Summary of the invention
The embodiments of the invention provide an encrypted data transmission method and system for improving the security of data transmission.
To solve the above technical problem, the embodiments of the invention provide:
An encrypted data transmission method, comprising the following steps:
Receiving common parameters and a digital signature, where the common parameters are generated by a cryptocenter and the digital signature is generated by the cryptocenter signing the common parameters with its own private key;
Authenticating the digital signature and, after authentication passes, encrypting the data to be sent with the common parameters and sending it.
An encrypted data transmission method, comprising the following steps:
The data sender receives common parameters and a digital signature, where the common parameters are generated by a cryptocenter and the digital signature is generated by the cryptocenter signing the common parameters with its own private key;
The data sender compares the received common parameters with pre-stored common parameters. If they match, the data sender authenticates the digital signature and, after authentication passes, encrypts the data to be sent with the common parameters and sends it.
An encrypted data transmission method, comprising the following steps:
Receiving common parameters, where the common parameters are generated by a cryptocenter;
Comparing them with pre-stored common parameters; if they match, authentication passes, and after authentication passes the data to be sent is encrypted with the common parameters and sent.
An encrypted data transmission system, comprising a cryptocenter and a terminal, where the cryptocenter and the terminal are each configured with their own public key.
The cryptocenter comprises:
A private key generation unit, configured to generate the private keys corresponding to the cryptocenter and the terminal from the public keys of the cryptocenter and the terminal;
A common parameter generation unit, configured to generate common parameters;
A signature unit, configured to sign the common parameters with the cryptocenter's own private key to generate a digital signature.
The terminal comprises:
An authentication unit, configured to receive the common parameters and the digital signature and to authenticate the digital signature;
An encryption unit, configured to encrypt the data to be sent with the common parameters that passed authentication, and to send it.
An encrypted data transmission system, comprising a cryptocenter and a terminal, where the cryptocenter and the terminal are each configured with their own public key.
The terminal comprises:
A storage unit, configured to store at least one set of common parameters;
A comparing unit, configured to compare received common parameters with the common parameters stored in the storage unit;
An encryption unit, configured to encrypt the data to be sent with the common parameters that the comparing unit found to match.
A cryptocenter, comprising:
A private key generation unit, configured to generate the private keys of the cryptocenter and the terminal from the public keys of the cryptocenter and the terminal;
A common parameter generation unit, configured to generate common parameters;
A signature unit, configured to sign the common parameters with the cryptocenter's own private key to generate a digital signature.
A communication terminal, comprising:
An authentication unit, configured to receive the common parameters and the digital signature and to authenticate the digital signature;
An encryption unit, configured to encrypt the data to be sent with the common parameters that passed authentication, and to send it.
The embodiments of the invention sign the common parameters before sending them and authenticate the received digital signature. This guarantees the source and integrity of the common parameters, prevents an attacker from replacing or altering them, and improves the security of common parameter transmission.
Embodiment
To make the purpose, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the accompanying drawings.
To simplify the key management of conventional public-key cryptosystems, cryptography has been developing from certificate-based public-key systems toward IBE (identity-based encryption) systems.
The cryptographic system comprises a cryptocenter and multiple terminals. The cryptocenter may be a PKG, or another network entity that generates private keys; a terminal is a network entity that needs to communicate over the network. The cryptocenter and the terminals are each configured with their own public key in the cryptographic system. A public key may be the identifier of the cryptocenter or terminal; the identifier may be its IP address, or any other identifier that distinguishes it from other network entities.
In an IBE system, a terminal must obtain the common parameters from the cryptocenter before it can carry out encryption and decryption, and the transmission of the common parameters is easily attacked by a third party, which is a significant security risk. As shown in Figure 1, Embodiment 1 of the invention provides a common parameter authentication method comprising the following steps:
Step 11: the cryptocenter generates its own private key and the common parameters;
The cryptocenter's private key is generated from the cryptocenter's public key and the master private key according to the algorithm defined by the system, so the cryptocenter's public key and private key correspond to each other. Each cryptocenter randomly generates a group of parameters that satisfy certain conditions. Of these parameters, the master private key is kept secret and all the others must be made public; the public ones are the common parameters. The master private key is generated according to the public key and is held by the cryptocenter. Unlike the public key, the master private key is not disclosed. The cryptocenter uses the master private key to generate the corresponding private keys from the public keys of the cryptocenter and the terminals;
Step 12: the cryptocenter signs the common parameters with its own private key to generate a digital signature, and sends the common parameters and the digital signature to the terminal;
The signing process may be as follows: the cryptocenter concatenates the common parameters in a fixed format, hashes the concatenated common parameters, and then encrypts the resulting hash value with the cryptocenter's private key to obtain the digital signature of the common parameters. For convenience, the digital signature of the common parameters is referred to simply as the digital signature in this application;
The digital signature may be appended to the common parameters. The position is not restricted: it may follow or precede the common parameters. The digital signature may also be stored and sent separately, provided a reliable association with the common parameters is maintained;
Step 13: the terminal receives the common parameters and the digital signature and authenticates the signature with the cryptocenter's public key; if authentication passes, the terminal uses these common parameters.
In this cryptographic system, a terminal must pre-store the public keys of one or more trusted cryptocenters;
Authenticating the signature with the cryptocenter's public key may proceed as follows: the digital signature is decrypted with the cryptocenter's public key, the common parameters are hashed to obtain a hash value, and the decrypted content is compared with the hash value of the common parameters; if they match, verification passes.
Because the digital signature in this embodiment is produced by the cryptocenter with its private key, a terminal that receives the digital signature can decrypt it only with the public key corresponding to that private key. This confirms the source of the common parameters and prevents an attacker from replacing them. Because a hash operation is used, the integrity of the common parameters is guaranteed and an attacker is prevented from changing part of them. This embodiment therefore improves the security of common parameter transmission.
The common parameter authentication process of the above embodiment can be applied to an encrypted data transmission method. As shown in Figure 2, suppose terminal A needs to send data to terminal B, that is, terminal A is the data sender and terminal B is the data receiver. The encrypted data transmission method provided by Embodiment 2 of the invention comprises the following steps:
Step 201: the cryptocenter is initialized and generates private keys and the common parameters;
The cryptocenter's own private key is generated from the cryptocenter's public key and the master private key according to the algorithm defined by the system. The private key of each terminal is generated by the cryptocenter from that terminal's public key using the master private key, after the cryptocenter has authenticated the terminal's identity. The common parameters may be system parameters;
Step 202: the cryptocenter signs the common parameters with its own private key to generate a digital signature, and sends the common parameters and the digital signature to terminal B;
The signing process may be as follows: the cryptocenter concatenates the common parameters in a fixed format, hashes the concatenated common parameters, and then encrypts the resulting hash value with the cryptocenter's private key to obtain the digital signature of the common parameters. For convenience, the digital signature of the common parameters is referred to simply as the digital signature in this application;
The digital signature may be appended to the common parameters. The position is not restricted: it may follow or precede the common parameters. The digital signature may also be stored and sent separately, provided a reliable association with the common parameters is maintained;
Step 203: terminal B sends the common parameters and the digital signature to terminal A, and terminal A authenticates the digital signature with the cryptocenter's public key. If authentication passes, step 204 is executed; if it does not pass, step 206 is executed;
In this cryptographic system, a terminal must pre-store the public keys of one or more trusted cryptocenters. A public key may be obtained over a trusted channel, for example by an administrator configuring it manually on the terminal, or by obtaining it from the cryptocenter on removable storage media and storing it directly on the terminal.
Terminal A may authenticate the digital signature with the cryptocenter's public key as follows: terminal A decrypts the digital signature with the cryptocenter's public key, hashes the common parameters to obtain a hash value, and compares the decrypted content with the hash value of the common parameters; if they match, authentication passes.
Step 204: terminal A encrypts the data with the common parameters and terminal B's public key, and sends the encrypted data to terminal B;
Step 205: terminal B decrypts the received data with the common parameters and its own private key;
Step 206: stop communication.
Because the digital signature in this embodiment is produced by the cryptocenter with its private key, a terminal that receives the digital signature can decrypt it only with the public key corresponding to that private key. This confirms the source of the common parameters and prevents an attacker from replacing them. Because a hash operation is used, the integrity of the common parameters is guaranteed and an attacker is prevented from changing part of them. This embodiment therefore improves the security of common parameter transmission.
The embodiments of the invention also provide another common parameter authentication method, in which a terminal can pre-store one or more sets of common parameters issued by trusted cryptocenters. The pre-stored common parameters may be obtained over a trusted channel, for example by an administrator configuring them manually on the terminal, or by obtaining them from the cryptocenter on removable storage media and storing them directly on the terminal. The terminal manages the common parameters obtained through the various channels in a unified way. Whatever the channel or method by which the recipient receives a set of common parameters, it compares that set with the common parameters it has pre-stored. If the received common parameters match the pre-stored ones, they are trusted, and the data to be sent is encrypted with them and sent. If they do not match, the received common parameters are discarded. The common parameters a terminal receives may have been encrypted with the recipient's public key, in which case the recipient must decrypt them with its own private key before the comparison.
A terminal may pre-store many sets of common parameters, and the two parties must agree on which set to use; receiving common parameters and comparing them determines the set to be used. This embodiment guarantees the credibility and consistency of the common parameters.
This embodiment can also be combined with the preceding common parameter authentication method embodiment: the data sender may perform the comparison when it receives the common parameters and the digital signature, or may perform the comparison after authenticating the digital signature, to further improve the credibility of the common parameters.
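The signing and verification steps of Embodiment 1 and the pre-stored comparison described above, combined as the preceding paragraph allows, shown as an added example that is not code from the patent. The RSA key is a constructed toy key built from Mersenne primes so the block runs with the standard library alone; the parameter names, the length-prefixed encoding and SHA-256 are assumptions, since the text specifies only "a fixed format" and "a hash operation".

```python
import hashlib

# Constructed toy RSA primes (Mersenne) so only the standard library is needed.
# Trivially factorable: demo only. Real deployments use a padded scheme (RSA-PSS).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def encode_params(params):
    """Concatenate the parameters in a fixed format: sorted by name, with each
    name and value length-prefixed so field boundaries cannot be shifted."""
    out = b""
    for name in sorted(params):
        for field in (name.encode(), params[name]):
            out += len(field).to_bytes(4, "big") + field
    return out


def digest_int(params):
    """Hash the encoded parameters and return the hash as an integer."""
    return int.from_bytes(hashlib.sha256(encode_params(params)).digest(), "big")


def sign_params(params, private_key):
    """Cryptocenter: hash the parameters, then apply the private key to the hash."""
    n, d = private_key
    return pow(digest_int(params), d, n)


def verify_params(params, signature, public_key):
    """Terminal: apply the public key to the signature and compare the result
    with a hash recomputed over the parameters that were actually received."""
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == digest_int(params)


def accept_params(params, signature, trusted_keys, prestored_sets=None):
    """Accept only if a pre-stored cryptocenter key verifies the signature and,
    when pre-stored sets are given, the parameters equal one of those sets."""
    if not any(verify_params(params, signature, k) for k in trusted_keys):
        return False
    if prestored_sets is None:
        return True
    return encode_params(params) in [encode_params(s) for s in prestored_sets]


def demo():
    """Run the checks on constructed sample parameters (names are hypothetical)."""
    center_pub, center_priv = make_keypair()
    _, rogue_priv = make_keypair(2**127 - 1, 2**521 - 1)  # attacker's own key
    params = {"curve": b"constructed-curve", "P": b"\x02" * 32, "P_pub": b"\x03" * 32}
    sig = sign_params(params, center_priv)
    swapped = dict(params, P_pub=b"\x04" * 32)  # attacker-chosen parameter
    return {
        "genuine": accept_params(params, sig, [center_pub]),
        "tampered": accept_params(swapped, sig, [center_pub]),
        "replaced": accept_params(swapped, sign_params(swapped, rogue_priv), [center_pub]),
        "prestored_match": accept_params(params, sig, [center_pub], [params]),
        "prestored_mismatch": accept_params(params, sig, [center_pub], [swapped]),
    }


if __name__ == "__main__":
    print(demo())
```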
Based on the above technical solution, the embodiments of the invention also provide a system for authenticating common parameters. As shown in Figure 3, the system comprises a cryptocenter 31 and at least one terminal 32. In this system the cryptocenter 31 and the terminal 32 are each configured with their own public key. A public key may be the identifier of the cryptocenter or terminal; the identifier may be its IP address, or any other identifier that distinguishes it from other network entities. The cryptocenter 31 is configured to generate private keys and common parameters and to sign the common parameters with its own private key to generate a digital signature, and specifically comprises:
A private key generation unit 311, configured to generate the cryptocenter's own private key from the public key of the cryptocenter 31 and the master private key, according to the algorithm defined by the system;
A common parameter generation unit 313, configured to generate common parameters;
A signature unit 312, configured to concatenate the common parameters generated by the common parameter generation unit 313 in a fixed format, hash the concatenated common parameters, and then encrypt the resulting hash value with the private key produced by the private key generation unit 311 to obtain the digital signature;
Correspondingly, the terminal 32 is configured to obtain the common parameters and the digital signature from the cryptocenter 31 and to authenticate them. It specifically comprises an authentication unit 321, configured to decrypt the digital signature with the public key of the cryptocenter 31, hash the common parameters to obtain a hash value, and compare the decrypted content with the hash value of the common parameters; if they match, authentication passes.
Because the digital signature in this embodiment is produced by the cryptocenter 31 with its private key, a terminal 32 that receives the digital signature can decrypt it only with the public key corresponding to that private key. This confirms the source of the common parameters and prevents an attacker from replacing them. Because a hash operation is used, the integrity of the common parameters is guaranteed and an attacker is prevented from changing part of them. This embodiment therefore improves the security of common parameter transmission.
As shown in Figure 4, the embodiments of the invention also provide an encrypted data transmission system comprising a cryptocenter 31 and at least one terminal 41. In this system the cryptocenter 31 and the terminal 41 are each configured with their own public key. A public key may be the identifier of the cryptocenter or terminal; the identifier may be its IP address, or any other identifier that distinguishes it from other network entities. The cryptocenter 31 is configured to generate private keys and common parameters and to sign the common parameters with its own private key to generate a digital signature, and specifically comprises:
A private key generation unit 311, configured to generate the cryptocenter's own private key and the private key of each terminal from the public keys and the master private key of the cryptocenter, according to the algorithm defined by the system;
A common parameter generation unit 313, configured to generate common parameters;
A signature unit 312, configured to concatenate the common parameters in a fixed format, hash the concatenated common parameters, and then encrypt the resulting hash value with the cryptocenter's private key to obtain the digital signature.
Correspondingly, the terminal 41 is configured to authenticate the common parameters and the digital signature and, if authentication passes, to encrypt data with the common parameters and send the encrypted data, or to receive encrypted data sent by another terminal and decrypt it with the common parameters. It specifically comprises:
An authentication unit 321, configured to decrypt the digital signature with the cryptocenter's public key, hash the common parameters to obtain a hash value, and compare the decrypted content with the hash value of the common parameters; if they match, authentication passes;
An encryption unit 411, configured to encrypt the data to be sent with the common parameters that passed authentication and the data receiver's public key, and to send the encrypted data;
A decryption unit 412, configured to receive encrypted data sent by another terminal and to decrypt it with the common parameters that passed authentication and the terminal's own private key.
When this embodiment is applied to an IBE system, the cryptocenter may be a PKG. This embodiment confirms the source and integrity of the common parameters, which guarantees the credibility of the common parameters that terminals receive during IBE communication, improves the security of the whole communication process, and allows IBE to be used more widely.
To further improve the security of data transmission, as shown in Figure 5, the invention also provides another encrypted data transmission system, comprising a cryptocenter 51 and at least one terminal 52. In this system the cryptocenter 51 and the terminal 52 are each configured with their own public key. A public key may be the identifier of the cryptocenter or terminal; the identifier may be its IP address, or any other identifier that distinguishes it from other network entities.
The cryptocenter 51 comprises a private key generation unit 511, configured to generate the private keys of the cryptocenter and the terminals, and a common parameter generation unit 512, configured to generate common parameters;
The terminal 52 specifically comprises:
A storage unit 522, configured to store common parameters;
A comparing unit 521, configured to compare received common parameters with the common parameters stored in the storage unit 522; if they match, authentication passes;
An encryption unit 411, configured to encrypt the data to be sent with the common parameters that passed authentication and the data receiver's public key, and to send the encrypted data;
A decryption unit 412, configured to receive encrypted data sent by another terminal and to decrypt it with the common parameters that passed authentication and the terminal's own private key.
This embodiment can be combined with the encrypted data transmission system of the preceding embodiment to further improve the security of the common parameters. When this embodiment is applied to an IBE system, the cryptocenter may be a PKG. This embodiment confirms the source and integrity of the common parameters, which guarantees the credibility of the common parameters that terminals receive during IBE communication, improves the security of the whole communication process, and allows IBE to be used more widely.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented in software plus the necessary general-purpose hardware platform, and can of course also be implemented in hardware. On that understanding, the technical solution of the invention in essence, or the part of it that contributes over the prior art, can be embodied as a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the invention.
The embodiments of the invention described above do not limit the scope of protection of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.