Front-end data security transmission method and device based on RSA-AES hybrid encryption

By using the RSA-AES hybrid encryption method, the problems of secure key distribution, selective encryption signature encapsulation, and response segmentation decryption in the secure transmission of front-end data are solved, realizing secure closed-loop processing and improving the confidentiality and integrity verification of data transmission.

CN122339732APending Publication Date: 2026-07-03HANGZHOU YONGRONG INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU YONGRONG INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-03-19
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing front-end data security transmission methods have shortcomings in key acquisition and session binding management, selective encryption and signature encapsulation, and signature verification and segmented decryption of response ciphertexts. These shortcomings result in insufficient key security distribution and encryption processing capabilities, affecting the confidentiality and integrity verification of data transmission.

Method used

The RSA-AES hybrid encryption method is adopted. The asymmetric key pair is obtained by desalting and decryption and a session binding mapping is established. Combined with the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signing and encapsulation, a secure request message is generated. The secure closed-loop processing is completed by the signature verification, segmented decryption and key clearing of the global response interceptor.

Benefits of technology

It effectively solves the shortcomings of traditional technologies in key secure distribution, selective encrypted signature encapsulation, response segmentation decryption, and key lifecycle management, providing confidentiality assurance and integrity verification for secure data transmission in front-end applications.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339732A_ABST
    Figure CN122339732A_ABST
Patent Text Reader

Abstract

This application provides a front-end data security transmission method and apparatus based on RSA-AES hybrid encryption. It obtains an asymmetric key pair through desalting and establishes a session binding mapping. It combines the whitelist encryption scope determination of a global request interceptor, request data encryption, and private key signature encapsulation to generate secure request messages. Furthermore, it completes a secure closed-loop process through signature verification, segmented decryption and concatenation, and proactive key removal using a global response interceptor. This effectively addresses the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation, response segmented decryption, and key lifecycle management, providing technical assurance for the confidentiality and integrity verification of front-end application data security transmission.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of data processing, specifically to a front-end data security transmission method and apparatus based on RSA-AES hybrid encryption. Background Technology

[0002] Existing methods for secure front-end data transmission have significant shortcomings. Traditional systems perform poorly in key acquisition and session binding management, typically transmitting keys in plaintext or with simple encoding. They lack the secure key distribution capability to obtain encrypted key data packets from the server via key acquisition requests carrying session identifiers, perform desalting and decryption using symmetric decryption algorithms to obtain asymmetric key pairs, and establish session binding mapping relationships. This results in the risk of key leakage during transmission and storage, making it difficult to provide a reliable key management foundation for subsequent encrypted front-end data communication.

[0003] Furthermore, existing technologies have bottlenecks in the selective encryption and signature encapsulation of request data. Most systems lack the ability to accurately determine the encryption scope based on the interface whitelist configuration in the global request interceptor, perform asymmetric encryption and private key signing operations on the request data to be sent that belongs to the encryption scope, and co-encapsulate the ciphertext data and the request signature value into a secure request message. This results in a lack of integrity verification and confidentiality protection for sensitive front-end interface data during transmission, affecting the level of data anti-tampering and anti-eavesdropping security.

[0004] Existing systems have technical shortcomings in signature verification, segmented decryption, and secure key removal for ciphertext responses. They lack a complete secure closed-loop processing mechanism that verifies signature validity in a global response interceptor, splits the ciphertext message into a sequence of ciphertext segments based on preset segmentation thresholds, performs segmented decryption and concatenation to obtain the plaintext response data, and finally proactively removes asymmetric key pairs from the memory cache. This affects the decryption capabilities for large volumes of response data and the security of key lifecycle management. Solving these problems is crucial for improving the confidentiality, integrity, and key security management of data transmission in front-end applications. Summary of the Invention

[0005] To address the problems in the existing technology, this application provides a front-end data security transmission method and apparatus based on RSA-AES (asymmetric encryption (RSA) and symmetric encryption (AES)) hybrid encryption. It can effectively solve the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation, response segmentation decryption and key lifecycle management, and provide technical protection for the confidentiality and integrity verification of front-end application data security transmission.

[0006] To solve at least one of the above problems, this application provides the following technical solution: In a first aspect, this application provides a front-end data security transmission method based on RSA-AES hybrid encryption, comprising: The application programming interface (API) sends a key acquisition request carrying a session identifier to the server to obtain an encrypted key data packet. The encrypted key data packet is then desalted using a symmetric decryption algorithm to obtain an asymmetric key pair. The asymmetric key pair is then written into a memory cache and a session binding mapping relationship is established. In the global request interceptor, it is determined whether the current request belongs to the encryption scope according to the interface whitelist configuration. For the request data to be sent that belongs to the encryption scope, the asymmetric key pair is used to perform encryption operation to obtain the request ciphertext data. The request ciphertext data is used to perform signature operation with the private key to obtain the request signature value. The request ciphertext data and the request signature value are encapsulated into a secure request message. The global response interceptor receives the ciphertext message of the response and verifies the validity of the signature. Based on the preset segmentation threshold condition, the ciphertext message of the response is split into a ciphertext segment sequence. The ciphertext segment sequence is decrypted in segments using the asymmetric key pair to obtain a plaintext segment sequence. The plaintext segment sequence is then concatenated to obtain the response plaintext data and the asymmetric key pair in the memory cache is cleared.

[0007] Furthermore, it also includes: generating a session identifier during the front-end application initialization phase and writing the session identifier into the request header field, constructing a key based on the session identifier to obtain request parameters, and initiating a call to the key distribution interface of the server to obtain server response data; The encryption type field, decryption type field, and global encryption switch field are parsed from the server response data. The encryption type field, decryption type field, and global encryption switch field are written to the local configuration cache. The key payload that has undergone symmetric encryption is extracted from the server response data to obtain the encryption key data packet.

[0008] Furthermore, it also includes: extracting a salt value field and a ciphertext payload field from the encryption key data packet; performing a key derivation operation based on the salt value field and a preset symmetric key seed to obtain a symmetric decryption key; and performing a symmetric decryption operation on the ciphertext payload field using the symmetric decryption key to obtain an asymmetric key pair. Create a key cache object in memory and write the asymmetric key pair into the key cache object. Read the current session identifier and use the session identifier as an index key to establish a mapping relationship with the key cache object and write it into the memory cache area. Set an expiration timestamp for the key cache object based on a preset key validity period threshold condition.

[0009] Furthermore, it also includes: obtaining the interface path identifier of the current request in the global request interceptor, matching and comparing the interface path identifier with the preset interface whitelist configuration to obtain the scope determination result, filtering requests belonging to the encrypted scope based on the scope determination result and extracting the request data to be sent; The asymmetric key pair is read from the memory cache according to the current session identifier, the public key is extracted from the asymmetric key pair, the request data to be sent is serialized into a string format to obtain the request plaintext string, and the asymmetric encryption operation is performed on the request plaintext string using the public key to obtain the request ciphertext data.

[0010] Furthermore, it also includes: extracting the private key from the asymmetric key pair, concatenating the request ciphertext data with the current timestamp to obtain the data to be signed, and performing a digital signature operation on the data to be signed using the private key to obtain the request signature value; Create a security request message object and write the encrypted request data into the data field of the security request message object, write the request signature value into the signature field of the security request message object, write the current timestamp into the timestamp field of the security request message object, and send the security request message object as the request body to the server.

[0011] Furthermore, it also includes: receiving the ciphertext response message returned by the server in the global response interceptor, extracting the response signature value, response timestamp, and response ciphertext data from the ciphertext response message, reading the asymmetric key pair from the memory cache and extracting the public key, and using the public key to perform a signature verification operation on the ciphertext response data and the response timestamp to obtain the signature verification result; Based on the signature verification result, the validity of the signature is determined. For the valid response ciphertext data, the data length is calculated. The data length is compared with a preset segmentation threshold condition. For the response ciphertext data that exceeds the preset segmentation threshold condition, a splitting operation is performed according to a fixed segment length to obtain a ciphertext segment sequence.

[0012] Furthermore, it also includes: extracting a private key from an asymmetric key pair, sequentially reading each ciphertext segment in the ciphertext segment sequence, performing an asymmetric decryption operation on each ciphertext segment using the private key to obtain the corresponding plaintext segment, and writing each plaintext segment into the plaintext segment sequence in its original order; The plaintext segments in the plaintext segment sequence are concatenated sequentially to obtain the response plaintext string. The response plaintext string is deserialized and parsed to obtain the response plaintext data. The key cache object corresponding to the current session identifier is located in the memory cache area and a clearing operation is performed to destroy the asymmetric key pair.

[0013] Secondly, this application provides a front-end data security transmission device based on RSA-AES hybrid encryption, comprising: The mapping relationship establishment module is used to initiate a key acquisition request carrying a session identifier to the server through the application interface to obtain an encrypted key data packet, desalting the encrypted key data packet using a symmetric decryption algorithm to obtain an asymmetric key pair, writing the asymmetric key pair into a memory cache and establishing a session binding mapping relationship. The hybrid encryption module is used to determine whether the current request belongs to the encryption scope according to the interface whitelist configuration in the global request interceptor, perform encryption operation on the request data to be sent that belongs to the encryption scope using the asymmetric key pair to obtain the request ciphertext data, perform signature operation on the request ciphertext data using the private key to obtain the request signature value, and encapsulate the request ciphertext data and the request signature value into a secure request message. The data transmission module is used to receive the ciphertext response message and verify the signature validity in the global response interceptor, split the ciphertext response message into a ciphertext segment sequence based on a preset segmentation threshold condition, perform segmented decryption on the ciphertext segment sequence using the asymmetric key pair to obtain a plaintext segment sequence, concatenate the plaintext segment sequence to obtain the response plaintext data, and clear the asymmetric key pair in the memory cache.

[0014] Thirdly, this application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the aforementioned front-end data security transmission method based on RSA-AES hybrid encryption.

[0015] Fourthly, this application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the aforementioned front-end data secure transmission method based on RSA-AES hybrid encryption.

[0016] Fifthly, this application provides a computer program product, including a computer program / instruction that, when executed by a processor, implements the steps of the aforementioned front-end data security transmission method based on RSA-AES hybrid encryption.

[0017] As can be seen from the above technical solution, this application provides a front-end data security transmission method and device based on RSA-AES hybrid encryption. It obtains an asymmetric key pair by desalting and decryption and establishes a session binding mapping. It generates secure request messages by combining the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signature encapsulation. It completes the security closed-loop processing by signature verification, segmented decryption and splicing and active key clearing of the global response interceptor. It effectively solves the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation and response segmented decryption and key lifecycle management, and provides technical guarantee for the confidentiality and integrity verification of front-end application data security transmission. Attached Figure Description

[0018] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 This is a flowchart illustrating the front-end data security transmission method based on RSA-AES hybrid encryption in the embodiments of this application; Figure 2 This is a structural diagram of the front-end data security transmission device based on RSA-AES hybrid encryption in the embodiments of this application. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0021] The acquisition, storage, use, and processing of data in this application comply with relevant laws and regulations.

[0022] In view of the problems existing in the prior art, this application provides a front-end data security transmission method and device based on RSA-AES hybrid encryption. It obtains asymmetric key pairs by desalting and decryption and establishes session binding mapping. It generates secure request messages by combining the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signature encapsulation. It completes the security closed-loop processing by signature verification, segmented decryption and splicing and active key clearing of the global response interceptor. It effectively solves the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation and response segmented decryption and key lifecycle management, and provides technical guarantee for the confidentiality and integrity verification of front-end application data security transmission.

[0023] To effectively address the shortcomings of traditional technologies in key secure distribution, selective encrypted signature encapsulation, response segmentation and decryption, and key lifecycle management, and to provide technical assurance for the confidentiality and integrity verification of front-end application data secure transmission, this application provides an embodiment of a front-end data secure transmission method based on RSA-AES hybrid encryption. See [link to embodiment]. Figure 1 The aforementioned front-end data security transmission method based on RSA-AES hybrid encryption specifically includes the following: Step S101: Send a key acquisition request carrying a session identifier to the server through the application programming interface to obtain an encrypted key data packet. Desalt the encrypted key data packet using a symmetric decryption algorithm to obtain an asymmetric key pair. Write the asymmetric key pair into the memory cache and establish a session binding mapping relationship. In this embodiment, after the front-end application completes initialization and loading, it initiates a key acquisition request to the server through the application programming interface (API). Before initiating the request, this embodiment generates a unique session identifier on the client and writes it into the request header field. The session identifier is generated by concatenating a timestamp and a random number to ensure that the identifiers of different sessions are not duplicated. This embodiment uses the session identifier as part of the request parameters to initiate a call to the server's preset key distribution interface.

[0024] After receiving the key acquisition request, the server returns response data. In this embodiment, the encrypted key data packet is parsed from the response data. The encrypted key data packet includes a salt value field and a ciphertext payload field. The salt value field stores salt value data randomly generated by the storage server during the encryption phase, and the ciphertext payload field stores the ciphertext of the asymmetric key pair after symmetric encryption. This embodiment also extracts the encryption type field, decryption type field, and global encryption switch field from the response data, and writes these three configuration fields into a local configuration cache for subsequent request interceptors to read and call.

[0025] After the encryption key data packet is acquired, this embodiment performs desalting and decryption processing on it. Specifically, this embodiment reads the salt value field from the encryption key data packet and uses the salt value field and a preset symmetric key seed as input to perform a key derivation operation. The key derivation operation uses an iterative hashing method to mix the salt value and the key seed to expand it into a fixed-length symmetric decryption key. The number of iterations in the derivation process is pre-configured according to the security strength requirements.

[0026] Based on the symmetric decryption key, this embodiment performs a symmetric decryption operation on the ciphertext payload field. The decryption process takes the ciphertext payload field as input and uses a symmetric decryption algorithm to recover the plaintext form of the asymmetric key pair. The asymmetric key pair consists of two parts: a public key and a private key. The public key is used in subsequent step S201 to perform encryption operations on the request data, and the private key is used in subsequent step S201 to perform signature operations on the request ciphertext and in subsequent step S301 to perform decryption operations on the response ciphertext.

[0027] After the asymmetric key pair is decrypted, this embodiment creates a key cache object in memory and writes the asymmetric key pair into this object. This embodiment reads the current session identifier and uses it as an index key, establishes a mapping relationship with the key cache object, and then writes it into the memory cache. This mapping relationship ensures that different sessions can access their respective key data in isolation, avoiding the mixing of keys across sessions.

[0028] Accordingly, this embodiment sets an expiration timestamp for the key cache object. The expiration timestamp is calculated based on a preset key validity threshold condition. When the system time exceeds the expiration timestamp, the key cache object will be marked as invalid. The asymmetric key pairs and session binding mapping relationship stored in the memory cache area serve as the input data source for the global request interceptor to perform encryption and signature operations in the subsequent step S201.

[0029] Step S102: In the global request interceptor, determine whether the current request belongs to the encryption scope according to the interface whitelist configuration. For the request data to be sent that belongs to the encryption scope, use the asymmetric key pair to perform encryption operation to obtain the request ciphertext data. Use the private key to perform signature operation on the request ciphertext data to obtain the request signature value. Encapsulate the request ciphertext data and the request signature value into a secure request message. In this embodiment, a global request interceptor is configured in the network request layer of the front-end application. The global request interceptor is automatically triggered and executed before each request is sent. When the application initiates a network request, the global request interceptor first obtains the interface path identifier of the current request, which is the path portion of the target address of the request.

[0030] After the interface path identifier is obtained, this embodiment compares it with a preset interface whitelist configuration. The interface whitelist configuration is stored in a local configuration cache and contains a set of interface paths that need to be encrypted. This embodiment iterates through each path entry in the interface whitelist configuration and determines whether the current interface path identifier matches any of the entries. If the match is successful, the current request is determined to belong to the encryption scope; if the match fails, the current request is determined not to belong to the encryption scope, and the original request is allowed.

[0031] For requests within the encrypted scope, this embodiment extracts the request data to be sent from the request body. This request data is a set of business parameters of object type. This embodiment performs serialization processing on it, converting the object structure into a string format to obtain the plaintext request string. The serialization process uses a standardized data exchange format to ensure that the string content can be correctly parsed and restored by the server.

[0032] Based on the asymmetric key pair written to the memory cache in step S101 above, this embodiment reads the current session identifier and locates the corresponding key cache object from the memory cache. This embodiment extracts the public key from the key cache object and uses the public key to perform asymmetric encryption on the plaintext request string. The encryption process takes the plaintext request string as input, encrypts it with the public key, and outputs ciphertext request data. This ciphertext request data can only be decrypted and restored by the server holding the corresponding private key.

[0033] After the requested ciphertext data is generated, this embodiment extracts the private key from the key cache object to perform a signature operation. This embodiment obtains the current system timestamp and concatenates the requested ciphertext data with the current timestamp in a predetermined order to obtain the data to be signed. This embodiment uses the private key to perform a digital signature operation on the data to be signed. The operation process calculates a digest value for the data to be signed, encrypts it using the private key, and outputs the requested signature value.

[0034] Accordingly, this embodiment creates a secure request message object and completes field encapsulation. In this embodiment, the encrypted request data is written into the data field of the secure request message object, the request signature value is written into the signature field, and the current timestamp is written into the timestamp field. After replacing the original request body, the secure request message object is sent to the server. The server can verify the signature to confirm the data source is trustworthy and restore the business parameters through decryption. The secure request message serves as the trigger condition for the server to process and return the encrypted response message in subsequent step S103.

[0035] Step S103: Receive the ciphertext response message in the global response interceptor and verify the signature validity. Based on the preset segmentation threshold condition, split the ciphertext response message into a ciphertext segment sequence. Use the asymmetric key pair to perform segmented decryption on the ciphertext segment sequence to obtain a plaintext segment sequence. Concatenate the plaintext segment sequences to obtain the response plaintext data and clear the asymmetric key pair in the memory cache.

[0036] In this embodiment, a global response interceptor is configured at the network request layer of the front-end application. The global response interceptor is automatically triggered and executed after receiving data returned by the server. After the server processes the security request message sent in the aforementioned step S102 and returns a ciphertext response message, the global response interceptor captures the response and extracts three fields from it: the response signature value, the response timestamp, and the ciphertext response data.

[0037] After extracting all fields from the encrypted response message, this embodiment performs a signature verification operation to confirm data integrity and source credibility. This embodiment reads the asymmetric key pair from the key cache object written to the memory buffer in step S101 and extracts the public key. The encrypted response data and the response timestamp are then concatenated in a predetermined order to obtain the data to be verified. This embodiment uses the public key to perform a signature verification operation on the response signature value, comparing the verification result with the digest value of the data to be verified. If they match, the signature is deemed valid; otherwise, the signature is deemed invalid, and the subsequent decryption process is terminated.

[0038] For the ciphertext response data that has passed signature verification, this embodiment calculates its data length and compares it with a preset segmentation threshold condition. The preset segmentation threshold condition is pre-configured based on the ciphertext block length limit of the asymmetric encryption algorithm. When the length of the ciphertext response data exceeds the preset segmentation threshold condition, this embodiment performs a splitting operation on the ciphertext response data according to a fixed segment length. The splitting process starts from the beginning of the ciphertext response data and sequentially extracts fixed-length ciphertext segments until all data is processed, resulting in a ciphertext segment sequence.

[0039] Based on the ciphertext segment sequence, this embodiment extracts the private key from the key cache object to perform segmented decryption operations. This embodiment sequentially reads each ciphertext segment in the ciphertext segment sequence, performs an independent asymmetric decryption operation on each ciphertext segment using the private key, and writes the decrypted plaintext fragments back into the plaintext segment sequence in their original order. This segmented decryption strategy breaks down large blocks of ciphertext into multiple smaller blocks for separate processing, reducing the computational load and memory usage of a single decryption operation.

[0040] After the plaintext segment sequence is generated, this embodiment performs a concatenation operation to restore the complete response content. This embodiment reads each plaintext segment in the plaintext segment sequence sequentially, concatenates adjacent segments end-to-end, and obtains the response plaintext string. This embodiment performs deserialization parsing on the response plaintext string, restoring the string format to an object structure to obtain the response plaintext data, which is the business response result returned by the server.

[0041] Accordingly, this embodiment performs a key clearing operation to eliminate the risk of sensitive data residing within the cache. This embodiment locates the key cache object corresponding to the current session identifier in the memory cache, performs a clearing operation on the key cache object, and destroys the asymmetric key pair stored therein from memory. This clearing operation ensures that the key exists only within a single request-response cycle, and the response plaintext data serves as the input data source for subsequent processing by the business logic layer.

[0042] As can be seen from the above description, the front-end data security transmission method based on RSA-AES hybrid encryption provided in this application embodiment can obtain asymmetric key pairs and establish session binding mapping through desalting and decryption. It can generate secure request messages by combining the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signature encapsulation, and complete the security closed-loop processing through signature verification, segmented decryption and splicing and active key clearing of the global response interceptor. It effectively solves the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation and response segmented decryption and key lifecycle management, and provides technical guarantee for the confidentiality and integrity verification of front-end application data security transmission.

[0043] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S201: During the front-end application initialization phase, generate a session identifier and write the session identifier into the request header field. Based on the session identifier, construct a key to obtain request parameters and initiate a call to the key distribution interface of the server to obtain server response data. Step S202: Parse the encryption type field, decryption type field, and global encryption switch field from the server response data, write the encryption type field, decryption type field, and global encryption switch field into the local configuration cache, and extract the key payload that has undergone symmetric encryption processing from the server response data to obtain the encryption key data packet.

[0044] In this embodiment, the session identifier generation process is triggered when the front-end application completes page loading and enters the initialization phase. The generation process reads the current system timestamp as a time factor, calls a random number generator to generate a random factor, concatenates the time factor and the random factor according to a predetermined format, performs a hash operation, and outputs a fixed-length string as the session identifier. This session identifier remains unique within the current browser session lifecycle and is used to identify the complete lifecycle of this user visit.

[0045] After the session identifier is generated, this embodiment writes it into the request header field so that the server can identify the request source. This embodiment sets default request header parameters in the network request configuration layer, writing the session identifier as the value of a custom header field. All subsequent network requests automatically carry this header field. The name of the request header field is pre-agreed upon according to the front-end and back-end protocols; the server can obtain the session identifier corresponding to the current request by parsing this field.

[0046] Based on the session identifier, this embodiment constructs key retrieval request parameters and initiates a call to the server. This embodiment uses the session identifier as a component of the request parameters, and adds auxiliary parameters such as the application version identifier and client type identifier to assemble a complete key retrieval request parameter object. This embodiment initiates a network call to a pre-defined key distribution interface on the server. The address of the key distribution interface is predefined in the application configuration file. After the call is completed, the server response data returned by the server is received.

[0047] After the server-side response data is obtained, this embodiment parses its execution fields to extract configuration information. This embodiment sequentially reads the encryption type field, decryption type field, and global encryption switch field from the configuration block of the server-side response data. The encryption type field indicates the encryption strategy during the request phase, and can be either encryption only, signing only, or a combination of encryption and signing. The decryption type field indicates the decryption strategy during the response phase, and can be either decryption only, signature verification only, or a combination of decryption and signature verification. The global encryption switch field indicates whether encryption processing is enabled for all interfaces.

[0048] Accordingly, this embodiment writes the three parsed configuration fields into a local configuration cache. This embodiment creates a configuration storage object in the client's memory, and writes the encryption type field, the decryption type field, and the global encryption switch field into their respective storage locations. The local configuration cache is read and invoked by the global request interceptor in subsequent step S102 to determine which encryption and signature strategy should be executed for the current request.

[0049] After the configuration fields are written, this embodiment extracts the key payload block from the server response data. The key payload block contains the ciphertext of the asymmetric key pair after symmetric encryption. This embodiment reads the block completely and encapsulates it into an encrypted key data packet. The encrypted key data packet serves as the input data source for the desalting operation in the subsequent step S301. After decryption, the asymmetric key pair that can be used for encrypted signature operations is restored.

[0050] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S301: Extract the salt value field and the ciphertext payload field from the encryption key data packet; perform a key derivation operation based on the salt value field and a preset symmetric key seed to obtain a symmetric decryption key; and perform a symmetric decryption operation on the ciphertext payload field using the symmetric decryption key to obtain an asymmetric key pair. Step S302: Create a key cache object in memory and write the asymmetric key pair into the key cache object. Read the current session identifier and use the session identifier as an index key to establish a mapping relationship with the key cache object and write it into the memory cache area. Set an expiration timestamp for the key cache object based on a preset key validity period threshold condition.

[0051] This embodiment performs a field extraction operation from the encryption key data packet output in step S202. The encryption key data packet is organized in a structured format. This embodiment locates the start and end positions of the salt value field based on predefined field boundary markers, and reads the byte sequence within this interval as the salt value field. This embodiment then locates the storage interval for the ciphertext payload field, reading the remaining byte sequence as the ciphertext payload field. The ciphertext payload field stores the ciphertext of the asymmetric key pair after symmetric encryption.

[0052] After the salt value field and the ciphertext payload field are extracted, this embodiment performs a key derivation operation to generate a symmetric decryption key. This embodiment reads a preset symmetric key seed from the application configuration; the symmetric key seed is a fixed string pre-negotiated between the front-end and back-end. This embodiment uses the salt value field and the symmetric key seed as input parameters, calls the key derivation function to perform iterative hashing, and the operation process mixes the two input parameters and expands them into a fixed-length byte sequence through multiple rounds of hashing, outputting the symmetric decryption key.

[0053] Based on the symmetric decryption key, this embodiment performs a symmetric decryption operation on the ciphertext payload field. This embodiment initializes a symmetric decryption algorithm instance and sets the symmetric decryption key as the decryption parameter, using the ciphertext payload field as the input data to be decrypted. The decryption operation follows the reverse process of the symmetric encryption algorithm, restoring the ciphertext byte sequence to a plaintext byte sequence. This embodiment performs format parsing on the plaintext byte sequence, separating and extracting the public key data and private key data, and assembling them into an asymmetric key pair.

[0054] After the asymmetric key pair is decrypted, this embodiment creates a key cache object in memory to hold the key data. This embodiment instantiates the cache object and sets up public key storage slots and private key storage slots. The public key from the asymmetric key pair is written to the public key storage slot, and the private key is written to the private key storage slot. The key cache object exists only in runtime memory and does not undergo persistent write operations, thus preventing key data leakage to local storage media.

[0055] Accordingly, this embodiment reads the current session identifier generated in step S201 and uses it as an index key to establish a mapping relationship with the key cache object. This embodiment accesses the memory cache and calls the key-value write interface to write the session identifier as the key and the key cache object as the value to the memory cache. This mapping relationship ensures that the global request interceptor in subsequent step S401 can quickly locate the corresponding key cache object using the session identifier.

[0056] After the mapping relationship is established, this embodiment sets an expiration timestamp for the key cache object to control the key validity period. This embodiment reads a preset key validity threshold condition, which defines the maximum lifespan of a key from creation to expiration. This embodiment obtains the current system time and adds the validity period to it, calculates the expiration timestamp, and writes it to the expiration attribute field of the key cache object. When the system time exceeds the expiration timestamp, the key cache object will be marked as invalid, and subsequent accesses will require re-initiating the key acquisition process.

[0057] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S401: Obtain the interface path identifier of the current request in the global request interceptor, match and compare the interface path identifier with the preset interface whitelist configuration to obtain the scope determination result, filter the requests belonging to the encrypted scope based on the scope determination result and extract the request data to be sent. Step S402: Read the asymmetric key pair from the memory cache according to the current session identifier, extract the public key from the asymmetric key pair, serialize the request data to be sent into a string format to obtain the request plaintext string, and perform asymmetric encryption operation on the request plaintext string using the public key to obtain the request ciphertext data.

[0058] In this embodiment, after the global request interceptor is triggered, the interface path identifier of the current request is first obtained. The obtaining process reads the target address field from the request configuration object, performs path resolution operations on the target address field, strips away the protocol prefix, domain name, and query parameters, and retains the path portion as the interface path identifier. The interface path identifier represents the specific business interface accessed by the current request.

[0059] After the interface path identifier is obtained, this embodiment compares it with the preset interface whitelist configuration. This embodiment reads the global encryption switch field from the local configuration cache written in step S202. If the global encryption switch field indicates a globally enabled state, it is determined that all interfaces belong to the encryption scope. If the global encryption switch field indicates a non-globally enabled state, this embodiment continues to read the preset interface whitelist configuration, which is a set of interface paths.

[0060] Based on the preset interface whitelist configuration, this embodiment traverses each path entry and performs a string matching operation with the current interface path identifier. The matching process supports two modes: exact matching and prefix matching. Exact matching requires the paths to be completely identical, while prefix matching allows the current path to use a whitelist entry as a prefix. This embodiment records the result of the matching operation as a scope determination result. If the match is successful, the scope determination result indicates that it belongs to the encrypted scope; if the match fails, the scope determination result indicates that it does not belong to the encrypted scope.

[0061] For requests whose scope determination result indicates they belong to an encrypted scope, this embodiment extracts the request data to be sent from the request configuration object. This embodiment determines the request method type; for request types carrying a request body, it reads the business parameter object from the request body field as the request data to be sent. The request data to be sent is a structured object type, containing all parameter fields required to be transmitted in this business request.

[0062] Accordingly, this embodiment reads an asymmetric key pair from a memory cache to perform encryption operations. This embodiment obtains the current session identifier generated in step S201, uses it as an index key to access the memory cache, and locates the corresponding key cache object from the mapping relationship established in step S302. This embodiment extracts the public key from the key cache object, and the public key is used to perform encryption processing on the requested data.

[0063] After the public key is extracted, this embodiment performs serialization processing on the request data to be sent. This embodiment calls a serialization function to convert the request data from an object structure into a string format, obtaining the plaintext request string. The serialization process uses a standardized data exchange format to ensure that the string content can be correctly parsed and restored to the original object structure by the server.

[0064] Based on the public key and the plaintext request string, this embodiment performs asymmetric encryption. This embodiment initializes an asymmetric encryption algorithm instance and sets the public key as the encryption parameter. The plaintext request string is encoded into a byte sequence and used as the input to be encrypted. The encryption operation outputs ciphertext request data, which serves as the input data source for the signature operation in subsequent step S501.

[0065] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S501: Extract the private key from the asymmetric key pair, concatenate the request ciphertext data with the current timestamp to obtain the data to be signed, and use the private key to perform a digital signature operation on the data to be signed to obtain the request signature value; Step S502: Create a security request message object and write the ciphertext data of the request into the data field of the security request message object, write the request signature value into the signature field of the security request message object, write the current timestamp into the timestamp field of the security request message object, and send the security request message object as the request body to the server.

[0066] In this embodiment, the private key is extracted from the key cache object written to the memory cache area in step S302 above to perform the signature operation. This embodiment locates the key cache object based on the current session identifier, reads the data content of the private key storage slot from it, and loads the private key into the signature operation context for later use. The private key and the public key extracted in step S402 above form a pair; the public key is used for encryption, and the private key is used for signing.

[0067] After the private key is extracted, this embodiment obtains the current system timestamp as the time factor for the signature operation. This embodiment calls the system time interface to read the current millisecond-level timestamp, which is used to identify the initiation time of this request. This embodiment performs a string concatenation operation between the ciphertext request data output in step S402 and the current timestamp, using a predetermined separator, to obtain the data to be signed.

[0068] Based on the private key and the data to be signed, this embodiment performs a digital signature operation. The signing process first performs a digest calculation on the data to be signed, using a hash algorithm to compress the data of arbitrary length into a fixed-length digest value. This embodiment then uses the private key to perform asymmetric encryption on the digest value, outputting a request signature value. This request signature value can be verified by a server holding the public key to confirm data integrity and source credibility.

[0069] After the request signature value is generated, this embodiment creates a secure request message object to encapsulate the transmitted data. This embodiment instantiates the message object and initializes three storage locations: the data field, the signature field, and the timestamp field. The secure request message object is organized in a structured format, with clear boundaries for each field, facilitating server-side parsing and extraction.

[0070] Accordingly, this embodiment sequentially writes each data item into the corresponding field of the security request message object. This embodiment writes the encrypted request data output in step S402 into the data field of the security request message object, writes the request signature value into the signature field, and writes the current timestamp into the timestamp field. After writing is complete, the security request message object contains complete encrypted data, signature information, and timestamps.

[0071] After the security request message object is encapsulated, this embodiment sends it as the request body to the server. This embodiment replaces the request body field in the original request configuration object with the security request message object, keeping the request header, request method, and other configurations unchanged. The global request interceptor releases the request and continues execution. The network layer serializes the security request message object and transmits it to the server via the network channel. The security request message serves as the trigger condition for the server to return a ciphertext response message in subsequent step S601.

[0072] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S601: Receive the ciphertext response message returned by the server in the global response interceptor, extract the response signature value, response timestamp, and response ciphertext data from the ciphertext response message, read the asymmetric key pair from the memory cache and extract the public key, and use the public key to perform a signature verification operation on the ciphertext response data and the response timestamp to obtain the signature verification result. Step S602: Determine the validity of the signature based on the signature verification result, calculate the data length of the valid response ciphertext data, compare the data length with the preset segmentation threshold condition, and perform a splitting operation on the response ciphertext data that exceeds the preset segmentation threshold condition to obtain the ciphertext segment sequence.

[0073] In this embodiment, the encrypted response message returned by the server is received in the global response interceptor. After the server processes the security request message sent in step S502, it returns the business response data after encryption and signature processing. The global response interceptor captures this response and triggers the decryption and signature verification process. In this embodiment, the response body content is read from the response object, and the response body content is the encrypted response message.

[0074] After the encrypted response message is acquired, this embodiment performs field parsing to extract its components. Based on a predefined message structure, this embodiment locates the storage location of the response signature value field and reads its content. It then locates the response timestamp field and reads the timestamp used by the server to generate the response. Finally, it locates the encrypted response data field and reads the encrypted business response. The parsing order and field boundaries of these three fields are pre-agreed upon according to the front-end and back-end protocols.

[0075] Based on the parsed fields, this embodiment reads an asymmetric key pair from the memory cache to perform signature verification. This embodiment obtains the current session identifier and uses it as an index key to access the memory cache, locating the corresponding key cache object from the mapping relationship established in step S302. This embodiment extracts the public key from the key cache object; the public key is used to verify the signature generated by the server's private key.

[0076] After the public key is extracted, this embodiment performs a signature verification operation. In this embodiment, the ciphertext response data and the response timestamp are concatenated using a predetermined separator to obtain data to be verified. A digest calculation is then performed on the data to be verified to obtain a local digest value. In this embodiment, the public key is used to perform an asymmetric decryption operation on the response signature value to obtain a signature digest value. The local digest value is compared with the signature digest value, and the comparison result is recorded as the signature verification result.

[0077] Accordingly, this embodiment determines the validity of a signature based on the signature verification result. If the signature verification result indicates that the local digest value matches the signature digest value, the signature is deemed valid, the response data has not been tampered with, and its source is trustworthy. If the signature verification result indicates that the two digest values ​​do not match, the signature is deemed invalid, and this embodiment terminates the subsequent decryption process and returns a signature verification failure error message to the business layer.

[0078] For a validly signed ciphertext response, this embodiment calculates its data length to determine whether segmented decryption is required. This embodiment calls a string length calculation function to obtain the byte length of the ciphertext response and compares this data length with a preset segmentation threshold. The preset segmentation threshold is pre-configured based on the ciphertext block length limit of the asymmetric encryption algorithm, and its typical value is related to the key length.

[0079] After the comparison is completed, this embodiment determines the subsequent processing method based on the comparison result. If the data length does not exceed the preset segmentation threshold, the response ciphertext data can be directly decrypted in whole. If the data length exceeds the preset segmentation threshold, this embodiment performs a splitting operation on the response ciphertext data according to a fixed segment length, sequentially extracting fixed-length ciphertext fragments from the starting position until all data is processed, obtaining a ciphertext segment sequence. The ciphertext segment sequence serves as the input data source for the segmented decryption operation in the subsequent step S701.

[0080] In one embodiment of the front-end data security transmission method based on RSA-AES hybrid encryption in this application, it may further include the following: Step S701: Extract the private key from the asymmetric key pair, read each ciphertext segment in the ciphertext segment sequence in sequence, perform asymmetric decryption operation on each ciphertext segment using the private key to obtain the corresponding plaintext segment, and write each plaintext segment into the plaintext segment sequence in the original order. Step S702: Perform string concatenation operation on each plaintext segment in the plaintext segment sequence in order to obtain the response plaintext string, perform deserialization parsing on the response plaintext string to obtain the response plaintext data, locate the key cache object corresponding to the current session identifier in the memory cache area and perform a clear operation to destroy the asymmetric key pair.

[0081] In this embodiment, the private key is extracted from the key cache object written to the memory cache area in step S302 above to perform decryption operations. This embodiment locates the key cache object based on the current session identifier, reads the data content of the private key storage slot from it, and loads the private key into the decryption operation context for later use. The private key is paired with the public key held by the server; data encrypted by the server using the public key can only be decrypted and restored using the private key.

[0082] After the private key extraction is completed, this embodiment sequentially reads each ciphertext segment from the ciphertext segment sequence output in step S602. This embodiment initializes the segment index counter and sets it to the starting position, reading the current ciphertext segment from the ciphertext segment sequence in index order. The segment index counter increments after each read until all ciphertext segments have been read and processed.

[0083] Based on the private key and the currently read ciphertext segment, this embodiment performs an asymmetric decryption operation. This embodiment initializes an asymmetric decryption algorithm instance and sets the private key as the decryption parameter, using the current ciphertext segment as the input data to be decrypted. The decryption operation follows the reverse process of the asymmetric encryption algorithm, restoring the ciphertext byte sequence to a plaintext byte sequence and outputting the corresponding plaintext segment.

[0084] After each ciphertext segment is decrypted, this embodiment writes the resulting plaintext segments into a plaintext segment sequence in their original order. This embodiment maintains the plaintext segment sequence as a storage container for the decryption results. Each time the decryption operation of a ciphertext segment is completed, the output plaintext segment is appended to the end of the plaintext segment sequence. The order of the plaintext segments in the plaintext segment sequence remains consistent with the original ciphertext segment sequence.

[0085] Accordingly, this embodiment performs a concatenation operation on the plaintext segment sequence to restore the complete response content. This embodiment sequentially traverses each plaintext segment in the plaintext segment sequence, concatenates adjacent plaintext segments end-to-end, and performs a string concatenation operation. After all plaintext segments are concatenated, the response plaintext string is obtained. The response plaintext string is the serialized form of the server-side business response data.

[0086] After the plaintext response string is generated, this embodiment performs deserialization parsing on it. This embodiment calls a deserialization function to convert the plaintext response string from a string format into an object structure. The parsing process restores the mapping relationship between field names and field values ​​according to the syntax rules of the data exchange format, and outputs the plaintext response data. This plaintext response data is the business response result returned by the server, which can be directly called and processed by the business logic layer.

[0087] After the plaintext response data is generated, this embodiment performs a key clearing operation to eliminate the risk of sensitive data residing within the memory. This embodiment locates the key cache object corresponding to the current session identifier in the memory cache and calls the cache clearing interface to remove the key cache object from memory. The clearing operation destroys the public and private key data of the asymmetric key pair from the memory space, ensuring that the key exists only within a single request-response cycle. The plaintext response data serves as the final output returned to the business caller by the global response interceptor.

[0088] To effectively address the shortcomings of traditional technologies in key secure distribution, selective encrypted signature encapsulation, response segmentation decryption, and key lifecycle management, and to provide technical assurance for the confidentiality and integrity verification of front-end application data secure transmission, this application provides an embodiment of an RSA-AES hybrid encryption-based front-end data secure transmission device for implementing all or part of the aforementioned RSA-AES hybrid encryption-based front-end data secure transmission method. See [link to embodiment]. Figure 2 The front-end data security transmission device based on RSA-AES hybrid encryption specifically includes the following components: The mapping relationship establishment module 10 is used to initiate a key acquisition request carrying a session identifier to the server through the application interface to obtain an encrypted key data packet, desalting the encrypted key data packet using a symmetric decryption algorithm to obtain an asymmetric key pair, writing the asymmetric key pair into a memory cache and establishing a session binding mapping relationship. The hybrid encryption module 20 is used to determine whether the current request belongs to the encryption scope according to the interface whitelist configuration in the global request interceptor, perform encryption operation on the request data to be sent that belongs to the encryption scope using the asymmetric key pair to obtain the request ciphertext data, perform signature operation on the request ciphertext data using the private key to obtain the request signature value, and encapsulate the request ciphertext data and the request signature value into a secure request message. The data transmission module 30 is used to receive the ciphertext message of the response in the global response interceptor and verify the validity of the signature, split the ciphertext message of the response into a ciphertext segment sequence based on a preset segmentation threshold condition, perform segmented decryption on the ciphertext segment sequence using the asymmetric key pair to obtain a plaintext segment sequence, concatenate the plaintext segment sequence to obtain the response plaintext data, and clear the asymmetric key pair in the memory cache.

[0089] As can be seen from the above description, the front-end data security transmission device based on RSA-AES hybrid encryption provided in this application embodiment can obtain asymmetric key pairs and establish session binding mapping through desalting and decryption. It can generate secure request messages by combining the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signature encapsulation, and complete the security closed-loop processing through signature verification, segmented decryption and splicing and active key clearing of the global response interceptor. It effectively solves the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation and response segmented decryption and key lifecycle management, and provides technical guarantee for the confidentiality and integrity verification of front-end application data security transmission.

[0090] This invention also provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the front-end data security transmission method based on RSA-AES hybrid encryption.

[0091] This invention also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned front-end data security transmission method based on RSA-AES hybrid encryption.

[0092] This invention also provides a computer program product, which includes a computer program that, when executed by a processor, implements the aforementioned front-end data security transmission method based on RSA-AES hybrid encryption.

[0093] In this embodiment of the invention, an asymmetric key pair is obtained by desalting and decryption and a session binding mapping is established. Secure request messages are generated by combining the whitelist encryption scope determination of the global request interceptor, request data encryption and private key signature encapsulation. Secure closed-loop processing is completed by signature verification, segmented decryption and splicing and active key clearing of the global response interceptor. This effectively solves the shortcomings of traditional technologies in key security distribution, selective encryption signature encapsulation and response segmented decryption and key lifecycle management, and provides technical protection for the confidentiality and integrity verification of front-end application data secure transmission.

[0094] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0095] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0096] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0097] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0098] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A front-end data security transmission method based on RSA-AES hybrid encryption, characterized in that, The method includes: The application programming interface (API) sends a key acquisition request carrying a session identifier to the server to obtain an encrypted key data packet. The encrypted key data packet is then desalted using a symmetric decryption algorithm to obtain an asymmetric key pair. The asymmetric key pair is then written into a memory cache and a session binding mapping relationship is established. In the global request interceptor, it is determined whether the current request belongs to the encryption scope according to the interface whitelist configuration. For the request data to be sent that belongs to the encryption scope, the asymmetric key pair is used to perform encryption operation to obtain the request ciphertext data. The request ciphertext data is used to perform signature operation with the private key to obtain the request signature value. The request ciphertext data and the request signature value are encapsulated into a secure request message. The global response interceptor receives the ciphertext message of the response and verifies the validity of the signature. Based on the preset segmentation threshold condition, the ciphertext message of the response is split into a ciphertext segment sequence. The ciphertext segment sequence is decrypted in segments using the asymmetric key pair to obtain a plaintext segment sequence. The plaintext segment sequence is then concatenated to obtain the response plaintext data and the asymmetric key pair in the memory cache is cleared.

2. The front-end data security transmission method based on RSA-AES hybrid encryption according to claim 1, characterized in that, The step of initiating a key acquisition request carrying a session identifier to the server via the application programming interface to obtain the encryption key data packet includes: During the initialization phase of the front-end application, a session identifier is generated and written into the request header field. Based on the session identifier, a key is constructed to obtain request parameters and a call is made to the key distribution interface of the server to obtain the server response data. The encryption type field, decryption type field, and global encryption switch field are parsed from the server response data. The encryption type field, decryption type field, and global encryption switch field are written to the local configuration cache. The key payload that has undergone symmetric encryption is extracted from the server response data to obtain the encryption key data packet.

3. The front-end data security transmission method based on RSA-AES hybrid encryption according to claim 1, characterized in that, The process of desalting and decrypting the encrypted key data packet using a symmetric decryption algorithm to obtain an asymmetric key pair, writing the asymmetric key pair into a memory buffer, and establishing a session binding mapping relationship includes: Extract the salt value field and the ciphertext payload field from the encrypted key data packet. Perform a key derivation operation on the salt value field and a preset symmetric key seed to obtain a symmetric decryption key. Use the symmetric decryption key to perform a symmetric decryption operation on the ciphertext payload field to obtain an asymmetric key pair. Create a key cache object in memory and write the asymmetric key pair into the key cache object. Read the current session identifier and use the session identifier as an index key to establish a mapping relationship with the key cache object and write it into the memory cache area. Set an expiration timestamp for the key cache object based on a preset key validity period threshold condition.

4. The method for secure transmission of data from front end based on hybrid encryption of RSA-AES as claimed in claim 1, wherein, The step of determining whether the current request belongs to the encryption scope based on the interface whitelist configuration in the global request interceptor, and performing encryption operations on the request data to be sent using the asymmetric key pair to obtain the ciphertext data of the request, includes: The interface path identifier of the current request is obtained in the global request interceptor. The interface path identifier is matched and compared with the preset interface whitelist configuration to obtain the scope determination result. Based on the scope determination result, requests belonging to the encrypted scope are filtered and the request data to be sent is extracted. The asymmetric key pair is read from the memory cache according to the current session identifier, the public key is extracted from the asymmetric key pair, the request data to be sent is serialized into a string format to obtain the request plaintext string, and the asymmetric encryption operation is performed on the request plaintext string using the public key to obtain the request ciphertext data.

5. The method for secure transmission of data from front end based on hybrid encryption of RSA-AES as claimed in claim 1 wherein, The step of performing a signature operation on the encrypted request data using a private key to obtain a request signature value, and then encapsulating the encrypted request data and the request signature value into a secure request message includes: Extract the private key from the asymmetric key pair, concatenate the request ciphertext data with the current timestamp to obtain the data to be signed, and use the private key to perform a digital signature operation on the data to be signed to obtain the request signature value; Create a security request message object and write the encrypted request data into the data field of the security request message object, write the request signature value into the signature field of the security request message object, write the current timestamp into the timestamp field of the security request message object, and send the security request message object as the request body to the server.

6. The front-end data security transmission method based on RSA-AES hybrid encryption according to claim 1, characterized in that, The step of receiving the ciphertext response message and verifying the signature validity in the global response interceptor, and splitting the ciphertext response message into a ciphertext segment sequence based on a preset segmentation threshold condition, includes: The global response interceptor receives the ciphertext response message returned by the server, extracts the response signature value, response timestamp, and response ciphertext data from the ciphertext response message, reads the asymmetric key pair from the memory cache and extracts the public key, and uses the public key to perform a signature verification operation on the response ciphertext data and the response timestamp to obtain the signature verification result. Based on the signature verification result, the validity of the signature is determined. For the valid response ciphertext data, the data length is calculated. The data length is compared with a preset segmentation threshold condition. For the response ciphertext data that exceeds the preset segmentation threshold condition, a splitting operation is performed according to a fixed segment length to obtain a ciphertext segment sequence.

7. The front-end data security transmission method based on RSA-AES hybrid encryption according to claim 1, characterized in that, The step of performing segmented decryption on the ciphertext segmented sequence using the asymmetric key pair to obtain a plaintext segmented sequence, concatenating the plaintext segmented sequences to obtain the response plaintext data, and clearing the asymmetric key pair from the memory buffer includes: Extract the private key from the asymmetric key pair, read each ciphertext segment in the ciphertext segment sequence in sequence, perform asymmetric decryption operation on each ciphertext segment using the private key to obtain the corresponding plaintext segment, and write each plaintext segment into the plaintext segment sequence in the original order. The plaintext segments in the plaintext segment sequence are concatenated sequentially to obtain the response plaintext string. The response plaintext string is deserialized and parsed to obtain the response plaintext data. The key cache object corresponding to the current session identifier is located in the memory cache area and a clearing operation is performed to destroy the asymmetric key pair.

8. A front-end data security transmission device based on RSA-AES hybrid encryption, characterized in that, The device includes: The mapping relationship establishment module is used to initiate a key acquisition request carrying a session identifier to the server through the application interface to obtain an encrypted key data packet, desalting the encrypted key data packet using a symmetric decryption algorithm to obtain an asymmetric key pair, writing the asymmetric key pair into a memory cache and establishing a session binding mapping relationship. The hybrid encryption module is used to determine whether the current request belongs to the encryption scope according to the interface whitelist configuration in the global request interceptor, perform encryption operation on the request data to be sent that belongs to the encryption scope using the asymmetric key pair to obtain the request ciphertext data, perform signature operation on the request ciphertext data using the private key to obtain the request signature value, and encapsulate the request ciphertext data and the request signature value into a secure request message. The data transmission module is used to receive the ciphertext response message and verify the signature validity in the global response interceptor, split the ciphertext response message into a ciphertext segment sequence based on a preset segmentation threshold condition, perform segmented decryption on the ciphertext segment sequence using the asymmetric key pair to obtain a plaintext segment sequence, concatenate the plaintext segment sequence to obtain the response plaintext data, and clear the asymmetric key pair in the memory cache.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the steps of the front-end data security transmission method based on RSA-AES hybrid encryption as described in any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When executed by a processor, the computer program implements the steps of the front-end data security transmission method based on RSA-AES hybrid encryption as described in any one of claims 1 to 7.