CN102223309B - Safe communication system and implementation method based on message load segmentation, encryption and reorder - Google Patents

Safe communication system and implementation method based on message load segmentation, encryption and reorder Download PDF

Info

Publication number
CN102223309B
CN102223309B CN201110189205.5A CN201110189205A CN102223309B CN 102223309 B CN102223309 B CN 102223309B CN 201110189205 A CN201110189205 A CN 201110189205A CN 102223309 B CN102223309 B CN 102223309B
Authority
CN
China
Prior art keywords
burst
algorithm
current
module
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201110189205.5A
Other languages
Chinese (zh)
Other versions
CN102223309A (en
Inventor
谢海春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN201110189205.5A priority Critical patent/CN102223309B/en
Publication of CN102223309A publication Critical patent/CN102223309A/en
Application granted granted Critical
Publication of CN102223309B publication Critical patent/CN102223309B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a safe communication system based on message load segmentation, encryption and reorder, which is characterized in that the safe communication system mainly comprises a segmentation information generating module (1) for outputting segmentation information (M111), and a safe load conversion module (2) which is used for converting input ordinary application data (M221) into safe load (M211) and reducing received safe load (M211) into the ordinary application data (M221). The invention also discloses an implementation method of the safe communication system based on message load segmentation, encryption and reorder. In the invention, a segmentation information generating mechanism is adopted to ensure that two sides of communication generate segmentation information which is unique and is not self-made, so that the absolute safety of the communication can be ensured.

Description

Based on message load burst, safety communication system and the safe communication method thereof encrypting, reorder
Technical field
The present invention relates to a kind of means of communication, specifically refer to a kind of based on message load burst, safety communication system and the safe communication method thereof encrypting, reorder.
Background technology
At present, people more and more depend on the facility that information technology is brought, but are thereupon the dangerous of network, and wooden horse is more and more savage, even have group in an organized way to utilize the case of security breaches crime on network also to happen occasionally, therefore the civilian demand of safety encipher technology is also more and more stronger.Up to now, safety encipher is used for state secret and company's secret, because state secret requires very high, thereby be equipped with advanced equipment, such as supercomputer, special algorithm etc., the safety encipher of company's secret is used in file and Virtual Private Network (VPN), and large multiplex symmetric encipherment algorithm is realized.
The ciphertext generating due to symmetric cryptosystem is cracked than being easier in transmitting procedure.But the encryption time of asymmetric encryption techniques is longer, and the data volume that can encrypt is very little, and then cause wanting to obtain certain level of security, have to pay high cost, so can not meet people's demand, most of companies and the people's secret requires still to can not get effective guarantee.
Summary of the invention
Technical problem to be solved by this invention is to provide a kind of safety communication system and safe communication method thereof based on message load burst, encryption, rearrangement that can effectively prevent that enciphered data is decrypted.
Object of the present invention is achieved through the following technical solutions: based on message load burst, the safety communication system of encrypting, reordering, comprise the burst information generation module for exporting burst information, and the common application data transaction of input is become to safe load and the safe load receiving is reduced into the safe load modular converter of common application data.
Further, described burst information generation module comprises the burst information generative process module for generating burst information, for be the session information interacting module that burst information generative process module is collected session real time information in the time of session establishment, for burst information generative process module provides the random algorithm library module in random algorithm storehouse, for burst information generative process module provides the key algorithm library module in key algorithm storehouse, for burst information generative process module provides the control information database module of the control information of current application and current communication object, be responsible for upgrading random algorithm library module, key algorithm library module, algorithms library renewal process module I and generate and safeguard the control information verification process module composition of control information for controlling control information database module.
Described safe load modular converter comprises the safe load generation module that according to burst information, common application data transaction is become to safe load, according to burst information, safe load is reduced into the safe load recovery module of common application data, for safe load generation module and safe load recovery module provide the digital signature procedure module of digital signature and signature verification, for safe load generation module provides cryptographic algorithm and provides the encrypting and decrypting algorithms library module of decipherment algorithm for safe load recovery module, and the responsible algorithms library renewal process module ii that upgrades digital signature procedure module and encrypting and decrypting algorithms library module.
In order better to realize the present invention, described burst information comprises the global variable of the encrypting and decrypting algorithms library version for obtaining encrypting and decrypting algorithms library module and the many groups of burst length for definite burst size take burst quantity as group number, for obtaining the algorithm mark of algorithms for encryption and decryption index, for the algorithm secret key that uses in encryption and decryption process and reordering and the reduction process that reorders in the skew of reordering that uses.
Described session real time information comprises random train number, the communication time stamp of communication two party combination and the network address of communication two party combination of session identification for generating initial seed, communication two party combination.
Described control information comprises the communication object mark for index, for random algorithm storehouse version, the key algorithm storehouse version in acquisition algorithm storehouse, the key algorithm storehouse mask of selecting for affecting key algorithm, and for generating private data and the residual seed of initial seed.
Based on message load burst, the safe communication method encrypting, reorder, mainly comprise the following steps:
(a) burst information generation module generates burst information according to session real time information and control information;
(b) safe load modular converter becomes safe load to transmit on network common application data transaction according to burst information, or according to burst information, the safe load of obtaining from network is reduced into common application data.
Further, the burst information generation module described in step (a) generates burst information according to session real time information and control information, specifically comprises the following steps:
(a1) burst information generative process module is obtained the control information of current application and current communication object from control information database module, from random algorithm library module, obtain random algorithm storehouse version ability, from key algorithm library module, obtain key algorithm storehouse version ability, and by session information interacting module generate there is session identification, random train number, the session real time information of the network address and communication time stamp.
(a2) judge whether burst information generative process module is successfully obtained control information and be, interaction success is set, execution step (a3); No, if judge again whether the key algorithm storehouse version ability of communication two party and random algorithm storehouse version ability have common factor to have common factor, reset control information and deposit in control information database module by the highest version of occuring simultaneously, interaction success is set simultaneously, execution step (a3), otherwise mutual failure is set, directly finish, and return to burst information failed regeneration, communication finishes.
(a3) according to the random algorithm storehouse version in control information and key algorithm storehouse version, current algorithms library version is set, and end mark is set is false.
(a4) take the private data in the session identification of current session real time information, random train number, the network address and communication time stamp and control information, residual seed as input, the random seed hybrid algorithm calling in random algorithm library module current version generates initial seed and deposits seed variable in, take the residual seed of this initial seed and control information as input, the decay relict subalgorithm of calling in random algorithm library module generates current residual seed and deposits in control information database module again.
(a5) take the seed in current seed variable as input, calling random-length algorithm in random algorithm library module generates current burst length and new seed and deposits new seed in seed variable, and judge whether current all burst length summation SUM having generated are more than or equal to maximum load length and are, execution step (a6), no, execution step (a7).
(a6) reset current burst length according to " burst length=current burst length-(burst length summation SUM-maximum load length) ", and end mark is set is simultaneously true, and execution step (a7).
(a7) take the key algorithm storehouse mask of the seed in seed variable and control information as input, the key algorithm selection algorithm that calls current random algorithm library module is selected key algorithm record and new seed and is deposited new seed in seed variable, and from key algorithm record, obtains the algorithm mark of current burst.
(a8) take the seed in seed variable as input, call the key algorithm in current key algorithm record, generate algorithm secret key and the new seed of current burst and deposit new seed in seed variable.
(a9) judge that end mark, whether for very, performs step (a10), no, rebound execution step (a5).
(a10) take the seed in seed variable as input, call random rearrangement sequence algorithm in current algorithm storehouse, each fragment packets is signed in interior rearrangement, then the reorder skew of each burst in new order by the order computation of resetting, generate burst information.
Safe load modular converter described in step (b) becomes safe load to transmit on network common application data transaction according to burst information, specifically comprises the following steps:
Step 1: safe load generation module arranges the version of the encrypting and decrypting algorithms library module of current use according to the encrypting and decrypting algorithms library version of burst information, and application data buffering area skew is set simultaneously and burst index is 0;
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information, and obtain corresponding cryptographic algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module;
Step 3: take the burst length of application data buffering area skew and current burst as input, from application data buffering area, read the clear data of current burst, take the algorithm secret key of current burst as input, the cryptographic algorithm of calling current burst is encrypted the clear data of current burst, generates current burst encrypt data;
Step 4: take current burst encrypt data and signature as input, call number signature process module, generates new signature take reorder skew and burst length as input, stores current burst encrypt data in safe load buffering area into simultaneously;
Step 5: recalculate new application data buffering area skew, make burst index increase by 1;
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly perform step 7;
Step 7: read the skew of reordering of current burst by burst index from burst information, and generate safe load according to reorder skew and signature length, and signature is stored in safe load buffering area;
Correspondingly, the safe load modular converter described in step (b) is reduced into common application data according to burst information by the safe load of obtaining from network, and concrete steps are as follows:
Step 1: safe load generation module arranges the version of the encrypting and decrypting algorithms library module of current use according to the encrypting and decrypting algorithms library version of burst information, and application data buffering area skew is set simultaneously and burst index is 0;
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information, and obtain corresponding decipherment algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module;
Step 3: reorder skew and the burst length of current burst as input take current burst, read current burst encrypt data from safe load buffering area;
Step 4: take current burst encrypt data and signature as input, call number signature process module, generates new signature; Take the algorithm secret key of current burst as input, the decipherment algorithm that calls current burst is decrypted the encrypt data of current burst, generates current burst clear data; Take application data buffering area skew and burst length as input, by current burst stored in clear in application data buffering area;
Step 5: recalculate new application data buffering area skew, make burst index increase by 1;
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly carry out step 7;
Step 7: the skew of reordering of reading current burst by burst index from burst information, according to reorder skew and signature length from safe load buffering area, read signature and with step 4 in the signature that calculates compare, if identical, represent to be reduced into common application data, if not identical, represent to occur error of transmission.
Wherein, the maximum transmitted length-head length-verification of maximum load length=network and the length-signature length described in above-mentioned steps, and this maximum load length integral multiple that is minimum encryption length.
The present invention compared with prior art, has following advantage and beneficial effect:
(1) the burst information generting machanism that the present invention adopts can guarantee completely communication two party generate unique, can not homemade burst information, burst information production process is controlled by session real time information and control information completely.In burst information generative process, seed is dynamic, all can refresh seed, and seed directly acts on the generation of burst information in each step.This mechanism can guarantee as long as session real time information and control information are slightly different, and it is just very large that the burst information obtaining differs.Cover code with regard to the key algorithm storehouse in independent control information, may be divided into 23 bursts according to routine, if key algorithm storehouse provides 200 kinds of key algorithm records, just have 5X10 at least 51plant permutation and combination, do not consider in the situation of out of Memory, this has been a numeral that cannot crack.So eavesdropping all wants to intercept to crack, and just must obtain correct dynamic real time information and control information.
(2) control information protection mechanism of the present invention comprises: first control information is according to application and communication object and individualism, according to the difference of application and communication object, different random algorithm storehouse versions, key algorithm storehouse version, key algorithm storehouse mask, private data all can be set, avoid employing to organize shared mode, reduced the probability that eavesdropping cracks; Secondly, provide control information authentication mechanism, user can upgrade control information manually or automatically; Again adopt relict handset system by user in history the initial seed generating in the time that session burst information produces of the each communication object to each application repeatedly do decay in various degree and merge the residual seed generating and close and store in control information, this mechanism allow listener-in people for stealing after control information, also must from session for the first time stealing, all must intercept each time, reduce the probability that eavesdropping cracks; Last control information storehouse can be arranged to physically and isolation of system, just manually allows to connect access moment user, has accessed rear automatism isolation, therefore can be effectively to preventing intercepting of listener-in.
(3) in burst information generative process, communication two party generate unique, can not homemade burst information after, the present invention estimates fail safe, by the environmental parameter of most possibly setting fail safe, conventional network is Ethernet, and payload capacity length is 1500 bytes, and conventional cryptographic algorithm is aes algorithm, conventionally adopt 128, thus burst length between position be made as 16 bytes.
We remove the expense of signature payload capacity length, then retain a part, we by 90 long measures namely 90X16=1440 byte set payload capacity length.
We are that 8 length cells are set by a segmentation maximum, can freely select length so to few 11 sections, and number of combinations is 8 11, in the combination of these 11 sections, there is the combination total length of half to be less than under 44 length cells, remaining 46 length cells can freely be selected for 5 sections, analogize in proper order, can be calculated as follows the number of combinations of burst:
X=8 11/2X8 5/2X8 2/2X8 1/2=1125899906842624>1X10 15
Burst length average out to 4, is divided into 23 and adds signature, participate in the reordering arrangement of module of 24 burst, and the number of combinations of generation is
Y=24!=620448401733239439360000>6X10 23
So increasing multiple, fail safe can simply be estimated as
X*Y*23=1X10 15X23X6X10 23>1X10 40
Encrypt with respect to single key, the method that the present invention adopts brings up at least 10 by fail safe 40doubly, and in session communication process, burst information produces in the time setting up, and belong to once and consume, and for safe load conversion, it is the same encrypting length, has just increased the burden of the reduction of reordering and reorder, and increases consumption less than 0.1%.
Accompanying drawing explanation
Fig. 1 is system configuration schematic diagram of the present invention.
Fig. 2 is random algorithm library module structural representation of the present invention.
Fig. 3 is key algorithm library module structural representation of the present invention.
Fig. 4 is encrypting and decrypting algorithms library modular structure schematic diagram of the present invention.
Fig. 5 is control information database module structural representation of the present invention.
Fig. 6 is flow diagram of authentication procedures of the present invention.
Fig. 7 is burst information product process figure of the present invention.
Fig. 8 is safe load product process figure of the present invention.
Fig. 9 is safe load generative process schematic diagram of the present invention.
Figure 10 is safe load reduction process schematic diagram of the present invention.
Figure 11 is safe load reduction flow chart of the present invention.
Figure 12 is burst information structural representation of the present invention.
Wherein, the parts name that in figure, Reference numeral is corresponding is called:
1-burst information generation module, 2-safe load modular converter, 11-burst information generative process module, 12-algorithms library renewal process module I, 13-session information interacting module, 14-random algorithm library module, 15-key algorithm library module, 16-control information authentication module, 17-control information database module, 21-safe load generation module, 22-safe load recovery module, 23-digital signature procedure module, 24-encrypting and decrypting algorithms library module, 25-algorithms library renewal process module ii, M111-burst information, M131-session real time information, M171-control information, M221-common application data, M211-safe load.
Embodiment
Below in conjunction with embodiment, the present invention is described in further detail, but embodiments of the present invention are not limited to this.
Embodiment
As shown in Figure 1, the present invention includes two large application modules, one is burst information generation module 1, be mainly used in exporting burst information M111, it two is safe load modular converter 2, is mainly used in the common application data M22 of input to convert safe load M211 to and/or the safe load M211 receiving is reduced into common application data M221.
Wherein, burst information generation module 1 includes the burst information generative process module 11 for generating burst information M111, it in the time of session establishment, is the session information interacting module 13 that burst information generative process module 11 is collected session real time information M131, for burst information generative process module 11 provides the random algorithm library module 14 in random algorithm storehouse, for burst information generative process module 11 provides the key algorithm library module 15 in key algorithm storehouse, for burst information generative process module 11 provides the control information database module 17 of the control information M171 of current application and current communication object, for being responsible for upgrading random algorithm library module 14, the algorithms library renewal process module I 12 of key algorithm library module 15, and generate and safeguard the control information verification process module 16 of control information M171 for control information database module 17.
As shown in figure 12, described burst information M111 is made up of array and the variable encrypting and decrypting algorithms library version of a data structure, and this data structure comprises burst length, algorithm mark, algorithm secret key, the skew of reordering.Wherein, burst length is exactly the length of current burst, can calculate the position skew of current burst by burst length, and concerning i burst, its burst position skew is exactly all burst length summations from first burst to i-1.
In burst information generting machanism, when each random algorithm obtains the burst length of current burst, calculate the length summation of current all bursts, in the time that summation is less than maximum load length, continue burst, in the time that summation is more than or equal to maximum load length, the burst length of last burst is that maximum load length-all burst length is always each above, makes the length summation of all bursts just equal in length with maximum load.
Algorithm mark is the identifier of the encryption/decryption algorithm of current burst, can from algorithms library, extract corresponding encryption/decryption algorithm by this identifier.Algorithm secret key is exactly the key for the encrypt/decrypt of current burst.
What reorder skew and the actual expression of the burst length that reorders is that current burst is rearranged tagmeme and puts, the order of message was { 1 originally, 2, 3, i-1, i, i+1, n, signature }, after the mixed order module in burst information generting machanism, requiring the order of resetting is likely { e, i, 1, signature, , the physical location of burst 1 is likely k, the length summation meter that is exactly k-1 burst above by the reposition skew of burst 1 so calculates assignment to the skew [0] of reordering, because burst information is to generate in a session, and be applied to whole encryption communication module, so do not wish all to calculate in the time that each transmission receives.
Described in summary, this burst information M111 essence is exactly the index that comprises the global variable of the encrypting and decrypting algorithms library version for obtaining encrypting and decrypting algorithms library module 24 and obtain each burst, for determining the burst length of burst size, for obtaining the algorithm mark of algorithms for encryption and decryption index, for the algorithm secret key that uses in encryption and decryption process and reordering and the reduction process that reorders in the skew of reordering that uses.
In session real time information M131, comprise random train number, the communication time stamp of communication two party combination and the network address of communication two party combination of session identification for generating initial seed, communication two party combination.
As shown in Figure 2, stored a variable random algorithm storehouse version in described random algorithm library module 14, it is a bitmap, and a bitmap represents a specific version, in the time that this position is 1, represents to have in database the random algorithm group of this version.
In random algorithm library module 14, can store the random algorithm group of multiple versions, every group of random algorithm group includes five random algorithms, it is respectively random seed hybrid algorithm, its input be private data and the residual seed in session real time information M131 and control information M171, its output be initial seed; Decay relict subalgorithm, its input be the residual seed in initial seed and control information M171, output be new residual seed; Random-length algorithm, its input is seed, output is burst length and seed; Key algorithm selection algorithm, its input be seed, output be key algorithm mark and seed; Random rearrangement sequence algorithm, its input be set sequence, output be also the set sequence after rearrangement.
As shown in Figure 3, stored a variable key algorithm storehouse version in key algorithm library module 15, it is a bitmap, and a bitmap represents a specific version, and in the time that this position is 1, representing has this version key algorithm group in database.
In key algorithm library module 15, can store the key algorithm group of multiple versions, in each version, store multiple key algorithm records, as record 1, record 2, record 3 ... record n etc.And include a variable algorithm mark and a key algorithm in each key algorithm record.Wherein, variable algorithm mark is for extracting encrypting and decrypting algorithm from encrypting and decrypting algorithms library module 24, and key algorithm is for generating key, its input be seed, output be key and seed.
As shown in Figure 5, this control information database module 17 comprises more than one record, and wherein each record has included communication object mark, random algorithm storehouse version, key algorithm storehouse version, private data, residual seed and key algorithm storehouse mask.Wherein, random algorithm storehouse version, key algorithm storehouse version, private data and residual seed have formed control information M171 together.
As shown in Figure 1,2 of safe load modular converters comprise the safe load generation module 21 that common application data M221 is converted to safe load M211, safe load M211 is reduced into the safe load recovery module 22 of common application data M221, for verifying the digital signature procedure module 23 of error of transmission, encrypting and decrypting algorithm for encryption and decryption is module 24, and is responsible for upgrading the algorithms library renewal process module ii 25 of digital signature procedure module 23 and encrypting and decrypting algorithms library module 24.
Wherein, the structure of encrypting and decrypting algorithms library module 24 as shown in Figure 4, this encrypting and decrypting algorithms library module 24 has multiple variable encrypting and decrypting algorithms library versions, and each variable encrypting and decrypting algorithms library version all includes multiple encrypting and decrypting algorithm records, as encrypting and decrypting algorithm record 1, encrypting and decrypting algorithm record 2 ... encrypting and decrypting algorithm records n etc.
This encrypting and decrypting algorithms library module 24 is main to be responsible for converting plaintext, ciphertext to ciphertext, expressly by encrypting and decrypting, its input be expressly, ciphertext and key, exporting is ciphertext, expressly.
As mentioned above, control information verification process module 16 is verification process that control information database module 17 generated and safeguarded control information M171, and its concrete steps as shown in Figure 6, comprise following detailed process:
Step 1 is information interaction, oneself version ability and control information will be sent to the other side by safe communication method, obtains the other side's version information and control information M171 by safe communication method simultaneously.Do not occur simultaneously once random algorithm storehouse version ability or key algorithm storehouse, prompting communication two party also exits verification process.
Step 2: control information verification process module 16 judges whether that manually inputting version information is, enters version information manual negotiations, no, enters version information auto negotiation.
In described version information auto negotiation process, the highest-capacity that communication two party occurs simultaneously by version ability arranges verify data, and generates at random key algorithm storehouse mask and send to the other side by safe communication method; And in version information manual negotiations process, verify data need to be manually set, send to the other side with the random key algorithm storehouse mask that generates by safe communication method, wait for the other side's confirmation, receive verify data and the key algorithm storehouse mask of the other side's manual setting by safe communication method simultaneously, if confirmed, send out confirmation, after both sides confirm successfully, manually negotiations process completes.In this process, if both sides' version information manual negotiations control is all true, it is true that manual input version information is set, otherwise is false.
Step 3: control information authentication module 16 judges whether that manually inputting private information is, carries out private information auto negotiation, no, enters private information manual negotiations.If both sides' private information manual negotiations control is all true, it is true that manual input private information is set, otherwise is false.
Wherein, in private information auto negotiation, default private data be sent to the other side, and after receiving the other side's private data and confirm successfully; In private information manual negotiations, the private data of manually input need to be sent to the other side, and receive manually success after the private data of input of the other side.
Step 4: the data of authentication are deposited in to the respective record of controlling database, and complete verification process.
Based on the relevant information of above system, implementation procedure of the present invention is as follows:
(a) burst information generation module 1 generates burst information M111 according to session real time information M131 and control information M171, and its flow process as shown in Figure 7, specifically comprises the following steps:
(a1) burst information generative process module 11 is obtained the control information M171 of current application and current communication object from control information database module 17, from random algorithm library module 14, obtain random algorithm storehouse version ability, from key algorithm library module 15, obtain key algorithm storehouse version ability, and by session information interacting module 13 generate there is session identification, the session real time information M131 of random train number, the network address and communication time stamp.Wherein, this control information M171 includes the communication object mark for index, for random algorithm storehouse version, the key algorithm storehouse version in acquisition algorithm storehouse, the key algorithm storehouse mask of selecting for affecting key algorithm, and for generating private data and the residual seed of initial seed.
(a2) judge whether burst information generative process module 11 is successfully obtained control information M171 and be, interaction success is set, execution step (a3); No, if further judge again whether the key algorithm storehouse version ability of communication two party and random algorithm storehouse version ability have common factor to have common factor, reset control information M171 and deposit in control information database module 17 by the highest version of occuring simultaneously, interaction success is set simultaneously, execution step (a3), otherwise mutual failure is set, directly finish, and return to burst information M111 failed regeneration, communication finishes.
(a3) according to the random algorithm storehouse version in control information M171 and key algorithm storehouse version, current algorithms library version is set, and end mark is set is false.
(a4) take the private data in the session identification of current session real time information M131, random train number, the network address and communication time stamp and control information M171, residual seed as input, the random seed hybrid algorithm calling in random algorithm library module 14 current versions generates initial seed and deposits in seed variable, take the residual seed of this initial seed and control information M171 as input, the decay relict subalgorithm of calling in random algorithm library module 14 generates current residual seed and deposits in control information database module 17 again.
(a5) take the seed in seed variable as input, calling random-length algorithm in random algorithm library module 14 generates current burst length and new seed and deposits new seed in seed variable, and judge whether current all burst length summation SUM having generated are more than or equal to maximum load length and are, execution step (a6), no, execution step (a7).
Wherein, described the length M TU-head length-verification of maximum load length=network maximum transmitted and length-signature length, and this maximum load length integral multiple that is minimum encryption length, also can be self-defined by applying according to the actual conditions of application.For instance, if all algorithms are adopted the aes algorithm of 128, minimum encryption length is just 16 bytes, and maximum load length must be the integral multiple of 16 bytes.
Because the present invention needs ceaselessly data in new seed variable more, repeatedly calls above each step in running, therefore seed described here just refers to the related data being stored in seed variable.
(a6) reset current burst length according to " burst length=current burst length-(burst length summation SUM-maximum load length) ", and end mark is set is simultaneously true, and execution step (a7).
(a7) take the key algorithm storehouse mask of the seed in seed variable and control information M171 as input, the key algorithm selection algorithm that calls current random algorithm library module 14 is selected key algorithm record and new seed and is deposited new seed in seed variable, and from key algorithm record, obtains the algorithm mark of current burst.
(a8) take the seed in seed variable as input, call the key algorithm in current key algorithm record, generate algorithm secret key and the new seed of current burst and deposit new seed in seed variable.
(a9) judge that end mark, whether for very, performs step (a10), no, rebound execution step (a5).
(a10) take the seed in seed variable as input, call random rearrangement sequence algorithm in current algorithm storehouse, each fragment packets is signed in interior rearrangement, then the reorder skew of each burst at new order by the order computation of resetting, generate burst information M111.This step (a10) is the final step that generates burst information, and preceding step has generated burst length, the algorithm secret key of each burst, algorithm mark.Obtain the skew of reordering of each burst in this step.From the key algorithm storehouse of current version, obtain again the burst information M111 of the encrypting and decrypting algorithms library version current sessions that also combination obtains conforming with the regulations.
(b) safe load modular converter 2 converts common application data M221 to safe load M211 according to burst information M111 and transmits on network, or according to burst information M111, the safe load M211 obtaining from network is reduced into common application data M221.This safe load modular converter 2 has double corresponding effect, and first effect is that the common application data M221 that needs are sent converts safe load 211 to, and sends by network, to guarantee that listener-in can not decode its content; Second effect is that the safe load M211 receiving is reduced into common application data M221, to guarantee that application is appreciated that its particular content.
Wherein, as shown in Figure 8,9, it specifically comprises the following steps the step that converts common application data M221 to safe load M211:
Step 1: safe load generation module 21 arranges the version of the encrypting and decrypting algorithms library module 24 of current use according to the encrypting and decrypting algorithms library version of burst information M111, and application data buffering area skew is set simultaneously and burst index is 0, point to first burst.
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information M111, and obtain corresponding cryptographic algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module 24.
Step 3: take the burst length of application data buffering area skew and current burst as input, from application data buffering area, read the clear data of current burst, take the algorithm secret key of current burst as input, the cryptographic algorithm of calling current burst is encrypted the clear data of current burst, generates current burst encrypt data.
Step 4: take current burst encrypt data and signature as input, call number signature process module 23, generates new signature take reorder skew and burst length as input, stores current burst encrypt data in safe load buffering area into simultaneously.
Step 5: recalculate new application data buffering area skew, make burst index increase by 1, point to next burst.
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly perform step 7.
Step 7: point to signature by burst index, read the skew of reordering of current burst from burst information M111, and generate safe load M211 according to reorder skew and signature length, and signature is stored in safe load buffering area.
The safe load M211 by obtaining from network answering is in contrast reduced into the step of common application data M221 as shown in Figure 10,11, specifically comprises:
Step 1: safe load generation module 21 arranges the version of the encrypting and decrypting algorithms library module 24 of current use according to the encrypting and decrypting algorithms library version of burst information M111, and application data buffering area skew is set simultaneously and burst index is 0, point to first burst.
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information M111, and obtain corresponding decipherment algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module 24.
Step 3: reorder skew and the burst length of current burst as input take current burst, read current burst encrypt data from safe load buffering area.
Step 4: take current burst encrypt data and signature as input, call number signature process module 23, generates new signature; Take the algorithm secret key of current burst as input, the decipherment algorithm that calls current burst is decrypted the encrypt data of current burst, generates current burst clear data; Take application data buffering area skew and burst length as input, by current burst stored in clear in application data buffering area.
Step 5: recalculate new application data buffering area skew, make burst index increase by 1, point to next burst.
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly carry out step 7.
Step 7: point to signature by burst index, from burst information M111, read the skew of reordering of current burst, according to reorder skew and signature length from safe load buffering area, read signature and with step 4 in the signature that calculates compare, if identical, represent to be reduced into common application data M221, if not identical, represent to occur error of transmission.
As mentioned above, just can well realize the present invention.

Claims (8)

1. based on message load burst, the safety communication system of encrypting, reordering, it is characterized in that: comprise the burst information generation module (1) for exporting burst information (M111), and the common application data (M221) of input are converted to safe load (M211) and the safe load receiving (M211) are reduced into the safe load modular converter (2) of common application data (M221); described burst information generation module (1) comprises the burst information generative process module (11) for generating burst information (M111), for be the session information interacting module (13) that burst information generative process module (11) is collected session real time information (M131) in the time of session establishment, for burst information generative process module (11) provides the random algorithm library module (14) in random algorithm storehouse, for burst information generative process module (11) provides the key algorithm library module (15) in key algorithm storehouse, for burst information generative process module (11) provides the control information database module (17) of the control information (M171) of current application and current communication object, be responsible for upgrading the algorithms library renewal process module I (12) of random algorithm library module (14) and key algorithm library module (15), and generate and safeguard the control information verification process module (16) of control information (M171) for control information database module (17).
2. according to claim 1 based on message load burst, encrypt, the safety communication system reordering, it is characterized in that: described safe load modular converter (2) comprises the safe load generation module (21) that according to burst information (M111), common application data (M221) is converted to safe load (M211), according to burst information (M111), safe load (M211) is reduced into the safe load recovery module (22) of common application data (M221), for safe load generation module (21) and safe load recovery module (22) provide the digital signature procedure module (23) of digital signature and signature verification, for safe load generation module (21) provides cryptographic algorithm and provides the encrypting and decrypting algorithms library module (24) of decipherment algorithm for safe load recovery module (22), and the responsible algorithms library renewal process module ii (25) that upgrades digital signature procedure module (23) and encrypting and decrypting algorithms library module (24).
3. according to claim 2 based on message load burst, the safety communication system of encrypting, reordering, it is characterized in that: described burst information (M111) comprises the global variable of the encrypting and decrypting algorithms library version for obtaining encrypting and decrypting algorithms library module (24) and the many groups of burst length for definite burst size take burst quantity as group number, for obtaining the algorithm mark of algorithms for encryption and decryption index, for the algorithm secret key that uses in encryption and decryption process and reordering and the reduction process that reorders in the skew of reordering that uses.
4. according to claim 3 based on message load burst, the safety communication system of encrypting, reordering, it is characterized in that: described session real time information (M131) comprises random train number, the communication time stamp of communication two party combination and the network address of communication two party combination of session identification for generating initial seed, communication two party combination.
5. according to claim 3 based on message load burst, the safety communication system of encrypting, reordering, it is characterized in that: described control information (M171) comprises the communication object mark for index, for random algorithm storehouse version, the key algorithm storehouse version in acquisition algorithm storehouse, the key algorithm storehouse mask of selecting for affecting key algorithm, and for generating private data and the residual seed of initial seed.
6. based on message load burst, the safe communication method encrypting, reorder, it is characterized in that, mainly comprise the following steps:
(a) burst information generation module (1) generates burst information (M111) according to session real time information (M131) and control information (M171);
(b) safe load modular converter (2) converts common application data (M221) to safe load (M211) according to burst information (M111) and transmits on network, or according to burst information (M111), the safe load of obtaining from network (M211) is reduced into common application data (M221);
Step (a) specifically comprises the following steps:
(a1) burst information generative process module (11) is obtained the control information (M171) of current application and current communication object from control information database module (17), from random algorithm library module (14), obtain random algorithm storehouse version ability, from key algorithm library module (15), obtain key algorithm storehouse version ability, and by session information interacting module (13) generate there is session identification, random train number, the session real time information (M131) of the network address and communication time stamp;
(a2) judge whether burst information generative process module (11) is successfully obtained control information (M171) and be, interaction success is set, execution step (a3); No, if judge again whether the key algorithm storehouse version ability of communication two party and random algorithm storehouse version ability have common factor to have common factor, reset control information (M171) and deposit in control information database module (17) by the highest version of occuring simultaneously, interaction success is set simultaneously, execution step (a3), otherwise mutual failure is set, directly finish, and return to burst information (M111) failed regeneration, communication finishes;
(a3) according to the random algorithm storehouse version in control information (M171) and key algorithm storehouse version, current algorithms library version is set, and end mark is set is false;
(a4) with the session identification of current session real time information (M131), random train number, private data in the network address and communication time stamp and control information (M171), residual seed is input, the random seed hybrid algorithm calling in random algorithm library module (14) current version generates initial seed and deposits in seed variable, again take the residual seed of this initial seed and control information (M171) as input, the decay relict subalgorithm of calling in random algorithm library module (14) generates current residual seed and deposits in control information database module (17),
(a5) take the seed in seed variable as input, calling random-length algorithm in random algorithm library module (14) generates current burst length and new seed and new seed is deposited in seed variable, and judge whether current all burst length summation SUM having generated are more than or equal to maximum load length and are, execution step (a6), no, execution step (a7);
(a6) reset current burst length according to " burst length=current burst length-(burst length summation SUM-maximum load length) ", and end mark is set is simultaneously true, and execution step (a7);
(a7) take the key algorithm storehouse mask of the seed in seed variable and control information (M171) as input, the key algorithm selection algorithm that calls current random algorithm library module (14) is selected key algorithm record and new seed and is deposited new seed in seed variable, and from key algorithm record, obtains the algorithm mark of current burst;
(a8) take the seed in seed variable as input, call the key algorithm in current key algorithm record, generate algorithm secret key and the new seed of current burst and deposit new seed in seed variable;
(a9) judge that end mark, whether for very, performs step (a10), no, rebound execution step (a5);
(a10) take the seed in seed variable as input, call random rearrangement sequence algorithm in current algorithm storehouse, each fragment packets is signed in interior rearrangement, then the reorder skew of each burst in new order by the order computation of resetting, generate burst information (M111).
7. according to claim 6 based on message load burst, the safe communication method encrypting, reorder, it is characterized in that, safe load modular converter (2) described in step (b) converts common application data (M221) to safe load (M211) according to burst information (M111) and transmits on network, specifically comprises the following steps:
Step 1: safe load generation module (21) arranges the version of the encrypting and decrypting algorithms library module (24) of current use according to the encrypting and decrypting algorithms library version of burst information (M111), and application data buffering area skew is set simultaneously and burst index is 0;
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information (M111), and obtain corresponding cryptographic algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module (24);
Step 3: take the burst length of application data buffering area skew and current burst as input, from application data buffering area, read the clear data of current burst, take the algorithm secret key of current burst as input, the cryptographic algorithm of calling current burst is encrypted the clear data of current burst, generates current burst encrypt data;
Step 4: take current burst encrypt data and signature as input, call number signature process module (23), generate new signature, take reorder skew and burst length as input, current burst encrypt data is stored in safe load buffering area simultaneously;
Step 5: recalculate new application data buffering area skew, make burst index increase by 1;
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly perform step 7;
Step 7: read the skew of reordering of current burst by burst index from burst information (M111), and generate safe load (M211) according to reorder skew and signature length, and signature is stored in safe load buffering area;
Safe load modular converter (2) described in step (b) is reduced into common application data (M221) according to burst information (M111) by the safe load of obtaining from network (M211), and concrete steps are as follows:
Step 1: safe load generation module (21) arranges the version of the encrypting and decrypting algorithms library module (24) of current use according to the encrypting and decrypting algorithms library version of burst information (M111), and application data buffering area skew is set simultaneously and burst index is 0;
Step 2: read burst length, algorithm mark, algorithm secret key, the skew of reordering of current burst with burst index from burst information (M111), and obtain corresponding decipherment algorithm according to algorithm mark from the current version of encrypting and decrypting algorithms library module (24);
Step 3: reorder skew and the burst length of current burst as input take current burst, read current burst encrypt data from safe load buffering area;
Step 4: take current burst encrypt data and signature as input, call number signature process module (23), generates new signature; Take the algorithm secret key of current burst as input, the decipherment algorithm that calls current burst is decrypted the encrypt data of current burst, generates current burst clear data; Take application data buffering area skew and burst length as input, by current burst stored in clear in application data buffering area;
Step 5: recalculate new application data buffering area skew, make burst index increase by 1;
Step 6: judge whether the skew of current application data buffering area is less than maximum load length and is, represent that the processing of application data burst does not finish, jump to step 2 and process next burst, no, directly carry out step 7;
Step 7: the skew of reordering of reading current burst by burst index from burst information (M111), according to reorder skew and signature length from safe load buffering area, read signature and with step 4 in the signature that calculates compare, if identical, represent to be reduced into common application data (M221), if not identical, represent to occur error of transmission.
8. according to claim 7 based on message load burst, the safe communication method encrypting, reorder, it is characterized in that: described the maximum transmitted length-head length-verification of maximum load length=network and length-signature length, and this maximum load length integral multiple that is minimum encryption length.
CN201110189205.5A 2011-07-07 2011-07-07 Safe communication system and implementation method based on message load segmentation, encryption and reorder Expired - Fee Related CN102223309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110189205.5A CN102223309B (en) 2011-07-07 2011-07-07 Safe communication system and implementation method based on message load segmentation, encryption and reorder

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110189205.5A CN102223309B (en) 2011-07-07 2011-07-07 Safe communication system and implementation method based on message load segmentation, encryption and reorder

Publications (2)

Publication Number Publication Date
CN102223309A CN102223309A (en) 2011-10-19
CN102223309B true CN102223309B (en) 2014-07-02

Family

ID=44779741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110189205.5A Expired - Fee Related CN102223309B (en) 2011-07-07 2011-07-07 Safe communication system and implementation method based on message load segmentation, encryption and reorder

Country Status (1)

Country Link
CN (1) CN102223309B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102368704A (en) * 2011-10-20 2012-03-07 西南大学 Encryption and decryption methods and systems thereof for hardware of superspeed optical packet switching network
CN103685247A (en) * 2013-12-04 2014-03-26 冯丽娟 Safety communication method, device and system and safety mainboard
CN104410616B (en) * 2014-11-20 2018-01-05 广州日滨科技发展有限公司 data encryption, decryption, transmission method and system
CN105701410B (en) * 2015-12-31 2019-03-01 华为技术有限公司 The method, apparatus and system of information in a kind of acquisition source code
CN108228663A (en) * 2016-12-21 2018-06-29 杭州海康威视数字技术股份有限公司 A kind of paging search method and device
CN108365954B (en) * 2018-02-09 2020-09-04 哈尔滨工业大学 Control code multiplexing method
CN111224974A (en) * 2019-12-31 2020-06-02 北京安码科技有限公司 Method, system, electronic device and storage medium for network communication content encryption
CN111859436B (en) * 2020-07-29 2023-10-17 贵州力创科技发展有限公司 Data security encryption method for vehicle insurance anti-fraud platform
CN113452520B (en) * 2021-06-25 2024-03-12 北京经纬恒润科技股份有限公司 A communication data processing method device and communication system
CN113890759B (en) * 2021-09-28 2023-10-31 中国电信股份有限公司 File transmission method, device, electronic equipment and storage medium
CN113709188B (en) * 2021-10-27 2022-03-11 北京蓝莓时节科技有限公司 Session control information processing method, device, system and storage medium
CN114338017B (en) * 2022-03-04 2022-06-10 支付宝(杭州)信息技术有限公司 Sorting method and system based on secret sharing
CN115378664B (en) * 2022-08-02 2023-07-18 深圳市乐凡信息科技有限公司 Data encryption transmission method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064599A (en) * 2006-04-26 2007-10-31 华为技术有限公司 Method and system for optical network authentication, cipher key negotiation method and system and optical line terminal and optical network unit
CN101335740B (en) * 2007-06-26 2012-10-03 华为技术有限公司 Method and system for transmitting and receiving data
CN101202624B (en) * 2007-12-24 2010-10-13 北京创毅视讯科技有限公司 Method and system of document transmission
CN101222512A (en) * 2008-01-25 2008-07-16 华为技术有限公司 Enciphering and deciphering card, enciphering and deciphering method

Also Published As

Publication number Publication date
CN102223309A (en) 2011-10-19

Similar Documents

Publication Publication Date Title
CN102223309B (en) Safe communication system and implementation method based on message load segmentation, encryption and reorder
CN100468438C (en) Encryption and decryption method for realizing hardware and software binding
CN101969438B (en) Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN109218825B (en) Video encryption system
US20140331050A1 (en) Qkd key management system
CN101448130B (en) Method, system and device for protecting data encryption in monitoring system
CN109151508B (en) Video encryption method
CN102291418A (en) Method for realizing cloud computing security architecture
CN103427987A (en) Data encryption method, data verification method and electronic device
EP0858700A2 (en) Unified end-to-end security methods and systems for operating on insecure networks
CN108632296B (en) Dynamic encryption and decryption method for network communication
CN103986583A (en) Dynamic encryption method and encryption communication system thereof
CN112511304A (en) Power data privacy communication method based on hybrid encryption algorithm
CN109218295A (en) Document protection method, device, computer equipment and storage medium
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
EP3476078A1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN102833075A (en) Identity authentication and digital signature method based on three-layered overlapping type key management technology
CN101931623B (en) Safety communication method suitable for remote control with limited capability at controlled end
CN107104795A (en) Method for implanting, framework and the system of RSA key pair and certificate
CN104579680A (en) Method for safe distribution of seed
CN107483388A (en) A kind of safety communicating method and its terminal and high in the clouds
CN101790160A (en) Method and device for safely consulting session key
CN103108245A (en) Smart television payment secret key system and payment method based on smart television
CN112532584A (en) Construction site information security encryption working method according to block chain network
CN111262852A (en) Business card signing and issuing method and system based on block chain

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140702

Termination date: 20150707

EXPY Termination of patent right or utility model