CN105447407A - Off-line data encryption method and decryption method and corresponding apparatus and system - Google Patents

Publication number
CN105447407A
Authority
CN
China
Prior art keywords
line data
encryption
symmetric key
algorithm
plaintext
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510766316.6A
Other languages
Chinese (zh)
Inventor
闫立志
郭汉利
张晓东
李晓敦
李爱宏
周玉朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN201510766316.6A
Publication of CN105447407A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Abstract

The present invention provides an off-line data encryption method, a decryption method, and a corresponding apparatus and system. The encryption method comprises: randomly generating a symmetric key; encrypting plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data; encrypting the symmetric key with the public key of the decryption end, using a preset second encryption algorithm, to obtain an encrypted symmetric key; invoking an interface provided by a USB Key and encrypting a digest of the plaintext off-line data with the private key of the encryption end, using a preset third encryption algorithm, to obtain a data digest signature; and sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end. The method thus encrypts the plaintext off-line data, the symmetric key and the digest of the plaintext off-line data, thereby greatly improving the security of off-line data.

Description

An encryption method and a decryption method for off-line data, and a corresponding apparatus and system
Technical field
The present invention relates to the technical field of encryption and decryption, and more particularly to an encryption method and a decryption method for off-line data and a corresponding apparatus and system.
Background
Between a bank's internal systems, and between banking systems and external systems, some data is exchanged by non-real-time transmission such as sending mail or copying storage media. This data is referred to as off-line data.
To protect off-line data against forgery and to keep it secure, the prior art signs and encrypts off-line data. The process of turning plaintext off-line data into ciphertext off-line data is called encryption, and the process of turning ciphertext off-line data back into plaintext off-line data is called decryption.
Specifically, the prior art encrypts and decrypts off-line data with a symmetric key. The encryption end encrypts the plaintext off-line data with the symmetric key to generate ciphertext off-line data, and then sends the ciphertext off-line data and the symmetric key to the decryption end, for example by mail. After receiving the ciphertext off-line data and the symmetric key, the decryption end decrypts the ciphertext off-line data with the symmetric key, using an algorithm agreed in advance between the encryption end and the decryption end, and obtains the plaintext off-line data.
However, because this prior-art method has to send both the ciphertext off-line data and the symmetric key by mail or similar means, the symmetric key is leaked as soon as the mail is intercepted or stolen, which reduces the security of the off-line data.
Summary of the invention
In view of this, the present invention provides an encryption method and a decryption method for off-line data and a corresponding apparatus and system, to solve the problem that the prior-art method of encrypting and decrypting off-line data with a symmetric key easily leaks the symmetric key and thus reduces the security of the off-line data. The technical solution is as follows:
According to one aspect of the present invention, an encryption method for off-line data is provided, applied to an encryption end and comprising:
randomly generating a symmetric key;
encrypting plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data;
encrypting the symmetric key with the public key of the decryption end, using a preset second encryption algorithm, to obtain an encrypted symmetric key;
invoking the interface provided by a USB Key and encrypting a digest of the plaintext off-line data with the private key of the encryption end, using a preset third encryption algorithm, to obtain a data digest signature, wherein the digest of the plaintext off-line data is computed from the plaintext off-line data with a preset digest algorithm;
sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end.
Preferably, before the symmetric key is randomly generated, the method further comprises:
obtaining the root certificate and the certificate of the decryption end;
verifying the certificate of the decryption end using the root certificate;
when the certificate of the decryption end is verified as legitimate, performing the step of randomly generating the symmetric key;
wherein using the public key of the decryption end comprises using the public key in the certificate of the decryption end.
Preferably, sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end comprises:
packing the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data package;
sending the data package to the decryption end.
Preferably, the second encryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
According to another aspect of the present invention, a decryption method for off-line data is also provided, applied to a decryption end and comprising:
receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end;
decrypting the data digest signature with the public key of the encryption end, using a preset first decryption algorithm, to obtain a decrypted digest;
comparing the decrypted digest with the digest of the plaintext off-line data;
when the decrypted digest is consistent with the digest of the plaintext off-line data, invoking the interface provided by a USB Key and decrypting the encrypted symmetric key with the private key of the decryption end, using a preset second decryption algorithm, to obtain a decrypted symmetric key;
decrypting the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain decrypted plaintext off-line data.
Preferably, before receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end, the method further comprises:
obtaining the root certificate and the certificate of the encryption end;
verifying the certificate of the encryption end using the root certificate;
when the certificate of the encryption end is verified as legitimate, performing the step of receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end;
wherein using the public key of the encryption end comprises using the public key in the certificate of the encryption end.
Preferably, the second decryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
According to another aspect of the present invention, an encryption device is also provided, comprising:
a symmetric key generation module, configured to randomly generate a symmetric key;
a first encryption module, configured to encrypt plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data;
a second encryption module, configured to encrypt the symmetric key with the public key of the decryption device, using a preset second encryption algorithm, to obtain an encrypted symmetric key;
a third encryption module, configured to invoke the interface provided by a USB Key and encrypt a digest of the plaintext off-line data with the private key of the encryption device, using a preset third encryption algorithm, to obtain a data digest signature, wherein the digest of the plaintext off-line data is computed from the plaintext off-line data with a preset digest algorithm;
a data sending module, configured to send the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption device.
Preferably, the encryption device further comprises:
a first acquisition module, configured to obtain the root certificate and the certificate of the decryption device;
a first authentication module, configured to verify the certificate of the decryption device using the root certificate;
wherein the second encryption module is specifically configured to encrypt the symmetric key with the public key in the certificate of the decryption device, using the preset second encryption algorithm, to obtain the encrypted symmetric key.
Preferably, the data sending module comprises:
a data package generation submodule, configured to pack the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data package;
a data package sending submodule, configured to send the data package to the decryption device.
Preferably, the second encryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
According to another aspect of the present invention, a decryption device is also provided, comprising:
a data receiving module, configured to receive the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption device;
a first decryption module, configured to decrypt the data digest signature with the public key of the encryption device, using a preset first decryption algorithm, to obtain a decrypted digest;
a comparison module, configured to compare the decrypted digest with the digest of the plaintext off-line data;
a second decryption module, configured to, when the comparison module finds the decrypted digest consistent with the digest of the plaintext off-line data, invoke the interface provided by a USB Key and decrypt the encrypted symmetric key with the private key of the decryption device, using a preset second decryption algorithm, to obtain a decrypted symmetric key;
a third decryption module, configured to decrypt the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain decrypted plaintext off-line data.
Preferably, the decryption device further comprises:
a second acquisition module, configured to obtain the root certificate and the certificate of the encryption device;
a second authentication module, configured to verify the certificate of the encryption device using the root certificate;
wherein the first decryption module is specifically configured to decrypt the data digest signature with the public key in the certificate of the encryption device, using the preset first decryption algorithm, to obtain the decrypted digest.
Preferably, the second decryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
According to another aspect of the present invention, an encryption and decryption system for off-line data is also provided, comprising the encryption device described above and the decryption device described above.
With the above technical solution, the encryption method for off-line data provided by the present invention comprises: encrypting plaintext off-line data with a symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data; encrypting the symmetric key with the public key of the decryption end, using a preset second encryption algorithm, to obtain an encrypted symmetric key; and, by invoking the interface provided by a USB Key (a hardware device with a USB interface), encrypting the digest of the plaintext off-line data with the private key of the encryption end, using a preset third encryption algorithm, to obtain a data digest signature. The present invention therefore encrypts not only the plaintext off-line data but also the symmetric key, and encrypts the digest of the plaintext off-line data by invoking the USB Key, which effectively reduces leakage of the symmetric key and greatly improves the security of off-line data.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are merely embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an encryption method for off-line data provided by the present invention;
Fig. 2 is a schematic structural diagram of the data package in the present invention;
Fig. 3 is a flowchart of a decryption method for off-line data provided by the present invention;
Fig. 4 is a schematic structural diagram of an encryption device provided by the present invention;
Fig. 5 is a schematic structural diagram of a decryption device provided by the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 shows a flowchart of an encryption method for off-line data provided by the present invention. The method is applied to the encryption end and specifically comprises:
Step 101: randomly generate a symmetric key.
In this embodiment, when the encryption end needs to encrypt data, it first randomly generates a symmetric key.
In practical application, preferably, before step 101 the encryption end may also perform:
Step 1001: obtain the root certificate and the certificate of the decryption end.
In this embodiment, the encryption end can request the root certificate and certificate of the decryption end, for example by mail, and the decryption end then returns its root certificate and certificate to the encryption end, for example by mail.
Step 1002: verify the certificate of the decryption end using the root certificate.
After obtaining the root certificate and certificate of the decryption end, the encryption end uses the root certificate to verify the certificate of the decryption end. When the encryption end verifies the certificate of the decryption end as legitimate, the current decryption end is a legitimate user, and only then does step 101 start. The present invention thus ensures the legitimacy of the decryption end, which is the first safeguard for the security of data transmission.
Step 102: encrypt the plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data.
Step 103: encrypt the symmetric key with the public key of the decryption end, using a preset second encryption algorithm, to obtain an encrypted symmetric key.
The second encryption algorithm may comprise: the DES (Data Encryption Standard) algorithm, the 3DES (Triple Data Encryption Algorithm, triple DES) algorithm, the AES (Advanced Encryption Standard) algorithm or the SM4 algorithm.
In this embodiment, encrypting the symmetric key with the public key of the decryption end specifically means that the encryption end encrypts the symmetric key with the public key in the certificate of the decryption end.
Step 104: invoke the interface provided by the USB Key and encrypt the digest of the plaintext off-line data with the private key of the encryption end, using a preset third encryption algorithm, to obtain a data digest signature.
The digest of the plaintext off-line data is computed from the plaintext off-line data with a preset digest algorithm.
In this embodiment, the encryption end in turn encrypts the plaintext off-line data to obtain the ciphertext off-line data, encrypts the symmetric key to obtain the encrypted symmetric key, and encrypts the digest of the plaintext off-line data to obtain the data digest signature.
Therefore, after the above processing at the encryption end, the data to be sent to the decryption end, shown in Fig. 2, comprises four parts: the ciphertext off-line data, the encrypted symmetric key, the data digest signature and the digest of the plaintext off-line data.
It should be noted that the present invention does not limit the execution order of steps 103 and 104: step 104 may be performed before step 103, or steps 103 and 104 may be performed simultaneously.
Step 105: send the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end.
After obtaining the ciphertext off-line data, the encrypted symmetric key, the data digest signature and the digest of the plaintext off-line data, the encryption end sends these data to the decryption end.
Preferably, in this embodiment, after obtaining the ciphertext off-line data, the encrypted symmetric key, the data digest signature and the digest of the plaintext off-line data, the encryption end first packs the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data package, as shown in Fig. 2, and then sends the generated data package to the decryption end.
Therefore, at the encryption end, the processing comprises: encrypting the plaintext off-line data with the symmetric key, using the preset first encryption algorithm, to obtain the ciphertext off-line data; encrypting the symmetric key with the public key of the decryption end, using the preset second encryption algorithm, to obtain the encrypted symmetric key; and, by invoking the interface provided by the USB Key, encrypting the digest of the plaintext off-line data with the private key of the encryption end, using the preset third encryption algorithm, to obtain the data digest signature. The present invention therefore encrypts not only the plaintext off-line data but also the symmetric key, and encrypts the digest of the plaintext off-line data by invoking the USB Key, which effectively reduces leakage of the symmetric key and greatly improves the security of off-line data.
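The certificate check of steps 1001 and 1002, as an added Go example that is not code from the patent; the decryption end's steps 2001 and 2002 are the same check with the roles swapped. The names `VerifiedPublicKey` and `issue`, the key-usage requirement and the constructed certificates are assumptions of this example, and the root certificate is assumed to come from a trust store provisioned out of band.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Key usages this example requires of a peer certificate (an assumption, not from the page).
const (
	KeyWrap   = x509.KeyUsageKeyEncipherment  // certificate whose key encrypts the symmetric key
	Signature = x509.KeyUsageDigitalSignature // certificate whose key checks the digest signature
)

// VerifiedPublicKey returns the peer's public key only if its certificate chains to the
// root, is valid at time now and permits the needed usage. Assumption: rootDER comes
// from a trust store provisioned out of band, not from the same message as peerDER.
func VerifiedPublicKey(rootDER, peerDER []byte, need x509.KeyUsage, now time.Time) (*rsa.PublicKey, error) {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, fmt.Errorf("root certificate: %w", err)
	}
	peer, err := x509.ParseCertificate(peerDER)
	if err != nil {
		return nil, fmt.Errorf("peer certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return nil, fmt.Errorf("peer certificate rejected: %w", err)
	}
	if peer.KeyUsage&need == 0 {
		return nil, errors.New("peer certificate does not permit the required key usage")
	}
	pub, ok := peer.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("peer certificate does not carry an RSA key")
	}
	return pub, nil
}

// issue builds a constructed certificate for the demo. A nil parent means self-signed.
func issue(cn string, isCA bool, usage x509.KeyUsage, parent *x509.Certificate,
	parentKey *rsa.PrivateKey) ([]byte, *x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	life := 365 * 24 * time.Hour
	if isCA {
		usage, life = x509.KeyUsageCertSign, 10*life
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(life),
		KeyUsage: usage, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return der, cert, key
}

func main() {
	rootDER, root, rootKey := issue("Constructed Root CA", true, 0, nil, nil)
	peerDER, _, _ := issue("decryption-end", false, KeyWrap, root, rootKey)
	rogueDER, _, _ := issue("decryption-end", false, KeyWrap, nil, nil) // self-signed look-alike
	_, err := VerifiedPublicKey(rootDER, peerDER, KeyWrap, time.Now())
	fmt.Println("issued by the root:", err)
	_, err = VerifiedPublicKey(rootDER, rogueDER, KeyWrap, time.Now())
	fmt.Println("self-signed look-alike:", err)
}
```

The public key is returned only after every check has passed, so a caller cannot encrypt the symmetric key to a certificate that was never verified.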
Further, for the decryption end, Fig. 3 shows a flowchart of a decryption method for off-line data provided by the present invention. The method is applied to the decryption end and specifically comprises:
Step 201: receive the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end.
In this embodiment, if the data sent by the encryption end to the decryption end is a data package containing the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key, the decryption end first reads the data package and then extracts from it the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key.
Of course, to ensure the legitimacy of the identity of the encryption end, the decryption end preferably also performs the following before step 201:
Step 2001: obtain the root certificate and the certificate of the encryption end.
In this embodiment, the decryption end can likewise first request the root certificate and certificate of the encryption end, for example by mail, and the encryption end then returns its root certificate and certificate to the decryption end, for example by mail.
Step 2002: verify the certificate of the encryption end using the root certificate.
After obtaining the root certificate and certificate of the encryption end, the decryption end uses the root certificate to verify the certificate of the encryption end. When the decryption end verifies the certificate of the encryption end as legitimate, the current encryption end is a legitimate user, and only then does step 201 start. The present invention thus ensures the legitimacy of the encryption end, which is the first safeguard for the security of data transmission.
Step 202: decrypt the data digest signature with the public key of the encryption end, using a preset first decryption algorithm, to obtain a decrypted digest.
In the present invention, the decryption end first decrypts the data digest signature with the public key of the encryption end to obtain the decrypted digest.
Decrypting the data digest signature with the public key of the encryption end specifically means decrypting it with the public key in the certificate of the encryption end.
Step 203: compare the decrypted digest with the digest of the plaintext off-line data. When the comparison succeeds, perform step 204; when the comparison fails, perform step 206.
A successful comparison means that the decrypted digest is consistent with the digest of the plaintext off-line data sent by the encryption end; a failed comparison means that the decrypted digest is inconsistent with the digest of the plaintext off-line data sent by the encryption end.
In practice, the ciphertext off-line data sent by the encryption end may be intercepted and maliciously tampered with. To ensure that the ciphertext off-line data the decryption end is about to decrypt is correct, the decryption end first decrypts the data digest signature with the public key of the encryption end to obtain the decrypted digest, and then compares the decrypted digest with the digest of the plaintext off-line data sent by the encryption end. When the comparison succeeds, the data currently received by the decryption end is correct and legitimate, and the subsequent decryption steps are performed. If the comparison fails, the data currently received is suspected of having been maliciously tampered with, and the decryption end stops processing and no longer handles the data received from the encryption end.
Step 204: invoke the interface provided by the USB Key and decrypt the encrypted symmetric key with the private key of the decryption end, using a preset second decryption algorithm, to obtain a decrypted symmetric key.
The second decryption algorithm may comprise: the DES algorithm, the 3DES algorithm, the AES algorithm or the SM4 algorithm.
Step 205: decrypt the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain the decrypted plaintext off-line data.
Step 206: stop processing.
Therefore, the decryption end first decrypts the data digest signature with the public key of the encryption end, using the preset first decryption algorithm, to obtain the decrypted digest, and then compares the decrypted digest with the digest of the plaintext off-line data. When the comparison succeeds, the decryption end invokes the interface provided by the USB Key and decrypts the encrypted symmetric key with the private key of the decryption end, using the preset second decryption algorithm, to obtain the decrypted symmetric key; it then decrypts the ciphertext off-line data with the decrypted symmetric key, using the preset third decryption algorithm, to obtain the decrypted plaintext off-line data. Because the encrypted symmetric key is decrypted through the interface provided by the USB Key before the decrypted symmetric key is used to decrypt the ciphertext off-line data, the present invention effectively reduces leakage of the symmetric key and greatly improves the security of off-line data.
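Steps 101 to 105 and 201 to 206 end to end, as an added Go example rather than code from the patent. The algorithm choices (AES-256-GCM, RSA-OAEP, RSA-PSS over SHA-256), the `Package` layout and the use of `crypto.Signer` and `crypto.Decrypter` to stand in for the USB Key interface are assumptions of this example; the final digest recomputation goes beyond the steps on the page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package holds the four parts sent to the decryption end; Ciphertext is nonce || AES-GCM output.
type Package struct{ Digest, Ciphertext, Signature, WrappedKey []byte }

const keyLen, nonceLen = 32, 12 // AES-256 key and GCM nonce sizes in bytes
var (
	ErrSignature = errors.New("digest signature does not verify")
	ErrDecrypt   = errors.New("key unwrap or data decryption failed")
	ErrDigest    = errors.New("recovered plaintext does not match the signed digest")
	pssOpts      = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
)

func newKey() *rsa.PrivateKey { // constructed key standing in for one held on a USB Key
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt follows steps 101-105; signer stands in for the sender's USB Key interface.
func Encrypt(plaintext []byte, recipient *rsa.PublicKey, signer crypto.Signer) (*Package, error) {
	secret := make([]byte, keyLen+nonceLen) // step 101: random symmetric key, plus a nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	key, nonce := secret[:keyLen], secret[keyLen:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil)                                    // step 102
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil) // step 103
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plaintext)
	sig, err := signer.Sign(rand.Reader, digest[:], pssOpts) // step 104
	if err != nil {
		return nil, err
	}
	return &Package{Digest: digest[:], Ciphertext: ct, Signature: sig, WrappedKey: wrapped}, nil
}

// Decrypt follows steps 201-206; decrypter stands in for the receiver's USB Key interface.
func Decrypt(p *Package, sender *rsa.PublicKey, decrypter crypto.Decrypter) ([]byte, error) {
	if rsa.VerifyPSS(sender, crypto.SHA256, p.Digest, p.Signature, pssOpts) != nil { // steps 202-203
		return nil, ErrSignature // step 206: stop processing
	}
	key, err := decrypter.Decrypt(rand.Reader, p.WrappedKey, &rsa.OAEPOptions{Hash: crypto.SHA256}) // step 204
	if err != nil || len(p.Ciphertext) < nonceLen {
		return nil, ErrDecrypt
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, ErrDecrypt
	}
	pt, err := gcm.Open(nil, p.Ciphertext[:nonceLen], p.Ciphertext[nonceLen:], nil) // step 205
	if err != nil {
		return nil, ErrDecrypt
	}
	// Added check, not a step on the page: steps 202-203 tie the signature to the
	// transmitted digest only, so recompute the digest over what was decrypted.
	if sum := sha256.Sum256(pt); !bytes.Equal(sum[:], p.Digest) {
		return nil, ErrDigest
	}
	return pt, nil
}

func main() {
	sender, receiver := newKey(), newKey()
	pkg, err := Encrypt([]byte("constructed off-line record"), &receiver.PublicKey, sender)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(pkg, &sender.PublicKey, receiver)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
}
```

The three error values separate a failed signature check, a failed key unwrap or data decryption, and a signed digest that does not belong to the recovered plaintext, which is useful when logging rejected packages.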
Based on the encryption method for off-line data provided above, the present invention also provides an encryption device, as shown in Fig. 4, comprising:
a symmetric key generation module 100, configured to randomly generate a symmetric key;
a first encryption module 200, configured to encrypt plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data;
a second encryption module 300, configured to encrypt the symmetric key with the public key of the decryption device, using a preset second encryption algorithm, to obtain an encrypted symmetric key;
wherein the second encryption algorithm comprises: the DES algorithm, the 3DES algorithm, the AES algorithm or the SM4 algorithm;
a third encryption module 400, configured to invoke the interface provided by a USB Key and encrypt a digest of the plaintext off-line data with the private key of the encryption device, using a preset third encryption algorithm, to obtain a data digest signature, wherein the digest of the plaintext off-line data is computed from the plaintext off-line data with a preset digest algorithm;
a data sending module 500, configured to send the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption device.
Preferably, the encryption device may further comprise:
a first acquisition module 600, configured to obtain the root certificate and the certificate of the decryption device;
a first authentication module 700, configured to verify the certificate of the decryption device using the root certificate.
In this case, the second encryption module 300 is specifically configured to encrypt the symmetric key with the public key in the certificate of the decryption device, using the preset second encryption algorithm, to obtain the encrypted symmetric key.
More preferably, the data sending module 500 may further comprise:
a data package generation submodule 501, configured to pack the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data package;
a data package sending submodule 502, configured to send the data package to the decryption device.
Meanwhile, based on the decryption method for off-line data provided above, the present invention also provides a decryption device which, as shown in Figure 5, comprises:
Data reception module 1000, for receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption device;
First deciphering module 2000, for decrypting the data digest signature with the public key of the encryption device, using a preset first decryption algorithm, to obtain the decrypted digest;
Comparing module 3000, for comparing the decrypted digest with the digest of the plaintext off-line data;
Second deciphering module 4000, for, when the comparing module 3000 finds that the decrypted digest is consistent with the digest of the plaintext off-line data, calling the interface provided by the USBKey and decrypting the encrypted symmetric key with the private key in the decryption device, using a preset second decryption algorithm, to obtain the decrypted symmetric key;
Wherein, the second decryption algorithm comprises: the DES algorithm, the 3DES algorithm, the AES algorithm or the SM4 algorithm.
Third deciphering module 5000, for decrypting the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain the decrypted plaintext off-line data.
Preferably, the present invention may further comprise:
Second acquisition module 6000, for obtaining a root certificate and the certificate of the encryption device;
Second authentication module 7000, for authenticating the certificate of the encryption device using the root certificate;
In this case, the first deciphering module 2000 is specifically configured to decrypt the data digest signature with the public key in the certificate of the encryption device, using the preset first decryption algorithm, to obtain the decrypted digest.
In addition, the present invention also provides an encryption and decryption system based on off-line data, comprising the encryption device described above and the decryption device described above.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another. Because the device embodiments are substantially similar to the method embodiments, they are described only briefly; for the relevant parts, see the description of the method embodiments.
Finally, it should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device comprising that element.
The encryption method and decryption method for off-line data, and the corresponding devices and system, provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the present invention, and the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. Meanwhile, a person of ordinary skill in the art may, according to the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the content of this description should not be construed as limiting the present invention.
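The exchange between the encryption device and the decryption device described above, as an added example that is not code from the patent. It uses standard-library toy stand-ins (textbook RSA over fixed Mersenne primes in place of the USBKey-held key pairs, a SHA-256 keystream in place of the preset symmetric algorithm), all function names are assumptions, and it adds one check beyond the listed modules: the digest is recomputed over the recovered plaintext.

```python
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=65537):
    """Toy textbook-RSA key pair (assumption: stands in for a USBKey-held pair)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


# Constructed demo keys from known Mersenne primes; not secure parameters.
ENC_PUB, ENC_PRIV = make_keypair(2**521 - 1, 2**607 - 1)    # encryption device
DEC_PUB, DEC_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)   # decryption device


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (AES/SM4 stand-in)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_offline(plaintext, enc_priv, dec_pub):
    """Encryption device: modules 100-500 in one call."""
    sym_key = secrets.token_bytes(16)                       # random symmetric key
    ciphertext = stream_xor(sym_key, plaintext)             # first encryption
    wrapped_key = pow(int.from_bytes(sym_key, "big"),       # second encryption:
                      dec_pub["e"], dec_pub["n"])           # key under receiver's public key
    digest = hashlib.sha256(plaintext).digest()             # preset digest algorithm
    signature = pow(int.from_bytes(digest, "big"),          # third encryption:
                    enc_priv["d"], enc_priv["n"])           # digest under sender's private key
    return {"digest": digest, "ciphertext": ciphertext,
            "signature": signature, "wrapped_key": wrapped_key}


def decrypt_offline(packet, enc_pub, dec_priv):
    """Decryption device: modules 1000-5000, plus a final plaintext check."""
    # First decryption + comparison: signature must open to the transmitted digest.
    recovered = pow(packet["signature"], enc_pub["e"], enc_pub["n"])
    if recovered != int.from_bytes(packet["digest"], "big"):
        raise ValueError("signature does not match transmitted digest")
    # Second decryption: unwrap the symmetric key with the receiver's private key.
    key_int = pow(packet["wrapped_key"], dec_priv["d"], dec_priv["n"])
    try:
        sym_key = key_int.to_bytes(16, "big")
    except OverflowError:
        raise ValueError("wrapped key is malformed") from None
    # Third decryption: recover the plaintext.
    plaintext = stream_xor(sym_key, packet["ciphertext"])
    # Added check (not among the listed modules): the signed digest covers the
    # plaintext, so a modified ciphertext is only caught by recomputing it here.
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), packet["digest"]):
        raise ValueError("recovered plaintext does not match signed digest")
    return plaintext


if __name__ == "__main__":
    sample = b"constructed sample: off-line batch 0001"
    pkt = encrypt_offline(sample, ENC_PRIV, DEC_PUB)
    print(decrypt_offline(pkt, ENC_PUB, DEC_PRIV))
```

A packet whose ciphertext alone has been altered still passes the signature comparison, because the digest and signature are untouched; only the recomputed digest rejects it.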

Claims (15)

1. An encryption method for off-line data, applied to an encryption end, characterized in that it comprises:
Randomly generating a symmetric key;
Encrypting plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data;
Encrypting the symmetric key with the public key of a decryption end, using a preset second encryption algorithm, to obtain the encrypted symmetric key;
Calling the interface provided by a USBKey and encrypting the digest of the plaintext off-line data with the private key in the encryption end, using a preset third encryption algorithm, to obtain a data digest signature; wherein the digest of the plaintext off-line data is generated by applying a preset digest algorithm to the plaintext off-line data;
Sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end.
2. The method according to claim 1, characterized in that, before the randomly generating a symmetric key, the method further comprises:
Obtaining a root certificate and the certificate of the decryption end;
Authenticating the certificate of the decryption end using the root certificate;
When the certificate of the decryption end is authenticated as legitimate, performing the step of randomly generating a symmetric key;
Wherein the public key of the decryption end is the public key in the certificate of the decryption end.
3. The method according to claim 1 or 2, characterized in that the sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption end comprises:
Packing the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data packet;
Sending the data packet to the decryption end.
4. The method according to claim 1 or 2, characterized in that the second encryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
5. A decryption method for off-line data, applied to a decryption end, characterized in that it comprises:
Receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by an encryption end;
Decrypting the data digest signature with the public key of the encryption end, using a preset first decryption algorithm, to obtain the decrypted digest;
Comparing the decrypted digest with the digest of the plaintext off-line data;
When the decrypted digest is consistent with the digest of the plaintext off-line data, calling the interface provided by a USBKey and decrypting the encrypted symmetric key with the private key in the decryption end, using a preset second decryption algorithm, to obtain the decrypted symmetric key;
Decrypting the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain the decrypted plaintext off-line data.
6. The method according to claim 5, characterized in that, before the receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end, the method further comprises:
Obtaining a root certificate and the certificate of the encryption end;
Authenticating the certificate of the encryption end using the root certificate;
When the certificate of the encryption end is authenticated as legitimate, performing the step of receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by the encryption end;
Wherein the public key of the encryption end is the public key in the certificate of the encryption end.
7. The method according to claim 5 or 6, characterized in that the second decryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
8. An encryption device, characterized in that it comprises:
A symmetric key generation module, for randomly generating a symmetric key;
A first encrypting module, for encrypting plaintext off-line data with the symmetric key, using a preset first encryption algorithm, to obtain ciphertext off-line data;
A second encrypting module, for encrypting the symmetric key with the public key of a decryption device, using a preset second encryption algorithm, to obtain the encrypted symmetric key;
A third encrypting module, for calling the interface provided by a USBKey and encrypting the digest of the plaintext off-line data with the private key in the encryption device, using a preset third encryption algorithm, to obtain a data digest signature; wherein the digest of the plaintext off-line data is generated by applying a preset digest algorithm to the plaintext off-line data;
A data sending module, for sending the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key to the decryption device.
9. The encryption device according to claim 8, characterized in that it further comprises:
A first acquisition module, for obtaining a root certificate and the certificate of the decryption device;
A first authentication module, for authenticating the certificate of the decryption device using the root certificate;
Wherein the second encrypting module is specifically configured to encrypt the symmetric key with the public key in the certificate of the decryption device, using the preset second encryption algorithm, to obtain the encrypted symmetric key.
10. The encryption device according to claim 8 or 9, characterized in that the data sending module comprises:
A packet generation submodule, for packing the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key according to a preset standard format to generate a data packet;
A packet sending submodule, for sending the data packet to the decryption device.
11. The encryption device according to claim 8 or 9, characterized in that the second encryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
12. A decryption device, characterized in that it comprises:
A data reception module, for receiving the digest of the plaintext off-line data, the ciphertext off-line data, the data digest signature and the encrypted symmetric key sent by an encryption device;
A first deciphering module, for decrypting the data digest signature with the public key of the encryption device, using a preset first decryption algorithm, to obtain the decrypted digest;
A comparing module, for comparing the decrypted digest with the digest of the plaintext off-line data;
A second deciphering module, for, when the comparing module finds that the decrypted digest is consistent with the digest of the plaintext off-line data, calling the interface provided by a USBKey and decrypting the encrypted symmetric key with the private key in the decryption device, using a preset second decryption algorithm, to obtain the decrypted symmetric key;
A third deciphering module, for decrypting the ciphertext off-line data with the decrypted symmetric key, using a preset third decryption algorithm, to obtain the decrypted plaintext off-line data.
13. The decryption device according to claim 12, characterized in that it further comprises:
A second acquisition module, for obtaining a root certificate and the certificate of the encryption device;
A second authentication module, for authenticating the certificate of the encryption device using the root certificate;
Wherein the first deciphering module is specifically configured to decrypt the data digest signature with the public key in the certificate of the encryption device, using the preset first decryption algorithm, to obtain the decrypted digest.
14. The decryption device according to claim 12 or 13, characterized in that the second decryption algorithm comprises: the Data Encryption Standard (DES) algorithm, the triple DES (3DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the SM4 algorithm.
15. An encryption and decryption system based on off-line data, characterized in that it comprises: the encryption device according to any one of claims 8-11 and the decryption device according to any one of claims 12-14.
CN201510766316.6A 2015-11-11 2015-11-11 Off-line data encryption method and decryption method and corresponding apparatus and system Pending CN105447407A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510766316.6A CN105447407A (en) 2015-11-11 2015-11-11 Off-line data encryption method and decryption method and corresponding apparatus and system

Publications (1)

Publication Number Publication Date
CN105447407A true CN105447407A (en) 2016-03-30

Family

ID=55557570

Country Status (1)

Country Link
CN (1) CN105447407A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1556449A (en) * 2004-01-08 2004-12-22 中国工商银行 Device and method for proceeding encryption and identification of network bank data
CN101127111A (en) * 2006-08-18 2008-02-20 中信银行 Internet bank U disc KEY ciphering, authentication device and method
JP4912809B2 (en) * 2006-09-25 2012-04-11 株式会社エヌ・ティ・ティ・ドコモ Electronic signature server, electronic signature system, and electronic signature method
CN102025505A (en) * 2010-12-16 2011-04-20 浪潮(北京)电子信息产业有限公司 Advanced encryption standard (AES) algorithm-based encryption/decryption method and device
CN103179086A (en) * 2011-12-21 2013-06-26 中国电信股份有限公司 Method and system for remote storing processing of data
CN103731270A (en) * 2013-12-25 2014-04-16 华南理工大学 Communication data encryption and decryption method based on BBS, RSA and SHA-1 encryption algorithm
CN103905204A (en) * 2014-04-02 2014-07-02 天地融科技股份有限公司 Data transmission method and transmission system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
凌捷,谢赞福: "《信息化建设与信息安全》", 30 April 2013, 广东人民出版社 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160330