CN113645235A - Distributed data encryption and decryption system and encryption and decryption method - Google Patents

Info

Publication number: CN113645235A
Authority: CN (China)
Prior art keywords: key, packet, serial number, computer, encryption
Legal status: Pending
Application number: CN202110914330.1A
Other languages: Chinese (zh)
Inventor: 张牧宇
Current Assignee: Bank of China Ltd
Original Assignee: Bank of China Ltd
Application filed by Bank of China Ltd
Priority to CN202110914330.1A
Publication of CN113645235A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Abstract

The invention discloses a distributed data encryption and decryption system and an encryption and decryption method, relating to the field of network security. The system comprises a master key computer and a plurality of data processing computers. The master key computer is configured to: generate a symmetric key; receive the packet serial numbers provided by each data processing computer; provide the packet key to each data processing computer according to the symmetric key and the packet serial number; provide the encryption key serial number to the data processing computers; and provide the encryption key and the encryption key serial number to the receiving party. Each data processing computer is configured to: receive a data packet; generate a packet sequence number; encrypt the data packet with the packet key to obtain an encrypted data packet; package the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; and provide the combined data packet to the recipient. As a result, the encryption and decryption system as a whole offers high performance when processing big data and high security, and the processing flow is simplified.

Description

Distributed data encryption and decryption system and encryption and decryption method
Technical Field
The invention relates to the technical field of network security, in particular to a distributed data encryption and decryption system and an encryption and decryption method.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
In the current internet era, data security is increasingly important. In existing data transmission, encryption measures are generally adopted to ensure the security of data. In the process, the algorithm structure of the hardware encryption machine is standard, and the key is independently stored in the hardware equipment, so that the security is far higher than that of software encryption.
In a system architecture with a high data security requirement, a hardware encryption machine is generally adopted to provide encryption service, and other computers in the system access the hardware encryption machine in a service calling mode to complete corresponding encryption and decryption operations.
However, with the development of data technology, the processing requirement of big data is increasingly frequent, and the access amount of processing platforms such as financial transactions is greatly increased, so that the traditional hardware encryption machine is difficult to meet the requirements in terms of data amount and access amount. The use of multiple encryptors results in increased complexity of key storage, which increases the complexity of the system. On one hand, the safety of the whole system is reduced because a plurality of encryptors store the secret key; on the other hand, when a plurality of encryptors exchange external keys, the same key certificate needs to be distributed to all encryptors, so that the process is complicated, and the problem of data asynchronism is easily caused. In a security system, the adoption of multiple encryption machines leads to the enhancement of complexity and the increase of key nodes, so that the risk of data leakage is increased and the vulnerability of the system is aggravated.
Disclosure of Invention
The embodiment of the invention provides a distributed data encryption system, which is used for improving the safety of data transmission and simplifying the processing flow, and comprises the following components:
a master key computer and a plurality of data processing computers; wherein:
a master key computer to: randomly generating a symmetric key for a plaintext to be encrypted; receiving packet serial numbers provided by each data processing computer; providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer; encrypting the symmetric key to obtain an encrypted key; encrypting the key serial number corresponding to the symmetric key to obtain an encrypted key serial number; providing the encryption key serial numbers to the data processing computers; providing the encryption key and the encryption key serial number to the receiving party;
each data processing computer to: receiving a data packet split from a plaintext to be encrypted; randomly generating a packet sequence number for the data packet; encrypting the data packet by using the packet key to obtain an encrypted data packet; packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; the combined data packet is provided to the recipient.
The embodiment of the present invention further provides a distributed data decryption system, configured to improve security of data transmission and simplify a processing flow, where the system includes:
a master key computer and a plurality of data processing computers; wherein:
a master key computer to: receiving an encryption key and an encryption key sequence number; decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key; determining the package key of each data processing computer according to the package serial number and the encryption key serial number provided by each data processing computer;
each data processing computer to: receiving a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extracting an encrypted data packet, a packet serial number and an encryption key serial number from the combined data packet; providing the packet serial number and the encryption key serial number to a master key computer; and decrypting the encrypted data packet by using the packet key to obtain a plaintext data packet.
An embodiment of the present invention further provides a master key computer in a distributed data encryption system, which is used to improve security of data transmission and simplify a processing flow, the distributed data encryption system further includes a plurality of data processing computers, and the master key computer includes:
a key generation module: used for randomly generating a symmetric key for a plaintext to be encrypted;
a receive packet sequence number module: used for receiving the packet serial number provided by each data processing computer; the packet serial number is randomly generated by each data processing computer for the data packet split from the plaintext to be encrypted;
a providing packet key module: used for providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer;
an encryption key module: used for encrypting the symmetric key to obtain an encryption key;
an encryption key sequence number module: used for encrypting the key serial number corresponding to the symmetric key to obtain an encryption key serial number;
a providing encryption key sequence number module: used for providing the encryption key serial number to each data processing computer;
a first sending module: used for providing the encryption key and the encryption key serial number to the receiving party.
An embodiment of the present invention further provides a data processing computer in a distributed data encryption system, which is used to improve security of data transmission and simplify a processing flow, where the distributed data encryption system includes a master key computer and a plurality of data processing computers, and each data processing computer includes:
a data packet receiving module: used for receiving a data packet split from a plaintext to be encrypted;
a packet sequence number generation module: used for randomly generating a packet sequence number for the data packet;
an encrypted data packet module: used for encrypting the data packet with the packet key to obtain an encrypted data packet; the packet key is generated by the master key computer according to a symmetric key randomly generated for the plaintext to be encrypted and the packet serial number of each data processing computer;
a packaging module: used for packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; the encryption key serial number is obtained by the master key computer encrypting the key serial number corresponding to the symmetric key;
a second sending module: used for providing the combined data packet to the recipient.
An embodiment of the present invention further provides a master key computer in a distributed data decryption system, so as to improve security of data transmission and simplify a processing flow, where the distributed data decryption system further includes a plurality of data processing computers, and the master key computer includes:
a key receiving module: used for receiving an encryption key and an encryption key serial number;
a decryption key module: used for decrypting the encryption key and the encryption key serial number to obtain a symmetric key and the key serial number corresponding to the symmetric key;
a packet key processing module: used for determining the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer, and for providing the packet key to each data processing computer, where it is used to decrypt the encrypted data packet and obtain a plaintext data packet.
An embodiment of the present invention further provides a data processing computer in a distributed data decryption system, configured to improve security of data transmission and simplify a processing flow, where the distributed data decryption system includes a master key computer and a plurality of data processing computers, and each data processing computer includes:
a receiving combined data packet module: used for receiving a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number;
an extraction module: used for extracting the encrypted data packet, the packet serial number and the encryption key serial number from the combined data packet;
a third sending module: used for providing the packet serial number and the encryption key serial number to the master key computer;
a data packet decryption module: used for receiving the packet key that the master key computer provides according to the packet serial number and the encryption key serial number, and for decrypting the encrypted data packet with the packet key to obtain a plaintext data packet.
The embodiment of the invention also provides a distributed data encryption method, which is used for improving the safety of data transmission and simplifying the processing flow and comprises the following steps:
each data processing computer receives a data packet split from a plaintext to be encrypted;
the master key computer randomly generates a symmetric key for a plaintext to be encrypted;
each data processing computer randomly generates a packet sequence number for the data packet;
the master key computer receives the packet serial numbers provided by the data processing computers; providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer;
the master key computer encrypts the symmetric key to obtain an encrypted key; encrypting the key serial number corresponding to the symmetric key to obtain an encrypted key serial number; providing the encryption key serial numbers to the data processing computers;
encrypting the data packet by each data processing computer by using a packet key to obtain an encrypted data packet; packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet;
the master key computer provides the encryption key and the encryption key serial number to the receiving party;
each data processing computer provides the combined data packet to the recipient.
The embodiment of the invention also provides a distributed data decryption method, which is used for improving the security of data transmission and simplifying the processing flow and comprises the following steps:
the master key computer receives the encryption key and the encryption key sequence number; decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key;
each data processing computer receives a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extracting an encrypted data packet, a packet serial number and an encryption key serial number from the combined data packet; providing the packet serial number and the encryption key serial number to a master key computer;
the master key computer determines the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer;
and each data processing computer decrypts the encrypted data packet by using the packet key to obtain a plaintext data packet.
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the distributed data encryption or decryption method when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program for executing the above-described distributed data encryption or decryption method is stored in the computer-readable storage medium.
In the embodiment of the invention, data encryption and decryption are carried out in a distributed manner, which increases the data processing capacity of the encryption and decryption process and meets the processing requirements of high concurrency or large data volumes. The key distribution function is provided by a single master key computer, which never touches the data packets themselves; each data processing computer contributes computing power to encrypt and decrypt the data packets, and cannot access the symmetric key that the master key computer randomly generates for the plaintext to be encrypted. The computer that provides the keys is thus separated from the computers that provide the computing power: even if one data processing computer is attacked by a hacker, only the data packet currently being processed is cracked, and the remaining data packets are still safe. The encryption and decryption system as a whole therefore offers high performance when processing big data and high security, and the processing flow is simplified.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
FIG. 1 is a schematic diagram of a distributed data encryption system according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a distributed data decryption system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a master key computer in a distributed data encryption system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a data processing computer in a distributed data encryption system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a master key computer in a distributed data decryption system according to an embodiment of the present invention;
FIG. 6 is a diagram of a data processing computer in a distributed data decryption system according to an embodiment of the present invention;
FIG. 7 is a flow chart of a distributed data encryption method according to an embodiment of the present invention;
FIG. 8 is a flowchart of a distributed data decryption method according to an embodiment of the present invention;
FIG. 9 is a flowchart illustrating an embodiment of a distributed data encryption method according to the present invention;
FIG. 10 is a flowchart illustrating an embodiment of a distributed data decryption method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
An embodiment of the present invention provides a distributed data encryption system, and fig. 1 is a schematic diagram of a distributed data encryption system provided in an embodiment of the present invention, and as shown in fig. 1, the system may include:
a master key computer 101 and a plurality of data processing computers 102; wherein:
a master key computer 101 for: randomly generating a symmetric key for a plaintext to be encrypted; receiving packet sequence numbers provided by the data processing computers 102; providing the packet key to each data processing computer 102 based on the symmetric key and the packet sequence number of each data processing computer 102; encrypting the symmetric key to obtain an encrypted key; encrypting the key serial number corresponding to the symmetric key to obtain an encrypted key serial number; providing the encryption key serial numbers to the respective data processing computers 102; providing the encryption key and the encryption key serial number to the receiving party;
each data processing computer 102 for: receiving a data packet split from a plaintext to be encrypted; randomly generating a packet sequence number for the data packet; encrypting the data packet by using the packet key to obtain an encrypted data packet; packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; the combined data packet is provided to the recipient.
In the embodiment of the invention, data encryption is carried out in a distributed manner, which increases the data processing capacity of the encryption process and meets the processing requirements of high concurrency or large data volumes. The key distribution function is provided by a single master key computer, which never touches the data packets themselves; each data processing computer contributes computing power to encrypt the data packets, and cannot access the symmetric key that the master key computer randomly generates for the plaintext to be encrypted. The computer that provides the keys is thus separated from the computers that provide the computing power: even if one data processing computer is attacked by a hacker, only the data packet currently being processed is at risk of being cracked, and the remaining data packets are still safe. The encryption system as a whole therefore offers high performance when processing big data and high security, and the processing flow is simplified.
In the distributed data encryption system and the distributed data decryption system of the embodiment of the invention, the main key computer conforms to the relevant standard of a hardware encryption machine, can provide the functions of standard symmetric encryption and decryption, asymmetric encryption and decryption and signature encryption and verification, and can import the relevant certificate file. The data processing computer is a computer device for realizing data encryption and decryption.
In one embodiment, randomly generating a symmetric key for the plaintext to be encrypted may be: randomly generating a symmetric key for the plaintext to be encrypted by adopting a symmetric encryption algorithm. For example, the DES symmetric encryption algorithm is adopted to randomly generate a symmetric key for the plaintext to be encrypted. DES is a relatively traditional symmetric encryption method: the same key is used for the encryption operation and the decryption operation, and the sender and the receiver of the information must share the symmetric key when transmitting and processing information. For example, the master key computer generates a symmetric random key SM4Key (the above-mentioned symmetric key).
In one embodiment, providing the packet key to each data processing computer based on the symmetric key, the packet sequence number of each data processing computer may be: the symmetric key is used as a key, the packet serial number of each data processing computer is used as a plaintext, the packet key of each data processing computer is obtained through calculation, and the packet key is provided for each data processing computer.
For example, a block cipher algorithm is used to generate a packet key for each data processing computer based on the symmetric key and the packet serial number of each data processing computer, and the corresponding packet key is provided to each data processing computer. For example, each data processing computer generates a random packet sequence number PacNo (the packet sequence number) for its own data packet, and the master key computer runs the block cipher algorithm on SM4Key (the symmetric key) and each PacNo (the packet sequence number), generates a different PacKey (the packet key) for each, and returns the different PacKeys to the respective data processing computers.
In the above embodiment, the mathematical model of the block cipher algorithm is as follows: the plaintext message (here, the packet serial number of each data processing computer) is encoded as a sequence of numbers, the sequence is divided into groups of length n (which can be regarded as vectors of length n), and each group is transformed, under the control of a key (the symmetric key), into an output sequence of numbers of equal length (the packet key). The block cipher algorithm is employed to ensure that each data processing computer uses a different key. Even if one data processing computer is attacked by a hacker, only the data packet currently being processed is at risk of being cracked, and the rest of the data packets are still safe.
In a specific implementation, an AES (Advanced Encryption Standard) block cipher is adopted. The AES block cipher divides the packet serial number (the plaintext) into groups of equal length and encrypts one group at a time with the symmetric key until the whole packet serial number has been encrypted.
In one embodiment, encrypting the symmetric key to obtain the encryption key may be: acquiring the public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting the symmetric key to obtain the encryption key.
In the above embodiment, the asymmetric encryption algorithm requires two keys: a public key (public key for short) and a private key (private key for short). The public key and the private key are a pair, and if data is encrypted by the public key, the data can be decrypted only by the corresponding private key. This algorithm is called asymmetric encryption algorithm because two different keys are used for encryption and decryption.
In a specific implementation, the RSA algorithm can be adopted: the public key of the receiver is obtained and the symmetric key is encrypted to obtain the encryption key. RSA is a common asymmetric encryption algorithm proposed by Rivest, Shamir and Adleman, and can be used for both data encryption and digital signatures. Its principle is that the key is built from two large prime numbers, and the difficulty of factoring their product prevents an eavesdropper from cracking the cipher.
In an embodiment, encrypting the key sequence number corresponding to the symmetric key to obtain the encryption key sequence number may be: and acquiring a public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting a key serial number corresponding to the symmetric key to obtain an encrypted key serial number.
In specific implementation, the RSA algorithm may be adopted to obtain the public key of the receiver, and encrypt the key serial number (SM4KeyN) corresponding to the symmetric key to obtain the encrypted key serial number (SM4 KeyNo).
In one embodiment, the providing of the encryption key sequence number to each data processing computer may be: the encryption key serial number is encrypted by ZMK (i.e. the master key MK is stored in the local or shared network and used for encrypting the data key to be transmitted on the communication line), and transmitted in SSH (Secure Shell protocol) mode, and provided to each corresponding data processing computer.
In one embodiment, receiving the data packet split from the plaintext to be encrypted may be: and (3) splitting the big data, namely splitting the plaintext to be encrypted into N relatively small data packets PacData (the data packets), and distributing the data packets PacData to N data processing computers.
In one embodiment, randomly generating a packet sequence number for a data packet may be: the master key computer generates a key serial number SM4KeyN (a key serial number corresponding to the above-mentioned symmetric key).
In one embodiment, encrypting the data packet with the packet key to obtain the encrypted data packet may be: each data processing computer encrypts its own data packet (the data packet split from the plaintext to be encrypted) using the obtained PacKey (the above-mentioned packet key), to obtain an encrypted data packet PacDataSec (the above-mentioned encrypted data packet).
In one embodiment, packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet may be: each data processing computer packages PacDataSec (the encrypted data packet), PacNo (the plaintext packet serial number) and SM4KeyNo (the encryption key serial number) to generate a PackComp (the combined data packet).
In one embodiment, providing the combined packet to the recipient may be: the encryption process is complete, and the encryption results are SM4KeySec (the encryption key), SM4KeyNo (the encryption key serial number), and PackComp1 (the combined packet) - PackComp (the combined packet); all of this content is encrypted and can be securely transmitted over the public network to the recipient.
An embodiment of the present invention provides a distributed data decryption system, and fig. 2 is a schematic diagram of the distributed data decryption system provided in the embodiment of the present invention, and as shown in fig. 2, the system may include:
a master key computer 201 and a plurality of data processing computers 202; wherein:
a master key computer 201 for: receiving an encryption key and an encryption key sequence number; decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key; determining the packet key of each data processing computer 202 according to the packet serial number and the encryption key serial number provided by each data processing computer 202;
each data processing computer 202 for: receiving a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extracting an encrypted data packet, a packet serial number and an encryption key serial number from the combined data packet; providing the packet serial number, the encryption key serial number to the master key computer 201; and decrypting the encrypted data packet by using the packet key to obtain a plaintext data packet.
In the embodiment of the invention, data decryption is realized in a distributed mode, so that the data processing capacity in the decryption process can be improved, and the processing requirements of high concurrency or large data volume are met; the key distribution function is provided by one master key computer, specific data packets are not touched, each data processing computer provides calculation power to decrypt the data packets, each data processing computer cannot access the symmetric key randomly generated by the master key computer for plaintext to be encrypted, and the computer providing the key is separated from the computer providing the calculation power.
In one embodiment, receiving the encryption key and the encryption key serial number, and decrypting them to obtain the symmetric key and the key serial number corresponding to the symmetric key, may be: SM4KeySec (the encryption key) and SM4KeyNo (the encryption key serial number) are transmitted to the receiver's master key computer, which then decrypts SM4KeySec using the private key to obtain the random symmetric key SM4Key (the symmetric key), whose corresponding serial number is SM4KeyN (the key serial number corresponding to the symmetric key).
In one embodiment, determining the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer may be: the master key computer determines the corresponding SM4Key (the symmetric key) from the serial number SM4KeyNo (the encryption key serial number), and then calculates the corresponding packet key PacKey (the above-mentioned packet key) of the data packet according to the grouping algorithm, using SM4Key (the above-mentioned symmetric key) and PacNo (the above-mentioned packet serial number).
In one embodiment, receiving the combined data packet formed by packaging the encrypted data packet, the packet serial number and the encryption key serial number may be: the encrypted packets PackComp1 (the combined packet) through PackComp (the combined packet) are distributed to N different processing computers. In actual use, the data processing computers of the two parties (the sender and the receiver) can differ, so one machine may end up processing several packets.
In one embodiment, the extraction of the encrypted data packet, the packet sequence number, and the encryption key sequence number from the combined data packet may be: the data processing computer obtains three contents, PacDataSec (the encrypted packet), PacNo (the packet serial number), and SM4KeyNo (the encryption key serial number), from the encrypted packet PackComp (the combined packet).
In one embodiment, providing the packet serial number, the encryption key serial number to the master key computer may be: the data processing computer transmits PacNo (the above-mentioned packet serial number) and SM4KeyNo (the above-mentioned encryption key serial number) to the master key computer.
In one embodiment, decrypting the encrypted data packet with the packet key to obtain the plaintext data packet may be: the data processing computer decrypts PacDataSec (the encrypted data packet) using PacKey (the packet key) to obtain plaintext again.
In an embodiment, the master key computer is specifically operable to: decrypt, with the private key of the local machine, the encryption key and the encryption key serial number that were encrypted with the public key of the local machine, to obtain the symmetric key and the key serial number corresponding to the symmetric key.
In the above embodiment, the public key is the non-secret half of the key pair used with the private key algorithm. The public key is typically used to encrypt session keys, verify digital signatures, or encrypt data that can be decrypted with the corresponding private key. The public key and the private key are a key pair obtained through an algorithm; one of them is published and is called the public key, and the other is kept by its owner and is called the private key. When this key pair is used, if one of the keys is used to encrypt a piece of data, the other key must be used to decrypt it: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption will not succeed.
In a specific implementation, the master key computer obtains a public key and a private key by using an asymmetric key algorithm; the private key is stored on the local machine and the public key is published. When the encryption key and the encryption key serial number are received, the master key computer decrypts them (they were encrypted with the local machine's public key) using the local private key to obtain the symmetric key and the key serial number corresponding to the symmetric key.
In an embodiment, the master key computer is specifically operable to: determining a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer; and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
In the above embodiment, determining the symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer may be: if the decrypted key serial numbers are consistent, the symmetric keys of the two are consistent, so the symmetric key corresponding to the encryption key serial number provided by the data processing computer can be determined from the symmetric key corresponding to the encryption key serial number provided by the sender.
Determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer may be: determining the packet key of each data processing computer by applying a cipher grouping algorithm to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
The invention divides a large amount of data to be encrypted into smaller data packets, then distributes the smaller data packets to each data processing computer, each data processing computer generates a random serial number, a master key computer generates a random symmetric key, the key is used as a master key, completely different grouping sub-keys are generated for the random serial number through a grouping algorithm, and the data processing computers respectively adopt the completely different sub-keys to carry out encryption and decryption operations. The implementation process of the invention has higher security, and even if one of the sub-keys is exposed, other encrypted data packets are not influenced. When all encrypted data packets are ready, the random symmetric key is also asymmetrically encrypted, and the process is the same as that in the digital envelope technology.
The invention adopts a sub-packet encryption and decryption strategy to decompose the big data and process it with distributed computing. The key system is separated from the computing resources, and the data processing computers only provide computing power, so that in principle they are not involved in operations such as external key exchange, which improves the security of the system. The data processing computers are less reliable than the master key computer, so a cipher grouping algorithm is used to isolate their encryption keys from each other, which confines the risk to the smallest possible range.
The invention has the following advantages: in large-scale data or highly concurrent encryption and decryption operations, the processing efficiency can be greatly improved; the system cost is markedly lower than that of a hardware encryption machine; security is guaranteed, and the scope of risk can be markedly reduced; the system is easy to maintain.
An embodiment of the present invention provides a master key computer in a distributed data encryption system, where the distributed data encryption system further includes a plurality of data processing computers, fig. 3 is a schematic diagram of a master key computer in a distributed data encryption system provided in an embodiment of the present invention, and as shown in fig. 3, the master key computer may include:
the generate key module 301: for randomly generating a symmetric key for a plaintext to be encrypted;
receive packet sequence number module 302: for receiving the packet serial number provided by each data processing computer; the packet serial number is generated randomly by each data processing computer for the data packet split from the plaintext to be encrypted;
provide packet key module 303: for providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer, so that each data processing computer can encrypt its data packet;
encryption key module 304: for encrypting the symmetric key to obtain an encryption key;
encryption key sequence number module 305: for encrypting the key serial number corresponding to the symmetric key to obtain an encryption key serial number;
provide encryption key sequence number module 306: for providing encryption key serial numbers to the respective data processing computers;
the first transmission module 307: for providing the encryption key and the encryption key sequence number to the receiving party.
In an embodiment, the provide packet key module is specifically configured to: generate a packet key for each data processing computer by applying a cipher grouping algorithm to the symmetric key and the packet serial number of each data processing computer, and provide the corresponding packet key to each data processing computer.
In an embodiment, the encryption key module is specifically configured to: using an asymmetric encryption algorithm, acquire the public key of the receiver and encrypt the symmetric key with it to obtain an encryption key.
In an embodiment, the encryption key sequence number module may be specifically configured to: using an asymmetric encryption algorithm, acquire the public key of the receiver and encrypt the key serial number corresponding to the symmetric key with it to obtain an encryption key serial number.
An embodiment of the present invention provides a data processing computer in a distributed data encryption system, and fig. 4 is a schematic diagram of a data processing computer in a distributed data encryption system provided in an embodiment of the present invention, where the distributed data encryption system includes a master key computer and a plurality of data processing computers, and as shown in fig. 4, each data processing computer may include:
the receive packet module 401: for receiving a data packet split from a plaintext to be encrypted;
generate packet sequence number module 402: for randomly generating a packet serial number for the data packet;
the encrypted packet module 403: for encrypting the data packet with the packet key to obtain an encrypted data packet; the packet key is generated by the master key computer according to a symmetric key randomly generated for the plaintext to be encrypted and the packet serial number of each data processing computer;
the packing module 404: for packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; the encryption key serial number is obtained by the master key computer encrypting the key serial number corresponding to the symmetric key;
the second sending module 405: for providing the combined data packet to the recipient.
An embodiment of the present invention provides a master key computer in a distributed data decryption system, and fig. 5 is a schematic diagram of a master key computer in a distributed data decryption system provided in an embodiment of the present invention, where the distributed data decryption system further includes a plurality of data processing computers, and as shown in fig. 5, the master key computer may include:
the receive key module 501: for receiving an encryption key and an encryption key serial number;
decryption key module 502: for decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key;
the process packet key module 503: for determining the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer, and providing the packet key to each data processing computer for decrypting the encrypted data packet to obtain a plaintext data packet.
In an embodiment, the decryption key module is specifically configured to:
decrypting, with the private key of the local machine, the encryption key and the encryption key serial number that were encrypted with the public key of the local machine, to obtain the symmetric key and the key serial number corresponding to the symmetric key.
In an embodiment, the process packet key module is specifically configured to:
determining a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer;
and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
Fig. 6 is a schematic diagram of a data processing computer in a distributed data decryption system provided in an embodiment of the present invention, where the distributed data decryption system includes a master key computer and a plurality of data processing computers, and as shown in fig. 6, each data processing computer may include:
the receive combined packet module 601: for receiving a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number;
the extraction module 602: for extracting the encrypted data packet, the packet serial number and the encryption key serial number from the combined data packet;
the third sending module 603: for providing the packet serial number and the encryption key serial number to the master key computer;
the decrypt packet module 604: for receiving the packet key that the master key computer provides according to the packet serial number and the encryption key serial number, and decrypting the encrypted data packet with the packet key to obtain a plaintext data packet.
An embodiment of the present invention further provides a distributed data encryption method, which is applied to the above-mentioned distributed data encryption system, and is configured to improve security of data transmission and simplify a processing flow, as shown in fig. 7, the method includes:
step 701, each data processing computer receives a data packet split from a plaintext to be encrypted;
step 702, the master key computer randomly generates a symmetric key for a plaintext to be encrypted;
step 703, each data processing computer randomly generates a packet serial number for the data packet;
step 704, the master key computer receives the packet serial numbers provided by the data processing computers; providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer;
step 705, the master key computer encrypts the symmetric key to obtain an encrypted key; encrypting the key serial number corresponding to the symmetric key to obtain an encrypted key serial number; providing the encryption key serial numbers to the data processing computers;
step 706, encrypting the data packet by each data processing computer by using a packet key to obtain an encrypted data packet; packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet;
step 707, the master key computer provides the encryption key and the encryption key serial number to the receiver;
step 708, each data processing computer provides the combined data packet to the recipient.
To further improve the security of data transmission, step 704 may include the following steps:
the master key computer generates a packet key for each data processing computer by adopting a cipher grouping algorithm according to the symmetric key and the packet serial number of each data processing computer, and provides the corresponding packet key for each data processing computer.
To further improve the security of data transmission, the step 705 may include the following steps:
the master key computer uses an asymmetric encryption algorithm: it obtains the public key of the receiver and encrypts the symmetric key with it to obtain an encryption key.
To further improve the security of data transmission, the step 705 may include the following steps:
the master key computer uses an asymmetric encryption algorithm: it obtains the public key of the receiver and encrypts the key serial number corresponding to the symmetric key with it to obtain an encryption key serial number.
An embodiment of the present invention further provides a distributed data decryption method, which is applied to the distributed data encryption system, and is configured to improve security and efficiency of receiving big data, as shown in fig. 8, the method includes:
step 801, a master key computer receives an encryption key and an encryption key serial number; decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key;
step 802, each data processing computer receives a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extracting an encrypted data packet, a packet serial number and an encryption key serial number from the combined data packet; providing the packet serial number and the encryption key serial number to a master key computer;
step 803, the master key computer determines the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer;
and step 804, each data processing computer decrypts the encrypted data packet by using the packet key to obtain a plaintext data packet.
In order to further improve the security of data transmission, the step 801 may include the following steps:
the master key computer decrypts, with the local private key, the encryption key and the encryption key serial number that were encrypted with the local public key, to obtain the symmetric key and the key serial number corresponding to the symmetric key.
In order to further improve the security of data transmission, the step 801 may include the following steps:
the master key computer determines a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer;
and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
Fig. 9 is a schematic flowchart of an embodiment of a distributed data encryption method according to the present invention, and as shown in fig. 9, the flowchart includes:
1. Splitting the big data: the plaintext to be encrypted is split into N relatively small data packets PacData, which are distributed to N data processing computers.
2. The master key computer generates a random symmetric key SM4Key and also generates a key serial number SM4KeyN.
3. Each data processing computer generates a random packet sequence number PacNo for its own data packet.
4. Each data processing computer sends its PacNo to the master key computer; the master key computer runs the cipher grouping algorithm over SM4Key and each PacNo to generate a different PacKey for each, and returns it to the corresponding data processing computer.
5. The master key computer asymmetrically encrypts SM4Key with the public key of the receiver to obtain the ciphertext SM4KeySec.
6. Each data processing computer encrypts its own data packet with the PacKey it obtained, to obtain an encrypted data packet PacDataSec.
7. Each data processing computer packages PacDataSec, PacNo, SM4KeyNo to generate PackComp.
8. The encryption process is complete and the encryption results are SM4KeySec, SM4KeyNo, and PackComp1 — PackComp. The content is encrypted in its entirety and can be securely transmitted over a public network to a recipient.
Fig. 10 is a flowchart illustrating an embodiment of a distributed data decryption method according to an embodiment of the present invention, where as shown in fig. 10, the flowchart includes:
1. SM4KeySec and SM4KeyNo are transmitted to the master key computer of the receiving party, which then decrypts SM4KeySec using the private key to obtain the random symmetric key SM4Key, whose corresponding serial number is SM4KeyN.
2. Encrypted data packet PackComp1 — PackComN is distributed to N different processing computers. (in actual use, the data processing computers of the two parties can be different, so that the situation that one machine processes a plurality of packets can occur)
3. The data processing computer obtains three items of contents including PacDataSec, PacNo and SM4KeyNo from the encrypted data packet PackCom.
4. The data processing computer sends PacNo and SM4KeyNo to the master key computer, and the master key computer determines the corresponding SM4Key from the serial number SM4KeyNo. It then calculates the corresponding packet key PacKey of the data packet according to the grouping algorithm, using SM4Key and PacNo.
5. The master key computer encrypts the PacKey with the ZMK and transmits it over SSH to the corresponding data processing computer. (ZMK is an encryption key for secure transmission of information in a system, SSH is the secure shell protocol, and the goal of this step is to securely transfer a PacKey to a data processing computer)
6. The data processing computer decrypts PacDataSec with the PacKey to recover the plaintext.
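The two flows above, reduced to their PacKey handling, as an added Go example (not code from the patent or its applicant). Assumptions: PacNo is a 16-byte random value, PacData is encrypted with AES-GCM because the page names no packet cipher, and SM4KeyNo is carried as an opaque handle because the RSA wrapping of SM4Key and SM4KeyN is left out; `MasterKeyComputer`, `KeyRequest`, `WorkerEncrypt` and `WorkerDecrypt` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen = 12 // standard AES-GCM nonce size

// PackComp is the combined packet: PacDataSec, PacNo and SM4KeyNo.
type PackComp struct{ PacDataSec, PacNo, SM4KeyNo []byte }

// KeyRequest is a data processing computer's call to its master key computer.
type KeyRequest func(pacNo, sm4KeyNo []byte) ([]byte, error)

// MasterKeyComputer is the only holder of SM4Key. SM4KeyNo is an opaque handle
// in this example; on the page it is the RSA-encrypted key serial number.
type MasterKeyComputer struct{ SM4KeyNo, SM4Key []byte }

// PacKey is the cipher grouping step: one AES block encryption of PacNo under
// SM4Key. Assumption: PacNo is a 16-byte random value.
func (m MasterKeyComputer) PacKey(pacNo, sm4KeyNo []byte) ([]byte, error) {
	if string(sm4KeyNo) != string(m.SM4KeyNo) {
		return nil, errors.New("unknown key serial number")
	}
	if len(pacNo) != aes.BlockSize {
		return nil, errors.New("PacNo must be exactly one AES block")
	}
	blk, err := aes.NewCipher(m.SM4Key)
	if err != nil {
		return nil, err
	}
	pacKey := make([]byte, aes.BlockSize)
	blk.Encrypt(pacKey, pacNo)
	return pacKey, nil
}

// aeadFor: AES-GCM under a PacKey (assumption; the page names no packet cipher).
func aeadFor(pacKey []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(pacKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// WorkerEncrypt is a sending data processing computer (encryption steps 3, 4,
// 6 and 7). It handles PacData and one PacKey, never SM4Key.
func WorkerEncrypt(pacData, sm4KeyNo []byte, ask KeyRequest) (PackComp, error) {
	rnd := make([]byte, aes.BlockSize+nonceLen) // fresh PacNo and GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return PackComp{}, err
	}
	pacNo, nonce := rnd[:aes.BlockSize:aes.BlockSize], rnd[aes.BlockSize:]
	pacKey, err := ask(pacNo, sm4KeyNo)
	if err != nil {
		return PackComp{}, err
	}
	aead, err := aeadFor(pacKey)
	if err != nil {
		return PackComp{}, err
	}
	return PackComp{aead.Seal(nonce, nonce, pacData, nil), pacNo, sm4KeyNo}, nil
}

// WorkerDecrypt is a receiving data processing computer (decryption steps 3, 4
// and 6): it sends PacNo and SM4KeyNo to the master and opens PacDataSec.
func WorkerDecrypt(p PackComp, ask KeyRequest) ([]byte, error) {
	pacKey, err := ask(p.PacNo, p.SM4KeyNo)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(pacKey)
	if err != nil || len(p.PacDataSec) < nonceLen {
		return nil, errors.New("bad PacKey or truncated PacDataSec")
	}
	return aead.Open(nil, p.PacDataSec[:nonceLen], p.PacDataSec[nonceLen:], nil)
}

func main() {
	keyNo := []byte("constructed-SM4KeyNo")
	master := MasterKeyComputer{keyNo, []byte("constructed key!")} // constructed 16-byte SM4Key
	a, errA := WorkerEncrypt([]byte("constructed packet A"), keyNo, master.PacKey)
	b, errB := WorkerEncrypt([]byte("constructed packet B"), keyNo, master.PacKey)
	if errA != nil || errB != nil {
		panic("encryption failed")
	}
	out, err := WorkerDecrypt(a, master.PacKey)
	fmt.Printf("A with its own PacKey: %q, err=%v\n", out, err)
	keyA, _ := master.PacKey(a.PacNo, keyNo) // the one PacKey a computer handling A ever sees
	_, err = WorkerDecrypt(b, func(_, _ []byte) ([]byte, error) { return keyA, nil })
	fmt.Println("B with A's PacKey:", err)
}
```

Running it prints the round trip for packet A, then the authentication error returned when packet B is opened with A's PacKey, which is the isolation property the description relies on.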
The embodiment of the invention also provides computer equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the distributed data encryption/decryption method when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, which stores a computer program for executing the distributed data encryption/decryption method.
In the embodiment of the invention, data encryption and decryption are realized in a distributed mode, so that the data processing capacity in the encryption and decryption process can be improved, and the processing requirements of high concurrency or large data volume are met; the key distribution function is provided by one master key computer, specific data packets are not touched, each data processing computer provides calculation power to encrypt and decrypt the data packets, each data processing computer cannot access the symmetric key randomly generated by the master key computer for plaintext to be encrypted, the computer providing the key is separated from the computer providing the calculation power, and even if one data processing computer is attacked by a hacker, only the data packet currently being processed is cracked, and the rest data packets are still safe, so that the whole encryption and decryption system not only has high performance of processing big data, but also has high safety, and the processing flow is simplified.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (25)

1. A distributed data encryption system, comprising:
a master key computer and a plurality of data processing computers; wherein:
a master key computer configured to: randomly generate a symmetric key for a plaintext to be encrypted; receive the packet serial number provided by each data processing computer; provide a packet key to each data processing computer according to the symmetric key and the packet serial number of that data processing computer; encrypt the symmetric key to obtain an encryption key; encrypt the key serial number corresponding to the symmetric key to obtain an encryption key serial number; provide the encryption key serial number to each data processing computer; and provide the encryption key and the encryption key serial number to the receiving party;
each data processing computer configured to: receive a data packet split from the plaintext to be encrypted; randomly generate a packet serial number for the data packet; encrypt the data packet by using the packet key to obtain an encrypted data packet; package the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; and provide the combined data packet to the receiving party.
2. The system of claim 1, wherein the master key computer is specifically configured to:
and generating a packet key for each data processing computer by adopting a cipher grouping algorithm according to the symmetric key and the packet serial number of each data processing computer, and providing the corresponding packet key for each data processing computer.
3. The system of claim 1, wherein the master key computer is specifically configured to:
and acquiring the public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting the symmetric key to obtain an encryption key.
4. The system of claim 1, wherein the master key computer is specifically configured to:
and acquiring a public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting a key serial number corresponding to the symmetric key to obtain an encrypted key serial number.
5. A distributed data decryption system, comprising:
a master key computer and a plurality of data processing computers; wherein:
a master key computer configured to: receive an encryption key and an encryption key serial number; decrypt the encryption key and the encryption key serial number to obtain a symmetric key and the key serial number corresponding to the symmetric key; and determine the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by that data processing computer;
each data processing computer configured to: receive a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extract the encrypted data packet, the packet serial number and the encryption key serial number from the combined data packet; provide the packet serial number and the encryption key serial number to the master key computer; and decrypt the encrypted data packet by using the packet key to obtain a plaintext data packet.
6. The system of claim 5, wherein the master key computer is specifically configured to:
and decrypting the encryption key and the encryption key serial number encrypted by the public key of the local machine by using the private key of the local machine to obtain the symmetric key and the key serial number corresponding to the symmetric key.
7. The system of claim 5, wherein the master key computer is specifically configured to:
determining a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer;
and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
8. A master key computer in a distributed data encryption system, the distributed data encryption system further comprising a plurality of data processing computers, the master key computer comprising:
a key generation module: used for randomly generating a symmetric key for a plaintext to be encrypted;
a packet serial number receiving module: used for receiving the packet serial number provided by each data processing computer; the packet serial number is randomly generated by each data processing computer for the data packet split from the plaintext to be encrypted;
a packet key providing module: used for providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer, so that each data processing computer can encrypt its data packet;
a key encryption module: used for encrypting the symmetric key to obtain an encryption key;
a key serial number encryption module: used for encrypting the key serial number corresponding to the symmetric key to obtain an encryption key serial number;
an encryption key serial number providing module: used for providing the encryption key serial number to each data processing computer;
a first sending module: used for providing the encryption key and the encryption key serial number to the receiving party.
9. The master key computer of claim 8, wherein the packet key providing module is specifically configured to:
and generating a packet key for each data processing computer by adopting a cipher grouping algorithm according to the symmetric key and the packet serial number of each data processing computer, and providing the corresponding packet key for each data processing computer.
10. The master key computer of claim 8, wherein the key encryption module is specifically configured to:
and acquiring the public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting the symmetric key to obtain an encryption key.
11. The master key computer of claim 8, wherein the key serial number encryption module is specifically configured to:
and acquiring a public key of the receiver by adopting an asymmetric encryption algorithm, and encrypting a key serial number corresponding to the symmetric key to obtain an encrypted key serial number.
12. A data processing computer in a distributed data encryption system, the distributed data encryption system comprising a master key computer and a plurality of data processing computers, each data processing computer comprising:
a data packet receiving module: used for receiving a data packet split from a plaintext to be encrypted;
a packet serial number generation module: used for randomly generating a packet serial number for the data packet;
a data packet encryption module: used for encrypting the data packet by using the packet key to obtain an encrypted data packet; the packet key is generated by the master key computer according to a symmetric key randomly generated for the plaintext to be encrypted and the packet serial number of each data processing computer;
a packaging module: used for packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet; the encryption key serial number is obtained by the master key computer encrypting the key serial number corresponding to the symmetric key;
a second sending module: used for providing the combined data packet to the receiving party.
13. A master key computer in a distributed data decryption system, the distributed data decryption system further comprising a plurality of data processing computers, the master key computer comprising:
a key receiving module: used for receiving an encryption key and an encryption key serial number;
a key decryption module: used for decrypting the encryption key and the encryption key serial number to obtain a symmetric key and the key serial number corresponding to the symmetric key;
a packet key processing module: used for determining the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer, and providing the packet key to each data processing computer for decrypting the encrypted data packet to obtain a plaintext data packet.
14. The master key computer of claim 13, wherein the key decryption module is specifically configured to:
and decrypting the encryption key and the encryption key serial number encrypted by the public key of the local machine by using the private key of the local machine to obtain the symmetric key and the key serial number corresponding to the symmetric key.
15. The master key computer of claim 13, wherein the packet key processing module is specifically configured to:
determining a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer;
and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
16. A data processing computer in a distributed data decryption system, the distributed data decryption system comprising a master key computer and a plurality of data processing computers, each data processing computer comprising:
a combined data packet receiving module: used for receiving a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number;
an extraction module: used for extracting the encrypted data packet, the packet serial number and the encryption key serial number from the combined data packet;
a third sending module: used for providing the packet serial number and the encryption key serial number to the master key computer;
a data packet decryption module: used for receiving the packet key provided by the master key computer according to the packet serial number and the encryption key serial number, and decrypting the encrypted data packet by using the packet key to obtain a plaintext data packet.
17. A distributed data encryption method, comprising:
each data processing computer receives a data packet split from a plaintext to be encrypted;
the master key computer randomly generates a symmetric key for a plaintext to be encrypted;
each data processing computer randomly generates a packet sequence number for the data packet;
the master key computer receives the packet serial numbers provided by the data processing computers; providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer;
the master key computer encrypts the symmetric key to obtain an encrypted key; encrypting the key serial number corresponding to the symmetric key to obtain an encrypted key serial number; providing the encryption key serial numbers to the data processing computers;
encrypting the data packet by each data processing computer by using a packet key to obtain an encrypted data packet; packaging the encrypted data packet, the packet serial number and the encryption key serial number into a combined data packet;
the master key computer provides the encryption key and the encryption key serial number to the receiving party;
each data processing computer provides the combined data packet to the recipient.
18. The method of claim 17, wherein the master key computer providing the packet key to each data processing computer according to the symmetric key and the packet serial number of each data processing computer comprises:
the master key computer generates a packet key for each data processing computer by adopting a cipher grouping algorithm according to the symmetric key and the packet serial number of each data processing computer, and provides the corresponding packet key for each data processing computer.
19. The method of claim 17, wherein the master key computer encrypting the symmetric key to obtain an encryption key comprises:
the master key computer adopts an asymmetric encryption algorithm to obtain a public key of a receiver, and encrypts the symmetric key to obtain an encryption key.
20. The method of claim 17, wherein the master key computer encrypting the key serial number corresponding to the symmetric key to obtain an encryption key serial number comprises:
the master key computer adopts an asymmetric encryption algorithm to obtain a public key of a receiver, and encrypts the key serial number corresponding to the symmetric key to obtain an encryption key serial number.
21. A distributed data decryption method, comprising:
the master key computer receives the encryption key and the encryption key sequence number; decrypting the encryption key and the encryption key serial number to obtain a symmetric key and a key serial number corresponding to the symmetric key;
each data processing computer receives a combined data packet formed by packaging an encrypted data packet, a packet serial number and an encryption key serial number; extracting an encrypted data packet, a packet serial number and an encryption key serial number from the combined data packet; providing the packet serial number and the encryption key serial number to a master key computer;
the master key computer determines the packet key of each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer;
and each data processing computer decrypts the encrypted data packet by using the packet key to obtain a plaintext data packet.
22. The method of claim 21, wherein the master key computer decrypting the encryption key and the encryption key serial number to obtain the symmetric key and the key serial number corresponding to the symmetric key comprises:
the master key computer decrypts the encryption key and the encryption key serial number encrypted by the local public key by using the local private key to obtain the symmetric key and the key serial number corresponding to the symmetric key.
23. The method of claim 21, wherein the master key computer determining the packet key for each data processing computer according to the packet serial number and the encryption key serial number provided by each data processing computer comprises:
the master key computer determines a symmetric key corresponding to the encryption key serial number according to the encryption key serial number provided by each data processing computer;
and determining the packet key of each data processing computer according to the symmetric key corresponding to the encryption key serial number and the packet serial number provided by each data processing computer.
24. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 17 to 23 when executing the computer program.
25. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any of claims 17 to 23.
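The key flow of method claims 17 and 21 can be followed in the sketch below, which is an added example and not code from the patent or its applicant. It assumes HMAC-SHA256 as a stand-in for the packet-key derivation the claims leave unnamed and a hypothetical length-prefixed layout for the combined data packet. The public-key wrapping and the packet cipher are out of scope, so the encryption key serial number and the ciphertext are carried as constructed opaque bytes.

```python
import hashlib
import hmac
import secrets
import struct


def derive_packet_key(symmetric_key: bytes, packet_serial: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the derivation the claims leave unnamed.
    return hmac.new(symmetric_key, b"packet-key|" + packet_serial, hashlib.sha256).digest()


def pack_combined(encrypted_packet: bytes, packet_serial: bytes, enc_key_serial: bytes) -> bytes:
    # Hypothetical framing: each field carries a 4-byte big-endian length prefix.
    fields = (packet_serial, enc_key_serial, encrypted_packet)
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def unpack_combined(blob: bytes):
    fields, pos = [], 0
    for _ in range(3):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size])
        pos += size
    if pos != len(blob):
        raise ValueError("trailing bytes after combined packet")
    packet_serial, enc_key_serial, encrypted_packet = fields
    return encrypted_packet, packet_serial, enc_key_serial


class MasterKeyComputer:
    def __init__(self):
        self._keys = {}    # encryption key serial number (opaque) -> symmetric key
        self._issued = {}  # encryption key serial number -> packet serials already used

    def register(self, enc_key_serial: bytes, symmetric_key: bytes) -> None:
        self._keys[enc_key_serial] = symmetric_key
        self._issued[enc_key_serial] = set()

    def key_for_encryption(self, enc_key_serial: bytes, packet_serial: bytes) -> bytes:
        # Serials are random per worker, so refuse a repeat rather than reuse a key.
        if packet_serial in self._issued[enc_key_serial]:
            raise ValueError("duplicate packet serial number")
        self._issued[enc_key_serial].add(packet_serial)
        return derive_packet_key(self._keys[enc_key_serial], packet_serial)

    def key_for_decryption(self, enc_key_serial: bytes, packet_serial: bytes) -> bytes:
        if enc_key_serial not in self._keys:
            raise KeyError("unknown encryption key serial number")
        return derive_packet_key(self._keys[enc_key_serial], packet_serial)


def round_trip(n_workers: int = 3) -> bool:
    symmetric_key = secrets.token_bytes(32)
    enc_key_serial = secrets.token_bytes(16)  # constructed stand-in for the wrapped serial
    sender, receiver = MasterKeyComputer(), MasterKeyComputer()
    sender.register(enc_key_serial, symmetric_key)
    receiver.register(enc_key_serial, symmetric_key)  # as if unwrapped with the private key
    for i in range(n_workers):
        serial = secrets.token_bytes(16)
        sent_key = sender.key_for_encryption(enc_key_serial, serial)
        blob = pack_combined(b"constructed-ciphertext-%d" % i, serial, enc_key_serial)
        _, got_serial, got_handle = unpack_combined(blob)
        if receiver.key_for_decryption(got_handle, got_serial) != sent_key:
            return False
    return True
```

In this sketch nothing authenticates the packet serial number, which travels in the clear inside the combined data packet: a modified serial makes the receiving side derive a different packet key.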
CN202110914330.1A 2021-08-10 2021-08-10 Distributed data encryption and decryption system and encryption and decryption method Pending CN113645235A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110914330.1A CN113645235A (en) 2021-08-10 2021-08-10 Distributed data encryption and decryption system and encryption and decryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110914330.1A CN113645235A (en) 2021-08-10 2021-08-10 Distributed data encryption and decryption system and encryption and decryption method

Publications (1)

Publication Number Publication Date
CN113645235A true CN113645235A (en) 2021-11-12

Family

ID=78420533

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110914330.1A Pending CN113645235A (en) 2021-08-10 2021-08-10 Distributed data encryption and decryption system and encryption and decryption method

Country Status (1)

Country Link
CN (1) CN113645235A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584301A (en) * 2022-03-04 2022-06-03 中国银行股份有限公司 Data transmission method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111143870A (en) * 2019-12-30 2020-05-12 兴唐通信科技有限公司 Distributed encryption storage device, system and encryption and decryption method
CN111654511A (en) * 2020-07-13 2020-09-11 中国银行股份有限公司 Chained data encryption method, chained data decryption method and corresponding systems
CN112084525A (en) * 2020-10-23 2020-12-15 北京东方通科技股份有限公司 Distributed key encryption method and device, electronic equipment and storage medium


Similar Documents

Publication Publication Date Title
US10785019B2 (en) Data transmission method and apparatus
CN109800584B (en) Identity or attribute encryption calculation method and system based on Intel SGX mechanism
US11128447B2 (en) Cryptographic operation method, working key creation method, cryptographic service platform, and cryptographic service device
US11870891B2 (en) Certificateless public key encryption using pairings
CN109800588B (en) Dynamic bar code encryption method and device and dynamic bar code decryption method and device
CN110889696A (en) Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology
US20230188325A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
US11528127B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
GB2603495A (en) Generating shared keys
US11563566B2 (en) Key splitting
CN112861164B (en) Encryption method, decryption method, data processing method, terminal and encryption machine
EP3010173B1 (en) Key storage device, key storage method, and program therefor
CN112948867A (en) Method and device for generating and decrypting encrypted message and electronic equipment
CN113645235A (en) Distributed data encryption and decryption system and encryption and decryption method
US20230153445A1 (en) Enhanced security systems and methods using a hybrid security solution
CN116567624A (en) 5G feeder terminal communication safety protection method, device and storage medium
CN115834038A (en) Encryption method and device based on national commercial cryptographic algorithm
CN112149166B (en) Unconventional password protection method and intelligent bank machine
CN112583580B (en) Quantum key processing method and related equipment
CN107483387A (en) A kind of method of controlling security and device
CN116599772B (en) Data processing method and related equipment
US11743039B2 (en) System and method for data encryption using key derivation
CN114124369B (en) Multi-group quantum key cooperation method and system
CN113259093B (en) Hierarchical signature encryption system based on identity-based encryption and construction method
CN117749360A (en) Collaborative key management method, collaborative key management system, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211112