Communication method, system and related device and computer readable storage medium
阅读说明:本技术 通信方法、系统和相关设备以及计算机可读存储介质 (Communication method, system and related device and computer readable storage medium ) 是由 张祎 赵飞飞 樊婷婷 程涛 王渭清 于 2018-08-24 设计创作,主要内容包括:本发明公开了一种通信方法、系统和相关设备以及计算机可读存储介质,涉及信息安全技术领域。通信方法包括:发送终端获取来自网络侧的通道密钥和内容密钥,其中,发送终端获取的通道密钥与接收终端获取的通道密钥相同;发送终端采用内容密钥对数据内容加密,生成内容加密数据;发送终端采用通道密钥对内容密钥加密,生成密钥加密数据;发送终端向接收终端发送内容加密数据和密钥加密数据,以便接收终端采用通道密钥对密钥加密数据进行解密,获得内容密钥,并采用内容密钥对内容加密数据进行解密,获得数据内容。本发明的实施例在实现了安全通信的同时,通过对称加密的方式提高了加解密的速度,从而降低了通信时延。(The invention discloses a communication method, a communication system, related equipment and a computer readable storage medium, and relates to the technical field of information security. The communication method comprises the following steps: a sending terminal acquires a channel key and a content key from a network side, wherein the channel key acquired by the sending terminal is the same as the channel key acquired by a receiving terminal; the sending terminal encrypts the data content by adopting a content key to generate content encrypted data; the sending terminal encrypts the content key by adopting a channel key to generate key encrypted data; the sending terminal sends the content encrypted data and the key encrypted data to the receiving terminal, so that the receiving terminal can decrypt the key encrypted data by adopting the channel key to obtain a content key, and decrypt the content encrypted data by adopting the content key to obtain data content. The embodiment of the invention realizes the safe communication and simultaneously improves the speed of encryption and decryption by a symmetrical encryption mode, thereby reducing the communication time delay.)
1. A method of communication, comprising:
a sending terminal acquires a channel key and a content key from a network side, wherein the channel key acquired by the sending terminal is the same as the channel key acquired by a receiving terminal;
the sending terminal encrypts the data content by adopting a content key to generate content encrypted data;
the sending terminal encrypts the content key by adopting a channel key to generate key encrypted data;
the sending terminal sends the content encrypted data and the key encrypted data to the receiving terminal, so that the receiving terminal can decrypt the key encrypted data by adopting the channel key to obtain a content key, and decrypt the content encrypted data by adopting the content key to obtain data content.
2. The communication method according to claim 1, wherein the sending terminal obtains the channel key and the content key issued by the base station, and the channel keys issued by the base station to the terminals within the coverage range are the same.
3. The communication method according to claim 2, wherein the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the sending terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station.
4. The communication method according to claim 3,
the sending terminal encrypts the content key by using each acquired channel key respectively to generate a plurality of key encrypted data.
5. The communication method according to claim 1,
a sending terminal acquires a content key ordered group from a network side, wherein content keys except a first content key in the content key ordered group are generated according to a last content key and a hash function;
the transmitting terminal encrypts the data content using the last unused key in the ordered set of content keys.
6. The communication method according to claim 1, wherein the transmitting terminal transmits the content encryption data and the key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys.
7. The communication method according to claim 1, wherein the transmitting terminal and the receiving terminal are in-vehicle terminals.
8. The communication method according to claim 1, wherein,
further comprising: the sending terminal signs the content encryption data by adopting the content key to generate signature data;
the transmitting terminal transmits the content encryption data, the key encryption data and the signature data to the receiving terminal so that the receiving terminal verifies the content data according to the signature.
9. The communication method according to any one of claims 1 to 8, further comprising:
the receiving terminal decrypts the key encrypted data from the sending terminal by adopting the channel key to obtain a content key;
the receiving terminal verifies the obtained content key;
in response to the verification passing, the receiving terminal decrypts the content encrypted data using the obtained content key to obtain the data content.
10. The communication method of claim 9, wherein the verifying the obtained content key by the receiving terminal comprises:
under the condition that a receiving terminal receives content encryption data and key encryption data sent by a sending terminal for the first time within preset time, the receiving terminal sends an obtained content key to a network side for verification;
and under the condition that the receiving terminal does not receive the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time, the receiving terminal verifies the content key obtained this time based on the content key obtained last time and the hash function, wherein the sending terminal adopts the key in the content key ordered group to encrypt the content data, and the content keys except the first content key in the content key ordered group are generated according to the last content key and the hash function.
11. The communication method according to any one of claims 1 to 8, further comprising:
and the base station issues the channel key and the content key to the terminals in the coverage area, wherein the channel key obtained by each terminal in the coverage area of the base station is the same, and the obtained content keys are different.
12. The communication method of claim 11, further comprising:
the network side equipment generates a channel key corresponding to each base station;
and the network side equipment issues the channel key corresponding to each base station and the channel key corresponding to the adjacent base station of each base station to each base station.
13. The communication method of claim 11, further comprising:
the network side equipment generates an initial content key for each terminal;
the network side equipment generates a content key ordered group according to the initial content key and a hash function, wherein the content key ordered group comprises a plurality of content keys;
the network side equipment issues the content key ordered group of the terminal to the base station, so that the base station issues the content key ordered group of the terminal to the terminal.
14. A communication terminal, comprising:
the key acquisition module is configured to acquire a channel key and a content key from a network side, wherein the channel key acquired by the key acquisition module is the same as the channel key acquired by the receiving terminal;
a content encryption module configured to encrypt data content using a content key, generating content encrypted data;
a key encryption module configured to encrypt the content key with a channel key to generate key encrypted data;
and the sending module is configured to send the content encrypted data and the key encrypted data to the receiving terminal so that the receiving terminal decrypts the key encrypted data by using the channel key to obtain a content key, and decrypts the content encrypted data by using the content key to obtain the data content.
15. The communication terminal according to claim 14, wherein the key obtaining module is configured to obtain the channel key and the content key issued by the base station, and the channel keys issued by the base station to the terminals within the coverage range are the same.
16. The communication terminal according to claim 15, wherein the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the communication terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station.
17. The communication terminal according to claim 16, wherein the key encryption module is further configured to encrypt the content key with each acquired channel key, respectively, to generate a plurality of key encrypted data.
18. The communication terminal of claim 14,
the key obtaining module is further configured to obtain a content key ordered group from the network side, wherein content keys except a first content key in the content key ordered group are generated according to a last content key and a hash function;
the content encryption module is further configured to encrypt the data content using the last unused key in the ordered set of content keys.
19. The communication terminal of claim 14,
the transmitting module is further configured to transmit the content encryption data and the key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys.
20. The communication terminal according to any of claims 14-19, further comprising:
a receiving module configured to acquire content encrypted data and key encrypted data from a transmitting terminal;
the key decryption module is configured to decrypt the key encrypted data from the sending terminal by adopting the channel key to obtain a content key;
and the content decryption module is configured to decrypt the content encrypted data by using the obtained content key to obtain the data content.
21. The communication terminal of claim 20, further comprising:
the key verification module is configured to verify the obtained content key, and the receiving terminal sends the obtained content key to the network side for verification under the condition that the receiving terminal receives the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time; and under the condition that the receiving terminal does not receive the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time, the receiving terminal verifies the content key obtained this time based on the content key obtained last time and the hash function, wherein the sending terminal adopts the key in the content key ordered group to encrypt the content data, and the content keys except the first content key in the content key ordered group are generated according to the last content key and the hash function.
22. A communication system, comprising:
the communication terminal of any one of claims 14 to 21; and
the base station is configured to issue a channel key and a content key to terminals within a coverage range, wherein the channel key obtained by each terminal within the coverage range of the base station is the same, and the obtained content keys are different.
23. The communication system of claim 22, further comprising:
and the network side equipment is configured to generate a channel key corresponding to each base station and issue the channel key corresponding to each base station and the channel key corresponding to the adjacent base station of each base station to each base station.
24. The communication system of claim 23, wherein the network side device is further configured to generate an initial content key for each terminal, generate an ordered group of content keys according to the initial content key and a hash function, wherein the ordered group of content keys includes a plurality of content keys, and send the ordered group of content keys of the terminal to the base station, so that the base station sends the ordered group of content keys of the terminal to the terminal.
25. A communication terminal, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the communication method of any of claims 1-13 based on instructions stored in the memory.
26. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, implements the communication method of any one of claims 1 to 13.
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a communication method, a communication system, a related device, and a computer-readable storage medium.
Background
Some communications have relatively high requirements for security and low time-ductility of the communications. For example, in the V2X (Vehicle to outside information exchange) scenario, the communication between vehicles needs to ensure confidentiality, integrity and availability, and needs to complete authentication and data encryption with low latency requirements.
At present, CA (Certificate Authority) is mainly used to encrypt and decrypt data through an asymmetric key.
Disclosure of Invention
After analysis, the inventor finds that the encryption and decryption speed of the CA mode is low, and the requirement of safe communication in a low-delay scene cannot be met.
The embodiment of the invention aims to solve the technical problem that: how to reduce the delay in the secure communication process.
According to a first aspect of some embodiments of the present invention, there is provided a communication method comprising: a sending terminal acquires a channel key and a content key from a network side, wherein the channel key acquired by the sending terminal is the same as the channel key acquired by a receiving terminal; the sending terminal encrypts the data content by adopting a content key to generate content encrypted data; the sending terminal encrypts the content key by adopting a channel key to generate key encrypted data; the sending terminal sends the content encrypted data and the key encrypted data to the receiving terminal, so that the receiving terminal can decrypt the key encrypted data by adopting the channel key to obtain a content key, and decrypt the content encrypted data by adopting the content key to obtain data content.
In some embodiments, the sending terminal obtains the channel key and the content key issued by the base station, and the channel keys issued by the base station to the terminals in the coverage area are the same.
In some embodiments, the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the sending terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station.
In some embodiments, the sending terminal encrypts the content key using each acquired channel key, respectively, to generate a plurality of key-encrypted data.
In some embodiments, the sending terminal obtains a content key ordered group from the network side, and content keys except a first content key in the content key ordered group are generated according to a last content key and a hash function; the transmitting terminal encrypts the data content using the last unused key in the ordered set of content keys.
In some embodiments, a transmitting terminal transmits content encryption data and key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys.
In some embodiments, the sending terminal and the receiving terminal are in-vehicle terminals.
In some embodiments, the communication method further comprises: the sending terminal signs the content encryption data by adopting the content key to generate signature data; the transmitting terminal transmits the content encryption data, the key encryption data and the signature data to the receiving terminal so that the receiving terminal verifies the content data according to the signature.
In some embodiments, the communication method further comprises: the receiving terminal decrypts the key encrypted data from the sending terminal by adopting the channel key to obtain a content key; the receiving terminal verifies the obtained content key; in response to the verification passing, the receiving terminal decrypts the content encrypted data using the obtained content key to obtain the data content.
In some embodiments, the verifying the obtained content key by the receiving terminal comprises: under the condition that the receiving terminal receives the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time, the receiving terminal sends the obtained content key to the network side for verification; and under the condition that the receiving terminal does not receive the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time, the receiving terminal verifies the content key obtained this time based on the content key obtained last time and the hash function, wherein the sending terminal adopts the key in the content key ordered group to encrypt the content data, and the content keys except the first content key in the content key ordered group are generated according to the last content key and the hash function.
In some embodiments, the communication method further comprises: and the base station issues the channel key and the content key to the terminals in the coverage area, wherein the channel key obtained by each terminal in the coverage area of the base station is the same, and the obtained content keys are different.
In some embodiments, the communication method further comprises: the network side equipment generates a channel key corresponding to each base station; and the network side equipment issues the channel key corresponding to each base station and the channel key corresponding to the adjacent base station of each base station to each base station.
In some embodiments, the communication method further comprises: the network side equipment generates an initial content key for each terminal; the network side equipment generates a content key ordered group according to the initial content key and a hash function, wherein the content key ordered group comprises a plurality of content keys; the network side equipment issues the content key ordered group of the terminal to the base station, so that the base station issues the content key ordered group of the terminal to the terminal.
According to a second aspect of some embodiments of the present invention, there is provided a communication terminal comprising: the key acquisition module is configured to acquire a channel key and a content key from a network side, wherein the channel key acquired by the key acquisition module is the same as the channel key acquired by the receiving terminal; a content encryption module configured to encrypt data content using a content key, generating content encrypted data; a key encryption module configured to encrypt the content key with a channel key to generate key encrypted data; and the sending module is configured to send the content encrypted data and the key encrypted data to the receiving terminal so that the receiving terminal decrypts the key encrypted data by using the channel key to obtain a content key, and decrypts the content encrypted data by using the content key to obtain the data content.
In some embodiments, the key obtaining module is configured to obtain the channel key and the content key issued by the base station, and the channel keys issued by the base station to the terminals in the coverage area are the same.
In some embodiments, the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the communication terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station.
In some embodiments, the key encryption module is further configured to encrypt the content key with each of the obtained channel keys, respectively, to generate a plurality of key encryption data.
In some embodiments, the key obtaining module is further configured to obtain an ordered set of content keys from the network side, the content keys in the ordered set of content keys except for a first content key being generated according to a last content key and a hash function; the content encryption module is further configured to encrypt the data content using the last unused key in the ordered set of content keys.
In some embodiments, the transmitting module is further configured to transmit the content encryption data and the key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys.
In some embodiments, the communication terminal further comprises: a receiving module configured to acquire content encrypted data and key encrypted data from a transmitting terminal; the key decryption module is configured to decrypt the key encryption data by adopting a channel key to obtain a content key; and the content decryption module is configured to decrypt the content encrypted data by using the obtained content key to obtain the data content.
In some embodiments, the communication terminal further comprises: the key verification module is configured to verify the obtained content key, and the receiving terminal sends the obtained content key to the network side for verification under the condition that the receiving terminal receives the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time; and under the condition that the receiving terminal does not receive the content encryption data and the key encryption data sent by the sending terminal for the first time within the preset time, the receiving terminal verifies the content key obtained this time based on the content key obtained last time and the hash function, wherein the sending terminal adopts the key in the content key ordered group to encrypt the content data, and the content keys except the first content key in the content key ordered group are generated according to the last content key and the hash function.
According to a third aspect of some embodiments of the present invention there is provided a communication system comprising: any of the foregoing communication terminals; and the base station is configured to issue the channel key and the content key to the terminals in the coverage area, wherein the channel key obtained by each terminal in the coverage area of the base station is the same, and the obtained content keys are different.
In some embodiments, the communication system further comprises: and the network side equipment is configured to generate a channel key corresponding to each base station and issue the channel key corresponding to each base station and the channel key corresponding to the adjacent base station of each base station to each base station.
In some embodiments, the network side device is further configured to generate an initial content key for each terminal, generate an ordered group of content keys according to the initial content key and a hash function, where the ordered group of content keys includes a plurality of content keys, and send the ordered group of content keys of the terminal to the base station, so that the base station sends the ordered group of content keys of the terminal to the terminal.
According to a fourth aspect of some embodiments of the present invention there is provided a communication terminal comprising: a memory; and a processor coupled to the memory, the processor configured to perform any of the aforementioned communication methods based on instructions stored in the memory.
According to a fifth aspect of some embodiments of the present invention, there is provided a computer readable storage medium having a computer program stored thereon, wherein the program when executed by a processor implements any one of the aforementioned communication methods.
Some embodiments of the above invention have the following advantages or benefits: because the sending terminal and the receiving terminal have the same channel key, both communication parties can encrypt and decrypt in a symmetric encryption mode to transmit the content key, and further, the content data can be encrypted and decrypted in a symmetric encryption mode. Therefore, the method of the embodiment improves the speed of encryption and decryption by a symmetric encryption mode while realizing secure communication, thereby reducing communication delay.
Other features of the present invention and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flow diagram of a communication method according to some embodiments of the invention.
Fig. 2 is a flow diagram of a communication method according to further embodiments of the present invention.
Fig. 3A is a flow chart illustrating a content data encryption method according to some embodiments of the invention.
Fig. 3B is a flowchart illustrating a content key issuing method according to some embodiments of the present invention.
Fig. 4A is a flow diagram of a decryption process at a receiving terminal according to some embodiments of the invention.
Fig. 4B is a flow chart illustrating a content key verification method according to some embodiments of the invention.
FIG. 5 is a schematic flow diagram of a vehicle networking communication method according to some embodiments of the invention.
Fig. 6 is a schematic diagram of a communication terminal according to some embodiments of the present invention.
Fig. 7 is a block diagram of a communication system according to some embodiments of the invention.
Fig. 8 is a schematic structural diagram of a communication terminal according to further embodiments of the present invention.
Fig. 9 is a schematic diagram of a communication terminal according to further embodiments of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flow diagram of a communication method according to some embodiments of the invention. As shown in fig. 1, the communication method of the embodiment includes steps S102 to S112.
In step S102, the sending terminal obtains the channel key and the content key from the network side, where the channel key obtained by the sending terminal is the same as the channel key obtained by the receiving terminal.
In the embodiment of the invention, two keys are used for encryption. The content key is used for encrypting data content to be sent, and the channel key is used for encrypting the content key.
In some embodiments, the content key acquired by the sending terminal is a content key corresponding to the sending terminal, and there may be one or more content keys.
In some embodiments, the sending terminal may periodically obtain the channel key and the content key for key update.
In step S104, the transmission terminal encrypts the data content using the content key, and generates content encrypted data.
In step S106, the transmitting terminal encrypts the content key with the channel key to generate key-encrypted data.
In step S108, the transmitting terminal transmits the content encrypted data and the key encrypted data to the receiving terminal.
In some embodiments, the sending terminal may send data directly to the receiving terminal based on a direct communication interface with the receiving terminal. For example, direct communication of nearby devices may be accomplished using the PC5 interface. The PC5 interface is based on D2D (Device to Device) proximity communication service in the LTE (long term Evolution) standard, and can realize high-speed and high-density communication.
In step S110, the receiving terminal decrypts the key-encrypted data using the channel key, and obtains a content key.
In step S112, the receiving terminal decrypts the content encrypted data using the content key, and obtains the data content.
Because the sending terminal and the receiving terminal have the same channel key, both communication parties can encrypt and decrypt in a symmetric encryption mode to transmit the content key, and further, the content data can be encrypted and decrypted in a symmetric encryption mode. Therefore, the method of the embodiment improves the speed of encryption and decryption by a symmetric encryption mode while realizing secure communication, thereby reducing communication delay.
In some embodiments, the transmitting terminal may also attach a signature to the transmitted content. An embodiment of the communication method of the present invention is described below with reference to fig. 2.
Fig. 2 is a flow diagram of a communication method according to further embodiments of the present invention. As shown in fig. 2, the communication method of this embodiment includes steps S202 to S216.
In step S202, the sending terminal acquires the channel key and the content key from the network side, wherein the channel key acquired by the sending terminal is the same as the channel key acquired by the receiving terminal from the network side.
In step S204, the transmission terminal encrypts the data content using the content key, and generates content encrypted data.
In step S206, the transmitting terminal encrypts the content key with the channel key to generate key-encrypted data.
In step S208, the transmission terminal signs the content encrypted data with the content key, and generates signature data. For example, the transmitting terminal may first calculate a digest of the content encrypted data, and then encrypt the digest with the content key to generate signature data.
In step S210, the transmitting terminal transmits the content encryption data, the key encryption data, and the signature data to the receiving terminal.
In step S212, the receiving terminal decrypts the key-encrypted data using the channel key, and obtains a content key.
In step S214, the receiving terminal decrypts the content encrypted data using the content key, and obtains the data content.
In step S216, the receiving terminal verifies the content data based on the signature. For example, the receiving terminal may calculate a digest of the data content, and compare whether the calculated digest and the result of decrypting the signature with the content key are identical, and if they are identical, the verification is passed, and if they are not identical, the verification is not passed.
Therefore, whether the data is tampered or not can be verified, and the protection of the data integrity is improved.
In some embodiments, the key may be issued by the base station. For example, the base station issues a channel key and a content key to terminals within a coverage area, where the channel key obtained by each terminal within the coverage area of the base station is the same and the obtained content key is different. At this time, the terminals within the coverage of the same base station have the same channel key, so that the terminals can perform encrypted communication and perform a symmetric encryption and decryption process by using the same channel key.
The embodiment of the invention considers the situations that the terminal is possibly subjected to cell switching in the moving process, or the transceiver is respectively positioned at the boundary of the adjacent base stations, and the like, and can enable the adjacent base stations to share the channel key. In some embodiments, the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the sending terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station. For example, the network side device may generate a channel key corresponding to each base station, and then issue the channel key corresponding to each base station and the channel key corresponding to the neighboring base station of each base station to each base station.
For example, base station a and base station B are adjacent. The channel key of the base station a is KeyA, and the channel key of the base station B is KeyB. After the base station A and the base station B share the channel key, the base station A simultaneously issues KeyA and KeyB when issuing the key, and the base station B also simultaneously issues KeyA and KeyB when issuing the key. Therefore, the terminal in the coverage of the base station A and the terminal in the coverage of the base station B can have the same channel key, so that the low-delay secure communication based on the symmetric encryption can be carried out.
When the transmitting terminal has a plurality of channel keys, the content key may be encrypted using each of the obtained channel keys, respectively, to generate a plurality of key-encrypted data. Therefore, when receiving the encrypted data of the plurality of keys, the receiving terminal can decrypt the encrypted data by using the channel keys acquired by the receiving terminal one by one, and the content key can be acquired after the decryption is successful.
In some embodiments, the network side device may generate a channel key corresponding to each base station and a content key corresponding to each terminal, and then the network side device issues the generated keys to the base stations, so that the base stations issue the keys to the terminals. The network side device may be located in the base station or in the core network.
In some embodiments, the sending terminal may employ a one-time pad method for encrypted communications. For example, the base station may issue the content key group to the terminal, and the terminal encrypts the content data with an unused content key each time the content data is sent, so that the security of communication may be further improved.
In some embodiments, the keys in the content key set may be associated with each other for authentication by the receiving terminal. An embodiment of the content data encryption method of the present invention is described below with reference to fig. 3A.
Fig. 3A is a flow chart illustrating a content data encryption method according to some embodiments of the invention. As shown in fig. 3A, the content data encryption method of this embodiment includes steps S302 to S304.
In step S302, the transmission terminal acquires a content key ordered group from the network side, in which content keys other than the first content key are generated based on the last content key and the hash function.
In some embodiments, the initial Key in the ordered set of content keys is Key1, the Key1 is used as the argument to compute the function value of the hash function to obtain Key2, the Key2 is used as the argument to compute the function value of the hash function to obtain Key3, and so on. Finally, according to the order of Key generation, Key1, Key2, and Key3 … … KeyN constitute an ordered group of content keys, where N is the number of content keys in the ordered group of content keys.
In step S304, the transmitting terminal encrypts the data content using the last key that was not used in the ordered set of content keys. That is, the content key encrypts the data content using KeyN, KeyN-1, and KeyN-2 … … in this order.
Since the hash function is unidirectional, the subsequent content key can be generated based on the previous content key, but the previous content key cannot be obtained based on the subsequent content key. Therefore, the last content key in the content key ordered group is used in the reverse order, the key can be replaced every time of communication, and the receiving terminal cannot deduce other content keys which are not used by the sending terminal through the content key obtained in the current communication, so that the communication safety is improved.
In some embodiments, the content key obtained by the terminal may be generated by the network side device and sent by the base station. An embodiment of a content key issuing method is described below with reference to fig. 3B.
Fig. 3B is a flowchart illustrating a content key issuing method according to some embodiments of the present invention. As shown in fig. 3B, the content key issuing method of this embodiment includes steps S312 to S316.
In step S312, the network-side device generates an initial content key for each terminal.
In step S314, the network side device generates a content key ordered group according to the initial content key and the hash function, where the content key ordered group includes a plurality of content keys.
In step S316, the network device issues the content key ordered group of the terminal to the base station, so that the base station issues the content key ordered group of the terminal to the terminal.
In some embodiments, the network side device may generate the content key periodically and issue the content key to the terminal.
The network side device may be, for example, a large key generation device, which may generate keys quickly. The number of bits of the key may be set as desired, e.g., 128, 192, 256 bits, etc. The network side device may be located in the base station or in the core network.
In some embodiments, the receiving terminal may authenticate the received key. An embodiment of the decryption process of the receiving terminal of the present invention is described below with reference to fig. 4A.
Fig. 4A is a flow diagram of a decryption process at a receiving terminal according to some embodiments of the invention. As shown in fig. 4A, the decryption process of this embodiment includes steps S402 to S406.
In step S402, the receiving terminal decrypts the key-encrypted data from the transmitting terminal using the channel key, obtaining a content key.
In step S404, the receiving terminal verifies the obtained content key.
In step S406, in response to the verification passing, the reception terminal decrypts the content encrypted data with the obtained content key, obtaining the data content.
The receiving terminal may, for example, send the content key to the network side for authentication, or may authenticate using a hash function when the sending terminal encrypts with the key in the ordered set of content keys. The content key verification method of the present invention is described below with reference to fig. 4B.
Fig. 4B is a flow chart illustrating a content key verification method according to some embodiments of the invention. As shown in fig. 4, the content key verification method of this embodiment includes steps S410 to S418.
In step S410, the transmitting terminal encrypts the content data with the key in the content key ordered group, and transmits the content encrypted data and the key encrypted data to the receiving terminal. The content keys in the ordered set of content keys, except for the first content key, are generated based on the last content key and a hash function.
In step S412, the receiving terminal decrypts the key-encrypted data from the transmitting terminal using the channel key, obtaining the content key.
In step S414, the receiving terminal determines whether the currently received data is the content encrypted data and the key encrypted data that are first received within the preset time and sent by the sending terminal. If so, go to step S416, otherwise go to step S418.
The preset time may be set as needed, for example, according to the period of key update.
In step S416, the receiving terminal transmits the obtained content key to the network side for authentication. The receiving terminal may, for example, send the content key and the information of the sending terminal to the network side for authentication on the network side.
In step S418, the receiving terminal verifies the content key obtained this time based on the content key obtained last time and the hash function. For example, the receiving terminal may calculate a value of a hash function using the content key obtained this time as an argument, and if the calculation result matches the content key obtained last time, the verification is passed.
Thus, the receiving terminal can perform network side authentication and local authentication, and in most cases, performs local authentication, thereby improving the security of communication.
The embodiment of the invention can be applied to the application scene of multipoint-to-multipoint communication. For example, the transmitting terminal may transmit content encryption data and key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys. The following describes an embodiment of the communication method of the present invention, taking a car networking scenario as an example.
FIG. 5 is a schematic flow diagram of a vehicle networking communication method according to some embodiments of the invention. As shown in fig. 5, base station a is adjacent to base station B, and base station C is adjacent to base station a; the base station A and the base station C share channel keys RA and RC, and the base station A and the base station B share channel keys RA and RB; the vehicle-mounted terminal A is located in the coverage range of the base station A, the vehicle-mounted terminal B is located in the coverage range of the base station B, and the vehicle-mounted terminal C is located in the coverage range of the base station C. The vehicle networking communication method of this embodiment includes steps S502 to S522.
In step S502, the base station A issues a channel key { RA, RB, RC } and an ordered set of content keys { R11, R12, … R1(L-2), R1(L-1), R1L } to the terminal A.
In step S504, the base station B issues a channel key { RA, RB } and an ordered set of content keys { R21, R22, … R2M } to the terminal B.
In step S506, the base station C issues a channel key { RA, RC } and an ordered set of content keys { R31, R32, … R3N } to the terminal C.
The terminal a may start the encryption process when it wants to send the current speed of the vehicle in which the terminal a is located to the surrounding vehicles.
In step S508, the terminal a encrypts the content key R1L with the channel keys RA, RB, RC to generate key encrypted data C11, C12, C13, and encrypts the content key R1(L-1) to generate key encrypted data C21, C22, C23, respectively.
In step S510, the terminal a encrypts the current speed data with the content keys R1L, R1(L-1), respectively, to generate content encrypted data X1 and X2.
In step S512, the terminal a signs X1 with the content key R1L to generate signature data S1, and signs X2 with the content key R1(L-1) to generate signature data S2.
In step S514, terminal a transmits { C11, C12, C13, X1, S1} to terminal B, and { C21, C22, C23, X2, S2} to terminal C.
In step S516, terminal B attempts decryption of C11, C12, C13 using the received channel keys { RA, RB }, respectively. RA can successfully decrypt C11, RB can successfully decrypt C12, and the decryption results of both are the content key R1L.
In step S518, terminal B authenticates the content key R1L.
In step S520, in response to the verification passing, the terminal B decrypts X1 with the content key R1L, obtaining the current speed data of the terminal a.
In step S522, terminal B verifies the signature S1 with the content key R1L. In response to the verification passing, the terminal B confirms that the current speed data of the terminal a obtained by decryption is error-free.
The processing flow of the terminal C is similar to that of the terminal B, and is not described herein again. While receiving the data transmitted by the terminal a, the terminals B and C may also receive data transmitted by other terminals. Therefore, the safety in the process of multipoint-to-multipoint communication is improved, and the communication time delay is reduced.
An embodiment of the communication terminal of the present invention is described below with reference to fig. 6.
Fig. 6 is a schematic diagram of a communication terminal according to some embodiments of the present invention. As shown in fig. 6, the
In some embodiments, the key obtaining module 6100 is configured to obtain the channel key and the content key issued by the base station, and the channel keys issued by the base station to the terminals in the coverage area are the same.
In some embodiments, the channel key issued by the base station to the terminal within the coverage area includes a channel key corresponding to the base station and a channel key corresponding to an adjacent base station, and the communication terminal and the receiving terminal are located within the coverage area of the same base station or the coverage area of the adjacent base station.
In some embodiments, the key encryption module 6300 is further configured to encrypt the content key with each acquired channel key respectively, and generate a plurality of key encryption data.
In some embodiments, the key acquisition module 6100 is further configured to acquire an ordered set of content keys from the network side, the content keys in the ordered set of content keys except for the first content key being generated from the last content key and a hash function; the content encryption module 6200 is further configured to encrypt the data content with a last key in the ordered set of content keys that is unused.
In some embodiments, the transmitting module 6400 is further configured to transmit the content encryption data and the key encryption data to a plurality of receiving terminals, wherein the content encryption data transmitted to different receiving terminals is encrypted with different content encryption keys.
In some embodiments, the
In some embodiments, the
An embodiment of the communication system of the present invention is described below with reference to fig. 7.
Fig. 7 is a block diagram of a communication system according to some embodiments of the invention. As shown in fig. 7, the
In some embodiments, the
In some embodiments, the network-side device 730 is further configured to generate an initial content key for each terminal, generate an ordered group of content keys according to the initial content key and a hash function, where the ordered group of content keys includes a plurality of content keys, and send the ordered group of content keys of the terminal to the base station, so that the base station sends the ordered group of content keys of the terminal to the terminal.
Fig. 8 is a schematic structural diagram of a communication terminal according to further embodiments of the present invention. As shown in fig. 8, the
Fig. 9 is a schematic diagram of a communication terminal according to further embodiments of the present invention. As shown in fig. 9, the
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored, wherein the program is configured to implement any one of the aforementioned communication methods when executed by a processor.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
- 上一篇:一种医用注射器针头装配设备
- 下一篇:网络攻击防御方法及设备