CN118018226A - Data transmission method and related products - Google Patents
Data transmission method and related products Download PDFInfo
- Publication number
- CN118018226A CN118018226A CN202211406803.8A CN202211406803A CN118018226A CN 118018226 A CN118018226 A CN 118018226A CN 202211406803 A CN202211406803 A CN 202211406803A CN 118018226 A CN118018226 A CN 118018226A
- Authority
- CN
- China
- Prior art keywords
- account
- authentication code
- data
- key information
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
技术领域Technical Field
本申请实施例涉及终端技术领域,涉及但不限于一种数据传输方法及相关产品。The embodiments of the present application relate to the field of terminal technology, and are related to but not limited to a data transmission method and related products.
背景技术Background technique
随着终端技术的发展,各种各样的终端设备已深入应用到人们的生活中。为方便管理,目前用户在各个终端设备上均使用同一个账号进行信息记录,例如手机、ipad和手环使用一个用户账号进行信息记录和管理。With the development of terminal technology, various terminal devices have been deeply applied to people's lives. For the convenience of management, users currently use the same account to record information on various terminal devices. For example, a mobile phone, iPad and bracelet use one user account to record and manage information.
然而在实践中发现,同账号的终端设备之间是基于双向账号证书建立的通信连接,其需要依赖账号证书机制,具体需检查对端设备提供的证书是否来自可行设备颁发、证书中的账号标识是否与自身是同一用户账号,从而导致通信建立的时延较长,降低通信效率。However, in practice, it is found that the communication connection between terminal devices with the same account is established based on a two-way account certificate, which needs to rely on the account certificate mechanism. Specifically, it is necessary to check whether the certificate provided by the other device is issued by a feasible device and whether the account identifier in the certificate is the same user account as itself, which leads to a longer delay in establishing communication and reduces communication efficiency.
发明内容Summary of the invention
有鉴于此,本申请实施例提供的一种数据传输方法及相关产品,能够解决现有技术中存在的通信建立的时延较长、降低通信效率的问题。In view of this, a data transmission method and related products provided in an embodiment of the present application can solve the problems of long delay in communication establishment and reduced communication efficiency existing in the prior art.
第一方面,本申请实施例提供一种数据传输方法,应用于发端设备,该方法包括:In a first aspect, an embodiment of the present application provides a data transmission method, which is applied to a transmitting device, and the method includes:
获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;Acquire account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the transmitting device and the receiving device;
根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;Encrypt the business data and calculate the authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。A data message is sent to the receiving device, where the data message carries the encrypted data and the first authentication code.
第二方面,本申请实施例提供另一种数据传输方法,应用于收端设备,该方法包括:In a second aspect, an embodiment of the present application provides another data transmission method, which is applied to a receiving device, and the method includes:
接收发端设备发送的数据消息,所述数据消息携带有加密数据和第一认证码,所述加密数据和所述第一认证码均为根据用户账号的共享密钥信息对待传输的业务数据进行加密和认证码计算得到的,所述用户账号为所述发端设备和收端设备共用的账号;Receive a data message sent by a transmitting device, the data message carrying encrypted data and a first authentication code, the encrypted data and the first authentication code being obtained by encrypting the service data to be transmitted and calculating the authentication code according to shared key information of a user account, the user account being an account shared by the transmitting device and the receiving device;
在对所述第一认证码认证成功后,对所述加密数据进行解密,得到所述业务数据。After the first authentication code is successfully authenticated, the encrypted data is decrypted to obtain the business data.
第三方面,本申请实施例提供一种数据传输系统,包括发端设备和收端设备,其中:In a third aspect, an embodiment of the present application provides a data transmission system, including a transmitting device and a receiving device, wherein:
所述发端设备,用于获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码;The originating device is configured to obtain account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device and the receiving device; encrypt the service data and calculate the authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; and send a data message to the receiving device, wherein the data message carries the encrypted data and the first authentication code;
所述收端设备,用于接收所述数据消息,在对所述第一认证码认证成功后,对所述加密数据进行解密,得到所述业务数据。The receiving device is used to receive the data message, and after successfully authenticating the first authentication code, decrypt the encrypted data to obtain the business data.
第四方面,本申请实施例提供一种计算机设备,包括存储器和处理器,所述存储器存储有可在处理器上运行的计算机程序,所述处理器执行所述程序时实现本申请实施例所述第一方面或第二方面提供的方法。In a fourth aspect, an embodiment of the present application provides a computer device, comprising a memory and a processor, wherein the memory stores a computer program that can be executed on the processor, and when the processor executes the program, the method provided in the first aspect or the second aspect of the embodiment of the present application is implemented.
第五方面,本申请实施例提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现本申请实施例所述第一方面或第二方面提供的方法。In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the method provided in the first aspect or the second aspect of the embodiment of the present application.
与现有技术相比,本申请至少具有如下有益效果:Compared with the prior art, this application has at least the following beneficial effects:
本申请实施例中,发端设备获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。可见,本申请能基于发端设备和收端设备共用的用户账号的账号密钥信息来进行相互间的数据通信,相比于现有技术而言,规避了账号证书,避免黑客入侵恶意颁发账号证书,出现通信不安全的问题,且还降低了终端的研发成本,减少了设备侧对账号密钥信息的存储和维护开销。从而既保证了数据安全,又能提升数据传输的便捷性和高效性。同时还能解决现有技术中存在的通信建立的时延较长、降低通信效率的问题。In the embodiment of the present application, the originating device obtains account key information and business data to be transmitted, the account key information is the shared key information of the user account, and the user account is the account shared by the originating device and the receiving device; the business data is encrypted and the authentication code is calculated according to the account key information to obtain the corresponding encrypted data and the first authentication code; a data message is sent to the receiving device, and the data message carries the encrypted data and the first authentication code. It can be seen that the present application can carry out data communication between each other based on the account key information of the user account shared by the originating device and the receiving device. Compared with the prior art, it avoids the account certificate, avoids hackers from maliciously issuing account certificates, and causes communication insecurity, and also reduces the R&D cost of the terminal, and reduces the storage and maintenance expenses of the account key information on the device side. Thereby, data security is guaranteed, and the convenience and efficiency of data transmission can be improved. At the same time, it can also solve the problem of long delay in communication establishment and reduced communication efficiency in the prior art.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
此处的附图被并入说明书中并构成本说明书的一部分,这些附图示出了符合本申请的实施例,并与说明书一起用于说明本申请的技术方案。The drawings herein are incorporated into the specification and constitute a part of the specification. These drawings illustrate embodiments consistent with the present application and are used together with the specification to illustrate the technical solution of the present application.
图1是现有技术提供的一种账号证书颁发的流程示意图。FIG. 1 is a schematic diagram of a process of issuing an account certificate provided by the prior art.
图2是现有技术提供的一种数据传输方法的流程示意图。FIG. 2 is a flow chart of a data transmission method provided by the prior art.
图3是本申请实施例提供的一种数据传输系统的结构示意图。FIG3 is a schematic diagram of the structure of a data transmission system provided in an embodiment of the present application.
图4是本申请实施例提供的一种账号密钥信息获取的流程示意图。FIG4 is a schematic diagram of a process for obtaining account key information provided in an embodiment of the present application.
图5是本申请实施例提供的一种数据传输方法的流程示意图。FIG5 is a flow chart of a data transmission method provided in an embodiment of the present application.
图6是本申请实施例提供的另一种数据传输方法的流程示意图。FIG6 is a flow chart of another data transmission method provided in an embodiment of the present application.
图7是本申请实施例提供的一种数据传输装置的结构示意图。FIG. 7 is a schematic diagram of the structure of a data transmission device provided in an embodiment of the present application.
图8是本申请实施例提供的另一种数据传输装置的结构示意图。FIG8 is a schematic diagram of the structure of another data transmission device provided in an embodiment of the present application.
图9是本申请实施例提供的一种数据传输系统的结构示意图。FIG. 9 is a schematic diagram of the structure of a data transmission system provided in an embodiment of the present application.
具体实施方式Detailed ways
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请的具体技术方案做进一步详细描述。以下实施例用于说明本申请,但不用来限制本申请的范围。In order to make the purpose, technical scheme and advantages of the embodiments of the present application clearer, the specific technical scheme of the present application will be further described in detail below in conjunction with the drawings in the embodiments of the present application. The following embodiments are used to illustrate the present application, but are not used to limit the scope of the present application.
除非另有定义,本文所使用的所有的技术和科学术语与属于本申请的技术领域的技术人员通常理解的含义相同。本文中所使用的术语只是为了描述本申请实施例的目的,不是旨在限制本申请。Unless otherwise defined, all technical and scientific terms used herein have the same meaning as those commonly understood by those skilled in the art to which this application belongs. The terms used herein are only for the purpose of describing the embodiments of this application and are not intended to limit this application.
在以下的描述中,涉及到“一些实施例”,其描述了所有可能实施例的子集,但是可以理解,“一些实施例”可以是所有可能实施例的相同子集或不同子集,并且可以在不冲突的情况下相互结合。In the following description, reference is made to “some embodiments”, which describe a subset of all possible embodiments, but it will be understood that “some embodiments” may be the same subset or different subsets of all possible embodiments and may be combined with each other without conflict.
需要指出,本申请实施例所涉及的术语“第一\第二\第三”用以区别类似或不同的对象,不代表针对对象的特定排序,可以理解地,“第一\第二\第三”在允许的情况下可以互换特定的顺序或先后次序,以使这里描述的本申请实施例能够以除了在这里图示或描述的以外的顺序实施。It should be pointed out that the terms "first\second\third" involved in the embodiments of the present application are used to distinguish similar or different objects, and do not represent a specific ordering of the objects. It can be understood that "first\second\third" can be interchanged in a specific order or sequence where permitted, so that the embodiments of the present application described here can be implemented in an order other than that illustrated or described here.
申请人在提出本申请的过程中还发现:在终端设备互联互通的业务场景(如手机的视频聊天facetime,由平板ipad接管手机的电话通信),经常涉及近场环境下同一个用户账号下绑定的不同终端设备之间的安全通信。该终端设备包括但不限于例如手机、平板、手表和智能音箱等。其通信实施方案如下:In the process of filing this application, the applicant also found that in the business scenarios of terminal device interconnection (such as FaceTime video chat on mobile phones, and the phone communication of mobile phones being taken over by tablets and iPads), secure communication between different terminal devices bound to the same user account in a near-field environment is often involved. The terminal devices include, but are not limited to, mobile phones, tablets, watches, and smart speakers. The communication implementation plan is as follows:
请参见图1是现有技术提供的一种账号证书颁发的流程示意图。如图1所示的流程包括如下步骤:Please refer to Figure 1, which is a schematic diagram of a process of issuing an account certificate provided by the prior art. The process shown in Figure 1 includes the following steps:
S101、用户在终端A侧登录用户账号(U_ID),由终端代工厂(OEM)厂商的服务器S进行登录鉴权。S101. A user logs in to a user account (U_ID) at terminal A, and a server S of a terminal OEM manufacturer performs login authentication.
S102、用户在终端A上操作,随机生成与用户账号绑定的账号公私钥对,记为(U_A_private_key,U_A_public_key)。S102. The user operates on terminal A to randomly generate a public-private key pair bound to the user account, recorded as (U_A_private_key, U_A_public_key).
S103、用户在终端A侧安全存储账号私钥U_A_public_key。S103. The user securely stores the account private key U_A_public_key on terminal A.
S104、用户在终端A侧向服务器S发送证书颁发请求,该请求用于申请颁发账号证书。该请求中携带有U_ID和U_A_public_key等信息。S104: The user sends a certificate issuance request to the server S at the terminal A, and the request is used to apply for the issuance of an account certificate. The request carries information such as U_ID and U_A_public_key.
S105、服务器S为用户颁发与终端A绑定的账号证书,记为U_A_Cert。该账号证书中携带有U_ID和U_A_public_key等信息。S105. Server S issues an account certificate to the user, which is bound to terminal A, and is recorded as U_A_Cert. The account certificate carries information such as U_ID and U_A_public_key.
S106、服务器S向终端A返回账号证书U_A_Cert。S106. Server S returns the account certificate U_A_Cert to terminal A.
S107、终端A安全存储账号证书U_A_Cert。S107. Terminal A securely stores the account certificate U_A_Cert.
在实际应用中,若未来用户需在终端A侧解绑,即解除终端A与用户账号之间的绑定,则服务器S将撤销/注销账号证书U_A_Cert。类似于上述图1所示流程,用户在终端B侧同样可生成账号公私钥对,记为(U_B_private_key,U_B_public_key)及获得账号证书U_B_Cert,这里不再赘述。In actual applications, if the user needs to unbind on the terminal A side in the future, that is, to unbind the terminal A from the user account, the server S will revoke/cancel the account certificate U_A_Cert. Similar to the process shown in Figure 1 above, the user can also generate an account public and private key pair on the terminal B side, recorded as (U_B_private_key, U_B_public_key) and obtain the account certificate U_B_Cert, which will not be repeated here.
请一并参见图2,是现有技术提供的一种数据传输方法的流程示意图。如图2所示的方法包括如下实施步骤:Please refer to Figure 2, which is a flowchart of a data transmission method provided by the prior art. The method shown in Figure 2 includes the following implementation steps:
S201、终端A向终端B发起传输层安全性协议(Transport Layer Security,TLS)安全连接请求,关于TLS协议的内容可对应参考国际标准RFC8446中的相关介绍,本申请这里不做详述。S201. Terminal A initiates a Transport Layer Security (TLS) secure connection request to terminal B. For the content of the TLS protocol, please refer to the relevant introduction in the international standard RFC8446, which will not be described in detail in this application.
S202、终端B加载自身的账号私钥U_B_private_key,并向终端A返回账号证书U_B_Cert。S202. Terminal B loads its own account private key U_B_private_key, and returns the account certificate U_B_Cert to terminal A.
S203、终端A检查账号证书U_B_Cert的证书信任链来自可信的OEM厂商(也可检查证书信任链来自颁发证书的服务器S),且证书中的用户账号U_ID与终端A当前绑定的用户账号相同。如果不同,则终止本次通信。S203, terminal A checks that the certificate trust chain of the account certificate U_B_Cert comes from a trusted OEM manufacturer (it can also check that the certificate trust chain comes from the server S that issued the certificate), and the user account U_ID in the certificate is the same as the user account currently bound to terminal A. If they are different, terminate this communication.
S204、终端A加载自身的账号私钥U_A_private_key,并向终端B返回账号证书U_A_Cert。S204. Terminal A loads its own account private key U_A_private_key, and returns the account certificate U_A_Cert to terminal B.
S205、终端B检查账号证书U_A_Cert的证书信任链来自可信OEM厂商,且证书中的用户账号U_ID与终端B当前绑定的用户账号相同。如果不同,则终止本次通信。S205. Terminal B checks that the certificate trust chain of the account certificate U_A_Cert comes from a trusted OEM manufacturer, and that the user account U_ID in the certificate is the same as the user account currently bound to terminal B. If they are different, the communication is terminated.
S206、在双方都检查成功后,终端A和终端B成功建立TLS通信连接,进行安全通信,具体可相互传输用户的业务数据等。S206. After both parties have successfully checked, terminal A and terminal B successfully establish a TLS communication connection and conduct secure communication, specifically transmitting user business data, etc. to each other.
然而在实践中发现,现有方案存在以下几个缺点:对同账号终端的判定,强依赖于账号证书机制,导致终端侧的研发成本较高。终端通过检查通信对端提供的证书信任链是否来自可信的OEM厂商、及检查证书中的用户账号是否与自身账号相同,认证流程复杂、不简便,降低通信效率。同账号终端的通信连接是基于双向账号证书建立的TLS连接,通信建立的时延较长。此外,由于账号证书依赖于OEM厂商的服务器S颁发,若服务器S存在黑客入侵等安全事件,可能在用户不知情的情况下,向终端C颁发账号证书U_C_Cert。在终端A与终端B没有其他辅助安全机制时,黑客通过入侵服务器S颁发的证书U_C_Cert,与终端A或B建立安全通信,导致用户数据泄露,降低数据传输的安全性。However, in practice, it is found that the existing scheme has the following shortcomings: the determination of the same-account terminal strongly relies on the account certificate mechanism, resulting in high R&D costs on the terminal side. The terminal checks whether the certificate trust chain provided by the communication counterpart is from a trusted OEM manufacturer and whether the user account in the certificate is the same as its own account. The authentication process is complicated and inconvenient, which reduces communication efficiency. The communication connection between the same-account terminal is a TLS connection established based on a two-way account certificate, and the delay in establishing communication is relatively long. In addition, since the account certificate depends on the issuance of the OEM manufacturer's server S, if there is a security incident such as a hacker intrusion on server S, the account certificate U_C_Cert may be issued to terminal C without the user's knowledge. When terminal A and terminal B do not have other auxiliary security mechanisms, hackers establish secure communication with terminal A or B by invading the certificate U_C_Cert issued by server S, resulting in user data leakage and reducing the security of data transmission.
为解决上述问题,本申请提出一种数据传输方法及相关产品。本申请将为同一用户账号下的各设备派生通用的账号密钥信息,同账号终端可基于该账号密钥信息进行安全通信。To solve the above problems, the present application proposes a data transmission method and related products. The present application will derive universal account key information for each device under the same user account, and the same account terminals can communicate securely based on the account key information.
首先,介绍本申请适用的系统实施例。请参见图3是本申请实施例提供的一种数据传输系统的结构示意图。如图3所示的系统包括:发端设备100和收端设备200,可选地还可包括服务器300。其中,系统中的任意两个设备可根据业务需求通过网络相互通信。First, the system embodiment applicable to the present application is introduced. Please refer to FIG3 for a structural diagram of a data transmission system provided by an embodiment of the present application. The system shown in FIG3 includes: a transmitting device 100 and a receiving device 200, and optionally also includes a server 300. Any two devices in the system can communicate with each other through a network according to business requirements.
本申请的发端设备100也可称为发送端,通常是指信源端。收端设备200也可称为接收端,通常是指信宿端。发端设备100和收端设备200之间通常存在有业务数据的交互,具体在本申请下文详述。本申请中的发端设备100和收端设备200均可以是指终端设备,其可包括但不限于例如智能手机(如Android手机、IOS手机等)、个人电脑、平板电脑、掌上电脑、电子阅读器、移动互联网设备(MID,Mobile Internet Devices)、穿戴式智能设备或其他具备通信功能的设备等。The transmitting device 100 of the present application may also be referred to as the transmitting end, which usually refers to the information source end. The receiving device 200 may also be referred to as the receiving end, which usually refers to the information destination end. There is usually an interaction of business data between the transmitting device 100 and the receiving device 200, which is described in detail below in this application. The transmitting device 100 and the receiving device 200 in the present application may both refer to terminal devices, which may include but are not limited to, for example, smart phones (such as Android phones, IOS phones, etc.), personal computers, tablet computers, PDAs, e-readers, mobile Internet devices (MID, Mobile Internet Devices), wearable smart devices or other devices with communication functions.
本申请的服务器300用于与终端设备(具体可为发端设备100或收端设备200)协商相应的账号密钥信息,具体在本申请下文详述。本申请的服务器300可以是指本地的服务器,也可以是指云端的服务器。且,本申请对上述发端设备100、收端设备200和服务器300各自的数量并不做限定,其可根据实际需求确定。The server 300 of the present application is used to negotiate the corresponding account key information with the terminal device (specifically, the transmitting device 100 or the receiving device 200), which is described in detail below in the present application. The server 300 of the present application can refer to a local server or a cloud server. Moreover, the present application does not limit the number of the above-mentioned transmitting device 100, receiving device 200 and server 300, which can be determined according to actual needs.
接着,介绍本申请涉及的密钥派生实施例。请参见图4是本申请实施例提供的一种账号密钥信息获取的流程示意图。图示中,以用户在发端设备100侧派生/获取账号密钥信息为例进行相关内容的介绍,但并不构成限定。如图4所示的流程包括如下实施步骤:Next, the key derivation embodiment involved in this application is introduced. Please refer to Figure 4, which is a schematic diagram of a process of obtaining account key information provided by an embodiment of this application. In the figure, the user derives/obtains account key information on the originating device 100 as an example to introduce the relevant content, but it does not constitute a limitation. The process shown in Figure 4 includes the following implementation steps:
S401、发端设备100向服务器300发送账号绑定请求,所述账号绑定请求携带有所述用户账号的账号标识及用户身份识别码。相应地,服务器300接收该账号绑定请求。S401: The originating device 100 sends an account binding request to the server 300, wherein the account binding request carries the account identifier and the user identity code of the user account. Accordingly, the server 300 receives the account binding request.
具体实现中,用户在发端设备100侧登录用户账号(其账号标识可记为U_ID),由设备OEM厂商的服务器300进行登录鉴权。用户在发端设备100侧输入用户身份识别码(Personal identification number,PIN)码,基于PIN码向服务器300提交账号绑定请求,记为U_KeyPair_Reqest。在实际应用中,该账号绑定请求中可携带有用户账号的账号标识和PIN码,可选地还可携带有例如发端设备100基于自身的业务数据生成/产生的一些公钥参数等信息。In a specific implementation, the user logs in to the user account (whose account identifier can be recorded as U_ID) on the originating device 100 side, and the server 300 of the device OEM manufacturer performs login authentication. The user enters the user identity identification number (PIN) code on the originating device 100 side, and submits an account binding request to the server 300 based on the PIN code, which is recorded as U_KeyPair_Reqest. In actual applications, the account binding request may carry the account identifier and PIN code of the user account, and may optionally carry some public key parameters generated/produced by the originating device 100 based on its own business data.
S402、服务器300基于所述用户账号的账号标识及所述用户身份识别码,派生获得密钥生成参数。S402: The server 300 derives a key generation parameter based on the account identifier of the user account and the user identity identification code.
服务器300可响应该账号绑定请求,根据账号标识、PIN码再结合其他信息(如服务器自身的秘密值S_secret等)派生出相应的密钥生成参数。该密钥生成参数用于为该用户账号生成相应的账号密钥信息。The server 300 may respond to the account binding request and derive corresponding key generation parameters based on the account identifier, PIN code and other information (such as the server's own secret value S_secret, etc.). The key generation parameters are used to generate corresponding account key information for the user account.
本申请对密钥生成参数的派生具体实施方式并不做限定,例如采用预设的密钥生成算法来生成等。该密钥生成算法为系统或用户自定义设置的,本申请并不做限定。The present application does not limit the specific implementation method of deriving the key generation parameters, for example, using a preset key generation algorithm to generate the key, etc. The key generation algorithm is a system or user-defined setting, and the present application does not limit it.
S403、服务器300向发端设备100发送账号绑定响应。相应地,发端设备100接收该账号绑定响应,所述账号绑定响应携带有密钥生成参数,所述密钥生成参数为所述服务器根据所述账号标识和所述用户身份识别码生成的。S403, the server 300 sends an account binding response to the originating device 100. Accordingly, the originating device 100 receives the account binding response, which carries a key generation parameter generated by the server according to the account identifier and the user identity code.
服务器300可基于该密钥生成参数生成对应的账号绑定响应,记为U_KeyPair_Response。并将该账号绑定响应返回给发端设备100。在实际应用中,该账号绑定响应中至少携带有密钥生成参数,可选地还可根据实际需求携带有其他信息。The server 300 may generate a corresponding account binding response based on the key generation parameters, recorded as U_KeyPair_Response, and return the account binding response to the originating device 100. In actual applications, the account binding response carries at least the key generation parameters, and may optionally carry other information according to actual needs.
S404、发端设备100基于所述密钥生成参数派生得到所述账号密钥信息。S404: The originating device 100 derives the account key information based on the key generation parameters.
本申请发端设备100在获得账号绑定响应后,可依据响应中的密钥生成参数,再结合其他信息(如发端设备100初始化生成的私钥参数等)为用户账号生成对应的账号密钥信息。该账号密钥信息可包括账号公私钥对(具体包括账号共享私钥和账号共享公钥),记为(U_private_key,U_public_key);及账号对称密钥,记为U_symmetric_key等信息。After obtaining the account binding response, the originating device 100 of the present application can generate the corresponding account key information for the user account based on the key generation parameters in the response and in combination with other information (such as the private key parameters generated by the originating device 100). The account key information may include the account public-private key pair (specifically including the account shared private key and the account shared public key), recorded as (U_private_key, U_public_key); and the account symmetric key, recorded as U_symmetric_key and other information.
本申请对账号密钥信息的派生实施方式并不做限定,例如采用国际标准OPAQUE中规定的派生机制派生获得等。This application does not limit the implementation method for deriving account key information, for example, it can be derived using the derivation mechanism specified in the international standard OPAQUE.
S405、发端设备100安全存储账号共享私钥和账号对称密钥。S405. The originating device 100 securely stores the account shared private key and the account symmetric key.
本申请中用户可在发端设备100侧安全存储账号共享私钥U_private_key和账号对称密钥U_symmetric_key。In this application, the user can securely store the account shared private key U_private_key and the account symmetric key U_symmetric_key on the originating device 100 side.
S406、发端设备100将所述账号共享公钥发送给所述服务器300。相应地,服务器300接收并保存所述账号共享公钥。S406: The originating device 100 sends the account shared public key to the server 300. Correspondingly, the server 300 receives and stores the account shared public key.
用户可在发端设备100侧向服务器300安全提交账号共享公钥U_public_key。在实际应用中,若未来用户在发端设备100侧解绑,即解除发端设备100与用户账号的绑定,则服务器300可删除账号共享公钥U_public_key。若用户需要修改PIN码,则用户在发端设备100侧需重新与服务器300协商生成新的账号密钥信息。类似上述图4所示流程,用户在收端设备200侧同样可与服务器300协商获得该用户账号的账号密钥信息,本申请这里不再赘述。The user can securely submit the account shared public key U_public_key to the server 300 on the originating device 100 side. In actual applications, if the user unbinds the originating device 100 from the user account in the future, that is, unbinds the originating device 100 from the user account, the server 300 can delete the account shared public key U_public_key. If the user needs to modify the PIN code, the user needs to negotiate with the server 300 on the originating device 100 side to generate new account key information. Similar to the process shown in Figure 4 above, the user can also negotiate with the server 300 on the receiving device 200 side to obtain the account key information of the user account, which will not be repeated in this application.
基于上述实施例,请参见图5是本申请实施例提供的一种数据传输方法的流程示意图。如图5所示的方法包括如下实施步骤:Based on the above embodiment, please refer to Figure 5 which is a flow chart of a data transmission method provided by an embodiment of the present application. The method shown in Figure 5 includes the following implementation steps:
S501、发端设备100获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备100和收端设备200共用的账号。S501, the originating device 100 obtains account key information and business data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device 100 and the receiving device 200.
本申请对账号密钥信息的获取实施方式并不做限定,例如采用如上图4所示流程可获得用户账号的账号密钥信息等。本申请涉及的账号密钥信息是指用户账号的相关信息,其可包括但不限于例如用户账号的账号公私钥对(具体可包括账号共享公钥和账号共享私钥)和账号对称密钥等信息。This application does not limit the implementation method for obtaining account key information. For example, the account key information of a user account can be obtained by using the process shown in Figure 4 above. The account key information involved in this application refers to relevant information of a user account, which may include but is not limited to information such as the public and private key pair of the user account (specifically, it may include an account shared public key and an account shared private key) and an account symmetric key.
本申请对业务数据的获取实施方式也不做限定,例如直接从数据库中获取待传输的业务数据,又如在检测到用户的选择操作后,将选择操作所对应的数据作为待传输的业务数据等,本申请不做限定。The present application does not limit the implementation method for obtaining business data. For example, the business data to be transmitted can be directly obtained from the database, or after detecting the user's selection operation, the data corresponding to the selection operation can be used as the business data to be transmitted, etc. The present application does not limit it.
S502、发端设备100根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码。S502: The originating device 100 encrypts the service data and calculates an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code.
S503、发端设备100向收端设备200发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。相应地,收端设备200接收该数据消息。S503: The transmitting device 100 sends a data message to the receiving device 200, wherein the data message carries the encrypted data and the first authentication code. Correspondingly, the receiving device 200 receives the data message.
S504、收端设备200在对所述第一认证码认证成功后,对所述加密数据进行解密,得到所述业务数据。S504: After successfully authenticating the first authentication code, the receiving device 200 decrypts the encrypted data to obtain the business data.
本申请的第一认证码用于对发端设备100进行身份认证。在认证成功后,收端设备200才可解析上述加密数据,以获得发端设备10所发送的业务数据。The first authentication code of the present application is used to authenticate the identity of the originating device 100. After the authentication is successful, the receiving device 200 can parse the encrypted data to obtain the service data sent by the originating device 10.
通过实施本申请实施例,发端设备获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。可见,本申请能基于发端设备和收端设备共用的用户账号的账号密钥信息来进行相互间的数据通信,相比于现有技术而言,规避了账号证书,避免黑客入侵恶意颁发账号证书,出现通信不安全的问题,且还降低了终端的研发成本,减少了设备侧对账号密钥信息的存储和维护开销。从而既保证了数据安全,又能提升数据传输的便捷性和高效性。同时还能解决现有技术中存在的通信建立的时延较长、降低通信效率的问题。By implementing the embodiment of the present application, the originating device obtains the account key information and the business data to be transmitted, the account key information is the shared key information of the user account, and the user account is the account shared by the originating device and the receiving device; the business data is encrypted and the authentication code is calculated according to the account key information to obtain the corresponding encrypted data and the first authentication code; a data message is sent to the receiving device, and the data message carries the encrypted data and the first authentication code. It can be seen that the present application can carry out data communication between each other based on the account key information of the user account shared by the originating device and the receiving device. Compared with the prior art, it avoids the account certificate, avoids hackers from maliciously issuing account certificates, and causes the problem of insecure communication, and also reduces the R&D cost of the terminal, and reduces the storage and maintenance expenses of the account key information on the device side. Thereby, data security is guaranteed, and the convenience and efficiency of data transmission can be improved. At the same time, it can also solve the problem of long delay in communication establishment and reduced communication efficiency in the prior art.
请参见图6,是本申请实施例提供的另一种数据传输方法的流程示意图。如图6所示的方法包括如下实施步骤:Please refer to Figure 6, which is a flowchart of another data transmission method provided by an embodiment of the present application. The method shown in Figure 6 includes the following implementation steps:
S601、发端设备100获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为发端设备100和收端设备200共用的账号,所述账号密钥信息包括账号共享公钥和账号对称密钥。S601, the originating device 100 obtains account key information and business data to be transmitted, the account key information is the shared key information of the user account, the user account is an account shared by the originating device 100 and the receiving device 200, and the account key information includes an account shared public key and an account symmetric key.
S602、发端设备100根据所述账号共享公钥对所述业务数据进行加密,得到加密数据。S602: The originating device 100 encrypts the business data according to the account shared public key to obtain encrypted data.
本申请对加密的具体实施方式并不做限定,例如可采用预设的加密算法利用账号共享公钥U_public_key对业务数据Data进行数字信封加密,得到加密数据,记为Data_Envelope。该加密算法为系统自定义设置的加密算法,其可包括但不限于例如国际标准ECIES中规定的数字信封函数/算法等。This application does not limit the specific implementation method of encryption. For example, a preset encryption algorithm can be used to use the account shared public key U_public_key to encrypt the business data Data in a digital envelope to obtain encrypted data, which is recorded as Data_Envelope. The encryption algorithm is a system-defined encryption algorithm, which may include but is not limited to the digital envelope function/algorithm specified in the international standard ECIES.
S603、发端设备100根据所述账号对称密钥对所述加密数据进行认证码计算,得到第一认证码。S603: The originating device 100 calculates an authentication code on the encrypted data according to the account symmetric key to obtain a first authentication code.
本申请可使用账号对称密钥U_symmetric_key对加密数据Data_Envelope进行消息认证码计算,得到第一认证码,记为Data_Envelope_MAC。其中,本申请对认证码计算的具体实施方式并不做限定,例如采用国际标准HMAC及CMAC中规定的相关消息认证码函数计算获得等。This application can use the account symmetric key U_symmetric_key to calculate the message authentication code of the encrypted data Data_Envelope to obtain a first authentication code, which is recorded as Data_Envelope_MAC. Among them, this application does not limit the specific implementation method of the authentication code calculation, for example, it is calculated using the relevant message authentication code function specified in the international standards HMAC and CMAC.
S604、发端设备100向收端设备200发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。S604: The originating device 100 sends a data message to the receiving device 200, where the data message carries the encrypted data and the first authentication code.
本申请发端设备100可向收端设备200发送上述加密数据Data_Envelope和第一认证码Data_Envelope_MAC。具体地,可将上述加密数据Data_Envelope和第一认证码Data_Envelope_MAC承载于数据消息中,发送给收端设备200。相应地,收端设备200可接收该加密数据和第一认证码,并对应记为(Recv_Data_Envelope,Recv_Data_Envelope_MAC)。The transmitting device 100 of the present application may send the encrypted data Data_Envelope and the first authentication code Data_Envelope_MAC to the receiving device 200. Specifically, the encrypted data Data_Envelope and the first authentication code Data_Envelope_MAC may be carried in a data message and sent to the receiving device 200. Accordingly, the receiving device 200 may receive the encrypted data and the first authentication code, and record them as (Recv_Data_Envelope, Recv_Data_Envelope_MAC).
S605、收端设备200获取所述用户账号的账号密钥信息,所述账号密钥信息至少包括账号对称密钥和账号共享私钥。S605. The receiving device 200 obtains the account key information of the user account, where the account key information at least includes an account symmetric key and an account shared private key.
本申请中收端设备200对账号密钥信息的获取实施方式并不做限定,例如在一个示例中在收端设备200与发端设备100建立互信后,可从发端设备100侧获取该用户账号的账号密钥信息。在另一个示例中,收端设备200可采用类似上述图4所示流程,与服务器300协商获得该用户账号的账号密钥信息。关于该账号密钥信息的内容可对应参考前述实施例中的相关介绍,这里不再赘述。In this application, the receiving device 200 does not limit the implementation method for obtaining the account key information. For example, in one example, after the receiving device 200 and the transmitting device 100 establish mutual trust, the account key information of the user account can be obtained from the transmitting device 100. In another example, the receiving device 200 can adopt a process similar to that shown in FIG. 4 above to negotiate with the server 300 to obtain the account key information of the user account. The content of the account key information can be referred to the relevant introduction in the above-mentioned embodiment, and will not be repeated here.
S606、收端设备200根据所述账号对称密钥对所述加密数据进行认证码计算,得到第二认证码。S606. The receiving device 200 calculates an authentication code for the encrypted data according to the account symmetric key to obtain a second authentication code.
收端设备200利用账号对称密钥U_symmetric_key对接收的加密数据Recv_Data_Envelope进行消息认证码计算,得到第二认证码,并记为Data_Envelope_MAC2。The receiving device 200 uses the account symmetric key U_symmetric_key to calculate the message authentication code for the received encrypted data Recv_Data_Envelope to obtain a second authentication code, which is recorded as Data_Envelope_MAC2.
S607、收端设备200基于所述第二认证码对所述第一认证码进行认证。S607: The receiving device 200 authenticates the first authentication code based on the second authentication code.
收端设备200将第一认证码Recv_Data_Envelope_MAC和第二认证码Data_Envelope_MAC2进行比较。在所述第一认证码和所述第二认证码相同时,可确定第一认证码认证成功,继续执行步骤S608。反之在所述第一认证码和所述第二认证码不同时,可确定第一认证码认证失败,继续执行步骤S609。The receiving device 200 compares the first authentication code Recv_Data_Envelope_MAC with the second authentication code Data_Envelope_MAC2. When the first authentication code and the second authentication code are the same, it can be determined that the first authentication code authentication is successful, and the step S608 is continued. On the contrary, when the first authentication code and the second authentication code are different, it can be determined that the first authentication code authentication fails, and the step S609 is continued.
S608、收端设备200在对所述第一认证码认证成功后,根据所述账号共享私钥对所述加密数据进行解密,得到所述业务数据。S608. After successfully authenticating the first authentication code, the receiving device 200 decrypts the encrypted data according to the account shared private key to obtain the business data.
收端设备200利用账号共享私钥U_private_key对接收的加密数据Recv_Data_Envelope进行解密,从而获得发端设备100发送的业务数据Data。The receiving device 200 uses the account shared private key U_private_key to decrypt the received encrypted data Recv_Data_Envelope, thereby obtaining the business data Data sent by the originating device 100.
本申请对解密的具体实施方式不做限定,例如采用预设的解密算法进行解密等,该解密算法为系统或用户自定义设置的,本申请不做限定。This application does not limit the specific implementation method of decryption, such as using a preset decryption algorithm for decryption, etc. The decryption algorithm is customized by the system or user, and this application does not limit it.
S609、收端设备200在对所述第一认证码认证失败后,向所述发端设备100发送失败消息,所述失败消息用于指示所述业务数据发送失败。相应地,发端设备100接收该失败消息。S609: After the first authentication code fails to be authenticated, the receiving device 200 sends a failure message to the sending device 100, where the failure message is used to indicate that the service data fails to be sent. Accordingly, the sending device 100 receives the failure message.
S610、发端设备100在接收到所述收端设备200发送的失败消息后,重复执行上述S601-S609的步骤。S610. After receiving the failure message sent by the receiving device 200, the sending device 100 repeats the above steps S601-S609.
收端设备200在对第一认证码认证失败后,可向发端设备100返回失败消息,以告知本次业务数据发送失败,并终止本次通信。发端设备100接收该失败消息后,可重复执行上述S601-S609的步骤,再次加密传输该业务数据。关于本申请实施例中未介绍或未描述的内容可对应参考前述实施例中的相关介绍,这里不再赘述。After the receiving device 200 fails to authenticate the first authentication code, it can return a failure message to the transmitting device 100 to inform that the service data transmission fails and terminate the communication. After receiving the failure message, the transmitting device 100 can repeat the above steps S601-S609 to encrypt and transmit the service data again. For the contents not introduced or described in the embodiments of the present application, please refer to the relevant introduction in the above embodiments, which will not be repeated here.
可以看出,本申请提供了一种轻量级的同账号终端安全通信方案,通过用户输入PIN码和服务器相互协作的方式派生用户账号下各终端设备通用的账号密钥信息(如账号公私钥对),使得该用户账号下的不同设备之间可以基于该账号密钥信息建立安全通信。规避了传统证书方案中,黑客入侵服务器,导致恶意颁发用户账号证书的风险。且,相比于现有账号证书链安全检查及证书内账号标识比较机制来说,降低了终端设备的研发成本,减小了设备侧的账号密钥存储和维护的开销。此外,本申请同账号下的各终端设备之间基于账号密钥信息建立双向安全通信,其采用的通信协议不做限定,例如可选用国际标准的SIGMA协议等。另外,本申请采用支持轻量级的数字信封、消息认证码机制建立安全通信,相对于传统的双向账号证书建立TLS连接来说,有效降低了数据包大小,减少了连接建立的时延。It can be seen that the present application provides a lightweight same-account terminal security communication solution, which derives the common account key information (such as the account public and private key pair) of each terminal device under the user account by the user inputting the PIN code and the server cooperating with each other, so that different devices under the user account can establish secure communication based on the account key information. It avoids the risk of hackers invading the server and maliciously issuing user account certificates in the traditional certificate solution. Moreover, compared with the existing account certificate chain security check and the account identification comparison mechanism in the certificate, it reduces the research and development cost of the terminal device and reduces the cost of account key storage and maintenance on the device side. In addition, the present application establishes two-way secure communication between each terminal device under the same account based on the account key information, and the communication protocol adopted is not limited, for example, the international standard SIGMA protocol can be selected. In addition, the present application adopts a lightweight digital envelope and message authentication code mechanism to establish secure communication, which effectively reduces the size of the data packet and reduces the delay in connection establishment compared to the traditional two-way account certificate to establish a TLS connection.
也就是说,本申请能基于发端设备和收端设备共用的用户账号的账号密钥信息来进行相互间的数据通信,相比于现有技术而言,规避了账号证书,避免黑客入侵恶意颁发账号证书,出现通信不安全的问题,且还降低了终端的研发成本,减少了设备侧对账号密钥信息的存储和维护开销。从而既保证了数据安全,又能提升数据传输的便捷性和高效性。同时还能解决现有技术中存在的通信建立的时延较长、降低通信效率的问题。In other words, this application can perform data communication between the transmitting device and the receiving device based on the account key information of the user account shared by the transmitting device and the receiving device. Compared with the prior art, it avoids the account certificate, avoids hackers from maliciously issuing account certificates, and prevents the problem of communication insecurity. It also reduces the R&D cost of the terminal and reduces the storage and maintenance costs of the account key information on the device side. This ensures data security and improves the convenience and efficiency of data transmission. At the same time, it can also solve the problem of long delay in communication establishment and reduced communication efficiency in the prior art.
应该理解的是,虽然图4-图6的流程图中的各个步骤按照箭头的指示依次显示,但是这些步骤并不是必然按照箭头指示的顺序依次执行。除非本文中有明确的说明,这些步骤的执行并没有严格的顺序限制,这些步骤可以以其它的顺序执行。而且,图4至图6中的至少一部分步骤可以包括多个子步骤或者多个阶段,这些子步骤或者阶段并不必然是在同一时刻执行完成,而是可以在不同的时刻执行,这些子步骤或者阶段的执行顺序也不必然是依次进行,而是可以与其它步骤或者其它步骤的子步骤或者阶段的至少一部分轮流或者交替地执行。It should be understood that, although the various steps in the flow charts of Fig. 4-Fig. 6 are shown in sequence according to the indication of the arrows, these steps are not necessarily performed in sequence according to the order indicated by the arrows. Unless there is a clear explanation in this article, the execution of these steps does not have a strict order restriction, and these steps can be performed in other orders. Moreover, at least a portion of the steps in Fig. 4 to Fig. 6 may include a plurality of sub-steps or a plurality of stages, and these sub-steps or stages are not necessarily performed at the same time, but can be performed at different times, and the execution order of these sub-steps or stages is not necessarily performed in sequence, but can be performed in turn or alternately with at least a portion of other steps or sub-steps or stages of other steps.
基于前述的实施例,本申请实施例提供几种可能的数据传输装置,该装置包括所包括的各模块、以及各模块所包括的各单元,可以通过处理器来实现;当然也可通过具体的逻辑电路实现;在实施的过程中,处理器可以为中央处理器(CPU)、微处理器(MPU)、数字信号处理器(DSP)或现场可编程门阵列(FPGA)等。Based on the foregoing embodiments, the embodiments of the present application provide several possible data transmission devices, which include the modules included and the units included in the modules, and can be implemented by a processor; of course, it can also be implemented by a specific logic circuit; in the implementation process, the processor can be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA), etc.
请参见图7,是本申请实施例提供的一种数据传输装置的结构示意图。如图7所示的装置应用于发端设备100中,该装置包括获取模块701、计算模块702和发送模块703;其中:Please refer to Figure 7, which is a schematic diagram of the structure of a data transmission device provided in an embodiment of the present application. The device shown in Figure 7 is applied to a transmitting device 100, and the device includes an acquisition module 701, a calculation module 702 and a sending module 703; wherein:
所述获取模块701,用于获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;The acquisition module 701 is used to acquire account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the transmitting device and the receiving device;
所述计算模块702,用于根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;The calculation module 702 is used to encrypt the business data and calculate the authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
所述发送模块703,用于向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。The sending module 703 is used to send a data message to the receiving device, where the data message carries the encrypted data and the first authentication code.
请一并参见图8是本申请实施例提供的另一种数据传输装置的结构示意图。如图8所示的装置应用于收端设备200中,该装置包括接收模块801和处理模块802;其中:Please refer to FIG8 for a schematic diagram of another data transmission device provided in an embodiment of the present application. The device shown in FIG8 is applied to a receiving device 200, and the device includes a receiving module 801 and a processing module 802; wherein:
所述接收模块801,用于接收发端设备发送的数据消息,所述数据消息携带有加密数据和第一认证码,所述加密数据和所述第一认证码均为根据用户账号的共享密钥信息对待传输的业务数据进行加密和认证码计算得到的,所述用户账号为所述发端设备和收端设备共用的账号;The receiving module 801 is used to receive a data message sent by a transmitting device, wherein the data message carries encrypted data and a first authentication code, wherein the encrypted data and the first authentication code are both obtained by encrypting the service data to be transmitted and calculating the authentication code according to the shared key information of the user account, and the user account is an account shared by the transmitting device and the receiving device;
所述处理模块802,用于在对所述第一认证码认证成功后,对所述加密数据进行解密,得到所述业务数据。The processing module 802 is used to decrypt the encrypted data to obtain the business data after the first authentication code is successfully authenticated.
以上装置实施例的描述,与上述方法实施例的描述是类似的,具有同方法实施例相似的有益效果。对于本申请装置实施例中未披露的技术细节,请参照本申请方法实施例的描述而理解。The description of the above device embodiment is similar to the description of the above method embodiment, and has similar beneficial effects as the method embodiment. For technical details not disclosed in the device embodiment of the present application, please refer to the description of the method embodiment of the present application for understanding.
需要说明的是,本申请实施例中图7和图8所示的数据处理装置对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。也可以采用软件和硬件结合的形式实现。It should be noted that the division of modules by the data processing device shown in Figures 7 and 8 in the embodiments of the present application is schematic and is only a logical function division. There may be other division methods in actual implementation. In addition, each functional unit in each embodiment of the present application may be integrated into a processing unit, or may exist physically alone, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It may also be implemented in the form of a combination of software and hardware.
需要说明的是,本申请实施例中,如果以软件功能模块的形式实现上述的方法,并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请实施例的技术方案本质上或者说对相关技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得电子设备执行本申请各个实施例所述方法的全部或部分。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read Only Memory,ROM)、磁碟或者光盘等各种可以存储程序代码的介质。这样,本申请实施例不限制于任何特定的硬件和软件结合。It should be noted that in the embodiment of the present application, if the above method is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the embodiment of the present application can be essentially or partly embodied in the form of a software product that contributes to the relevant technology. The computer software product is stored in a storage medium, including several instructions to enable an electronic device to execute all or part of the methods described in each embodiment of the present application. The aforementioned storage medium includes: various media that can store program codes, such as a U disk, a mobile hard disk, a read-only memory (ROM), a disk or an optical disk. In this way, the embodiment of the present application is not limited to any specific combination of hardware and software.
本申请实施例提供一种数据传输系统,该系统包括发端设备100和收端设备200。可选地,还可包括服务器300(图未示出)。该发端设备100和收端设备200均可为计算机设备,其内部结构图可以如图9所示。该计算机设备包括通过系统总线连接的处理器、存储器和网络接口。其中,该计算机设备的处理器用于提供计算和控制能力。该计算机设备的存储器包括非易失性存储介质、内存储器。该非易失性存储介质存储有操作系统、计算机程序和数据库。该内存储器为非易失性存储介质中的操作系统和计算机程序的运行提供环境。该计算机设备的数据库用于存储数据。该计算机设备的网络接口用于与外部的终端通过网络连接通信。该计算机程序被处理器执行时以实现一种数据传输方法。An embodiment of the present application provides a data transmission system, which includes a transmitting device 100 and a receiving device 200. Optionally, a server 300 (not shown) may also be included. Both the transmitting device 100 and the receiving device 200 may be computer devices, and their internal structure diagram may be shown in Figure 9. The computer device includes a processor, a memory, and a network interface connected via a system bus. Among them, the processor of the computer device is used to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used to store data. The network interface of the computer device is used to communicate with an external terminal through a network connection. When the computer program is executed by the processor, a data transmission method is implemented.
本申请实施例提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现上述实施例中提供的方法中的步骤。An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps in the method provided in the above embodiment are implemented.
本申请实施例提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述方法实施例提供的方法中的步骤。An embodiment of the present application provides a computer program product including instructions, which, when executed on a computer, enables the computer to execute the steps of the method provided in the above method embodiment.
本领域技术人员可以理解,图9中示出的结构,仅仅是与本申请方案相关的部分结构的框图,并不构成对本申请方案所应用于其上的计算机设备的限定,具体的计算机设备可以包括比图中所示更多或更少的部件,或者组合某些部件,或者具有不同的部件布置。Those skilled in the art will understand that the structure shown in FIG. 9 is merely a block diagram of a partial structure related to the solution of the present application, and does not constitute a limitation on the computer device to which the solution of the present application is applied. The specific computer device may include more or fewer components than shown in the figure, or combine certain components, or have a different arrangement of components.
在一个实施例中,本申请提供的装置可以实现为一种计算机程序的形式,计算机程序可在如图9所示的收端设备或发端设备上运行。设备的存储器中可存储组成该采样装置的各个程序模块,比如,图7所示的获取模块、计算模块和传输模块,图8所示的接收模块和处理模块。各个程序模块构成的计算机程序使得处理器执行本说明书中描述的本申请各个实施例的数据处理方法中的步骤。In one embodiment, the apparatus provided by the present application can be implemented in the form of a computer program, and the computer program can be run on a receiving device or a transmitting device as shown in FIG9. The memory of the device can store various program modules constituting the sampling apparatus, such as the acquisition module, the calculation module and the transmission module shown in FIG7, and the receiving module and the processing module shown in FIG8. The computer program composed of various program modules enables the processor to execute the steps of the data processing method of various embodiments of the present application described in this specification.
在一个实施例中,提供了一种发端设备100,包括存储器和处理器,该存储器存储有计算机程序,该处理器执行计算机程序时实现以下步骤:In one embodiment, a transmitting device 100 is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor implements the following steps when executing the computer program:
获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;Acquire account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the transmitting device and the receiving device;
根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;Encrypt the business data and calculate the authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。A data message is sent to the receiving device, where the data message carries the encrypted data and the first authentication code.
在一个实施例中,所述账号密钥信息包括账号共享公钥和账号对称密钥,所述根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码包括:In one embodiment, the account key information includes an account shared public key and an account symmetric key, and the encryption of the business data and the calculation of the authentication code according to the account key information to obtain the corresponding encrypted data and the first authentication code includes:
根据所述账号共享公钥对所述业务数据进行加密,得到加密数据;Encrypting the business data according to the account shared public key to obtain encrypted data;
根据所述账号对称密钥对所述加密数据进行认证码计算,得到第一认证码。An authentication code is calculated on the encrypted data according to the account symmetric key to obtain a first authentication code.
在一个实施例中,处理器执行计算机程序时还实现以下步骤:In one embodiment, when the processor executes the computer program, the following steps are also implemented:
在接收到所述收端设备发送的失败消息后,重复执行所述获取账号密钥信息和待传输的业务数据的步骤。After receiving the failure message sent by the receiving device, repeat the steps of obtaining the account key information and the business data to be transmitted.
在一个实施例中,所述获取账号密钥信息之前,处理器执行计算机程序时还实现以下步骤:In one embodiment, before obtaining the account key information, the processor further implements the following steps when executing the computer program:
向服务器发送账号绑定请求,所述账号绑定请求携带有所述用户账号的账号标识及用户身份识别码;Sending an account binding request to the server, wherein the account binding request carries the account identifier and user identity code of the user account;
接收所述服务器返回的账号绑定响应,所述账号绑定响应携带有密钥生成参数,所述密钥生成参数为所述服务器根据所述账号标识和所述用户身份识别码生成的;Receiving an account binding response returned by the server, wherein the account binding response carries a key generation parameter, and the key generation parameter is generated by the server according to the account identifier and the user identity identification code;
基于所述密钥生成参数派生得到所述账号密钥信息。The account key information is derived based on the key generation parameters.
在一个实施例中,所述账号密钥信息包括账号共享公钥,处理器执行计算机程序时还实现以下步骤:In one embodiment, the account key information includes an account shared public key, and the processor further implements the following steps when executing the computer program:
将所述账号共享公钥发送给所述服务器。The account shared public key is sent to the server.
在一个实施例中,提供了一种收端设备200,包括存储器和处理器,该存储器存储有计算机程序,该处理器执行计算机程序时实现以下步骤:In one embodiment, a receiving device 200 is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor implements the following steps when executing the computer program:
接收发端设备发送的数据消息,所述数据消息携带有加密数据和第一认证码,所述加密数据和所述第一认证码均为根据用户账号的共享密钥信息对待传输的业务数据进行加密和认证码计算得到的,所述用户账号为所述发端设备和收端设备共用的账号;Receive a data message sent by a transmitting device, the data message carrying encrypted data and a first authentication code, the encrypted data and the first authentication code being obtained by encrypting the service data to be transmitted and calculating the authentication code according to shared key information of a user account, the user account being an account shared by the transmitting device and the receiving device;
在对所述第一认证码认证成功后,对所述加密数据进行解密,得到所述业务数据。After the first authentication code is successfully authenticated, the encrypted data is decrypted to obtain the business data.
在一个实施例中,所述账号密钥信息还包括账号共享私钥,所述对所述加密数据进行解密,得到所述业务数据包括:In one embodiment, the account key information further includes an account shared private key, and the decrypting of the encrypted data to obtain the business data includes:
根据所述账号共享私钥对所述加密数据进行解密,得到所述业务数据。The encrypted data is decrypted according to the account shared private key to obtain the business data.
在一个实施例中,处理器执行计算机程序时还实现以下步骤:In one embodiment, when the processor executes the computer program, the following steps are also implemented:
在对所述第一认证码认证失败后,向所述发端设备发送失败消息,所述失败消息用于指示所述业务数据发送失败。After the authentication of the first authentication code fails, a failure message is sent to the originating device, where the failure message is used to indicate that the service data has failed to be sent.
在一个实施例中,提供了一种计算机可读存储介质,其上存储有计算机程序,计算机程序被处理器执行时实现如上所述方法中的部分或全部内容。In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, part or all of the contents of the above-mentioned method are implemented.
通过实施本申请实施例,发端设备获取账号密钥信息和待传输的业务数据,所述账号密钥信息为用户账号的共享密钥信息,所述用户账号为所述发端设备和收端设备共用的账号;根据所述账号密钥信息对所述业务数据进行加密和认证码计算,得到对应的加密数据和第一认证码;向所述收端设备发送数据消息,所述数据消息携带有所述加密数据和所述第一认证码。可见,本申请能基于发端设备和收端设备共用的用户账号的账号密钥信息来进行相互间的数据通信,相比于现有技术而言,规避了账号证书,避免黑客入侵恶意颁发账号证书,出现通信不安全的问题,且还降低了终端的研发成本,减少了设备侧对账号密钥信息的存储和维护开销。从而既保证了数据安全,又能提升数据传输的便捷性和高效性。同时还能解决现有技术中存在的通信建立的时延较长、降低通信效率的问题。By implementing the embodiment of the present application, the originating device obtains the account key information and the business data to be transmitted, the account key information is the shared key information of the user account, and the user account is the account shared by the originating device and the receiving device; the business data is encrypted and the authentication code is calculated according to the account key information to obtain the corresponding encrypted data and the first authentication code; a data message is sent to the receiving device, and the data message carries the encrypted data and the first authentication code. It can be seen that the present application can carry out data communication between each other based on the account key information of the user account shared by the originating device and the receiving device. Compared with the prior art, it avoids the account certificate, avoids hackers from maliciously issuing account certificates, and causes the problem of insecure communication, and also reduces the R&D cost of the terminal, and reduces the storage and maintenance expenses of the account key information on the device side. Thereby, data security is guaranteed, and the convenience and efficiency of data transmission can be improved. At the same time, it can also solve the problem of long delay in communication establishment and reduced communication efficiency in the prior art.
这里需要指出的是:以上存储介质和设备实施例的描述,与上述方法实施例的描述是类似的,具有同方法实施例相似的有益效果。对于本申请存储介质、存储介质和设备实施例中未披露的技术细节,请参照本申请方法实施例的描述而理解。It should be noted here that the description of the above storage medium and device embodiments is similar to the description of the above method embodiments, and has similar beneficial effects as the method embodiments. For technical details not disclosed in the storage medium, storage medium and device embodiments of this application, please refer to the description of the method embodiments of this application for understanding.
应理解,说明书通篇中提到的“一个实施例”或“一实施例”或“一些实施例”意味着与实施例有关的特定特征、结构或特性包括在本申请的至少一个实施例中。因此,在整个说明书各处出现的“在一个实施例中”或“在一实施例中”或“在一些实施例中”未必一定指相同的实施例。此外,这些特定的特征、结构或特性可以任意适合的方式结合在一个或多个实施例中。应理解,在本申请的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。上述本申请实施例序号仅仅为了描述,不代表实施例的优劣。上文对各个实施例的描述倾向于强调各个实施例之间的不同之处,其相同或相似之处可以互相参考,为了简洁,本文不再赘述。It should be understood that "one embodiment" or "an embodiment" or "some embodiments" mentioned throughout the specification means that specific features, structures or characteristics related to the embodiment are included in at least one embodiment of the present application. Therefore, "in one embodiment" or "in one embodiment" or "in some embodiments" appearing throughout the specification may not necessarily refer to the same embodiment. In addition, these specific features, structures or characteristics can be combined in one or more embodiments in any suitable manner. It should be understood that in various embodiments of the present application, the size of the sequence number of the above-mentioned processes does not mean the order of execution, and the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiment of the present application. The above-mentioned sequence numbers of the embodiments of the present application are only for description and do not represent the advantages and disadvantages of the embodiments. The above description of each embodiment tends to emphasize the differences between the various embodiments, and the same or similarities can be referenced to each other. For the sake of brevity, this article will not repeat them.
本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如对象A和/或对象B,可以表示:单独存在对象A,同时存在对象A和对象B,单独存在对象B这三种情况。The term "and/or" in this article is only a description of the association relationship of associated objects, indicating that there may be three relationships. For example, object A and/or object B can mean: object A exists alone, object A and object B exist at the same time, and object B exists alone.
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者装置不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that, in this article, the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or device. In the absence of further restrictions, an element defined by the sentence "comprises a ..." does not exclude the existence of other identical elements in the process, method, article or device including the element.
在本申请所提供的几个实施例中,应该理解到,所揭露的设备和方法,可以通过其它的方式实现。以上所描述的实施例仅仅是示意性的,例如,所述模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,如:多个模块或组件可以结合,或可以集成到另一个系统,或一些特征可以忽略,或不执行。另外,所显示或讨论的各组成部分相互之间的耦合、或直接耦合、或通信连接可以是通过一些接口,设备或模块的间接耦合或通信连接,可以是电性的、机械的或其它形式的。In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods can be implemented in other ways. The embodiments described above are only schematic. For example, the division of the modules is only a logical function division. There may be other division methods in actual implementation, such as: multiple modules or components can be combined, or can be integrated into another system, or some features can be ignored, or not executed. In addition, the coupling, direct coupling, or communication connection between the components shown or discussed can be through some interfaces, and the indirect coupling or communication connection of devices or modules can be electrical, mechanical or other forms.
上述作为分离部件说明的模块可以是、或也可以不是物理上分开的,作为模块显示的部件可以是、或也可以不是物理模块;既可以位于一个地方,也可以分布到多个网络单元上;可以根据实际的需要选择其中的部分或全部模块来实现本实施例方案的目的。The modules described above as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules; they may be located in one place or distributed on multiple network units; some or all of the modules may be selected according to actual needs to achieve the purpose of the present embodiment.
另外,在本申请各实施例中的各功能模块可以全部集成在一个处理单元中,也可以是各模块分别单独作为一个单元,也可以两个或两个以上模块集成在一个单元中;上述集成的模块既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现。In addition, all functional modules in the embodiments of the present application may be integrated into one processing unit, or each module may be a separate unit, or two or more modules may be integrated into one unit; the above-mentioned integrated modules may be implemented in the form of hardware or in the form of hardware plus software functional units.
本领域普通技术人员可以理解:实现上述方法实施例的全部或部分步骤可以通过程序指令相关的硬件来完成,前述的程序可以存储于计算机可读取存储介质中,该程序在执行时,执行包括上述方法实施例的步骤;而前述的存储介质包括:移动存储设备、只读存储器(Read Only Memory,ROM)、磁碟或者光盘等各种可以存储程序代码的介质。A person of ordinary skill in the art can understand that: all or part of the steps of implementing the above-mentioned method embodiment can be completed by hardware related to program instructions, and the aforementioned program can be stored in a computer-readable storage medium. When the program is executed, it executes the steps of the above-mentioned method embodiment; and the aforementioned storage medium includes: various media that can store program codes, such as mobile storage devices, read-only memories (ROM), magnetic disks or optical disks.
或者,本申请上述集成的单元如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请实施例的技术方案本质上或者说对相关技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得电子设备执行本申请各个实施例所述方法的全部或部分。而前述的存储介质包括:移动存储设备、ROM、磁碟或者光盘等各种可以存储程序代码的介质。Alternatively, if the above-mentioned integrated unit of the present application is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiment of the present application can essentially or in other words, the part that contributes to the relevant technology can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including a number of instructions for enabling an electronic device to execute all or part of the methods described in each embodiment of the present application. The aforementioned storage medium includes: various media that can store program codes, such as mobile storage devices, ROMs, magnetic disks, or optical disks.
本申请所提供的几个方法实施例中所揭露的方法,在不冲突的情况下可以任意组合,得到新的方法实施例。The methods disclosed in several method embodiments provided in this application can be arbitrarily combined without conflict to obtain new method embodiments.
本申请所提供的几个产品实施例中所揭露的特征,在不冲突的情况下可以任意组合,得到新的产品实施例。The features disclosed in several product embodiments provided in this application can be arbitrarily combined without conflict to obtain new product embodiments.
本申请所提供的几个方法或设备实施例中所揭露的特征,在不冲突的情况下可以任意组合,得到新的方法实施例或设备实施例。The features disclosed in several method or device embodiments provided in this application can be arbitrarily combined without conflict to obtain new method embodiments or device embodiments.
以上所述,仅为本申请的实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only an implementation method of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art who is familiar with the present technical field can easily think of changes or substitutions within the technical scope disclosed in the present application, which should be included in the protection scope of the present application. Therefore, the protection scope of the present application should be based on the protection scope of the claims.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211406803.8A CN118018226A (en) | 2022-11-10 | 2022-11-10 | Data transmission method and related products |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211406803.8A CN118018226A (en) | 2022-11-10 | 2022-11-10 | Data transmission method and related products |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118018226A true CN118018226A (en) | 2024-05-10 |
Family
ID=90958642
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211406803.8A Pending CN118018226A (en) | 2022-11-10 | 2022-11-10 | Data transmission method and related products |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118018226A (en) |
-
2022
- 2022-11-10 CN CN202211406803.8A patent/CN118018226A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12047362B2 (en) | Systems and methods for secure multi-party communications using a proxy | |
| US20230421394A1 (en) | Secure authentication of remote equipment | |
| CN113438071B (en) | Method and device for secure communication | |
| US9137017B2 (en) | Key recovery mechanism | |
| CN109891423B (en) | Data encryption control using multiple control mechanisms | |
| CN111756529B (en) | Quantum session key distribution method and system | |
| EP3073668B1 (en) | Apparatus and method for authenticating network devices | |
| WO2022100356A1 (en) | Identity authentication system, method and apparatus, device, and computer readable storage medium | |
| CN108512846A (en) | Mutual authentication method and device between a kind of terminal and server | |
| US11196721B2 (en) | Systems and methods for establishing a secure communication channel between an information handling system and a docking station | |
| WO2017129089A1 (en) | Wireless network connecting method and apparatus, and storage medium | |
| JP2016540462A (en) | Key configuration method, system, and apparatus | |
| WO2019178942A1 (en) | Method and system for performing ssl handshake | |
| US11368288B2 (en) | Apparatus and method of lightweight communication protocols between multiple blockchains | |
| CN112400299A (en) | Data interaction method and related equipment | |
| CN103036872A (en) | Method, equipment and system for encryption and decryption of data transmission | |
| CN108809907A (en) | A kind of certificate request message sending method, method of reseptance and device | |
| CN111756528A (en) | A quantum session key distribution method, device and communication architecture | |
| CN117812581A (en) | Session data secure communication method, post quantum secure channel device and system | |
| CN118018226A (en) | Data transmission method and related products | |
| CN114760042A (en) | Identity authentication method and device | |
| US12400016B2 (en) | System and method for managing data-file transmission and access right to data files | |
| CN119997023A (en) | Identity authentication method and system | |
| TW202327313A (en) | Message transmitting system, user device and hardware security module for use therein | |
| CN115529128A (en) | SD-WAN-based end-to-end negotiation communication method, terminal equipment and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |