryption end sends the verification result to the server end; the server side generates key data according to the verification result and sends the key data to the encryption side; the encryption terminal encrypts the key data and then sends the encrypted key data to the client; and the client decrypts the key data and stores the decrypted key data to a local to obtain a local key.
  2. 2. The method as recited in claim 1, further comprising: The client sends a secure connection establishment request to the encryption end according to the authentication credentials; the client receives the connection configuration parameters and completes initialization of a local encryption channel according to the connection configuration parameters; When a user triggers a disconnection operation, the client sends a safe connection disconnection request and current connection state information to the encryption end; and the client receives the disconnection confirmation instruction, closes the local encryption channel and clears the temporary cache data of the current connection.
  3. 3. The method of claim 1, wherein the client generates a signature value from the local key and sends the signature value to an encryption terminal, wherein the encryption terminal requests authentication credentials from the server terminal based on the signature value and sends the authentication credentials to the client terminal, and wherein the step of including: the client receives a random challenge value which is forwarded by the encryption end and generated by the server end; the client calls the local key to carry out cryptographic algorithm signature operation on the random challenge value, and a signature value with a dynamic factor is generated; the client sends the random challenge value and the signature value to the encryption end, and the encryption end and the server end perform collaborative verification on the signature value.
  4. 4. The method as recited in claim 1, further comprising: the client generates a KS key in a key storage module of a corresponding terminal system; The client randomly generates a PIN code, encrypts the PIN code through the KS key and stores the encrypted PIN code; when the client side needs to use the PIN code, triggering local verification, acquiring the KS key after verification is passed, and decrypting the PIN code through the KS key.
  5. 5. The method as recited in claim 1, further comprising: The client detects the service period of a local key or receives a key rotation instruction issued by the server and sends a key update request and a current key identifier to the encryption end; the client receives the new key data forwarded by the encryption end, and replaces the original key after decryption; and the client executes safe destruction operation on the abandoned key, and clears the abandoned key data by repeatedly covering a storage area or calling a hardware encryption module.
  6. 6. The method of claim 1, further comprising the step of protecting data integrity after the client establishes a data transmission connection with the server: the client generates an integrity check value by adopting an SM3 cryptographic hash algorithm for transmission data; the client sends the transmission data and the integrity check value to the server; the server side checks the transmission data according to the integrity check value to obtain a check result; And the client receives the verification result, and if the verification is inconsistent, the data transmission is terminated and the retransmission flow is triggered.
  7. 7. The method is characterized by comprising a client, an encryption end and a server, wherein the client is used for receiving a user operation instruction, storing a local key and initiating a request; The method comprises the following steps: When receiving a signature value generated by the client-side by calling a local key through a user login request, the encryption terminal requests an authentication credential from the server-side according to the signature value, acquires the authentication credential returned by the server-side and then sends the authentication credential to the client-side; the encryption terminal receives an access authentication association request initiated by the client based on the authentication credentials, cooperates with the server terminal to perform validity check on the authentication credentials and generate a check result, and sends the check result to the client; the encryption terminal receives a key downloading request and user identity information sent by the client terminal, and sends the user identity information to the server terminal; the server side generates an identity verification instruction according to the user identity information, and sends the identity verification instruction to the client side, and the client side verifies according to the identity verification instruction to obtain a verification result; The encryption terminal receives the verification result and sends the verification result to the server terminal, the server terminal generates key data according to the verification result and sends the key data to the encryption terminal, the encryption terminal encrypts the key data and sends the key data to the client terminal, and the client terminal decrypts the key data and stores the decrypted key data to a local key.
  8. 8. The data security transmission method based on the cryptographic algorithm is characterized by comprising a client, an encryption end and a server, wherein the client is used for receiving a user operation instruction, storing a local key and initiating a request; The method comprises the following steps: When a signature value generated by the client-side by calling a local key through a user login request is received, the server-side receives the signature value and performs validity check; The server side generates an authentication certificate after checking that the signature value passes, and sends the authentication certificate to the encryption side; The server receives an access authentication request initiated by the client based on the authentication credentials, performs secondary verification on the authentication credentials, generates a verification result, and sends the verification result to the encryption end; when the verification result is legal, the server establishes encryption data transmission connection with the client based on a national encryption algorithm; The server receives a key downloading request and user identity information, generates an identity verification instruction according to the user identity information, and sends the identity verification instruction to the client; the client receives the identity verification instruction, verifies according to the identity verification instruction to obtain a verification result, and sends the verification result to the encryption end; The server side generates key data according to the verification result and sends the key data to the encryption side, the encryption side encrypts the key data and sends the key data to the client side, and the client side decrypts the key data and stores the decrypted key data to the local to obtain a local key.
  9. 9. The data security transmission device based on the cryptographic algorithm is characterized by comprising a client, an encryption end and a server, wherein the client is used for receiving user operation instructions, storing local keys and initiating requests, the encryption end is provided with user information login verification rights, the server is used for transmitting encrypted data, and the data security transmission device is used for realizing the steps of the enhanced identity authentication and data security transmission method based on the cryptographic algorithm according to claim 7: Comprising the following steps: the client side calls a corresponding local key according to the login request; The authentication module is used for generating a signature value by the client according to the local key and sending the signature value to the encryption end; The verification module is used for the client to initiate access authentication to the encryption end through the authentication credentials and receive a verification result; the encryption end transmits the authentication credentials and the verification result; the server side generates a verification result according to the authentication credentials; and the transmission module is used for establishing data transmission connection with the server side by the client side according to the verification result.

Description

Data security transmission method and device based on cryptographic algorithm Technical Field The invention relates to the technical field of data transmission, in particular to a data security transmission method and device based on a cryptographic algorithm. Background The general business system does not have national secret identity authentication capability, meets compliance requirements such as secret assessment and the like, needs to reform the existing authentication mode, and realizes enhanced authentication and channel protection of user identity, and the main technical scheme at present comprises the following steps: The user uses the compliant national secret UKey to store the digital certificate, combines the PIN code to carry out identity authentication, the certificate is issued by a compliant CA organization or a self-signing CA, the SM2 signature verification signature is supported, the user needs to carry hardware equipment, the mobile terminal needs to support OTG or NFC (part of mobile phones have poor compatibility), the Ukey purchase, distribution and management cost is high, and the certificate needs to be issued again after the certificate is lost. Dynamic passwords (hardware tokens or APP tokens) are generated based on an SM3 algorithm, double-factor authentication is realized by combining a user name/password, a seed key is needed to be relied on, batch counterfeiting risks exist, time synchronization is needed by time type OTP, verification is possibly affected by network delay, dynamic codes are needed to be manually input, and operation steps are more. Based on SM2 algorithm and blockchain technology, generating an electronic identity card (eID) with decentralization, combining two-dimension code or face identification authentication, needing to build a node network, having high operation and maintenance cost, having higher delay of a blockchain consensus mechanism, being not suitable for real-time authentication, and not being fully opened for domestic application of blockchain identity, and possibly having compliance problem. Disclosure of Invention In view of the foregoing, the present application provides a method and apparatus for secure data transmission implemented based on a cryptographic algorithm, which overcomes the foregoing or at least partially solves the foregoing problems, and includes: The method relates to a client, an encryption end and a server, wherein the client is used for receiving a user operation instruction, storing a local key and initiating a request, and the encryption end has user information login verification authority; The method comprises the following steps: When receiving a login request initiated by a user, the client calls a corresponding local key according to the login request; The client generates a signature value according to the local key and sends the signature value to the encryption end; the encryption end requests an authentication credential from the server end according to the signature value and sends the authentication credential to the client end; the client initiates access authentication to the encryption end through the authentication credentials and receives a verification result; the encryption end transmits the authentication credentials and the verification result; the server side generates a verification result according to the authentication credentials; and the client establishes data transmission connection with the server according to the verification result. Further, the method further comprises the step that the client downloads a local key according to the login request, and the method comprises the following steps: the client sends a key downloading request and user identity information to the encryption end, and the encryption end sends the user identity information to the server end; The client receives the identity verification instruction, verifies according to the identity verification instruction to obtain a verification result, and sends the verification result to the encryption end; the encryption end sends the verification result to the server end; the server side generates key data according to the verification result and sends the key data to the encryption side; the encryption terminal encrypts the key data and then sends the encrypted key data to the client; and the client decrypts the key data and stores the decrypted key data to a local to obtain a local key. Further, the method further comprises the following steps: The client sends a secure connection establishment request to the encryption end according to the authentication credentials; the client receives the connection configuration parameters and completes initialization of a local encryption channel according to the connection configuration parameters; When a user triggers a disconnection operation, the client sends a safe connection disconnection request and current connection state information to the encryption end; and the client rece