CN111107038B - Encryption method, decryption method and device - Google Patents
Encryption method, decryption method and device Download PDFInfo
- Publication number
- CN111107038B CN111107038B CN201811253673.2A CN201811253673A CN111107038B CN 111107038 B CN111107038 B CN 111107038B CN 201811253673 A CN201811253673 A CN 201811253673A CN 111107038 B CN111107038 B CN 111107038B
- Authority
- CN
- China
- Prior art keywords
- key
- card
- ciphertext
- terminal
- session key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
Abstract
The application discloses an encryption method, a decryption method and a device, wherein the encryption method comprises the following steps: acquiring non-key data to be sent to first target equipment; inputting the non-key data to be sent to the first target equipment to the password card; controlling the password card to carry out a first encryption operation, wherein the first encryption operation is only to encrypt non-key data; and under the condition that the session key needs to be sent to the first target equipment, controlling the password card to perform a second encryption operation, wherein the second encryption operation is only to encrypt the session key. Through the embodiment of the application, the data transmitted among the KDC, the terminal and the server side are non-key data, and even if the operating systems of any equipment in the KDC, the terminal and the server side are broken, an attacker cannot acquire the key through controlling the operating systems.
Description
Technical Field
The present application relates to the field of quantum communication, and in particular, to an encryption method, a decryption method, and an apparatus.
Background
In a quantum communication network, authentication is required before both devices perform data communication. One possible application scenario is that when a terminal needs to apply for a resource or a service from a server, the terminal and the server need to perform authentication. The terminal and the server are non-peer entities, and the server provides services while the terminal uses the services. The terminal actively initiates an authentication process, and the server side waits for the connection of the terminal and carries out validity verification on the terminal. Symmetric cryptography is required to be adopted for authentication of devices in the quantum communication network, and the Kerberos protocol is particularly suitable for device authentication of the quantum communication network because the Kerberos protocol uses the symmetric cryptography for authentication. The Kerberos protocol is a network identity authentication protocol, and is an authentication protocol based on a trusted third party (Key Distribution Center, KDC) and using symmetric cryptography. At present, the method is widely used for the mature identity authentication protocol of the classical network.
The KDC comprises an Authentication Service (AS) and a bill Granting Service (TGS), wherein the AS is used for receiving Authentication information of the terminal and authenticating the terminal according to the received Authentication information; the TGS is used for verifying the legality of the terminal. The process that the terminal and the server side carry out identity authentication according to the Kerberos protocol comprises the following steps: the AS receives authentication information of the terminal, authenticates the terminal according to the received authentication information, and if the AS passes the authentication of the terminal, issues a Ticket Granting Ticket (TGT) to the terminal so that the terminal applies for a Service Ticket (ST) from the TGS by using the TGT; if the TGS issues the ST to the terminal, the identity of the TGS authentication terminal is legal, and the ST is a certificate of the terminal access server; then, the identity authentication is performed between the terminal and the server.
However, in the process of authenticating the terminal and the server, part or all of the authentication key and the session key appear in the KDC, the memory of the terminal and the server, and the CPU. When the operating systems of the KDC, the terminal, and the server are broken by an attacker, that is, the attacker obtains the control right of the operating system, at this time, the attacker can obtain the authentication key and/or the session key by controlling the operating system.
Disclosure of Invention
Based on this, the application provides an encryption method, so that even if the operating systems of the KDC, the terminal and the server are broken by an attacker, the attacker cannot acquire the authentication key and the session key by controlling the operating systems of the KDC, the terminal and the server.
The application also provides an encryption device for ensuring the realization and the application of the method in practice.
The technical scheme provided by the application is as follows:
the application discloses an encryption method, which is applied to first equipment, wherein a password card is preset in the first equipment, and the method comprises the following steps:
acquiring non-key data to be sent to first target equipment;
inputting the non-key data to be sent to the first target equipment to the password card;
controlling the password card to carry out a first encryption operation, wherein the first encryption operation is only used for encrypting the non-key data;
and under the condition that the session key needs to be sent to the first target equipment, controlling the password card to perform a second encryption operation, wherein the second encryption operation is only used for encrypting the session key.
Wherein the first device is a KDC;
before the controlling the cryptographic card to perform the second encryption operation, the method further includes:
And controlling the password card to generate the session key which needs to be sent to the first target equipment.
The password card is preset with a first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key;
before the controlling the cryptographic card to perform the first encryption operation, the method further includes:
controlling a password card of the KDC to generate an intermediate session key; the intermediate session key is used for encrypting non-key data to be sent to the first target equipment;
the controlling the cryptographic card to perform a first encryption operation includes:
controlling a cipher card of the KDC to encrypt the non-key data to be sent to the first target equipment by using the intermediate session key;
the controlling the cryptographic card to perform a second encryption operation includes:
and controlling the cryptographic card to respectively encrypt the intermediate session key and the session key to be sent to the first target device by using the third authentication key.
The KDC is preset with a first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key;
The control of the crypto card to perform a first encryption operation includes:
controlling the password card to encrypt the non-key data which needs to be sent to the first target equipment by adopting the session key which needs to be sent to the first target equipment;
the control of the crypto card to perform a second encryption operation includes:
and controlling the password card to encrypt the session key to be sent to the first target equipment by adopting the first authentication key.
The first device is a terminal or a server, and a session key for communicating with the first target device exists in the password card;
the controlling the cryptographic card to perform a first encryption operation includes:
and controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key for communicating with the first target equipment.
The application also discloses a decryption method, which is applied to second equipment, wherein a password card is preset in the second equipment, and the method comprises the following steps:
obtaining a ciphertext to be decrypted; the ciphertext comprises at least one non-key data ciphertext; the non-key data ciphertext is generated by an encryption terminal through a first encryption operation; under the condition that the ciphertext also comprises a session key ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation;
Inputting the ciphertext into the password card;
controlling the cipher card to decrypt each cipher text respectively, decrypting the non-key data cipher text to obtain non-key data, and decrypting the session key cipher text to obtain a session key;
deriving the non-key data from a cryptographic card of the second device.
Wherein the ciphertext comprises at least one first target non-key data ciphertext and at least one session key ciphertext; an authentication key corresponding to the second equipment is preset in the password card;
the controlling the crypto card to decrypt each ciphertext respectively includes:
controlling the cipher card to decrypt the at least one session key ciphertext by adopting an authentication key corresponding to the second device, so that the cipher card of the second device obtains at least one session key;
and controlling the cipher card to decrypt the first target non-key data ciphertext by using the at least one session key, so that the cipher card obtains first target non-key data.
Wherein the ciphertext is a second target non-key data ciphertext; a target session key exists in the password card; the target session key is used for communicating with a device that sends the second target non-key data ciphertext;
The controlling the crypto card to decrypt each ciphertext respectively includes:
and controlling the cipher card to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card obtains the second target non-key data.
The application also discloses encryption device is applied to first equipment, the password card has been preset in the first equipment, encryption device includes:
the first acquisition unit is used for acquiring non-key data which needs to be sent to the first target equipment;
the first input unit is used for inputting the non-key data which needs to be sent to the first target equipment into the password card;
the first control unit is used for controlling the password card to carry out first encryption operation, and the first encryption operation is only used for encrypting the non-key data;
and the second control unit is used for controlling the cryptographic card to perform a second encryption operation under the condition that the session key needs to be sent to the first target equipment, wherein the second encryption operation is only used for encrypting the session key.
Wherein the first device is a KDC; the device further comprises:
and the third control unit is used for controlling the cryptographic card to generate the session key which needs to be sent to the first target device before the second control unit controls the cryptographic card to perform the second encryption operation.
The password card is preset with a first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key; the device further comprises:
a fourth control unit, configured to control the cryptographic card of the KDC to generate an intermediate session key before the first control unit controls the cryptographic card to perform the first encryption operation; the intermediate session key is used for encrypting non-key data to be sent to the first target equipment;
the first control unit is specifically configured to:
controlling a cipher card of the KDC to encrypt the non-key data to be sent to the first target equipment by using the intermediate session key;
the second control unit is specifically configured to:
and controlling the cryptographic card to respectively encrypt the intermediate session key and the session key to be sent to the first target device by using the third authentication key.
The KDC is preset with a first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key;
the first control unit is specifically configured to:
controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key to be sent to the first target equipment;
The second control unit is specifically configured to:
and controlling the password card to encrypt the session key to be sent to the first target equipment by adopting the first authentication key.
The first device is a terminal or a server, and a session key for communicating with the first target device exists in the password card;
the first control unit is specifically configured to:
and controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key for communicating with the first target equipment.
The application also discloses a decryption device is applied to the second equipment, the password card has been preset in the second equipment, the device includes:
the second acquisition unit is used for acquiring the ciphertext to be decrypted; the ciphertext comprises at least one non-key data ciphertext; the non-key data ciphertext is generated by an encryption terminal through a first encryption operation; under the condition that the ciphertext also comprises a session key ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation;
the second input unit is used for inputting the ciphertext into the password card;
the fifth control unit is used for controlling the cipher card to decrypt each cipher text respectively, decrypting the non-key data cipher text to obtain non-key data, and decrypting the session key cipher text to obtain a session key;
A derivation unit to derive the non-key data from a cryptographic card of the second device.
The ciphertext to be decrypted acquired by the second acquiring unit is at least one first target non-key data ciphertext and at least one session key ciphertext; an authentication key corresponding to the second equipment is preset in the password card;
the fifth control unit is specifically configured to:
controlling the cipher card to decrypt the at least one session key ciphertext by adopting an authentication key corresponding to the second device, so that the cipher card of the second device obtains at least one session key;
and controlling the cipher card to decrypt the first target non-key data ciphertext by using the at least one session key, so that the cipher card obtains first target non-key data.
The ciphertext to be decrypted acquired by the second acquiring unit is a second target non-key data ciphertext; a target session key exists in the password card; the target session key is used for communicating with a device that sends the second target non-key data ciphertext;
the fifth control unit is specifically configured to:
and controlling the cipher card to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card obtains the second target non-key data.
The beneficial effect of this application does:
in the embodiment of the application, on one hand, only non-key data which needs to be sent to the first target device is input into the password card, and the generation of a ciphertext which needs to be sent to the first target device based on the data to be encrypted is completed in the password card, so that the data sent by the first device outwards is the non-key data; on the other hand, the password card is controlled to only encrypt the non-key data by adopting a first encryption operation and only encrypt the session key data by adopting a second encryption operation, so that each ciphertext obtained by the password card only comprises the non-key data or the session key data; when the ciphertext obtained by the cipher card is decrypted, the data decrypted by each ciphertext is non-key data or session key data; moreover, under the condition of no user operation, the cryptographic card cannot output the session key data, so that the non-key data can be derived from the cryptographic card only, and the data transmitted outwards by the first device is ensured to be the non-key data. Therefore, in the embodiment of the application, data transmitted among the KDC, the terminal, and the server are non-key data, and even if the operating systems of any devices among the KDC, the terminal, and the server are hacked, an attacker cannot acquire the key by controlling the operating systems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an embodiment of a method for a terminal to interact with a KDC in the present application;
fig. 2 is a flowchart of another embodiment of a method for a terminal to interact with a KDC;
fig. 3 is a flowchart illustrating an embodiment of a method for a terminal to interact with a server according to the present application;
FIG. 4 is a flow chart of an embodiment of an encryption method of the present application;
FIG. 5 is a flowchart of an embodiment of a decryption method of the present application;
FIG. 6 is a schematic structural diagram of an embodiment of an encryption apparatus according to the present application;
fig. 7 is a schematic structural diagram of an embodiment of a decryption apparatus in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiment of the present application, the preparation work required before the terminal and the server perform authentication includes:
a cipher card is added in each of the first terminal, the server and the key distribution center, and the cipher card is a classic device capable of providing encryption and decryption operation and performing key protection. The physical interfaces of the cipher card are usually in a PCIE form, and are directly inserted into PCIE slots of the terminal, the server, and the key distribution center, respectively. The cipher card is controlled to complete the encryption and decryption functions of the cipher key through the drive provided by the cipher card manufacturer.
Secondly, the connection of the physical link is completed for the terminal, the server and the key distribution center. Namely, the terminal, the server and the key distribution center are connected by a network cable.
And thirdly, presetting authentication keys in the terminal, the server and the key distribution center respectively.
Specifically, a Ukey is inserted into the key distribution center, and the Ukey is a matching component of the password card and is used for authenticating the user by the password card. The authentication mode of the password card for the user comprises the following steps: the Ukey is inserted into the USB interface of the password card, and then a program given by the password card manufacturer is operated to input a password (PIN code).
In the embodiment of the present application, the same authentication key needs to be preset in the cryptographic card of the key distribution center and the cryptographic card of the terminal, and the same authentication key needs to be preset in the cryptographic card of the key distribution center and the cryptographic card of the server, and for convenience of description, the same authentication key is preset in the cryptographic card of the key distribution center and the cryptographic card of the terminal, which are referred to as a first authentication key; the same authentication key is preset in the password card of the key distribution center and the password card of the server side, and is called as a second authentication key. In addition, in the embodiment of the present application, the cryptographic card of the key distribution center needs to be preset with an authentication key specific to the cryptographic card of the key distribution center, and for convenience of description, the authentication key specific to the cryptographic card of the key distribution center is referred to as a third authentication key.
Specifically, the process of presetting the first authentication key in the cryptographic card of the key distribution center and the cryptographic card of the terminal may include:
after the user is authenticated by the cipher card of the key distribution center, the user can export, import, update and the like the key in the cipher card. Specifically, the user performs an operation of "generate authentication key and encrypt derivation", at which time the authentication key is generated within the cryptographic card of the key distribution center, and the authentication key generated by the cryptographic card is derived into the Ukey.
And then, inserting the Ukey into the password card of the terminal, and performing the authentication process of the password card of the terminal to the user in the same way, wherein the specific authentication process is the same as the authentication process of the password card of the key distribution center to the user, and the details are not repeated here. After the user is authenticated by the terminal password card, the user performs an operation of "importing an authentication key", at this time, the authentication key in the Ukey is imported into the terminal password card, and at this time, the same first authentication key exists in the terminal password card and the password card of the key distribution center.
Similarly, the process of presetting the second authentication key in the cryptographic card of the key distribution center and the cryptographic card of the server may include:
The Ukey is inserted into a USB interface of a password card of the key distribution center, and then a program given by a password card manufacturer is operated to input a password (PIN code). After the user is authenticated by the password card of the key distribution center, the user performs an operation of "generating an authentication key and deriving encryption", at which time, a second authentication key is generated in the password card of the key distribution center, and the second authentication key generated by the password card is derived into the Ukey.
And then, inserting the Ukey into the password card of the server, and performing the authentication process of the password card of the server to the user in the same way, wherein the specific authentication process is the same as the authentication process of the password card of the key distribution center to the user, and the details are not repeated here. After the authentication process of the password card of the server to the user is completed, the user executes the operation of 'importing the authentication key', at this time, a second authentication key in the Ukey is imported into the password card of the server, and at this time, the same second authentication key exists in the password card of the server and the password card of the key distribution center.
The process of presetting the third authentication key in the cryptographic card of the key distribution center may include:
the Ukey is inserted into a USB interface of a password card of the key distribution center, and then a program given by a password card manufacturer is operated to input a password (PIN code). After the user is authenticated by the password card of the key distribution center, the user performs an operation of "generating an authentication key", and at this time, a third authentication key is generated in the password card of the key distribution center.
At this time, the preparation work required before the terminal and the server are authenticated is completed, a first authentication key, a second authentication key and a third authentication key exist in the password card of the key distribution center, and the first authentication key exists in the password card of the terminal; a second authentication key is present in the cryptographic card of the server.
Referring to fig. 1, a method for a terminal to interact with a KDC in an embodiment of the present application is shown, and may include:
step 101: the terminal sends a first message to the KDC.
In this step, the first message includes the name/ID of the terminal, the IP address of the terminal, and the life cycle of the terminal. It can be seen that the first message is non-key data.
Step 102: and the KDC verifies whether the terminal is legal or not by comparing the information in the first message with the information in the database. If the terminal is illegal, ending; if the terminal is legal, step 103 is executed.
Step 103: KDC generates TGT.
In this step, the TGT is ciphertext obtained by encrypting first information that the KDC needs to send to the terminal and second information that the KDC needs to send to the terminal, respectively. The first information that the KDC needs to send to the terminal includes: the terminal verifies data information required by the TGS and a session key for communication between the terminal and the TGS, and for convenience of description, the session key for communication between the terminal and the TGS is called a first session key; the data information required by the terminal for verifying the TGS may include: TGS name/ID, timestamp, and TGT lifecycle; it can be seen that the data information required for the terminal to verify TGS is non-key data.
The second information which is required to be sent to the terminal by the KDC comprises first data information and a first session key which are required by the TGS verification terminal; the first data information required by the TGS to authenticate the terminal may include: the name/ID of the terminal, the TGS name/ID, the timestamp, the IP address of the terminal and the TGT life cycle, and it can be seen that the first data information required by the TGS to verify the terminal is non-key data.
The TGT comprises a first ciphertext required to be sent to the terminal by the KDC and a second ciphertext required to be sent to the terminal by the KDC.
Specifically, the KDC invokes the encryption program, so that the process of controlling the cryptographic card to generate the first ciphertext that the KDC needs to send to the terminal by the encryption program may include steps a1 to a step a 5:
step A1: and acquiring first non-key data which needs to be sent to the terminal by the KDC.
In this step, the first non-key data that the KDC needs to send to the terminal is the data information that the terminal needs to verify the TGS.
Step A2: and inputting first non-key data which is required to be sent to the terminal by the KDC into a password card of the KDC.
Step A3: a cryptographic card controlling the KDC generates a first session key.
Step A4: and controlling a password card of the KDC to perform a first encryption operation.
Specifically, the cipher card controlling the KDC encrypts first non-key data that the KDC needs to send to the terminal by using the first session key to obtain a first non-key data cipher text that the KDC needs to send to the terminal.
Step A5: and controlling the password card of the KDC to perform a second encryption operation.
Specifically, the cryptographic card controlling the KDC encrypts the first session key by using the first authentication key to obtain a first session key ciphertext that the KDC needs to send to the terminal.
At this time, a first non-key data ciphertext required to be sent to the terminal by the KDC and a first session key ciphertext required to be sent to the terminal by the KDC form a first ciphertext required to be sent to the terminal by the KDC.
Because the first session key ciphertext required to be sent to the terminal by the KDC is obtained by encrypting the first authentication key, the terminal can decrypt the first session key ciphertext required to be sent to the terminal by the KDC to obtain a first session key; and the terminal can decrypt the first non-key data ciphertext needing to be sent to the terminal by the KDC by using the first session key. Therefore, the cryptographic card of the terminal can decrypt the first ciphertext that the KDC needs to send to the terminal.
Specifically, the process of the KDC calling the encryption program to generate the second ciphertext that the KDC needs to send to the terminal may include steps B1 to B5:
step B1: and acquiring second non-key data which needs to be sent to the terminal by the KDC.
In this step, the second non-key data that the KDC needs to send to the terminal is the first data information required by the TGS verification terminal.
Step B2: and inputting second non-key data which is required to be sent to the terminal by the KDC into a password card of the KDC.
Step B3: the cryptographic card is controlled to generate a first intermediate session key.
In this step, the first intermediate session key is used to encrypt second non-key data that the KDC needs to send to the terminal.
Step B4: and controlling a password card of the KDC to perform a first encryption operation.
Specifically, the cipher card controlling the KDC encrypts second non-key data that the KDC needs to send to the terminal by using the first intermediate session key to obtain a second non-key data cipher text that the KDC needs to send to the terminal.
Step B5: and controlling the password card of the KDC to perform a second encryption operation.
Specifically, the cipher card controlling the KDC encrypts the first session key and the first intermediate session key respectively by using the third authentication key to obtain a second session key ciphertext and a third session key ciphertext that the KDC needs to send to the terminal.
At this time, a second non-key data ciphertext of which the KDC needs to be sent to the terminal, a second session key ciphertext of which the KDC needs to be sent to the terminal, and a third session key ciphertext form a second ciphertext of which the KDC needs to be sent to the terminal.
Because the cipher card of the terminal does not have the third authentication key, the terminal cannot decrypt the second session key ciphertext and the third session key ciphertext which are required to be sent to the terminal by the KDC; therefore, the terminal cannot acquire the first intermediate session key, and the password card of the terminal cannot decrypt second non-key data which needs to be sent to the terminal by the KDC.
At this time, a first ciphertext that the KDC needs to be sent to the terminal and a second ciphertext that the KDC needs to be sent to the terminal form the TGT.
Step 104: the KDC sends a TGT to the terminal.
In practical application, the KDC combines the first ciphertext and the second ciphertext into a data packet, and sends the data packet to the terminal.
Step 105: the terminal decrypts the TGT.
The terminal can decrypt the first ciphertext needing to be sent to the terminal by the KDC, but cannot decrypt the second ciphertext needing to be sent to the terminal by the KDC. Therefore, in this step, the terminal decrypts the TGT, i.e. the terminal's crypto card decrypts the first ciphertext that the KDC needs to send to the terminal.
Specifically, the terminal calls a decryption program to decrypt a first ciphertext that the KDC needs to send to the terminal, and the specific process may include steps C1 to C3:
step C1: the ciphertext to be decrypted is identified from the TGT.
In this step, the ciphertext to be decrypted is a first non-key data ciphertext that KDC needs to send to the terminal in the TGT, and a first session key ciphertext that KDC needs to send to the terminal.
Step C2: and inputting the ciphertext to be decrypted into a password card of the terminal.
Step C3: and the cipher card of the control terminal respectively decrypts each cipher text to be decrypted.
In this step, the cipher card of the control terminal decrypts the first session key ciphertext by using the first authentication key to obtain a first session key; and then, the cipher card of the control terminal decrypts the first non-key data cipher text by adopting the first session key to obtain first non-key data which needs to be sent to the terminal by the KDC.
Because the first non-key data which needs to be sent to the terminal by the KDC is the data information needed by the terminal for verifying the TGS, the terminal verifies the TGS by adopting the first non-key data which needs to be sent to the terminal by the KDC.
Referring to fig. 2, a method for interaction between a terminal and a KDC in another embodiment of the present application is shown, where the method may include:
step 201: and the terminal generates a non-key data ciphertext which is required to be sent to the KDC by the terminal.
In this step, the non-key data that the terminal needs to send to the KDC may include: terminal name/ID and timestamp.
Specifically, the terminal calls the encryption program, so that the encryption program controls the cryptocard to generate a non-key data ciphertext which the terminal needs to send to the KDC, and the specific process may include steps D1 to D2:
step D1: and inputting the non-key data which is required to be sent to the KDC by the terminal into the password card of the terminal.
Step D2: and the password card of the control terminal carries out first encryption operation.
Specifically, the cipher card of the control terminal encrypts non-key data which needs to be sent to the KDC by using the first session key, so as to obtain a non-key data cipher text which needs to be sent to the KDC by the terminal.
Step 202: and the terminal sends a non-key data ciphertext, first server information and a second ciphertext to the KDC, wherein the non-key data ciphertext is required to be sent to the KDC by the terminal, and the second ciphertext is required to be sent to the terminal by the KDC.
In this step, the first server information may include: service name/ID, life cycle of the service.
Step 203: and the KDC judges whether the service exists or not according to the service name/ID and the life cycle of the service.
If not, ending; if so, go to step 204.
Step 204: and the KDC decrypts the ciphertext to be decrypted.
In this step, the ciphertext to be decrypted includes: the method comprises the steps that a non-key data ciphertext needing to be sent to a KDC by a terminal, a second non-key data ciphertext needing to be sent to the terminal by the KDC, a second session key ciphertext needing to be sent to the terminal by the KDC and a third session key ciphertext needing to be sent to the terminal by the KDC. It can be seen that in this step, the ciphertext to be decrypted includes at least one non-key data ciphertext and at least one session key ciphertext. And each non-key data ciphertext is obtained by the encryption end through a first encryption operation, and each session key ciphertext is obtained by the encryption end through a second encryption operation.
Specifically, the KDC invokes the decryption program, so that the decryption program decrypts the non-key data ciphertext that the KDC needs to send to the terminal and the second ciphertext that the KDC needs to send to the terminal, and may include steps E1 to E4:
step E1: and acquiring a ciphertext to be decrypted.
Step E2: and inputting the ciphertext to be decrypted into the password card.
Step E3: and the control cipher card respectively decrypts the second session key ciphertext and the third session key ciphertext by adopting a third authentication key to obtain a first session key and a first intermediate session key.
Step E4: and the control cipher card decrypts a non-key data cipher text which needs to be sent to the KDC by the terminal and a second non-key data cipher text which needs to be sent to the terminal by the KDC by using the first session key and the first intermediate session key to obtain first data information required by the TGS verification terminal and second data information required by the TGS verification terminal.
Specifically, the control cipher card respectively decrypts a non-key data cipher text which needs to be sent to the KDC by the terminal and a second non-key data cipher text which needs to be sent to the terminal by the KDC by using the first session key, and only second data information which is needed by the TGS verification terminal can be obtained; and then, the KDC controls the cipher card to decrypt a second non-key data cipher text which needs to be sent to the terminal by the KDC by adopting the first intermediate session key to obtain first data information needed by the TGS verification terminal.
Step 205: and the KDC verifies whether the terminal is legal or not.
Specifically, the TGS verifies whether the terminal name/ID in the first data information required by the terminal is the same as the terminal name/ID in the second data information required by the TGS verification terminal by comparing, if so, it indicates that the terminal is legal, and performs step 206; if not, the terminal is not legal, and the operation is ended.
Step 206: and generating a third ciphertext required to be sent to the terminal by the KDC and a fourth ciphertext (ST) required to be sent to the terminal by the KDC.
Specifically, the third ciphertext that the KDC needs to send to the terminal includes: and a third non-key data ciphertext required to be sent to the terminal by the KDC and a fourth session key ciphertext required to be sent to the terminal by the KDC. And the third non-key data ciphertext which needs to be sent to the terminal by the KDC is obtained by encrypting the second server information by the KDC. The service end is a service end which provides the current required service for the terminal; the second server information may include: the server name/ID, timestamp, and the lifetime of the ST.
And in order to reduce the storage burden of the KDC, the KDC sends the ST to the terminal, and then the terminal sends the ST to the server. The ST includes: a fourth non-key data ciphertext of which the KDC needs to be sent to the terminal, a fifth session key ciphertext of which the KDC needs to be sent to the terminal and a sixth session key ciphertext of which the KDC needs to be sent to the terminal are required, but the terminal is required to be ensured not to decrypt the ciphertext in the ST.
Specifically, the process of generating the third ciphertext that the KDC needs to be sent to the terminal may include steps F1 to F4:
Step F1: and acquiring third non-key data which needs to be sent to the terminal by the KDC.
In this step, the third non-key data that the KDC needs to send to the terminal is the second server information.
Step F2: and controlling the cryptographic card to generate a second session key.
In this step, the second session key is a session key for communication between the terminal and the server.
Step F3: and controlling the password card to perform first encryption operation on third non-key data which is required to be sent to the terminal by the KDC.
Specifically, the control cipher card encrypts third non-key data, which is required to be sent by the KDC to the terminal, by using the second session key, so as to obtain a third non-key data cipher text, which is required to be sent by the KDC to the terminal.
Step F4: and controlling the password card to perform second encryption operation on the second session key.
Specifically, the control cipher card encrypts the second session key by using the first authentication key to obtain a fourth session key ciphertext, wherein the fourth session key ciphertext is required to be sent to the terminal by the KDC.
The process that the KDC generates the fourth ciphertext required to be sent to the terminal by the KDC can comprise the steps G1-G4:
step G1: and acquiring fourth non-key data which needs to be sent to the terminal by the KDC.
In this step, the fourth non-key data that the KDC needs to send to the terminal is the first data information that the server verifies the terminal needs. The first data information required by the server to verify the terminal may include: the terminal name/ID, the server name/ID, the IP address of the terminal, the timestamp, and the life cycle of the ST, it can be seen that all the contents included in the first data information required by the server to verify the terminal are non-key data.
Step G2: the cryptographic card is controlled to generate a second intermediate session key.
In this step, the second intermediate session key is used to encrypt fourth non-key data that the KDC needs to send to the terminal, so that the terminal cannot decrypt the fourth non-key data.
Step G3: and controlling the password card to perform first encryption operation on fourth non-key data which needs to be sent to the terminal by the KDC.
Specifically, the control cipher card encrypts fourth non-key data, which is required to be sent by the KDC to the terminal, by using the second intermediate session key, to obtain a fourth non-key data cipher text, which is required to be sent by the KDC to the terminal.
Step G4: and controlling the password card to respectively carry out second encryption operation on the second session key and the second intermediate session key.
Specifically, the control cipher card uses a second authentication key to encrypt the second session key and the second intermediate session key respectively to obtain a fifth session key ciphertext and a sixth session key ciphertext, wherein the fifth session key ciphertext and the sixth session key ciphertext are required to be sent to the terminal by the KDC.
At this time, a fourth non-key data ciphertext that the KDC needs to send to the terminal, a fifth session key ciphertext that the KDC needs to send to the terminal, and a sixth session key ciphertext form an ST.
Step 207: and the KDC sends a third ciphertext and the ST which are required to be sent to the terminal by the KDC to the terminal.
Because the cryptographic card of the terminal does not have the second authentication key, the terminal cannot acquire the second session key and the second intermediate session key from the ST, and further cannot decrypt the ST, and further cannot obtain the first data information required by the server to verify the terminal.
Step 208: and the terminal decrypts the ciphertext to be decrypted.
In this step, the ciphertext to be decrypted includes a third ciphertext that the KDC needs to send to the terminal.
Specifically, the process of the terminal calling the decryption program to decrypt the third ciphertext that the KDC needs to send to the terminal may include steps H1 to H4:
step H1: and acquiring a ciphertext to be decrypted.
Step H2: and inputting a third ciphertext required to be sent to the terminal by the KDC into the password card of the terminal.
Step H3: and the cipher card of the control terminal decrypts each cipher text in the third cipher text which is required to be sent to the terminal by the KDC.
Specifically, the cipher card of the control terminal decrypts each cipher text in the third cipher text which is required to be sent to the terminal by the KDC by using the first authentication key, so that the cipher card of the terminal obtains the second session key.
Step H4: and the password card of the control terminal decrypts the third non-key data ciphertext required to be sent to the terminal by the KDC.
Specifically, the cryptographic card of the control terminal decrypts a third non-key data ciphertext that the KDC needs to send to the terminal, using the second session key, to obtain third non-key data that the KDC needs to send to the terminal, that is, the second server information.
Referring to fig. 3, an interaction method between a terminal and a server in the present application is shown, which may include:
Step 301: the terminal generates a first non-key data ciphertext which is required to be sent to the server side by the terminal.
In this step, the first non-key data ciphertext that the terminal needs to send to the server is obtained by the terminal calling an encryption program installed on the terminal to encrypt non-key data that the terminal needs to send to the server by the encryption program, where the non-key data that the terminal needs to send to the server is: and the server side verifies second data information required by the terminal.
Specifically, the process of the terminal calling the encryption program to generate the first non-key data ciphertext that the terminal needs to send to the server may include step I1 to step I3:
step I1: and acquiring non-key data which is required to be sent to the server by the terminal.
Step I2: inputting the non-key data which is required to be sent to the server side by the terminal into the password card of the terminal.
Step I3: and the password card of the control terminal carries out first encryption operation on the non-key data which is required to be sent to the server side by the terminal.
Specifically, the cipher card of the control terminal encrypts non-key data, which needs to be sent to the server by the terminal, by using the second session key, so as to obtain a first non-key data cipher text, which needs to be sent to the server by the terminal.
Step 302: and the terminal sends the ST and a first non-key data ciphertext which is required to be sent to the server by the terminal to the server.
Step 303: and the server decrypts the first non-key data cipher text which is required to be sent to the server by the ST and the terminal.
Specifically, the server side calls a decryption program, so that the decryption program decrypts the ST and a first non-key data ciphertext that the terminal needs to send to the server side, and the specific process may include steps J1 to J3:
step J1: and acquiring a ciphertext to be decrypted.
In this step, the ciphertext to be decrypted is the ST and the first non-key data ciphertext that the terminal needs to send to the server.
Step J2: and inputting the ST and a first non-key data ciphertext required to be sent to the server by the terminal into a password card of the server.
Step J3: and controlling the password card of the server to decrypt the ciphertext to be decrypted.
Specifically, the cryptographic card of the control server decrypts, by using the second authentication key, a fifth session key ciphertext that the KDC needs to send to the terminal and a sixth session key ciphertext that the KDC needs to send to the terminal, respectively, so as to obtain the second session key and the second intermediate session key. And then, the cipher card of the control server side decrypts a first non-key data cipher text which needs to be sent to the server side by the terminal and a fourth non-key data cipher text which needs to be sent to the terminal by the KDC by adopting a second session key and a second intermediate session key respectively, so as to obtain first data information and second data information which are needed by the verification terminal of the server side.
Step 304: the server derives the first data information and the second data information required by the server authentication terminal from the password card.
Step 305: the server side verifies whether the terminal is legal or not.
If not, ending; if it is legal, go to step 306.
Step 306: and the server generates a non-key data ciphertext which is required to be sent to the terminal by the server.
In this step, the non-key data ciphertext that the server needs to send to the terminal is obtained by the server calling an encryption program, so that the encryption program encrypts the non-key data that the server needs to send to the terminal.
Specifically, the process of calling the encryption program by the server to encrypt the non-key data that the server needs to send to the terminal by the encryption program may include steps K1 to K3:
step K1: and acquiring non-key data which needs to be sent to the terminal by the server.
Step K2: and inputting the non-key data which is required to be sent to the terminal by the server into the password card of the server.
Step K3: and controlling a password card of the server to perform first encryption operation on non-key data which needs to be sent to the terminal by the server.
Specifically, the cipher card controlling the server side encrypts non-key data, which needs to be sent to the terminal by the server side, by using the second session key, so as to obtain a non-key data cipher text, which needs to be sent to the terminal by the server side.
Step 307: and the server derives the non-key data ciphertext which is required to be sent to the terminal by the server from the password card.
Step 308: and the server side sends the non-key data ciphertext which is required to be sent to the terminal by the server side to the terminal.
Step 309: the terminal decrypts the non-key data ciphertext which is required to be sent to the terminal by the server side.
Specifically, the terminal calls a decryption program installed on the terminal, so that the decryption program decrypts the non-key data ciphertext which is required to be sent to the terminal by the server. The specific decryption process may include steps L1 to L4:
step L1: and acquiring a ciphertext to be decrypted.
In this step, the ciphertext to be decrypted is a non-key data ciphertext that the server needs to send to the terminal.
Step L2: and inputting the non-key data ciphertext which is required to be sent to the terminal by the server into the password card of the terminal.
Step L3: and the password card of the control terminal decrypts the non-key data ciphertext which is required to be sent to the terminal by the server side.
Specifically, the cipher card of the control terminal decrypts the non-key data cipher text which needs to be sent to the terminal by the server by using the second session key, so as to obtain the non-key data which needs to be sent to the terminal by the server.
Step L4: and deriving non-key data which is required to be sent to the terminal by the server from the password card of the terminal.
Step 310: and the terminal verifies the server side.
And if the verification is passed, finishing the authentication between the terminal and the server.
It should be noted that, in the embodiment of the present application, the terminal, the server, and the KDC are all first devices, and are also second devices at the same time. When the terminal, the server and the KDC are used as encryption terminals, the first device is used, and when the terminal, the server and the KDC are used as decryption terminals, the second device is used.
In each of the above embodiments, on one hand, the first device inputs only non-key data that needs to be sent to the first target device into the cryptographic card, and generates a ciphertext that needs to be sent to the first target device based on the data to be encrypted, where the ciphertext is generated in the cryptographic card, and therefore, the data sent by the first device is the non-key data; on the other hand, the password card is controlled to only encrypt the non-key data by adopting a first encryption operation and only encrypt the session key data by adopting a second encryption operation, so that each ciphertext obtained by the password card only comprises the non-key data or the session key data; when the ciphertext obtained by the cipher card is decrypted, the data decrypted by each ciphertext is non-key data or session key data; moreover, under the condition of no user operation, the cryptographic card cannot output the session key data, so that the non-key data can be derived from the cryptographic card only, and the data transmitted outwards by the first device is ensured to be the non-key data. Therefore, in the embodiment of the application, data transmitted among the KDC, the terminal, and the server are non-key data, and even if the operating systems of any devices among the KDC, the terminal, and the server are hacked, an attacker cannot acquire the key by controlling the operating systems.
Referring to fig. 4, an encryption method in the present application is shown, which may include:
the method is applied to a first device, wherein the first device can be any one of a terminal, a server and a KDC.
Step 401: non-key data to be sent to the first target device is obtained.
In this step, the first target device is an opposite end that needs to send data, for example, the terminal sends data to the server, and at this time, the server is the first target device.
Step 402: non-key data to be sent to the first target device is input to the cryptographic card.
Step 403: and controlling the password card to perform a first encryption operation, wherein the first encryption operation is only used for encrypting the non-key data.
Step 404: and under the condition that the session key needs to be sent to the first target equipment, controlling the password card to perform a second encryption operation, wherein the second encryption operation is only used for encrypting the session key.
The method embodiment may be applied to a terminal, a server, and a KDC, and for a specific application process, a specific implementation process has been described in detail in the method embodiments corresponding to fig. 1, fig. 2, and fig. 3, which are not described herein again.
Referring to fig. 5, a decryption method in the present application is shown, which may include:
The method is applied to the second device, wherein the second device can be any one of a terminal, a server and a KDC.
Step 501: and receiving the ciphertext to be decrypted.
Wherein, the ciphertext comprises at least one non-key data ciphertext; generating a non-key data ciphertext by an encryption terminal through a first encryption operation; and in the case that the session key ciphertext is also included in the ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation.
Step 502: and inputting the ciphertext into the password card.
Step 503: and the control cipher card respectively decrypts each cipher text to be decrypted, decrypts the non-key data cipher text to obtain non-key data, and decrypts the session key cipher text to obtain the session key.
Step 504: non-key data is derived from the cryptographic card of the second device.
It should be noted that the decryption method can be applied to the terminal, the server and the KDC.
In the decryption process aiming at the terminal, the server and the KDC, the contents included in the ciphertext to be decrypted are different, and some ciphertexts to be decrypted include both non-key data ciphertext and session key ciphertext; and some ciphertexts to be decrypted only comprise non-key data ciphertexts. In this embodiment, when the ciphertext to be decrypted includes both the non-key data ciphertext and the session key ciphertext, the non-key data ciphertext in the ciphertext to be decrypted is referred to as a first target non-key data ciphertext; and when the ciphertext to be decrypted only comprises the non-key data ciphertext, the non-key data ciphertext is called as a second target non-key data ciphertext.
Specifically, when the ciphertext to be decrypted of the second device includes at least one first target non-key data ciphertext and at least one session key ciphertext, a corresponding authentication key is preset in a cryptographic card of the second device. Specifically, when the second device is a terminal, the authentication key corresponding to the second device is a first authentication key; when the second device is a KDC, the authentication key corresponding to the second device is a third authentication key; and when the second device is the server, the authentication key corresponding to the second device is the second authentication key.
The decryption process of the ciphertext to be decrypted by the second device comprises the following steps: the second equipment calls a decryption program, so that the decryption program controls the cipher card of the second equipment to decrypt at least one session key ciphertext by adopting the authentication key corresponding to the second equipment, and the cipher card of the second equipment obtains at least one session key; then, the decryption program controls the cipher card of the second device to decrypt the first target non-key data cipher text by using the decrypted session key, so that the cipher card of the second device obtains the first target non-key data; and derives the first target non-key data from the cryptographic card of the second device.
For example, when the second device is a terminal, in the embodiment corresponding to fig. 1, the terminal invokes a decryption program, so that the decryption program controls the cryptographic card of the terminal to use the first authentication key to decrypt the first session key ciphertext, so that the cryptographic card of the terminal obtains the first session key; the cipher card of the terminal is controlled to decrypt the first non-key data cipher text by adopting the first session key, so that first non-key data are obtained in the cipher card of the terminal; and derives the first non-key data from the cryptographic card of the terminal.
When the ciphertext to be decrypted of the second device includes a second target non-key data ciphertext, a target session key exists in a cryptographic card of the second device, and the target session key is used for communicating with a device that sends the second target non-key data ciphertext. For example, in the embodiment corresponding to fig. 3, in the process of interaction between the terminal and the server, when the terminal decrypts the non-key data ciphertext that the server needs to send to the terminal, the second target non-key data ciphertext is the non-key data ciphertext that the server needs to send to the terminal; the cipher card of the terminal already has a second session key for communicating with the server, and at this time, the target session key is the second session key.
The decryption process of the ciphertext to be decrypted by the second device comprises the following steps: and controlling the cipher card of the second device to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card of the second device obtains the second target non-key data.
Taking the decryption process of the non-key data ciphertext which needs to be sent to the terminal by the server side by the terminal in the interaction process of the terminal and the server side as an example, the decryption process of the non-key data ciphertext which needs to be sent to the terminal by the server side by the terminal comprises the following steps: and the terminal calls the decryption program, so that the password card of the terminal is controlled by the decryption program to decrypt the non-key data ciphertext which needs to be sent to the terminal by the server by adopting the second session key, and the non-key data which needs to be sent to the terminal by the server is obtained. At this time, the second target non-key data is the non-key data that the server needs to send to the terminal.
The above describes a specific decryption process of the ciphertext to be decrypted by the second device when the ciphertext to be decrypted includes different ciphertexts; in this embodiment, the second device is taken as an example to describe the decryption process, and as to the detailed decryption process of the server and the KDC, reference may be made to the method embodiments corresponding to fig. 1, fig. 2, and fig. 3, which are not described herein again.
Referring to fig. 6, an encryption apparatus in the present application is shown, and is applied to a first device, where a password card is preset in the first device, and the encryption apparatus may include:
a first obtaining unit 601, configured to obtain non-key data to be sent to a first target device;
a first input unit 602, configured to input, to the cryptographic card, the non-key data to be sent to the first target device;
a first control unit 603, configured to control the cryptographic card to perform a first encryption operation, where the first encryption operation is to encrypt only the non-key data;
a second control unit 604, configured to control the cryptographic card to perform a second encryption operation when the session key needs to be sent to the first target device, where the second encryption operation is to encrypt only the session key.
When the first device is a KDC, the encryption apparatus may further include:
a third control unit, configured to control the cryptographic card to generate the session key that needs to be sent to the first target device before the second control unit 604 controls the cryptographic card to perform the second encryption operation.
The password card is preset with a first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key; the apparatus may further include:
A fourth control unit, configured to control the cryptographic card of the KDC to generate an intermediate session key before the first control unit 603 controls the cryptographic card to perform the first encryption operation; the intermediate session key is used for encrypting non-key data to be sent to the first target equipment;
the first control unit 603 is specifically configured to:
controlling a cipher card of the KDC to encrypt the non-key data to be sent to the first target equipment by using the intermediate session key;
the second control unit 604 is specifically configured to:
and controlling the cryptographic card to respectively encrypt the intermediate session key and the session key to be sent to the first target device by using the third authentication key.
A first authentication key shared with the terminal, a second authentication key shared with the server and a unique third authentication key are preset in the cryptocard of the KDC;
the first control unit 603 is specifically configured to:
controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key to be sent to the first target equipment;
The second control unit 604 is specifically configured to:
and controlling the password card to encrypt the session key to be sent to the first target equipment by adopting the first authentication key.
When the first device is a terminal or a server, a session key for communicating with the first target device exists in the password card;
the first control unit 603 is specifically configured to:
and controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key for communicating with the first target equipment.
Referring to fig. 7, a decryption apparatus in the present application is shown, applied to a second device, where a password card is preset in the second device, and the apparatus includes:
a second obtaining unit 701, configured to obtain a ciphertext to be decrypted; the ciphertext comprises at least one non-key data ciphertext; the non-key data ciphertext is generated by an encryption terminal through a first encryption operation; under the condition that the ciphertext also comprises a session key ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation;
a second input unit 702, configured to input the ciphertext into the cryptographic card;
A fifth control unit 703, configured to control the cryptographic card to decrypt each ciphertext, decrypt the non-key data ciphertext to obtain non-key data, and decrypt the session key ciphertext to obtain a session key;
a deriving unit 704 configured to derive the non-key data from a cryptographic card of the second device.
The ciphertext to be decrypted acquired by the second acquiring unit 701 is at least one first target non-key data ciphertext and at least one session key ciphertext; an authentication key corresponding to the second equipment is preset in the password card;
the fifth control unit 703 is specifically configured to:
controlling the cipher card to decrypt the at least one session key ciphertext by adopting an authentication key corresponding to the second device, so that the cipher card of the second device obtains at least one session key;
and controlling the cipher card to decrypt the first target non-key data ciphertext by using the at least one session key, so that the cipher card obtains first target non-key data.
The ciphertext to be decrypted acquired by the second acquiring unit 701 is a second target non-key data ciphertext; a target session key exists in the password card; the target session key is used for communicating with a device that sends the second target non-key data ciphertext;
The fifth control unit 703 is specifically configured to:
and controlling the cipher card to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card obtains the second target non-key data.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. In this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms "comprising," "including," and the like, as used herein, are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is, it is meant by "including but not limited to". The invention can be applied to various fields, such as a mobile phone, a mobile phone.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (12)
1. An encryption method is applied to a first device, a password card is preset in the first device, and when the first device is a KDC, a first authentication key shared with a terminal, a second authentication key shared with a server and a unique third authentication key are preset in the password card, and the method comprises the following steps:
acquiring non-key data to be sent to first target equipment;
inputting the non-key data to be sent to the first target equipment to the password card;
controlling a password card of the KDC to generate an intermediate session key; the intermediate session key is used for encrypting non-key data to be sent to the first target equipment;
controlling the cryptographic card to perform a first encryption operation, wherein the first encryption operation is to encrypt only the non-key data, and the controlling the cryptographic card to perform the first encryption operation comprises: controlling a cipher card of the KDC to encrypt the non-key data to be sent to the first target equipment by using the intermediate session key;
under the condition that the session key needs to be sent to the first target device, controlling the cryptographic card to generate the session key that needs to be sent to the first target device, and controlling the cryptographic card to perform a second encryption operation, where the second encryption operation is to encrypt only the session key, and the controlling the cryptographic card to perform the second encryption operation includes: and controlling the cryptographic card to respectively encrypt the intermediate session key and the session key to be sent to the first target device by using the third authentication key.
2. The method according to claim 1, wherein the cryptocard of the KDC is pre-configured with a first authentication key shared with the terminal, a second authentication key shared with the server, and a unique third authentication key;
the controlling the password card to perform a first encryption operation further comprises:
controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key to be sent to the first target equipment;
the controlling the password card to perform a second encryption operation further comprises:
and controlling the password card to encrypt the session key to be sent to the first target equipment by adopting the first authentication key.
3. The method according to claim 1, wherein when the first device is a terminal or a server, a session key for communicating with the first target device exists in the cryptographic card;
the controlling the password card to perform a first encryption operation further comprises:
and controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key for communicating with the first target equipment.
4. A decryption method, applied to a second device, where a password card is preset in the second device, the method comprising:
obtaining a ciphertext to be decrypted from the data packet; the ciphertext comprises at least one non-key data ciphertext; the non-key data ciphertext is generated by an encryption terminal through a first encryption operation; under the condition that the ciphertext also comprises a session key ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation;
inputting the ciphertext into the password card;
controlling the cipher card to decrypt each cipher text respectively, decrypting the non-key data cipher text to obtain non-key data, and decrypting the session key cipher text to obtain a session key;
deriving the non-key data from a cryptographic card of the second device;
the data packet further includes ciphertext data obtained by the encryption method according to claim 1.
5. The method of claim 4, wherein the ciphertext comprises at least one first target non-key data ciphertext and at least one session key ciphertext; an authentication key corresponding to the second equipment is preset in the password card;
The controlling the crypto card to decrypt each ciphertext respectively includes:
controlling the cipher card to decrypt the at least one session key ciphertext by adopting an authentication key corresponding to the second device, so that the cipher card of the second device obtains at least one session key;
and controlling the cipher card to decrypt the first target non-key data ciphertext by using the at least one session key, so that the cipher card obtains first target non-key data.
6. The method of claim 4, wherein the ciphertext is a second target non-key data ciphertext; a target session key exists in the password card; the target session key is used for communicating with a device that sends the second target non-key data ciphertext;
the controlling the crypto card to decrypt each ciphertext respectively includes:
and controlling the cipher card to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card obtains the second target non-key data.
7. An encryption device, applied to a first device, where a cryptographic card is preset in the first device, and when the first device is a KDC, a first authentication key shared with a terminal, a second authentication key shared with a server, and a unique third authentication key are preset in the cryptographic card, the encryption device comprising:
The first acquisition unit is used for acquiring non-key data which needs to be sent to the first target equipment;
the first input unit is used for inputting the non-key data which needs to be sent to the first target equipment into the password card;
the first control unit is used for controlling the password card to carry out first encryption operation, and the first encryption operation is only used for encrypting the non-key data;
the second control unit is used for controlling the cryptographic card to perform a second encryption operation under the condition that the session key needs to be sent to the first target device, wherein the second encryption operation is only used for encrypting the session key;
the device further comprises:
the third control unit is used for controlling the cryptographic card to generate the session key which needs to be sent to the first target device before the second control unit controls the cryptographic card to perform the second encryption operation;
a fourth control unit, configured to control the cryptographic card of the KDC to generate an intermediate session key before the first control unit controls the cryptographic card to perform the first encryption operation; the intermediate session key is used for encrypting non-key data to be sent to the first target equipment;
the first control unit is specifically configured to:
Controlling a cipher card of the KDC to encrypt the non-key data to be sent to the first target equipment by using the intermediate session key;
the second control unit is specifically configured to:
and controlling the cryptographic card to respectively encrypt the intermediate session key and the session key to be sent to the first target device by using the third authentication key.
8. The apparatus according to claim 7, wherein the cryptocard of the KDC is pre-configured with a first authentication key shared with the terminal, a second authentication key shared with the server, and a unique third authentication key;
the first control unit is further specifically configured to:
controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key to be sent to the first target equipment;
the second control unit is further specifically configured to:
and controlling the password card to encrypt the session key to be sent to the first target equipment by adopting the first authentication key.
9. The apparatus according to claim 7, wherein when the first device is a terminal or a server, a session key for communicating with the first target device exists in the cryptographic card;
The first control unit is further specifically configured to:
and controlling the cryptographic card to encrypt the non-key data to be sent to the first target equipment by adopting the session key for communicating with the first target equipment.
10. A decryption apparatus, applied to a second device, where a password card is preset in the second device, the apparatus comprising:
the second acquisition unit is used for acquiring the ciphertext to be decrypted from the data packet; the ciphertext comprises at least one non-key data ciphertext; the non-key data ciphertext is generated by an encryption terminal through a first encryption operation; under the condition that the ciphertext also comprises a session key ciphertext, the session key ciphertext is generated by the encryption terminal through a second encryption operation;
the second input unit is used for inputting the ciphertext into the password card;
the fifth control unit is used for controlling the cipher card to decrypt each cipher text respectively, decrypting the non-key data cipher text to obtain non-key data, and decrypting the session key cipher text to obtain a session key;
a deriving unit configured to derive the non-key data from a cryptographic card of the second device;
The data packet further includes ciphertext data obtained by the encryption method according to claim 1.
11. The apparatus according to claim 10, wherein the ciphertext to be decrypted obtained by the second obtaining unit is at least one first target non-key data ciphertext and at least one session key ciphertext; an authentication key corresponding to the second equipment is preset in the password card;
the fifth control unit is specifically configured to:
controlling the cipher card to decrypt the at least one session key ciphertext by adopting an authentication key corresponding to the second device, so that the cipher card of the second device obtains at least one session key;
and controlling the cipher card to decrypt the first target non-key data ciphertext by using the at least one session key, so that the cipher card obtains first target non-key data.
12. The apparatus according to claim 10, wherein the ciphertext to be decrypted obtained by the second obtaining unit is a second target non-key data ciphertext; a target session key exists in the password card; the target session key is used for communicating with a device that sends the second target non-key data ciphertext;
The fifth control unit is specifically configured to:
and controlling the cipher card to decrypt the second target non-key data cipher text by adopting the target session key so that the cipher card obtains the second target non-key data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811253673.2A CN111107038B (en) | 2018-10-25 | 2018-10-25 | Encryption method, decryption method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811253673.2A CN111107038B (en) | 2018-10-25 | 2018-10-25 | Encryption method, decryption method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111107038A CN111107038A (en) | 2020-05-05 |
| CN111107038B true CN111107038B (en) | 2022-07-29 |
Family
ID=70418385
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811253673.2A Active CN111107038B (en) | 2018-10-25 | 2018-10-25 | Encryption method, decryption method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111107038B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101964805A (en) * | 2010-10-28 | 2011-02-02 | 北京握奇数据系统有限公司 | Method, equipment and system for safely sending and receiving data |
| CN103458400A (en) * | 2013-09-05 | 2013-12-18 | 中国科学院数据与通信保护研究教育中心 | Key management method for voice encryption communication system |
| CN104917604A (en) * | 2014-03-12 | 2015-09-16 | 北京信威通信技术股份有限公司 | Key distribution method |
| CN106506470A (en) * | 2016-10-31 | 2017-03-15 | 大唐高鸿信安(浙江)信息科技有限公司 | network data security transmission method |
| CN108650210A (en) * | 2018-03-14 | 2018-10-12 | 深圳市中易通安全芯科技有限公司 | A kind of Verification System and method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6478749B2 (en) * | 2015-03-24 | 2019-03-06 | 株式会社東芝 | Quantum key distribution apparatus, quantum key distribution system, and quantum key distribution method |
-
2018
- 2018-10-25 CN CN201811253673.2A patent/CN111107038B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101964805A (en) * | 2010-10-28 | 2011-02-02 | 北京握奇数据系统有限公司 | Method, equipment and system for safely sending and receiving data |
| CN103458400A (en) * | 2013-09-05 | 2013-12-18 | 中国科学院数据与通信保护研究教育中心 | Key management method for voice encryption communication system |
| CN104917604A (en) * | 2014-03-12 | 2015-09-16 | 北京信威通信技术股份有限公司 | Key distribution method |
| CN106506470A (en) * | 2016-10-31 | 2017-03-15 | 大唐高鸿信安(浙江)信息科技有限公司 | network data security transmission method |
| CN108650210A (en) * | 2018-03-14 | 2018-10-12 | 深圳市中易通安全芯科技有限公司 | A kind of Verification System and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111107038A (en) | 2020-05-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108810029B (en) | Authentication system and optimization method between micro-service architecture services | |
| CN110380852B (en) | Bidirectional authentication method and communication system | |
| CN107800539B (en) | Authentication method, authentication device and authentication system | |
| CN108599925B (en) | Improved AKA identity authentication system and method based on quantum communication network | |
| US8130961B2 (en) | Method and system for client-server mutual authentication using event-based OTP | |
| KR101265873B1 (en) | Distributed single sign-on service | |
| CN111512608B (en) | Trusted execution environment based authentication protocol | |
| CN108282329B (en) | Bidirectional identity authentication method and device | |
| CN111464301B (en) | Key management method and system | |
| CN109728909A (en) | Identity identifying method and system based on USBKey | |
| CN107809311B (en) | Asymmetric key issuing method and system based on identification | |
| CA2518032A1 (en) | Methods and software program product for mutual authentication in a communications network | |
| CN108650028B (en) | Multiple identity authentication system and method based on quantum communication network and true random number | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| US8397281B2 (en) | Service assisted secret provisioning | |
| CN108809633B (en) | Identity authentication method, device and system | |
| CN108964897B (en) | Identity authentication system and method based on group communication | |
| KR102575725B1 (en) | Apparatus, system and method for controlling charging of electric vehicle | |
| CN112766962A (en) | Method for receiving and sending certificate, transaction system, storage medium and electronic device | |
| CN107682152B (en) | Group key negotiation method based on symmetric cipher | |
| CN108259486B (en) | End-to-end key exchange method based on certificate | |
| CN113868684A (en) | Signature method, device, server, medium and signature system | |
| CN114362946B (en) | Key agreement method and system | |
| CN105612728A (en) | Secured data channel authentication implying a shared secret | |
| CN114765543A (en) | Encryption communication method and system of quantum cryptography network expansion equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |