Search

CN-122027166-A - Data transmission method and system based on information security

CN122027166ACN 122027166 ACN122027166 ACN 122027166ACN-122027166-A

Abstract

The invention relates to the technical field of information security, in particular to a data transmission method and system based on information security, wherein the method comprises the steps of acquiring a zero knowledge proof capability statement, a distributed identity mark and data to be transmitted of a client; in the handshake stage, an authentication certification is generated based on a zero knowledge proof capability statement, a verification client side meets a preset strategy and has a private key corresponding to a long-term identity promise, the matching of a public key corresponding to a distributed identity mark and a handshake signature is verified, a block chain is queried to confirm that the public key has a specific qualification certificate, a mixed key exchange and double signature operation is performed to generate a session key, in the data transmission stage, a user behavior characteristic calculation trust score is collected, a safety response strategy is performed according to a comparison result of the user behavior characteristic calculation trust score and a dynamic threshold, and data is transmitted through an encryption channel.

Inventors

  • YUAN JINSONG
  • LIU SHUOXUAN
  • LIU XINGYU
  • CHEN XINRU
  • CHEN WEI
  • YANG WEIMING
  • LIANG SHIJIE
  • YU ZHILONG
  • LU LEI
  • Xu Baixuan
  • LV XIAOJUN
  • Hou Huajie
  • LIN CHAO

Assignees

  • 广东职业技术学院

Dates

Publication Date
20260512
Application Date
20260210

Claims (9)

  1. 1. A data transmission method based on information security, the method comprising the steps of: s100, acquiring a zero knowledge proof capability statement, a distributed identity and data to be transmitted of a client; S200, inputting the zero-knowledge proof capability statement, the distributed identity mark and the data to be transmitted into an enhanced type safe transmission framework, and generating an identity verification certificate through a zero-knowledge proof generation module based on the zero-knowledge proof capability statement in a handshake stage, wherein the identity verification certificate is used for verifying that a client meets a preset strategy and has a private key corresponding to a long-term identity commitment; S300, verifying the matching of a public key corresponding to the distributed identity and a handshake signature through a distributed identity analysis module, and querying a verifiable credential registry on a blockchain to confirm that the distributed identity holds a specific qualification credential; s400, performing mixed key exchange and double signature operation through a post quantum cryptography module to generate a session key; S500, in the data transmission stage, the user behavior characteristics are collected through the continuous authentication monitor, the trust score is calculated, a corresponding safety response strategy is executed according to the comparison result of the trust score and the dynamic threshold value, and the data to be transmitted is transmitted through the encryption channel.
  2. 2. The method according to claim 1, wherein in S200, the generating, by the zero knowledge proof generating module, an authentication proof comprises: s210, acquiring a random number challenge sent by a server and a strategy requiring client side certification; s220, calling a local zero knowledge proof certifier to generate proof data, wherein the proof data is used for verifying that a client knows attribute values meeting the policy and correspond to long-term identity promises, and meanwhile, the client has a private key bound with the identity; And S230, the proving data and the digital signature for the random number challenge are transmitted to a server, so that the server verifies the digital signature and verifies the proving data by using a zero-knowledge proving verifier.
  3. 3. The method of claim 1, wherein in S300, the verifying, by the distributed identity resolution module, the matching of the public key corresponding to the distributed identity with the handshake signature includes: S310, acquiring a distributed identity identifier sent by a client and a corresponding distributed identity document uniform resource locator; S320, obtaining a distributed identity document corresponding to the uniform resource locator of the distributed identity document through a distributed identity analyzer, wherein the distributed identity document comprises a public key and a verification method; S330, verifying whether the public key in the distributed identity document is matched with the handshake signature, and inquiring a revocation status contract on the blockchain to confirm the certificate revocation status of the distributed identity.
  4. 4. The method of claim 1, wherein in S400, the performing a hybrid key exchange and double signature operation by the post quantum cryptography module comprises: s410, acquiring a classical algorithm key pair and a post quantum algorithm key pair; S420, carrying out double signature on the key handshake message by using an elliptic curve digital signature algorithm and a crystal dilution algorithm simultaneously, and verifying two signatures simultaneously by a receiver; S430, performing elliptic curve diffie-hellman-based key exchange and crystal keber-based key encapsulation, and jointly deriving an elliptic curve diffie-hellman-based shared secret and a crystal keber-based encapsulated key as the session key.
  5. 5. The method of claim 1, wherein in S500, the collecting user behavior features and calculating trust scores by the continuous authentication monitor comprises: S510, acquiring user interaction characteristics, wherein the user interaction characteristics comprise key stroke dynamics characteristics, mouse movement mode characteristics and equipment holding gesture characteristics; S520, extracting a feature vector corresponding to the user interaction feature, comparing the feature vector with a pre-stored user behavior baseline model, and calculating a similarity value as the trust score.
  6. 6. The method according to claim 5, wherein in S500, the executing the corresponding security response policy according to the comparison result of the trust score and the dynamic threshold value includes: S530, acquiring a data sensitivity parameter and a network environment risk parameter, and calculating the dynamic threshold according to the data sensitivity parameter and the network environment risk parameter; s540, triggering a secondary authentication request or rejecting a sensitive operation request when the trust score is lower than the dynamic threshold; And S550, when the trust score is higher than or equal to the dynamic threshold value, maintaining the current session state and continuing to execute S600.
  7. 7. The method of claim 1, further comprising, prior to S200: S110, acquiring an attribute promise registered in advance at an identity provider by a client, wherein the attribute promise is used for verifying the corresponding relation between an attribute value and a long-term identity promise in the zero knowledge proof verification process; S120, newly adding zero knowledge proof assertion extension in the hello message of the transport layer security protocol handshake client, and declaring that the client supports zero knowledge proof and provable attribute types.
  8. 8. A data transmission system based on information security, comprising: At least one processor; at least one memory for storing at least one program; the at least one program, when executed by the at least one processor, causes the at least one processor to implement the method of any one of claims 1 to 7.
  9. 9. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.

Description

Data transmission method and system based on information security Technical Field The invention relates to the technical field of information security, in particular to a data transmission method and system based on information security. Background The currently mainstream end-to-end secure data transmission (such as TLS/SSL protocol) relies heavily on the traditional Public Key Infrastructure (PKI) for authentication. This system has the following inherent drawbacks: and the privacy disclosure risk is that the certificate plaintext contains a server domain name, organization information and the like and is easy to be used by listeners to construct user portraits. Centralized trust bottlenecks-relying on a few trusted Certificate Authorities (CAs), a single point of failure or CA intrusion will result in global trust collapse. Authentication rigidifies, a binary verification of "yes/no" alone, cannot support fine-grained, selective attribute declarations (e.g. "prove users are 18 years old without exposing a specific age"). The existing asymmetric encryption algorithms (such as RSA and ECC) cannot resist the attack of future quantum computers. Authentication status is static-after authentication in the handshake phase, there is no continuous verification of the user identity during the whole session. While some research attempts have been made to introduce zero knowledge proof, blockchain identity, or postquantum cryptography, most of them are stand alone solutions that fail to be systematically integrated into a complete data transport protocol stack and suffer from deficiencies in efficiency, compatibility, and user experience. Disclosure of Invention In order to solve the problems, the invention provides a data transmission method and a system based on information security, which aim to ensure confidentiality, integrity, identity privacy and quantum attack resistance of data transmission in an untrusted network environment. In order to achieve the above object, the present invention provides the following technical solutions: in one aspect, an embodiment of the present invention provides a data transmission method based on information security, where the method includes the following steps: s100, acquiring a zero knowledge proof capability statement, a distributed identity and data to be transmitted of a client; S200, inputting the zero-knowledge proof capability statement, the distributed identity mark and the data to be transmitted into an enhanced type safe transmission framework, and generating an identity verification certificate through a zero-knowledge proof generation module based on the zero-knowledge proof capability statement in a handshake stage, wherein the identity verification certificate is used for verifying that a client meets a preset strategy and has a private key corresponding to a long-term identity commitment; S300, verifying the matching of a public key corresponding to the distributed identity and a handshake signature through a distributed identity analysis module, and querying a verifiable credential registry on a blockchain to confirm that the distributed identity holds a specific qualification credential; s400, performing mixed key exchange and double signature operation through a post quantum cryptography module to generate a session key; S500, in the data transmission stage, the user behavior characteristics are collected through the continuous authentication monitor, the trust score is calculated, a corresponding safety response strategy is executed according to the comparison result of the trust score and the dynamic threshold value, and the data to be transmitted is transmitted through the encryption channel. Optionally, in S200, the generating, by the zero knowledge proof generating module, an authentication proof includes: s210, acquiring a random number challenge sent by a server and a strategy requiring client side certification; s220, calling a local zero knowledge proof certifier to generate proof data, wherein the proof data is used for verifying that a client knows attribute values meeting the policy and correspond to long-term identity promises, and meanwhile, the client has a private key bound with the identity; And S230, the proving data and the digital signature for the random number challenge are transmitted to a server, so that the server verifies the digital signature and verifies the proving data by using a zero-knowledge proving verifier. Optionally, in S300, the verifying, by the distributed identity analysis module, the matching between the public key corresponding to the distributed identity and the handshake signature includes: S310, acquiring a distributed identity identifier sent by a client and a corresponding distributed identity document uniform resource locator; S320, obtaining a distributed identity document corresponding to the uniform resource locator of the distributed identity document through a distributed identity analyzer, wherein the d