CN116527232A

CN116527232A - Data encryption and decryption methods, devices and storage medium

Info

Publication number: CN116527232A
Application number: CN202210077837.0A
Authority: CN
Inventors: 柳晟; 程超峰
Original assignee: China Mobile Communications Group Co Ltd; Beijing University of Posts and Telecommunications; China Mobile Communications Ltd Research Institute
Current assignee: China Mobile Communications Group Co Ltd; Beijing University of Posts and Telecommunications; China Mobile Communications Ltd Research Institute
Priority date: 2022-01-24
Filing date: 2022-01-24
Publication date: 2023-08-01

Abstract

The invention discloses a data encryption and decryption method, a device and a storage medium, comprising the following steps: the seed secret key is subjected to Hash operation and then encrypted through an SHA algorithm to obtain an operation secret key; carrying out quantum noise encryption on the binary data stream by using the operation key to generate a quantum noise encryption signal; the encrypted signal is loaded onto an optical carrier for transmission. The seed secret key is subjected to Hash operation and then encrypted through an SHA algorithm to obtain an operation secret key; receiving a binary data stream encrypted by quantum noise from an optical carrier; and decrypting the quantum noise encrypted signal by using the operation key to obtain a binary data stream. The invention has strong capability of resisting exhaustive attack and password analysis and high speed of generating key stream.

Description

Data encryption and decryption methods, devices and storage medium

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a data encryption method, a data decryption device, and a storage medium.

Background

Existing stream key expansion schemes are mainly generated by linear feedback shift registers or PRNGs (pseudo random number generators, pseudorandom number generator).

The disadvantage of the prior art is that both schemes have ciphertext information that is broken, resulting in eavesdropping.

Disclosure of Invention

The invention provides a data encryption and decryption method, a data encryption and decryption device and a storage medium, which are used for solving the problem that ciphertext information is cracked and thus eavesdropped in a stream key expansion scheme.

The invention provides the following technical scheme:

a method of data encryption, comprising:

the seed secret key is subjected to Hash operation and then encrypted through an SHA algorithm to obtain an operation secret key;

carrying out quantum noise encryption on the binary data stream by using the operation key to generate a quantum noise encryption signal;

the encrypted signal is loaded onto an optical carrier for transmission.

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

two keys are obtained after encryption by the SHA256 algorithm, one key is used as an operation key, and the other key is used as a vector value in the next stage of encryption.

In implementation, before the Hash operation is performed on the seed secret key, the method further includes:

determining a vector value shared with an encrypted signal receiving end;

and performing exclusive OR operation on the vector value and the seed secret key, and then performing Hash operation.

In an implementation, before performing the exclusive-or operation on the vector value and the seed key, the method further includes:

and performing exclusive or operation with the seed secret key after performing partial shift operation on the vector value by using a shift register.

A data decryption method, comprising:

receiving a binary data stream encrypted by quantum noise from an optical carrier;

and decrypting the quantum noise encrypted signal by using the operation key to obtain a binary data stream.

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

determining a vector value shared with an encrypted signal receiving end;

A data encryption apparatus comprising:

a processor for reading the program in the memory, performing the following process:

loading the encrypted signal onto an optical carrier for transmission;

and a transceiver for receiving and transmitting data under the control of the processor.

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

determining a vector value shared with an encrypted signal receiving end;

A data encryption apparatus comprising:

the key module is used for carrying out Hash operation on the seed key and then encrypting the seed key through an SHA algorithm to obtain an operation key;

the encryption module is used for carrying out quantum noise encryption on the binary data stream by utilizing the operation key to generate a quantum noise encryption signal;

and the transmitting module is used for loading the encrypted signal onto the optical carrier for transmission.

In practice, the key module is further used to employ the SHA256 algorithm.

In implementation, the key module is further configured to obtain two keys after encryption by using the SHA256 algorithm, where one key is used as an operation key, and the other key is used as a vector value in the next stage of encryption.

In the implementation, the key module is further used for determining a vector value shared with the encrypted signal receiving end before the seed key is subjected to Hash operation; and performing exclusive OR operation on the vector value and the seed secret key, and then performing Hash operation.

In an implementation, the key module is further configured to perform an exclusive-or operation with the seed key after performing a partial shift operation on the vector value by using the shift register before performing the exclusive-or operation on the vector value and the seed key.

A data decryption apparatus comprising:

decrypting the quantum noise encrypted signal by using the operation key to obtain a binary data stream;

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

determining a vector value shared with an encrypted signal receiving end;

A data decryption apparatus comprising:

the receiving module is used for receiving the binary data stream encrypted by the quantum noise from the optical carrier;

and the decryption module is used for decrypting the quantum noise encrypted signal by using the operation key to obtain a binary data stream.

In practice, the key module is further used to employ the SHA256 algorithm

A computer readable storage medium storing a computer program which when executed by a processor implements the data encryption and/or data decryption method described above.

The invention has the following beneficial effects:

in the technical scheme provided by the embodiment of the invention, the seed secret key is adopted to carry out Hash operation and then is encrypted by the SHA algorithm to obtain the operation secret key, and then the operation secret key is used to carry out quantum noise encryption on the binary data stream, so that the Hash algorithm has high security and strong capability of resisting exhaustive attack and password analysis.

Because the output feedback mode is adopted, namely the output of the cryptographic algorithm is fed back to the input of the cryptographic algorithm, the error of a certain bit in the transmission process does not affect other bits, the fault tolerance rate is higher, the block cipher can be changed into a synchronous stream cipher, the key expansion scheme does not need to be filled, and the key stream generation speed is very high.

Because the SHA algorithm is adopted, the generated abstract information is irreversible, and the probability of the abstract information of different character strings is very low, the encryption algorithm used as the key expansion is particularly suitable.

Furthermore, the seed Key is further protected by combining the seed Key Key and the shifted vector value IV, and meanwhile, the seed Key is used as the unique input of the SHA function, so that the safety is improved.

Furthermore, the security is further improved due to the fact that the shift register is introduced to protect vector values, and the hidden danger that an attacker spoofs the receiver to use different IV is eliminated.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:

FIG. 1 is a schematic diagram of an LFSR key expansion scheme in an embodiment of the present invention;

FIG. 2 is a schematic diagram of PRNG spreading in an embodiment of the present invention;

FIG. 3 is a schematic diagram of a data encryption method according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of a data decryption method according to an embodiment of the present invention;

fig. 5 is a schematic diagram of a key expansion implementation based on a Hash algorithm in an embodiment of the present invention;

FIG. 6 is a schematic diagram of a process for encrypting and decrypting a quantum noise stream in an embodiment of the invention;

FIG. 7 is a schematic diagram of a data encryption device according to an embodiment of the present invention;

fig. 8 is a schematic diagram of a data decryption device according to an embodiment of the present invention.

Detailed Description

The inventors noted during the course of the invention that:

1. LFSR (linear feedback shift register ) expansion.

FIG. 1 is a schematic diagram of an LFSR key expansion scheme, as shown, using a Geffe generator to generate keys, which are made up of three LFSRs. Each LFSR has a different generator polynomial and initial state, and generates a keystream via a nonlinear boolean synthesizer.

2. PRNG spreading.

FIG. 2 is a schematic diagram of PRNG expansion, as shown, in which the PRNG expansion is a pseudo-random number generator expansion scheme, the key K enters a pseudo-random number generator, and a corresponding algorithm is provided in the pseudo-random number generator to generate a pseudo-random number and output a keystream.

Based on the mathematical properties of LFSR stream ciphers, QNSC (quantum noise stream cipher ) may be attacked, such as a fast correlation attack. The eavesdropper uses heterodyne measurement and quick correlation attack to obtain a seed Key Key (LFSR initial state), so that ciphertext information is cracked, and the purpose of successful eavesdropping is achieved.

The PRNG extension scheme mainly uses a deterministic algorithm, such as RC4, RC4 being a stream cipher designed by Ron Rivest for RSA corporation in 1987, which is a variable length key, byte-oriented stream cipher. The existence of a vulnerability of RC4 is disclosed, wherein the vulnerability is that a weak key exists when the connection is enough, so that the ciphertext is easy to be deciphered.

Aiming at the problems, the embodiment of the invention aims at providing a key expansion scheme for a quantum noise stream encryption system, and the key expansion scheme is characterized in that the high security of a Hash algorithm (Hash) is achieved, the conventional computer cannot finish violent cracking, the Hash key expansion scheme for the quantum noise stream encryption is reasonably designed, and the security of the quantum noise stream encryption system is further improved.

The following describes specific embodiments of the present invention with reference to the drawings.

In the description, description will be made from the implementation of the encryption side and the decryption side, respectively, and then an example of the implementation of the two in cooperation will be also given to better understand the implementation of the scheme given in the embodiment of the present invention. The above description does not mean that the two are implemented in a matched manner or separately, in fact, when encryption and decryption are implemented separately, the two are implemented separately, and when the two are combined, a better technical effect is obtained.

FIG. 3 is a schematic flow chart of an implementation of the data encryption method, and as shown in the figure, may include:

step 301, performing Hash operation on the seed secret key, and encrypting the seed secret key through an SHA algorithm to obtain an operation secret key;

step 302, performing quantum noise encryption on a binary data stream by using an operation key to generate a quantum noise encryption signal;

step 303, loading the encrypted signal onto an optical carrier for transmission.

FIG. 4 is a schematic flow chart of an implementation of the data decryption method, which may include:

step 401, carrying out Hash operation on the seed secret key, and encrypting the seed secret key through an SHA algorithm to obtain an operation secret key;

step 402, receiving binary data stream encrypted by quantum noise from an optical carrier;

step 403, decrypting the quantum noise encrypted signal by using the operation key to obtain a binary data stream.

Specifically, aiming at the security problem existing in the key expansion, the technical scheme provided by the embodiment of the invention is a key expansion scheme based on Hash expansion, and the key expansion scheme with higher security is reasonably designed by referring to the working mode of block cipher output feedback, so that the anti-interception capability of information is enhanced, and the protection of illegal eavesdroppers is realized.

The Hash algorithm refers to mapping binary values of arbitrary length to shorter fixed length binary values, which are called Hash values. Hash values are a unique and extremely compact representation of a piece of data. If a piece of plaintext is hashed and even only one letter of the piece is changed, the subsequent hash value will yield an unused value. It is not theoretically possible to find the hash as the same worth of two different inputs. The Hash algorithm is used for encrypting the seed key with extremely high security.

The output feedback mode refers to feeding back the output of the cryptographic algorithm into its input. One of its features is that an error in a bit during transmission does not affect other bits. The block cipher may also be changed to a synchronous stream cipher, which generates a key stream faster.

Fig. 5 is a schematic diagram of a key expansion implementation based on the Hash algorithm, and as shown in the figure, each stage may be as follows:

stage 1: an initial vector IV is introduced.

determining a vector value shared with an encrypted signal receiving end;

For convenience of description and distinction, in the example, the vector value shared by the transmitting end and the receiving end is referred to as: initial vector IV.

Specifically, the initial vector IV is introduced mainly by performing an exclusive-or operation with the seed Key, while protecting the seed Key of the first round. The IV must be shared by both transceivers, and for added security, the IV may be protected as a seed key, so a simpler shift register may also be introduced to perform a partial shift operation on the IV, see in particular the following description. One reason for protecting the initial vector IV is: an attacker may fool the recipient into letting it use a different IV and then invert some bits of the IV.

Stage 2: the key and the shifted IV are exclusive-ored.

Specifically, the seed key and the shifted initial vector are subjected to exclusive OR operation to obtain an input A of a Hash algorithm _i 。

For example: the 8bit seed key11000101 is exclusive-or with the 8bit shifted initial vector 10100001 to obtain the output A ₁ 01100100. This is also a measure of phase change protection of the seed Key so that the seed Key cannot be directly exposed after the Hash algorithm reverse operation.

Stage 3: ai is encrypted by the SHA algorithm.

In practice, the SHA algorithm is a SHA256 algorithm.

Specifically, SHA (secure hash algorithm ) is a series of cryptographic hash functions issued by the National Institute of Standards and Technology (NIST) of the National Security Agency (NSA) design. There are five algorithms for the SHA family, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512, respectively. The secure hash algorithm can generate summary information with a certain length according to the character strings, the summary information is irreversible, and the probability that the summary information of different character strings is the same is extremely low, so that the encryption algorithm serving as key expansion is particularly suitable. For messages less than 2-64 bits in length, SHA1 generates a 160-bit message digest. Information cannot be recovered from the message digest; two different messages will not produce the same message digest, (but the same message digest will occur with a probability of 1/(1 x10 x 48), which is typically ignored in use). For SHA384 and SHA512, they are safer, but more performance consuming and not yet used on a large scale. Thus, SHA256 may be employed in practice as an encryption function.

K ₁ ＝SHA(A ₁ )

In a specific implementation, the method further comprises:

Specifically, A ₁ After passing through the SHA encryption function, 2 keys are generated, and the two keys are consistent. Here set to K ₁ And Z ₁ ，K ₁ Z as a key for encrypting plaintext ₁ As input to the next stage key expansion, the function is similar to the initial vector IV.

Stage 4: and generating a key in a circulating way.

Specifically, each stage generates a subkey K _i And Z _i ，K _i As encrypted plaintext, Z _i Used as input for the next stage.

The following stages are illustrated by circles in the figure.

The following is an example.

Fig. 6 is a schematic diagram of a quantum noise stream encryption and decryption flow, as shown in the figure, in which the quantum noise stream encryption is shown in the figure, and the two communication parties generate an operation key by using a shared seed key through a key expansion scheme based on a Hash algorithm. Alice performs quantum noise encryption on the binary data stream using the running key to generate a quantum noise encrypted signal. The signal is loaded onto an optical carrier via an electro-optical modulator.

The receiving end extracts the signal from the optical carrier through photoelectric conversion. Bob decrypts the extracted signal using the running key to recover the original binary data stream.

Fig. 6 shows a specific implementation of a seed key scheme based on a Hash function and a running key refresh. Let ks=10110, and kr= 0011010001110101101 … …, which is an operation key extended by a pseudo-random number generator. The sender encrypts the binary information P with the running key KR, in this example, the Y00 encryption protocol is adopted, assuming that the binary information p=1, ten bits are intercepted from the running key, 0011010100, the highest bit is xored with P, then the lowest bit is replaced, the encrypted information c= 0011010101 is obtained, and after 1024×284 qam (quadrature amplitude modulation ) modulation, the encrypted information c= 0011010101 is put into an optical fiber channel for transmission.

After receiving the QAM signal and judging the binary C, the receiving end uses the secret key to exclusive or again to obtain the original binary information. The C received by the illegal receiving end is affected by noise, and the illegal party does not know the key, and cannot recover the information. Each binary message requires a different ten-bit running key to be intercepted for encryption.

When the running key is exhausted, the legal parties generate a new seed key ksnew=11011 by using the same hash function H and the running key KR. Where ksnew=h (kR). KSNew is used for replacing KS, then key expansion and encryption transmission are repeated, and the process is continuously circulated until communication is finished, so that refreshing of a seed key is realized, and the safety of communication is ensured.

The key expansion module can be effectively applied to a quantum noise stream encryption system or other key expansion parts of an encryption communication system. The safety of the system is improved, and therefore reliable guarantee is provided for the communication system.

Based on the same inventive concept, the embodiments of the present invention further provide a data encryption device, a data decryption device, and a computer readable storage medium, and because the principles of solving the problems of these devices are similar to those of the data encryption method and the data decryption method, the implementation of these devices may refer to the implementation of the method, and the repetition is omitted.

In implementing the technical scheme provided by the embodiment of the invention, the method can be implemented as follows.

Fig. 7 is a schematic structural diagram of a data encryption device, as shown in the figure, the device includes:

the processor 700 is configured to read the program in the memory 720, and execute the following procedures:

loading the encrypted signal onto an optical carrier for transmission;

a transceiver 710 for receiving and transmitting data under the control of the processor 700.

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

determining a vector value shared with an encrypted signal receiving end;

Wherein in fig. 7, a bus architecture may comprise any number of interconnected buses and bridges, and in particular one or more processors represented by processor 700 and various circuits of memory represented by memory 720, linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 710 may be a number of elements, i.e. comprising a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 700 is responsible for managing the bus architecture and general processing, and the memory 720 may store data used by the processor 700 in performing operations.

The embodiment of the invention also provides a data encryption device, which comprises:

In practice, the key module is further used to employ the SHA256 algorithm.

For convenience of description, the parts of the above apparatus are described as being functionally divided into various modules or units, respectively. Of course, the functions of each module or unit may be implemented in the same piece or pieces of software or hardware when implementing the present invention.

Fig. 8 is a schematic structural diagram of a data decryption device, as shown in the figure, the device includes:

processor 800, for reading the program in memory 820, performs the following processes:

a transceiver 810 for receiving and transmitting data under the control of the processor 800.

In practice, the SHA algorithm is a SHA256 algorithm.

In practice, further comprising:

determining a vector value shared with an encrypted signal receiving end;

Wherein in fig. 8, a bus architecture may comprise any number of interconnected buses and bridges, and in particular, one or more processors represented by processor 800 and various circuits of memory represented by memory 820, linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. Transceiver 810 may be a plurality of elements, i.e., including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 800 is responsible for managing the bus architecture and general processing, and the memory 820 may store data used by the processor 800 in performing operations.

The embodiment of the invention also provides a data decryption device, which comprises:

In practice, the key module is further used to employ the SHA256 algorithm

The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the data encryption and/or data decryption method when being executed by a processor.

Reference may be made in particular to the implementation of a data encryption and/or data decryption method.

In summary, in the technical scheme provided by the embodiment of the invention, the key expansion scheme for quantum noise stream encryption is reasonably designed by referring to the working mode of packet encryption and the security that the Hash algorithm is difficult to crack.

Furthermore, the initial vector is protected through the shift register, so that the safety is improved.

Further, the joint seed Key and the shifted initial vector IV further protect the seed Key as a unique input to the SHA function.

The Hash algorithm has high security and strong capability of resisting exhaustive attack and password analysis.

The key expansion scheme does not require padding, and generates a key with a fast flow rate similar to a stream cipher.

Errors occurring in a certain bit in the transmission process can not affect other bits, and the fault tolerance rate is high.

It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims

1. A data encryption method, comprising:

carrying out Hash operation on the seed secret key, and encrypting by a secure Hash algorithm SHA algorithm to obtain an operation secret key;

the encrypted signal is loaded onto an optical carrier for transmission.

2. The method of claim 1, wherein the SHA algorithm is a SHA256 algorithm.

3. The method as recited in claim 2, further comprising:

4. A method as claimed in any one of claims 1 to 3, wherein prior to performing the Hash operation on the seed key, further comprising:

determining a vector value shared with an encrypted signal receiving end;

5. The method of claim 4, further comprising, prior to xoring the vector value with the seed key:

6. A data decryption method, comprising:

7. The method of claim 6, wherein the SHA algorithm is a SHA256 algorithm.

8. The method as recited in claim 7, further comprising:

9. The method according to any one of claims 6 to 8, further comprising, before performing the Hash operation on the seed key:

determining a vector value shared with an encrypted signal receiving end;

10. The method of claim 9, further comprising, prior to xoring the vector value with the seed key:

11. A data encryption apparatus, comprising:

loading the encrypted signal onto an optical carrier for transmission;

12. A data encryption apparatus, comprising:

13. A data decryption apparatus, comprising:

14. A data decryption apparatus, comprising:

15. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 10.