CN117914624A - Data encryption method, system, electronic equipment and medium - Google Patents
Data encryption method, system, electronic equipment and medium Download PDFInfo
- Publication number
- CN117914624A CN117914624A CN202410242733.XA CN202410242733A CN117914624A CN 117914624 A CN117914624 A CN 117914624A CN 202410242733 A CN202410242733 A CN 202410242733A CN 117914624 A CN117914624 A CN 117914624A
- Authority
- CN
- China
- Prior art keywords
- data
- encryption
- parallel
- ciphertext
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 37
- 238000004590 computer program Methods 0.000 claims description 11
- 238000004891 communication Methods 0.000 claims description 8
- 230000006870 function Effects 0.000 claims description 5
- 238000004364 calculation method Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 206010063385 Intellectualisation Diseases 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000013496 data integrity verification Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the technical field of data encryption, and aims to provide a data encryption method, a data encryption system, electronic equipment and a medium. The method comprises the following steps: receiving data to be encrypted, and grouping the data to be encrypted according to a preset valid bit number to obtain a plurality of grouping data; then, a parallel encryption module consisting of a plurality of encryption engines is adopted to encrypt a plurality of group data in parallel so as to obtain a plurality of groups of ciphertext data corresponding to the group data; inputting a plurality of groups of ciphertext data into a parallel GHASH module, so that the parallel GHASH module carries out hash operation on the plurality of groups of ciphertext data based on a parallel GCM GHASH algorithm to obtain an integrity check value of the plurality of groups of ciphertext data; and combining a plurality of groups of ciphertext data with the integrity check value to obtain an encryption result of the data to be encrypted. The invention can meet the high bandwidth requirement and has faster data encryption speed.
Description
Technical Field
The invention belongs to the technical field of data encryption, and particularly relates to a data encryption method, a data encryption system, electronic equipment and a medium.
Background
Ethernet technology has now been widely used in most Wide Area Networks (WANs) responsible for providing global telecommunications, wireless and internet services, and its low cost and high performance has also made it a popular medium in many emerging applications. Ethernet, while an invention has been invented for over 40 years to date, still has a significant impact on almost every aspect of networks and communication systems. With the intellectualization of more and more machines, the application scenario of the ethernet or the "industrial ethernet" for the internet of things is rapidly expanded.
However, in public network applications, there are many security holes, which are prone to information leakage, information destruction, illegal information propagation, and network resource misuse, so that it is necessary to take powerful security measures for a secure network environment.
As early as 2004, GCM algorithm (GCM is a complete splice of galois/counter mode, GCM algorithm means that the symmetric encryption adopts counter mode and has GMAC message authentication code) has been proposed as an operation mode of AES (Advanced Encryption Standard ) encryption and decryption, which is also formally called NIST (National Institute of STANDARDS AND technology ) encryption authentication standard in 2005. In the ieee802.1ae standard published in 2006, the GCM algorithm is the default cryptographic authentication algorithm for this protocol. The GCM algorithm can be applied to both the ieee802.1ae standard and the internet security protocol suite (Internet Protocol Security, IPSec). In addition, if the GCM algorithm is used for authentication, and encryption operation is not performed, the GCM algorithm can be used as an authentication mode, namely GMAC authentication.
However, in using the prior art, the inventors found that there are at least the following problems in the prior art:
The GCM algorithm performs block encryption on the message data according to different Count values (the number of digital cells in a designated area) to obtain encrypted data, and then performs exclusive-or operation on the encrypted data and a plaintext to generate ciphertext. The underlying block encryption algorithm of the GCM algorithm is a symmetric encryption algorithm, the data bit width is 128 bits, and the implementation of GHASH (hash function-based encryption algorithm) is also based on 128 bits, so that the highest processing bandwidth of data is only 128 bits/second in the case of standard implementation is necessarily determined.
In addition, encryption implementation modes including multiple parallel encryption cores and multiplication modules are adopted, the encryption implementation is realized through the multiple parallel encryption cores and the multiplication modules communicated with the multiple parallel encryption cores, bandwidth is increased by adopting the multiple parallel encryption cores, namely in the implementation process, message data are grouped according to 128 bits, each group of data are respectively and independently encrypted through the multiple encryption cores in parallel to generate multiple 128-bit ciphertext data, then the multiplication modules sequentially perform exclusive-or operation on multiple groups of ciphertext data and plaintext of a corresponding message to obtain an exclusive-or result, and finally hash values of the exclusive-or result are calculated, so that an encryption result including the ciphertext data and the hash values is obtained. However, the implementation of the prior art does not cover the full bandwidth scenario of the input data, and ciphertext data obtained by a plurality of parallel encryption cores is sequentially transmitted to a multiplication module of the GHASH, and the multiplication module can only calculate one 128-bit ciphertext data in one period, so that the prior art is limited in data encryption bandwidth by the multiplication module operated by 128 bits, and cannot meet the full bandwidth input requirement of the data in the high bandwidth scenario.
Therefore, it is necessary to research a data encryption method, system, electronic device and medium capable of meeting the high bandwidth requirement and having a high encryption speed.
Disclosure of Invention
The invention aims to solve the technical problems at least to a certain extent, and provides a data encryption method, a system, electronic equipment and a medium.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
in a first aspect, the present invention provides a data encryption method, including:
Receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number;
Inputting the plurality of group data into a parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel;
inputting a plurality of groups of ciphertext data into a parallel GHASH module, so that the parallel GHASH module carries out hash operation on the plurality of groups of ciphertext data based on a parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted;
And combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
The invention can meet the high bandwidth requirement and has faster data encryption speed. Specifically, in the implementation process, after receiving data to be encrypted, the method groups the data to be encrypted according to a preset effective digit to obtain a plurality of group data; then, a parallel encryption module consisting of a plurality of encryption engines is adopted to encrypt a plurality of group data in parallel so as to obtain a plurality of groups of ciphertext data corresponding to the group data; then, inputting a plurality of groups of ciphertext data into a parallel GHASH module, so that the parallel GHASH module carries out hash operation on the plurality of groups of ciphertext data based on a parallel GCM GHASH algorithm to obtain an integrity check value of the plurality of groups of ciphertext data; and finally, combining a plurality of groups of ciphertext data with the integrity check value to obtain an encryption result of the data to be encrypted. The invention can achieve parallel encryption processing in the data encryption process and ensure high bandwidth requirement by increasing the parallelism of the encryption engine and modifying the algorithm combination relation at the same time and carrying out hash operation on a plurality of groups of ciphertext data in parallel based on the parallel GCM GHASH algorithm through the parallel GHASH module.
In one possible design, the data to be encrypted includes plaintext and a plaintext key; correspondingly, after the parallel encryption module encrypts the plurality of group data in parallel, the obtained plurality of groups of ciphertext data comprise ciphertext and ciphertext keys.
In one possible design, the fields in the encryption result include a destination address, a source address, an optional field, security data, and an integrity check value; wherein the optional fields include an ethertype of MACsec frame, TAG control information, association number, information of short frame, packet number, and an integrity check value.
In one possible design, the GCM algorithm is used when any encryption engine encrypts the corresponding packet data.
In one possible design, the significant number of bits is 128 bits; the integrity check value of the data to be encrypted comprises a plurality of hash values obtained by carrying out hash operation on a plurality of groups of ciphertext data in parallel; the hash value corresponding to the ith group of ciphertext data is as follows:
Wherein, A i is { destination address, source address, optional field } in the ith group of ciphertext data; h is the encryption result of the cipher text key pair 128-bit all 0 data in the ith group of cipher text data; m is the group number of the data head in the data to be encrypted, which is grouped according to the effective bit number; n is the group number of ciphertext data; 0 128-U represents the number of bits U of a group of ciphertext data, if the number of bits U does not reach the number of valid bits, 128-U0 s are needed to be supplemented to reach the number of valid bits; len () represents a length operation function; c i is ciphertext in the ith group of ciphertext data; one is exclusive or symbol; and I is a spliced symbol.
In a second aspect, the present invention provides a data encryption system for implementing a data encryption method according to any one of the preceding claims; the data encryption system includes:
The data receiving module is used for receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number;
The data encryption module is in communication connection with the data receiving module and is used for inputting a plurality of group data into the parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel; the data encryption module is further used for inputting a plurality of groups of ciphertext data into the parallel GHASH module, so that the parallel GHASH module performs hash operation on the plurality of groups of ciphertext data in parallel based on a parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted;
And the data output module is in communication connection with the data encryption module and is used for combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
In a third aspect, the present invention provides an electronic device, comprising:
a memory for storing computer program instructions; and
A processor for executing the computer program instructions to perform the operations of the data encryption method according to any one of the preceding claims.
In a fourth aspect, the present invention provides a computer readable storage medium storing computer program instructions readable by a computer, the computer program instructions being configured to perform operations of a data encryption method according to any one of the preceding claims when run.
Drawings
Fig. 1 is a flowchart of a data encryption method in embodiment 1;
FIG. 2 is a schematic diagram of the structure of fields in the encryption result;
Fig. 3 is a schematic structural diagram of a parallel encryption module and a parallel GHASH module;
fig. 4 is a block diagram of a data encryption system in embodiment 2.
Detailed Description
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the present invention will be briefly described below with reference to the accompanying drawings and the description of the embodiments or the prior art, and it is obvious that the following description of the structure of the drawings is only some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art. It should be noted that the description of these examples is for aiding in understanding the present invention, but is not intended to limit the present invention.
Example 1:
The present embodiment discloses a data encryption method, which may be performed by, but not limited to, a computer device or a virtual machine with a certain computing resource, for example, an electronic device such as a personal computer, a smart phone, a personal digital assistant, or a wearable device, or a virtual machine.
As shown in fig. 1, a data encryption method may include, but is not limited to, the following steps:
S1, receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number; specifically, in this embodiment, the number of valid bits is 128 bits. When the data to be encrypted is grouped, if the data bit of the last group data is not more than the significant bit, the data bit is supplemented with 0.
Specifically, in this embodiment, the data to be encrypted includes plaintext and a plaintext key; correspondingly, after the parallel encryption module encrypts the plurality of group data in parallel, the obtained plurality of groups of ciphertext data comprise ciphertext and ciphertext keys.
S2, inputting the plurality of group data into a parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel; it should be noted that, the encryption engine in the parallel encryption module is an encryption core, and the plurality of encryption engines can encrypt a plurality of packet data simultaneously, and can obtain a plurality of groups of ciphertext data corresponding to the plurality of packet data simultaneously.
Specifically, in this embodiment, when any encryption engine encrypts the corresponding packet data, the GCM algorithm is adopted. In addition, the encryption engine supported by the present embodiment may employ algorithms including algorithms supporting AES-128/AES-192/AES-256 and algorithms supporting SM4 cryptographic algorithms, which are not limited herein.
S3, inputting multiple groups of ciphertext data into a Parallel GHASH module (also called as a Parallel-GCM GHASH module) so that the Parallel GHASH module carries out hash operation on the multiple groups of ciphertext data based on a Parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted; it should be noted that, the parallel GHASH module performs parallel computation through the GHASH algorithm, and may obtain encryption results corresponding to multiple groups of ciphertext data at the same time. The GHASH algorithm is a data integrity verification algorithm, is widely applied to the fields of data communication and data storage, and is used for verifying whether data is tampered in the transmission or storage process by performing exclusive-or operation on input ciphertext data and ciphertext keys and combining multiplication operation and exclusive-or operation.
In this embodiment, the number of valid bits is 128 bits. The integrity check value of the data to be encrypted comprises a plurality of hash values obtained by carrying out hash operation on a plurality of groups of ciphertext data in parallel; the hash value corresponding to the ith group of ciphertext data is as follows:
Wherein, A i is { destination address DA, source address SA, optional field SecTag } in the ith group of ciphertext data; h is the encryption result of the cipher text key pair 128-bit all 0 data in the ith group of cipher text data; m is the group number of the data head in the data to be encrypted, which is generally 2 groups, according to the effective bit number; n is the group number of ciphertext data; 0 128-U represents the number of bits U of a group of ciphertext data, if the number of bits U does not reach the number of valid bits, 128-U0 s are needed to be supplemented to reach the number of valid bits; len () represents a length operation function in bits, len (a) and Len (C) represent header portion bit numbers, 64 bits represent, equivalently, the upper 64 bits=len (a), the lower 64 bits=len (C), and 128 bits in total agree with X m+n bits wide; c i is ciphertext in the ith group of ciphertext data; one is exclusive or symbol; and I is a spliced symbol.
For convenience of representation, in this embodiment, 60-Octet Frame in AnnexC C.6 section of IEEE802.1ae standard is taken as an example, the input Bus bit width is 512 bits, the preset valid bit number is 128 bits, and the parallelism of the parallel encryption module and the parallel GHASH module is 4. Firstly, when the parallel GHASH module carries out hash operation on a plurality of groups of ciphertext data in parallel based on a parallel GCM GHASH algorithm, hash values corresponding to the ith group of ciphertext data are as follows:
next, the above expression is converted into a single-row expression:
GHASH(H,A,C)=X6=A1*H6⊕A2*H5⊕C3*H4⊕C4*H3⊕C5*H2⊕(len(A)||len(C)*H;
Wherein a 1 is 128 bits: DA (6B) +SA (6B) + EType (2B) +TCI/AN (1B) +SL (1B);
A 2 is 128 bits: sc=1, pn (4B) +sci (8B) +0 (4B);
sc=0, pn (4B) +0 (12B);
C 3~C5 is 128 bits: the 16-byte grouping of ciphertext data does not meet the requirement of 0 filling when 16 bytes are aligned;
(len (A) len (C) is 128 bits, 8 bytes high, A 1 and A 2 total bytes low, 8 bytes low, C 3~C5 total bytes;
the calculation result of the first clock cycle is: a 1*H4⊕A2*H3⊕C3*H2⊕C4*H1;
The result of the second clock cycle is :((A1*H4⊕A2*H3⊕C3*H2⊕C4*H1)⊕C5)*H2⊕(len(A)||len(C)*H.
S4, combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
In this embodiment, the encryption result is obtained by constructing an IEEE802.1AE standard (the IEEE802.1AE standard defines a data encryption and authentication mechanism, which can implement secure transmission of data). Specifically, as shown in fig. 2, the fields in the encryption result include a destination address DA, a source address SA, optional fields SecTag, secure Data and an integrity check value ICV, which have the same meaning as the common Mac frame; wherein the optional field SecTag includes AN ethertype MACSEC ETHERTYPE of MACsec frame, TAG control information TCI, association number AN, information SL of short frame, packet number PN, and integrity check value SCI.
Note that, the destination address is DA (Destination Address); the source address is SA (Source Address), which has the same meaning as the common Mac frame; the optional field is abbreviated as ecTag, and the length of the optional field can be selected to be 8 bytes and 16 bytes; the Secure Data is abbreviated as Secure Data; the integrity check Value is abbreviated as ICV (INTEGRITY CHECK Value); wherein, in optional field SecTag, the ethertype of MACsec frame can be abbreviated MACSEC ETHERTYPE, which is a fixed value of 0x88e5 with length of 2 bytes, indicating that the frame is a MacSec frame; TAG control information may be abbreviated as TCI, which is 1 byte in length, for containing some flags such as version number (V), end Station (ES), presence or absence of SCI (SC), single Copy Broadcast (SCB), encrypted payload (E), modification text (C) and Association Number (AN); the association number may be abbreviated as AN; the short frame information may be abbreviated as SL, of length 1 byte, bit7-6 being 0 and Bit5-0 being a valid Bit, if SL has a value less than 48, indicating a byte between the last byte of optional field SecTag and the first byte of ICV, otherwise, SL is set to 0. The number of packets PN (Packet Num) is 4 bytes in length and is mainly used to prevent replay attacks, in each MacSec frame of data to be encrypted, PN is unique, usually incremental, and PN is also part of the Initial Value (IV) of the cipher suite; the secure channel identifier SCI (Security Context Identifier) is 8 bytes in length and can be used to identify to which security association the traffic belongs; an integrity check Value ICV (INTEGRITY CHECK Value) may be appended to each MacSec frame and ensure the integrity of the data to be encrypted, the length of the integrity check Value ICV being between 8-16 bytes depending on the cipher suite.
Specifically, in this embodiment, the combination of the secure channel identifier SCI and PN is used to generate the 96-bit initial value IV, and the integrity check value ICV is 16 bytes.
As an example, when the preset valid bit number is 128 bits and the received data to be encrypted is 512 bits, in the implementation process of the embodiment, the data to be encrypted is first divided into 4 groups, that is, 4 groups of group data; it should be understood that in this embodiment, the data to be encrypted may be, but is not limited to, 512 bits.
Then, 4 grouping data are encrypted in parallel by adopting a parallel encryption module formed by 4 encryption engines, so that 4 groups of ciphertext data corresponding to the 4 grouping data are obtained.
Then, the parallel GHASH module performs hash operation on multiple groups of ciphertext data based on the parallel GCM GHASH algorithm, in this process, taking 60-Octet Frame in AnnexC c.6 in the ieee802.1ae standard as an example, when performing hash operation on the first packet data, if the mask bit of the packet data is 4' b0000, the obtained calculation result of the first period is: when Hash 0=a 1*H4⊕A2*H3⊕C3*H2⊕C4*H1 performs Hash operation on the second packet data, if the mask bit of the packet data is 4' b1100, the calculation result of the second period is: hash1=128' H0H 4⊕128'h0*H3⊕(Hash0⊕C5)*H2, wherein, when carrying out Hash operation on each group data, namely carrying out Hash operation on each period, the corresponding group data is firstly carried out with an Xor output register, wherein, the main function of the Xor output register is that 4 groups of multiplication results are subjected to exclusive OR, and if a mask bit is 1, 128 bits of 0 are replaced for one multiplication result, because the value of the default Xor output register is 0, the user can know which group data is subjected to exclusive OR operation with the Xor output register according to the mask bit, and again, taking 60-Octet Frame in AnnexC C.6 section in IEEE802.1ae standard as an example, the calculation result of the first period indicates that 512 bits of data to be encrypted are all 42effectively used, the default value 0 of the Xor output register is compared with A32, the exclusive OR result is H 4, the calculation result of the second period indicates that the low-bit Xor data to be encrypted with the Xor is effectively used, and the Hash result of the second period indicates that the value of the Xor to be encrypted is completely encrypted is 5.
And finally, combining 4 groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
In this embodiment, a schematic structural diagram of the parallel encryption module and the parallel GHASH module is shown in fig. 3.
The embodiment can meet the requirement of high bandwidth, and the data encryption speed is faster. Specifically, in the implementation process of the embodiment, after receiving data to be encrypted, grouping the data to be encrypted according to a preset valid bit number to obtain a plurality of grouping data; then, a parallel encryption module consisting of a plurality of encryption engines is adopted to encrypt a plurality of group data in parallel so as to obtain a plurality of groups of ciphertext data corresponding to the group data; then, inputting a plurality of groups of ciphertext data into a parallel GHASH module, so that the parallel GHASH module carries out hash operation on the plurality of groups of ciphertext data based on a parallel GCM GHASH algorithm to obtain an integrity check value of the plurality of groups of ciphertext data; and finally, combining a plurality of groups of ciphertext data with the integrity check value to obtain an encryption result of the data to be encrypted. According to the embodiment, the parallelism of the encryption engine is increased, the algorithm combination relation is modified, and the parallel GHASH module is used for carrying out hash operation on multiple groups of ciphertext data in parallel based on the parallel GCM GHASH algorithm, so that parallel encryption processing in the data encryption process can be achieved, and high bandwidth requirements are guaranteed.
Example 2:
The embodiment discloses a data encryption system for realizing the data encryption method in the embodiment 1; as shown in fig. 4, the data encryption system includes:
The data receiving module is used for receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number;
The data encryption module is in communication connection with the data receiving module and is used for inputting a plurality of group data into the parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel; the data encryption module is further used for inputting a plurality of groups of ciphertext data into the parallel GHASH module, so that the parallel GHASH module performs hash operation on the plurality of groups of ciphertext data in parallel based on a parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted;
And the data output module is in communication connection with the data encryption module and is used for combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
It should be noted that, the working process, working details and technical effects of the data encryption system provided in embodiment 2 can be referred to embodiment 1, and are not described herein.
Example 3:
On the basis of embodiment 1 or 2, this embodiment discloses an electronic device, which may be a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like. Electronic devices may be referred to as user terminals, portable terminals, desktop terminals, etc., the electronic devices including:
a memory for storing computer program instructions; and
A processor configured to execute the computer program instructions to perform the operations of the data encryption method according to any one of embodiment 1.
Example 4:
On the basis of any one of embodiments 1 to 3, this embodiment discloses a computer-readable storage medium for storing computer-readable computer program instructions configured to perform the operations of the data encryption method described in embodiment 1 when run.
It will be apparent to those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, or they may alternatively be implemented in program code executable by computing devices, such that they may be stored in a memory device for execution by the computing devices, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solution of the present invention, and not limiting thereof; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some of the technical features thereof can be replaced by equivalents. Such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
1. A data encryption method, characterized in that: comprising the following steps:
Receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number;
Inputting the plurality of group data into a parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel;
inputting a plurality of groups of ciphertext data into a parallel GHASH module, so that the parallel GHASH module carries out hash operation on the plurality of groups of ciphertext data based on a parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted;
And combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
2. A data encryption method according to claim 1, characterized in that: the data to be encrypted comprises a plaintext and a plaintext key; correspondingly, after the parallel encryption module encrypts the plurality of group data in parallel, the obtained plurality of groups of ciphertext data comprise ciphertext and ciphertext keys.
3. A data encryption method according to claim 1, characterized in that: the fields in the encryption result comprise a destination address, a source address, an optional field, security data and an integrity check value; wherein the optional fields include an ethertype of MACsec frame, TAG control information, association number, information of short frame, packet number, and an integrity check value.
4. A data encryption method according to claim 1, characterized in that: when any encryption engine encrypts the corresponding packet data, the encryption engine is realized by adopting a GCM algorithm.
5. A data encryption method according to claim 1, characterized in that: the number of the valid bits is 128 bits; the integrity check value of the data to be encrypted comprises a plurality of hash values obtained by carrying out hash operation on a plurality of groups of ciphertext data in parallel; the hash value corresponding to the ith group of ciphertext data is as follows:
Wherein, A i is { destination address, source address, optional field } in the ith group of ciphertext data; h is the encryption result of the cipher text key pair 128-bit all 0 data in the ith group of cipher text data; m is the group number of the data head in the data to be encrypted, which is grouped according to the effective bit number; n is the group number of ciphertext data; 0 128-U represents the number of bits U of a group of ciphertext data, if the number of bits U does not reach the number of valid bits, 128-U0 s are needed to be supplemented to reach the number of valid bits; len () represents a length operation function; c i is ciphertext in the ith group of ciphertext data; one is exclusive or symbol; and I is a spliced symbol.
6. A data encryption system, characterized by: for implementing the data encryption method according to any one of claims 1 to 7; the data encryption system includes:
The data receiving module is used for receiving data to be encrypted, and grouping the data to be encrypted according to a preset effective bit number to obtain a plurality of grouping data; wherein the data bit number of each packet data is the same as the effective bit number;
The data encryption module is in communication connection with the data receiving module and is used for inputting a plurality of group data into the parallel encryption module so that the parallel encryption module encrypts the plurality of group data in parallel to obtain a plurality of groups of ciphertext data corresponding to the plurality of group data; the parallel encryption module comprises a plurality of encryption engines, wherein the encryption engines are used for encrypting a plurality of packet data in parallel; the data encryption module is further used for inputting a plurality of groups of ciphertext data into the parallel GHASH module, so that the parallel GHASH module performs hash operation on the plurality of groups of ciphertext data in parallel based on a parallel GCM GHASH algorithm to obtain an integrity check value of the data to be encrypted;
And the data output module is in communication connection with the data encryption module and is used for combining a plurality of groups of ciphertext data, the integrity check value, a preset data head and a preset serial number to obtain an encryption result of the data to be encrypted.
7. An electronic device, characterized in that: comprising the following steps:
a memory for storing computer program instructions; and
A processor for executing the computer program instructions to perform the operations of the data encryption method of any one of claims 1 to 5.
8. A computer readable storage medium storing computer program instructions readable by a computer, characterized by: the computer program instructions are configured to perform the operations of the data encryption method of any one of claims 1 to 5 when run.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410242733.XA CN117914624A (en) | 2024-03-04 | 2024-03-04 | Data encryption method, system, electronic equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410242733.XA CN117914624A (en) | 2024-03-04 | 2024-03-04 | Data encryption method, system, electronic equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117914624A true CN117914624A (en) | 2024-04-19 |
Family
ID=90694925
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410242733.XA Pending CN117914624A (en) | 2024-03-04 | 2024-03-04 | Data encryption method, system, electronic equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117914624A (en) |
-
2024
- 2024-03-04 CN CN202410242733.XA patent/CN117914624A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Hasan et al. | Lightweight cryptographic algorithms for guessing attack protection in complex internet of things applications | |
| US20050232430A1 (en) | Security countermeasures for power analysis attacks | |
| Szalachowski et al. | CMAC, CCM and GCM/GMAC: Advanced modes of operation of symmetric block ciphers in wireless sensor networks | |
| CN116321129B (en) | Lightweight dynamic key-based power transaction private network communication encryption method | |
| CN111555859A (en) | SM4-GCM algorithm and application in network security protocol | |
| US8442217B2 (en) | Method of implementing one way hash functions and apparatus therefor | |
| Gouvêa et al. | High speed implementation of authenticated encryption for the MSP430X microcontroller | |
| Stallings | NIST block cipher modes of operation for authentication and combined confidentiality and authentication | |
| CN116488795B (en) | GCM-AES processing method and device | |
| Abbas et al. | An efficient implementation of PBKDF2 with RIPEMD-160 on multiple FPGAs | |
| Jasim et al. | Analysis the Structures of Some Symmetric Cipher Algorithms Suitable for the Security of IoT Devices | |
| Buell | Modern symmetric ciphers—Des and Aes | |
| Misra et al. | A New Encryption/Decryption Approach Using AES | |
| Singh et al. | Study & analysis of cryptography algorithms: RSA, AES, DES, T-DES, blowfish | |
| CN114679252A (en) | Resource sharing method for MACsec AES algorithm | |
| Mohan et al. | Revised aes and its modes of operation | |
| CN117914624A (en) | Data encryption method, system, electronic equipment and medium | |
| Nguyen et al. | Implementation of 2.6 Gbps super-high speed AES-CCM security protocol for IEEE 802.11 i | |
| CN112910630A (en) | Method and device for replacing expanded key | |
| Leon et al. | Performance analysis of the confidentiality security service in the IEEE 802.11 using WEP, AES-CCM, and ECC | |
| Kiningham et al. | CESEL: Securing a Mote for 20 Years. | |
| Yoo | Fast software implementation of AES-CCM on multiprocessors | |
| US20230283452A1 (en) | Method and apparatus supporting tunable alignment for cipher/authentication implementations | |
| Mohamed | Wireless Communication Systems: Confidentiality: Encryption and Decryption | |
| Henricksen | Tiny Dragon-an encryption algorithm for wireless sensor networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |