TWI761243B - Encryption system and encryption method for group instant messaging - Google Patents

Publication number: TWI761243B
Authority: TW (Taiwan)
Application number: TW110123849A
Other languages: Chinese (zh)
Other versions: TW202301830A (en)
Inventors: 吳治東, 鄭維元, 蘇嚮權, 梁俊安
Original assignee: 中華電信股份有限公司
Abstract

An encryption system and an encryption method for group instant messaging are provided. The encryption method includes: if a first group key is invalid, a first terminal generates a second group key, an ephemeral public key, and an ephemeral private key corresponding to the ephemeral public key based on an ECC algorithm; the first terminal generates a group key ciphertext according to the second group key, the ephemeral private key, and a second public key corresponding to a second terminal; in response to receiving the group key ciphertext, a server transmits key information corresponding to the second group key to the first terminal; in response to receiving the key information from the server, the first terminal updates a first member key corresponding to the first terminal according to the second group key; and the first terminal communicates with the second terminal according to the first member key.

Description

Encryption system and encryption method for group instant messaging

The present invention relates to communication technology, and in particular to an encryption system and an encryption method for group instant messaging.

A common encryption method used by current group instant messaging services is as follows: a message key is randomly generated each time a message is sent, and the key is synchronized to the receiving end through asymmetric encryption; the receiving end decrypts the message key with its personal private key and uses the message key to decrypt the message. However, this approach has no perfect solution that mitigates the impact of the number of members on performance while still providing both security and usability, so there is still room for improvement.

The present invention provides an encryption system and an encryption method for group instant messaging that can be used in group instant messaging services.

An encryption system for group instant messaging according to the present invention includes a first terminal device, a second terminal device and a server. The server is communicatively connected to the first terminal device and the second terminal device. The server transmits a group key status to the first terminal device; in response to the group key status indicating that a first group key is invalid, the first terminal device generates a second group key, an ephemeral public key and an ephemeral private key corresponding to the ephemeral public key based on an elliptic curve cryptography algorithm; the first terminal device generates a group key ciphertext according to the second group key, the ephemeral private key and a second public key corresponding to the second terminal device; in response to receiving the group key ciphertext from the first terminal device, the server transmits key information corresponding to the second group key to the first terminal device; in response to receiving the key information from the server, the first terminal device updates a first member key corresponding to the first terminal device according to the second group key; and the first terminal device communicates with the second terminal device according to the first member key.

In an embodiment of the present invention, the first terminal device updates, according to the second group key, a second member key that is stored in the first terminal device and corresponds to the second terminal device; and the first terminal device receives an encrypted message from the second terminal device and decrypts the encrypted message with the second member key.

In an embodiment of the present invention, the first terminal device generates an encrypted message according to the first member key and transmits the encrypted message to the second terminal device.

In an embodiment of the present invention, the first terminal device generates a shared secret from the ephemeral private key and the second public key based on the elliptic curve Diffie-Hellman key exchange algorithm; and the first terminal device generates the group key ciphertext from the shared secret and the second group key based on a symmetric encryption algorithm.

In an embodiment of the present invention, before executing the symmetric encryption algorithm, the first terminal device applies a secure hash algorithm to the shared secret.

In an embodiment of the present invention, the second terminal device receives the group key ciphertext, the ephemeral public key and a first public key corresponding to the first terminal device from the server; the second terminal device obtains the shared secret from the ephemeral public key and a second private key corresponding to the second public key based on the elliptic curve Diffie-Hellman key exchange algorithm; and the second terminal device obtains the second group key from the shared secret and the group key ciphertext based on the symmetric decryption algorithm corresponding to the symmetric encryption algorithm.

In an embodiment of the present invention, before executing the symmetric decryption algorithm, the second terminal device applies the secure hash algorithm to the shared secret.

In an embodiment of the present invention, the second terminal device updates, according to the second group key, the first member key that is stored in the second terminal device and corresponds to the first terminal device; and the second terminal device updates, according to the second group key, the second member key that is stored in the second terminal device and corresponds to the second terminal device.

In an embodiment of the present invention, the server transmits the group key ciphertext to the second terminal device in response to the second terminal device logging in to the group instant messaging.

In an embodiment of the present invention, the first terminal device performs a first hash-based message authentication code (HMAC) operation on the first member key to generate a first message key; and the first terminal device performs a second HMAC operation on the first member key to update the first member key.

In an embodiment of the present invention, the first terminal device encrypts a message according to the first message key to generate the encrypted message.

In an embodiment of the present invention, the second terminal device receives the encrypted message and the key information from the first terminal device; in response to receiving the key information, the second terminal device performs the first HMAC operation on the first member key to obtain the first message key; and in response to receiving the key information, the second terminal device performs the second HMAC operation on the first member key to update the first member key stored in the second terminal device.

In an embodiment of the present invention, the second terminal device decrypts the encrypted message according to the first message key to obtain the message.
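As an added worked example (not code from the patent), the HMAC ratchet of the embodiments above and of the "ratchet method" in the summary: the first HMAC over the member key yields the message key, the second HMAC yields the next member key, and the receiver reproduces the same chain. The expansion of the group key into member keys, the two HMAC label bytes and the SHA-256 underlying hash are assumptions of this example; the patent does not fix them.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Labels for the two HMAC operations. The patent names a first and a second HMAC
// over the member key but does not fix their message inputs, so these
// domain-separation labels are an assumption of this example.
var (
	labelMessageKey = []byte{0x01}
	labelMemberKey  = []byte{0x02}
)

// DeriveMemberKey expands a group key into the member key of one member. The
// patent only says the member keys are derived from the group key inside the
// device; HMAC over the member identifier is this example's assumption.
func DeriveMemberKey(groupKey []byte, memberID string) []byte {
	m := hmac.New(sha256.New, groupKey)
	m.Write([]byte(memberID))
	return m.Sum(nil)
}

// Chain is the ratchet state a device keeps per member: the current member key
// and the number of message keys already derived from it.
type Chain struct {
	memberKey []byte
	index     int
}

func NewChain(memberKey []byte) *Chain {
	return &Chain{memberKey: append([]byte(nil), memberKey...)}
}

// Next performs one ratchet step: the first HMAC yields the message key, the
// second HMAC yields the next member key. The old member key is wiped, so a
// later compromise of the device does not expose earlier message keys.
func (c *Chain) Next() (messageKey []byte, index int) {
	m1 := hmac.New(sha256.New, c.memberKey)
	m1.Write(labelMessageKey)
	messageKey = m1.Sum(nil)

	m2 := hmac.New(sha256.New, c.memberKey)
	m2.Write(labelMemberKey)
	next := m2.Sum(nil)

	for i := range c.memberKey {
		c.memberKey[i] = 0
	}
	c.memberKey = next
	index = c.index
	c.index++
	return messageKey, index
}

// KeyFor is the receiver's side: advance the stored member key until message
// number n and return its key. Keys behind the current index are gone, which is
// the forward secrecy property; keys skipped on the way are also dropped here,
// so a real receiver would cache them for out-of-order delivery.
func (c *Chain) KeyFor(n int) ([]byte, error) {
	if n < c.index {
		return nil, fmt.Errorf("message %d precedes index %d: key already discarded", n, c.index)
	}
	var k []byte
	for c.index <= n {
		k, _ = c.Next()
	}
	return k, nil
}

func main() {
	groupKey := bytes.Repeat([]byte{0x42}, 32) // constructed demo group key
	sender := NewChain(DeriveMemberKey(groupKey, "terminal-a"))
	receiver := NewChain(DeriveMemberKey(groupKey, "terminal-a")) // b's copy of a's member key
	k0, _ := sender.Next()
	k1, _ := sender.Next()
	r1, _ := receiver.KeyFor(1)
	fmt.Println("message key 0:", hex.EncodeToString(k0))
	fmt.Println("receiver matches key 1:", bytes.Equal(r1, k1))
	_, err := receiver.KeyFor(0)
	fmt.Println("recover key 0 after ratchet:", err)
}
```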

In an embodiment of the present invention, the first terminal device generates a first public key corresponding to the first terminal device and a first private key corresponding to the first public key based on the elliptic curve cryptography algorithm, and generates a certificate and a digital signature corresponding to the certificate based on public-key cryptography. The first terminal device transmits the first public key, the certificate and the digital signature to the server to register for the group instant messaging.

In an embodiment of the present invention, the first terminal device generates the first public key, the first private key, the second group key, the ephemeral public key and the ephemeral private key based on the domain parameters corresponding to the elliptic curve cryptography algorithm.

In an embodiment of the present invention, the server receives change information from members of the group instant messaging and invalidates the first group key according to the change information.

In an embodiment of the present invention, the server receives a message from the first terminal device, where the message includes a digital signature; and the server verifies the digital signature with the certificate to determine whether the source of the message is correct.

In an embodiment of the present invention, the second terminal device receives a message from the first terminal device, where the message includes a digital signature; and the second terminal device verifies the digital signature with the certificate to determine whether the source of the message is correct.

An encryption method for group instant messaging according to the present invention includes: communicatively connecting a server to a first terminal device and a second terminal device; the server transmitting a group key status to the first terminal device; in response to the group key status indicating that a first group key is invalid, the first terminal device generating a second group key, an ephemeral public key and an ephemeral private key corresponding to the ephemeral public key based on an elliptic curve cryptography algorithm; the first terminal device generating a group key ciphertext according to the second group key, the ephemeral private key and a second public key corresponding to the second terminal device; in response to receiving the group key ciphertext from the first terminal device, the server transmitting key information corresponding to the second group key to the first terminal device; in response to receiving the key information from the server, the first terminal device updating a first member key corresponding to the first terminal device according to the second group key; and the first terminal device communicating with the second terminal device according to the first member key.

In summary, in the present invention a terminal device using the service can generate a public key. The public key and an ephemeral private key are used in an ECDH operation together with symmetric encryption, so that the group key is delivered to each member with end-to-end encryption. Member changes and the group key status are managed centrally by the server, ensuring that member changes do not compromise security. Inside the terminal device the group key is expanded into member keys, and a ratchet based on the member key produces the message key and the next round's member key, which reduces the impact of the number of members on performance and provides forward secrecy (FS). Finally, all data that a terminal device sends over the network is combined with a digital signature, so the receiving end can verify the signature after receiving the data, ensuring the integrity of the data and verifying the identity of the sender.

The present invention provides an encryption system and an encryption method for group instant messaging that synchronize the group key based on an asymmetric encryption method, compute the expanded member keys inside the terminal device, and then derive message keys from the member keys for message encryption, thereby achieving end-to-end encryption while effectively reducing the impact of the number of members on computation and transmission volume. In the present invention, one member of the group can perform the group key synchronization, the server can manage the group key status, and inside the terminal device several member keys are derived from the group key, from which in turn the message keys used to encrypt and decrypt messages are derived. This reduces the impact of the number of members on computation and transmission volume and ensures that communication remains secure when group membership changes.

FIG. 1 is a schematic diagram of an encryption system 10 for group instant messaging according to an embodiment of the present invention. The encryption system 10 may include a server 100 and a group 200 that performs group instant messaging, where the group 200 may include multiple terminal devices such as terminal device a and terminal device b. The server 100 can be communicatively connected to each terminal device in the group 200.

The server 100 has the components necessary for running the management server 110, such as a processing unit (for example a processor, but not limited thereto), a communication unit (for example various communication chips, mobile communication chips, Bluetooth chips, WiFi chips and the like, but not limited thereto) and a storage unit (for example removable random access memory, flash memory, hard disks and the like, but not limited thereto).

Terminal device a (or terminal device b) may be a server, a client, a desktop computer, a notebook computer, a network computer, a workstation, a personal digital assistant (PDA), a personal computer (PC), a tablet computer or a telephone device, among others. Terminal device a (or terminal device b) may include, but is not limited to, transceiver circuitry, analog-to-digital (A/D) and digital-to-analog (D/A) converters, processing circuitry, optional memory circuitry, and one or more antenna units.

FIG. 2 is a signaling diagram of the registration procedure according to an embodiment of the present invention. In step S201, terminal device a may generate, based on an elliptic curve cryptography (ECC) algorithm, the public key [Figure 02_image001] corresponding to terminal device a and the private key [Figure 02_image003] corresponding to the public key [Figure 02_image001]. Specifically, terminal device a may generate its public key [Figure 02_image001] and private key [Figure 02_image007] according to the domain parameters [Figure 02_image005] of the ECC algorithm.

In one embodiment, terminal device a may further generate a certificate [Figure 02_image009] of terminal device a, a signature public key [Figure 02_image011] corresponding to the certificate [Figure 02_image009], a signature private key [Figure 02_image013] corresponding to the signature public key [Figure 02_image011], and a digital signature [Figure 02_image017] produced by signing the public key [Figure 02_image001] with the signature private key [Figure 02_image015]. The certificate [Figure 02_image009] can be used to verify the digital signature [Figure 02_image017]. For example, suppose terminal device a wants to send a message to terminal device b through the server 100. Terminal device a may attach the digital signature [Figure 02_image017] to the message. After terminal device b receives the message, terminal device b may verify, against the digital certificate chain held in terminal device b, that the certificate [Figure 02_image009] is a trusted certificate, and then use the certificate [Figure 02_image009] to verify the digital signature [Figure 02_image017] in the message. If the verification succeeds and the message can be decrypted normally with the public key [Figure 02_image001], terminal device b can conclude that the message indeed comes from terminal device a; that is, the source of the message is correct. If the verification fails or the message cannot be decrypted normally with the public key [Figure 02_image001], terminal device b can conclude that the message does not come from terminal device a; that is, the source of the message is wrong.

In one embodiment, terminal device a may generate the signature public key [Figure 02_image011] and the signature private key [Figure 02_image013] according to public-key cryptography.

In step S202, terminal device a may transmit the public key [Figure 02_image001] corresponding to terminal device a, the certificate [Figure 02_image009] and the digital signature [Figure 02_image017] to the server 100 to register for the group instant messaging. Each terminal device in the group 200 (for example terminal device b) can access the server 100 to obtain information such as the public key [Figure 02_image001], the certificate [Figure 02_image009] or the digital signature [Figure 02_image017] from the server 100.

In step S203, terminal device b may generate, based on the elliptic curve cryptography (ECC) algorithm, the public key [Figure 02_image019] corresponding to terminal device b and the private key [Figure 02_image021] corresponding to the public key [Figure 02_image019]. Specifically, terminal device b may generate its public key [Figure 02_image019] and private key [Figure 02_image021] according to the domain parameters [Figure 02_image005] of the ECC algorithm. That is, the public key [Figure 02_image001], the private key [Figure 02_image007], the public key [Figure 02_image019] and the private key [Figure 02_image021] are generated based on the same domain parameters.

In one embodiment, terminal device b may further generate a certificate [Figure 02_image023] of terminal device b, a signature public key [Figure 02_image025] corresponding to the certificate [Figure 02_image023], a signature private key [Figure 02_image027] corresponding to the signature public key [Figure 02_image025], and a digital signature [Figure 02_image029] produced by signing the public key [Figure 02_image019] with the signature private key [Figure 02_image027]. The certificate [Figure 02_image023] can be used to verify the digital signature [Figure 02_image029]. For example, suppose terminal device b wants to send a message to terminal device a through the server 100. Terminal device b may attach the digital signature [Figure 02_image029] to the message. After terminal device a receives the message, terminal device a may verify, against the digital certificate chain held in terminal device a, that the certificate [Figure 02_image023] is a trusted certificate, and then use the certificate [Figure 02_image023] to verify the digital signature [Figure 02_image029] in the message. If the verification succeeds and the message can be decrypted normally with [Figure 02_image031], terminal device a can conclude that the message indeed comes from terminal device b; that is, the source of the message is correct. If the verification fails or the message cannot be decrypted normally with [Figure 02_image031], terminal device a can conclude that the message does not come from terminal device b; that is, the source of the message is wrong.

In one embodiment, terminal device b may generate the signature public key [Figure 02_image025] and the signature private key [Figure 02_image027] according to public-key cryptography.

In step S204, terminal device b may transmit the public key [Figure 02_image019] corresponding to terminal device b, the certificate [Figure 02_image023] and the digital signature [Figure 02_image029] to the server 100 to register for the group instant messaging. Each terminal device in the group 200 (for example terminal device a) can access the server 100 to obtain information such as the public key [Figure 02_image019], the certificate [Figure 02_image023] and the digital signature [Figure 02_image029] from the server 100.

FIG. 3 is a signaling diagram of the member change procedure according to an embodiment of the present invention. In step S301, the server 100 may receive change information from a member of the group instant messaging (that is, a member of the group 200, such as terminal device a or terminal device b). The change information may indicate that a terminal device in the group 200 has performed at least one of the following: leaving the group 200 itself, removing another member from the group 200, or adding a new member to the group 200.

In step S302, the server 100 may invalidate the group key of the group 200 according to the change information. For example, suppose the initial group key of the group instant messaging (or group 200) is the group key [Figure 02_image033]. The server 100 may invalidate the group key [Figure 02_image033] according to the change information. It is worth noting that the group key [Figure 02_image033] is generated, for example, according to the domain parameters [Figure 02_image005]. That is, the group key [Figure 02_image033], the public key [Figure 02_image001], the private key [Figure 02_image007], the public key [Figure 02_image019] and the private key [Figure 02_image021] are generated based on the same domain parameters.

In step S303, the server 100 may transmit a group key status to terminal device a, where the group key status may indicate that the group key [Figure 02_image033] has been invalidated. In step S304, the server 100 may transmit the group key status to terminal device b when terminal device b logs in to the group instant messaging, where the group key status may indicate that the group key [Figure 02_image033] has been invalidated. That is, after the group key [Figure 02_image033] is invalidated, the server 100 may broadcast the group key status indicating that the group key [Figure 02_image033] is invalid to the members of the group 200.

FIG. 4 is a signaling diagram of the key synchronization procedure according to an embodiment of the present invention. In step S401, in response to the group key status indicating that the group key [Figure 02_image033] is invalid, terminal device a may generate, based on the ECC algorithm, a group key [Figure 02_image035], an ephemeral public key [Figure 02_image037] and an ephemeral private key [Figure 02_image039] corresponding to the ephemeral public key [Figure 02_image037]. The group key [Figure 02_image035], the ephemeral public key [Figure 02_image037] and the ephemeral private key [Figure 02_image039] are generated, for example, according to the domain parameters [Figure 02_image005]. That is, the group key [Figure 02_image035], the ephemeral public key [Figure 02_image037] and the ephemeral private key [Figure 02_image039] are generated based on the same domain parameters as the group key [Figure 02_image033].

In step S402, terminal device a may generate, from the group key [Figure 02_image035], the ephemeral private key [Figure 02_image039] and the public key of each member of the group 200, the group key ciphertext to be sent to that member. Taking terminal device b as an example, terminal device a may generate the group key ciphertext [Figure 02_image041] to be sent to terminal device b from the group key [Figure 02_image035], the ephemeral private key [Figure 02_image039] and the public key [Figure 02_image019] of terminal device b.

Specifically, terminal device a may generate the shared secret (or key-encryption key) [Figure 02_image043] corresponding to terminal device a and terminal device b from the ephemeral private key [Figure 02_image039] and the public key [Figure 02_image019] based on the elliptic curve Diffie-Hellman key exchange (ECDH) algorithm, as shown in equation (1), where [Figure 02_image045] denotes performing the ECDH operation on a public key P and a private key R.

[Figure 02_image047] …(1)

Next, terminal device a may apply a secure hash algorithm (SHA) to the shared secret [Figure 02_image043] to adjust the size of the shared secret [Figure 02_image043] so that it fits the symmetric encryption algorithm about to be used. For example, before running the AES-256 symmetric encryption algorithm with the shared secret [Figure 02_image043], terminal device a may first apply the SHA-256 secure hash algorithm to the shared secret [Figure 02_image043], resizing it to the 256 bits required by AES-256.

Then, based on a symmetric encryption algorithm, terminal device a can generate the group key ciphertext [Figure 02_image041] from the shared secret [Figure 02_image043] and the group key [Figure 02_image035], as shown in equation (2), where [Figure 02_image049] denotes encrypting plaintext p with key k using the AES algorithm.
[Figure 02_image051] …(2)

In step S403, terminal device a can transmit to server 100 a key message containing at least the group key ciphertext [Figure 02_image041] and the ephemeral public key [Figure 02_image037]. In step S404, server 100 can verify the validity of the key message.

In one embodiment, server 100 can determine whether the key message is valid according to the current group key status of group 200. If the group key status indicates that the current group key of group 200 is invalid (or does not exist), server 100 can determine that the key message is valid. If the group key status indicates that the current group key of group 200 is valid, server 100 can determine that the key message is invalid. For example, if the group key status indicates that the current group key [Figure 02_image033] of group 200 is invalid, server 100 can determine that the key message is valid.

In one embodiment, server 100 can determine that the key message is valid when the group key ciphertexts in the key message match the members of group 200, and determine that the key message is invalid when they do not match. For example, assume that group 200 includes multiple members, among them terminal device a and terminal device b. The key message that server 100 receives from terminal device a must then contain a group key ciphertext for each of the other members apart from terminal device a, including the group key ciphertext [Figure 02_image041] corresponding to terminal device b. If the group key ciphertext for any member is missing from the key message, server 100 can determine that the key message is invalid.

In one embodiment, server 100 can determine whether the key message from terminal device a is valid according to the certificate [Figure 02_image053]. If the key message contains a digital signature [Figure 02_image017] that matches the certificate [Figure 02_image055], server 100 can determine that the key message is valid. If the key message does not contain a digital signature [Figure 02_image017] that matches the certificate [Figure 02_image055], server 100 can determine that the key message is invalid.
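The three validity checks of step S404 (group key status, one ciphertext per other member, digital signature against the sender's certificate) as an added Go example; this is not code from the patent or from its assignee. Everything about the message layout is an assumption: the field names of KeyMessage, the canonical hashing in body(), and the use of ECDSA over P-256 to stand in for the certificate and signature that the page describes only abstractly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// KeyMessage models the key message of step S403 (field names are assumptions).
// The page says it carries the group key ciphertexts, the ephemeral public key
// and a digital signature the server checks against the sender's certificate.
type KeyMessage struct {
	Sender      string
	EphPub      []byte            // ephemeral public key, opaque bytes here
	Ciphertexts map[string][]byte // member id -> group key ciphertext for that member
	Signature   []byte            // ASN.1 ECDSA signature over body()
}

// Group is the server's record for group 200: each member's registered
// certificate (modelled as an ECDSA public key) and the current group key status.
type Group struct {
	Members       map[string]*ecdsa.PublicKey
	GroupKeyValid bool
}

// NewGroup registers the given member ids with fresh P-256 key pairs and returns
// the private keys so that a sample can sign as any member.
func NewGroup(ids ...string) (*Group, map[string]*ecdsa.PrivateKey, error) {
	g := &Group{Members: map[string]*ecdsa.PublicKey{}}
	privs := map[string]*ecdsa.PrivateKey{}
	for _, id := range ids {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		g.Members[id] = &k.PublicKey
		privs[id] = k
	}
	return g, privs, nil
}

// body digests the signed fields in a canonical order so that sender and server
// hash the same bytes (the encoding is an assumption).
func (m *KeyMessage) body() []byte {
	h := sha256.New()
	h.Write([]byte(m.Sender))
	h.Write(m.EphPub)
	ids := make([]string, 0, len(m.Ciphertexts))
	for id := range m.Ciphertexts {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		h.Write([]byte(id))
		h.Write(m.Ciphertexts[id])
	}
	return h.Sum(nil)
}

// Sign attaches the sender's digital signature to the key message.
func (m *KeyMessage) Sign(priv *ecdsa.PrivateKey) (err error) {
	m.Signature, err = ecdsa.SignASN1(rand.Reader, priv, m.body())
	return err
}

var (
	ErrGroupKeyStillValid = errors.New("current group key is still valid")
	ErrUnknownSender      = errors.New("sender is not a member of the group")
	ErrMissingCiphertext  = errors.New("no ciphertext for one of the other members")
	ErrBadSignature       = errors.New("signature does not match the sender's certificate")
)

// ValidateKeyMessage is step S404: accept only if the current group key is
// invalid, every other member has a ciphertext, and the signature verifies
// under the sender's certificate.
func ValidateKeyMessage(g *Group, m *KeyMessage) error {
	if g.GroupKeyValid {
		return ErrGroupKeyStillValid
	}
	cert, ok := g.Members[m.Sender]
	if !ok {
		return ErrUnknownSender
	}
	for id := range g.Members {
		if _, has := m.Ciphertexts[id]; id != m.Sender && !has {
			return ErrMissingCiphertext
		}
	}
	if !ecdsa.VerifyASN1(cert, m.body(), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	g, privs, _ := NewGroup("a", "b", "c") // constructed sample group 200
	m := &KeyMessage{Sender: "a", EphPub: []byte("eph"), Ciphertexts: map[string][]byte{"b": []byte("ct-b"), "c": []byte("ct-c")}}
	_ = m.Sign(privs["a"])
	fmt.Println(ValidateKeyMessage(g, m)) // <nil>: complete, signed message from a member
}
```

ValidateKeyMessage returns a distinct sentinel error for each failing check so that a server can log which condition rejected a rotation attempt; the status check runs first, matching the page's rule that a valid current group key makes any key message invalid regardless of its contents.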

In step S405, if the key message is valid, server 100 can transmit key information corresponding to the group key [Figure 02_image035] to terminal device a, where the key information can contain the group key identifier [Figure 02_image057] corresponding to the group key [Figure 02_image035]. It is worth noting that server 100 does not need to, and cannot, decrypt the group key ciphertext [Figure 02_image041] to obtain the group key [Figure 02_image035]; it only needs to transmit to terminal device a the group key identifier [Figure 02_image057] corresponding to the group key ciphertext [Figure 02_image041]. In response to receiving the group key identifier [Figure 02_image057], terminal device a can determine that server 100 has agreed to the use of the group key [Figure 02_image035]. Therefore, terminal device a will be able to use the group key [Figure 02_image035] to perform group instant messaging.

In step S406, in response to receiving the key information, terminal device a can update, according to the group key [Figure 02_image035], the member keys stored in terminal device a, where these member keys respectively correspond to the members of group 200. For example, terminal device a can update, according to the group key [Figure 02_image035], the member key [Figure 02_image059] that is stored in terminal device a and corresponds to terminal device a. In addition, terminal device a can update, according to the group key [Figure 02_image035], the member key [Figure 02_image061] that is stored in terminal device a and corresponds to terminal device b. For the detailed steps of updating a member key, refer to step S504 shown in FIG. 5. Terminal device a can communicate with the members of group 200 (for example, terminal device b) through the member key [Figure 02_image059]. For example, terminal device a can encrypt a message with the member key [Figure 02_image059] to produce an encrypted message and transmit the encrypted message to terminal device b. Terminal device b can decrypt the encrypted message with the member key [Figure 02_image059] to obtain the message.

In one embodiment, based on the elliptic curve Diffie-Hellman key exchange algorithm, terminal device a can generate the member key [Figure 02_image059] corresponding to terminal device a from the public key [Figure 02_image063] and the group key [Figure 02_image035], as shown in equation (3).
[Figure 02_image065] …(3)

In one embodiment, based on the elliptic curve Diffie-Hellman key exchange algorithm, terminal device a can generate the member key [Figure 02_image061] corresponding to terminal device b from the public key [Figure 02_image067] and the group key [Figure 02_image035], as shown in equation (4).
[Figure 02_image069] …(4)

In step S407, if the key message is valid, server 100 can transmit the group key ciphertext [Figure 02_image041] to terminal device b. For example, server 100 can transmit the group key ciphertext [Figure 02_image041] to terminal device b in response to detecting that terminal device b has logged into the group instant messaging of group 200.

In step S408, terminal device b can decrypt the group key ciphertext [Figure 02_image041] to obtain the group key [Figure 02_image035]. Specifically, terminal device b can obtain the group key ciphertext [Figure 02_image041], the ephemeral public key [Figure 02_image037] and the public key [Figure 02_image001] of terminal device a from server 100. Based on the elliptic curve Diffie-Hellman key exchange algorithm, terminal device b can generate the shared secret [Figure 02_image043] corresponding to terminal device a and terminal device b from the ephemeral public key [Figure 02_image071] and the private key [Figure 02_image073] of terminal device b, as shown in equation (5), where [Figure 02_image045] denotes performing the ECDH operation on public key P and private key R.
[Figure 02_image075] …(5)

Next, terminal device b can apply a secure hash algorithm to the shared secret [Figure 02_image043] to adjust its size, so that the shared secret [Figure 02_image043] fits the symmetric decryption algorithm about to be used. For example, before using the shared secret [Figure 02_image043] with the AES-256 symmetric decryption algorithm, terminal device b can first apply the SHA-256 secure hash algorithm to the shared secret [Figure 02_image043], so that its size becomes the 256 bits required by AES-256.

Then, based on a symmetric decryption algorithm, terminal device b can decrypt the group key ciphertext [Figure 02_image041] with the shared secret [Figure 02_image043] to obtain the group key [Figure 02_image035], as shown in equation (6), where [Figure 02_image077] denotes decrypting ciphertext c with shared secret k using the AES algorithm.
[Figure 02_image079] …(6)

In step S409, in response to obtaining the group key [Figure 02_image035], terminal device b can update, according to the group key [Figure 02_image035], the member keys stored in terminal device b, where these member keys respectively correspond to the members of group 200. For example, terminal device b can update, according to the group key [Figure 02_image035], the member key [Figure 02_image059] that is stored in terminal device b and corresponds to terminal device a. In addition, terminal device b can update, according to the group key [Figure 02_image035], the member key [Figure 02_image061] that is stored in terminal device b and corresponds to terminal device b. For the detailed steps of updating a member key, refer to step S507 shown in FIG. 5. Terminal device b can communicate with the members of group 200 (for example, terminal device a) through the member key [Figure 02_image061]. For example, terminal device b can encrypt a message with the member key [Figure 02_image061] to produce an encrypted message and transmit the encrypted message to terminal device a. Terminal device a can decrypt the encrypted message with the member key [Figure 02_image061] to obtain the message.

In one embodiment, based on the elliptic curve Diffie-Hellman key exchange algorithm, terminal device b can generate the member key [Figure 02_image059] corresponding to terminal device a from the public key [Figure 02_image063] and the group key [Figure 02_image035], as shown in equation (7).
[Figure 02_image065] …(7)

In one embodiment, based on the elliptic curve Diffie-Hellman key exchange algorithm, terminal device b can generate the member key [Figure 02_image061] corresponding to terminal device b from the public key [Figure 02_image067] and the group key [Figure 02_image035], as shown in equation (8).
[Figure 02_image069] …(8)
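Steps S401 to S409 end to end, as an added Go example using only the standard library (crypto/ecdh, crypto/aes, crypto/sha256); it is not code from the patent or from its assignee. Assumptions beyond the page: P-256 as the common ECC domain, AES-256-GCM as the AES mode (the page says only AES), the group key modelled as a scalar from the same domain so that equations (3) and (4) become an ECDH of each member's public key with it, and all function names (NewKeyPair, WrapGroupKey, UnwrapGroupKey, MemberKey, SyncRoundTrip).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One ECC domain for every key, as the page requires; P-256 itself is an assumption.
var curve = ecdh.P256()

// NewKeyPair draws a member, ephemeral or group key pair from the shared domain.
func NewKeyPair() (*ecdh.PrivateKey, error) { return curve.GenerateKey(rand.Reader) }

// aeadFor is equation (1) followed by the SHA-256 step: the ECDH shared secret
// hashed to 256 bits becomes the AES-256 key-encryption key (GCM is an assumption).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(secret)
	block, err := aes.NewCipher(kek[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapGroupKey is step S402 / equation (2) at terminal device a: encrypt the group
// key for member b under a fresh ephemeral pair; output is nonce||ciphertext||tag
// plus the ephemeral public key that goes into the key message.
func WrapGroupKey(groupKey *ecdh.PrivateKey, bPub *ecdh.PublicKey) ([]byte, *ecdh.PublicKey, error) {
	eph, err := NewKeyPair()
	if err != nil {
		return nil, nil, err
	}
	aead, err := aeadFor(eph, bPub)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return aead.Seal(nonce, nonce, groupKey.Bytes(), nil), eph.PublicKey(), nil
}

// UnwrapGroupKey is step S408 / equations (5) and (6) at terminal device b.
func UnwrapGroupKey(ct []byte, ephPub *ecdh.PublicKey, bPriv *ecdh.PrivateKey) (*ecdh.PrivateKey, error) {
	aead, err := aeadFor(bPriv, ephPub)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("group key ciphertext too short")
	}
	raw, err := aead.Open(nil, ct[:n], ct[n:], nil) // fails for any other recipient
	if err != nil {
		return nil, err
	}
	return curve.NewPrivateKey(raw)
}

// MemberKey is equations (3)/(4): ECDH of a member's public key with the group key
// used as the scalar (assumption; both come from the same domain on the page).
func MemberKey(groupKey *ecdh.PrivateKey, memberPub *ecdh.PublicKey) ([]byte, error) {
	return groupKey.ECDH(memberPub)
}

// SyncRoundTrip runs S401-S409 for terminals a and b and reports whether both
// ends hold identical member keys for a and for b afterwards.
func SyncRoundTrip() (bool, error) {
	aKey, errA := NewKeyPair()
	bKey, errB := NewKeyPair()
	groupKey, errG := NewKeyPair() // S401: the new group key
	if err := errors.Join(errA, errB, errG); err != nil {
		return false, err
	}
	ct, ephPub, err := WrapGroupKey(groupKey, bKey.PublicKey()) // S402; relayed by the server (S403, S407)
	if err != nil {
		return false, err
	}
	gkAtB, err := UnwrapGroupKey(ct, ephPub, bKey) // S408
	if err != nil {
		return false, err
	}
	mkAatA, _ := MemberKey(groupKey, aKey.PublicKey()) // S406 at a ...
	mkBatA, _ := MemberKey(groupKey, bKey.PublicKey())
	mkAatB, _ := MemberKey(gkAtB, aKey.PublicKey()) // ... and S409 at b
	mkBatB, _ := MemberKey(gkAtB, bKey.PublicKey())
	return bytes.Equal(mkAatA, mkAatB) && bytes.Equal(mkBatA, mkBatB), nil
}

func main() { fmt.Println(SyncRoundTrip()) } // true <nil>
```

WrapGroupKey prepends the random GCM nonce to the ciphertext, so the receiver needs only the ciphertext and the ephemeral public key, which is exactly what the key message carries. UnwrapGroupKey fails closed for any terminal other than b, because the GCM tag does not verify under a different shared secret, and a truncated ciphertext is rejected before decryption. The block needs Go 1.20 or later for crypto/ecdh and errors.Join.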

FIG. 5 illustrates a signaling diagram of the group instant messaging procedure according to an embodiment of the present invention. In step S501, terminal device a can perform on the member key [Figure 02_image059] the hashed message authentication code (HMAC) operation shown in equation (9) to generate the message key [Figure 02_image081], where [Figure 02_image083] denotes performing the HMAC operation on key k and constant A.
[Figure 02_image085] …(9)

In step S502, terminal device a can encrypt a message with the message key [Figure 02_image081] to produce an encrypted message. Specifically, terminal device a can apply to message M the symmetric encryption algorithm shown in equation (10) to produce the encrypted message CT, where [Figure 02_image049] denotes encrypting plaintext p with key k using the AES algorithm.
[Figure 02_image087] …(10)

In step S503, terminal device a can transmit the encrypted message CT and key information to terminal device b, where the key information can include, for example, the group key identifier [Figure 02_image057] and member key generation information, the latter indicating the generation of the current member key [Figure 02_image059] of terminal device a. Assume that the member key [Figure 02_image059] is the first-generation member key of terminal device a; the member key generation information then indicates to terminal device b that the encrypted message CT was encrypted with the first-generation member key [Figure 02_image059] of terminal device a. Therefore, terminal device b should use the first-generation member key [Figure 02_image059] to decrypt the encrypted message CT.

In step S504, terminal device a can perform on the member key [Figure 02_image059] the HMAC operation shown in equation (11) to update the generation of the member key of terminal device a stored in terminal device a, where [Figure 02_image089] denotes performing the HMAC operation on key k and constant B, and constant B is different from constant A. Assuming that the member key [Figure 02_image059] is the first-generation member key of terminal device a, terminal device a can update the member key [Figure 02_image059] to produce the second-generation member key [Figure 02_image091] of terminal device a.
[Figure 02_image093] …(11)

In addition, terminal device a can perform on the member key [Figure 02_image061] the HMAC operation shown in equation (12) to update the generation of the member key of terminal device b stored in terminal device a, where [Figure 02_image089] denotes performing the HMAC operation on key k and constant B, and constant B is different from constant A. Assuming that the member key [Figure 02_image061] is the first-generation member key of terminal device b, terminal device a can update the member key [Figure 02_image061] to produce the second-generation member key [Figure 02_image095] of terminal device b.
[Figure 02_image097] …(12)

In step S505, in response to receiving the encrypted message CT and the key information, terminal device b can perform on the member key [Figure 02_image059] of terminal device a stored in terminal device b the HMAC operation shown in equation (13) to generate the message key [Figure 02_image081], where [Figure 02_image083] denotes performing the HMAC operation on key k and constant A.
[Figure 02_image085] …(13)

In step S506, terminal device b can decrypt the encrypted message CT with the message key [Figure 02_image081] to obtain the message M. Specifically, terminal device b can apply to the encrypted message CT the symmetric decryption algorithm shown in equation (14) to produce the message M, where [Figure 02_image077] denotes decrypting ciphertext c with key k using the AES algorithm.
[Figure 02_image099] …(14)

In step S507, terminal device b can perform on the member key [Figure 02_image059] the HMAC operation shown in equation (15) to update the generation of the member key of terminal device a stored in terminal device b, where [Figure 02_image089] denotes performing the HMAC operation on key k and constant B. Assuming that the member key [Figure 02_image059] is the first-generation member key of terminal device a, terminal device b can update the member key [Figure 02_image059] to produce the second-generation member key [Figure 02_image091] of terminal device a.
[Figure 02_image093] …(15)

In addition, terminal device b can perform on the member key [Figure 02_image061] the HMAC operation shown in equation (16) to update the generation of the member key of terminal device b stored in terminal device b, where [Figure 02_image089] denotes performing the HMAC operation on key k and constant B. Assuming that the member key [Figure 02_image061] is the first-generation member key of terminal device b, terminal device b can update the member key [Figure 02_image061] to produce the second-generation member key [Figure 02_image095] of terminal device b.
[Figure 02_image097] …(16)
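The message key derivation and the per-message ratchet of steps S501 to S507, as an added Go example that is not code from the patent or from its assignee. It implements equations (9) and (13) (message key from constant A) and equations (11), (12), (15) and (16) (next generation from constant B) with HMAC-SHA256 (the hash function is an assumption) and tracks the member key generation information of step S503. The byte values of constants A and B, the type and function names, and the catch-up behaviour in Receive (ratcheting forward when the stated generation is ahead of the stored one) are assumptions that go beyond the page, which shows only matching generations. The AES encryption of equations (10) and (14) under the resulting message key is not repeated here.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constants A and B of equations (9) and (11). The page requires only that they
// differ; the byte values are assumed here.
var (
	ConstA = []byte("GIM message key")
	ConstB = []byte("GIM ratchet")
)

// hmacSHA256 is the HMAC operation of the equations; SHA-256 is an assumption.
func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// MessageKey is equations (9) and (13): the message key for the current generation.
func MessageKey(memberKey []byte) []byte { return hmacSHA256(memberKey, ConstA) }

// Ratchet is equations (11), (12), (15) and (16): the next-generation member key.
func Ratchet(memberKey []byte) []byte { return hmacSHA256(memberKey, ConstB) }

// MemberKeyState is what a terminal stores per member: the member key and its
// generation, the "member key generation information" sent in step S503.
type MemberKeyState struct {
	Key        []byte
	Generation uint64
}

// Send is the sender side, steps S501 and S504: derive the message key, then
// advance the stored member key. It returns the message key and the generation
// to put into the key information that accompanies the ciphertext.
func (s *MemberKeyState) Send() ([]byte, uint64) {
	gen := s.Generation
	msgKey := MessageKey(s.Key)
	s.Key, s.Generation = Ratchet(s.Key), gen+1
	return msgKey, gen
}

var ErrStaleGeneration = errors.New("generation older than the stored member key; its key has been ratcheted away")

// Receive is the receiver side, steps S505 and S507. When the key information
// names a later generation than the stored one (messages missed or reordered),
// the receiver ratchets forward first; that catch-up goes beyond the page, which
// shows only matching generations. An older generation cannot be served: the
// one-way HMAC step makes the earlier key unrecoverable, which is the forward
// secrecy property the page claims.
func (s *MemberKeyState) Receive(generation uint64) ([]byte, error) {
	if generation < s.Generation {
		return nil, ErrStaleGeneration
	}
	for s.Generation < generation {
		s.Key, s.Generation = Ratchet(s.Key), s.Generation+1
	}
	msgKey := MessageKey(s.Key)
	s.Key, s.Generation = Ratchet(s.Key), s.Generation+1
	return msgKey, nil
}

// RoundTrip sends n messages from a to b using both terminals' copies of a's
// member key and reports whether b derived the same message key every time
// and both copies end on the same generation.
func RoundTrip(memberKeyA []byte, n int) bool {
	a := &MemberKeyState{Key: append([]byte(nil), memberKeyA...), Generation: 1}
	b := &MemberKeyState{Key: append([]byte(nil), memberKeyA...), Generation: 1}
	for i := 0; i < n; i++ {
		k, gen := a.Send()
		got, err := b.Receive(gen)
		if err != nil || !bytes.Equal(k, got) {
			return false
		}
	}
	return a.Generation == b.Generation && bytes.Equal(a.Key, b.Key)
}

func main() {
	mk := []byte("constructed first-generation member key of a")
	fmt.Println("3 messages in step:", RoundTrip(mk, 3)) // true
}
```

Because Ratchet is a one-way HMAC, a terminal that has advanced to generation n cannot reproduce the key of generation n-1; Receive therefore refuses older generations with ErrStaleGeneration rather than silently reusing a key, which is the forward secrecy the page claims for member and message keys.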

FIG. 6 is a flowchart of an encryption method for group instant messaging according to an embodiment of the present invention; the encryption method can be implemented by the encryption system shown in FIG. 1. In step S601, the server is communicatively connected to the first terminal device and the second terminal device. In step S602, the server transmits the group key status to the first terminal device. In step S603, in response to the group key status indicating that the first group key is invalid, the first terminal device generates a second group key, an ephemeral public key and an ephemeral private key corresponding to the ephemeral public key based on an elliptic curve cryptography algorithm. In step S604, the first terminal device generates a group key ciphertext according to the second group key, the ephemeral private key and a second public key corresponding to the second terminal device. In step S605, in response to receiving the group key ciphertext from the first terminal device, the server transmits key information corresponding to the second group key to the first terminal device. In step S606, in response to receiving the key information from the server, the first terminal device updates a first member key corresponding to the first terminal device according to the second group key. In step S607, the first terminal device communicates with the second terminal device according to the first member key.

In summary, the features and effects of the present invention may include: the server does not directly participate in key negotiation, which achieves end-to-end encryption; end-to-end encryption protection remains in place after group membership changes; the effect of the number of group members on performance and security is reduced (for example, adding group members does not reduce instant messaging performance); every message key is produced in a ratchet fashion, ensuring forward secrecy; key synchronization only needs to be performed by one member, reducing the complexity of key synchronization; and digital signatures are combined with the above to ensure message integrity and identity authentication.

The present invention can provide the following security properties. (1) Forward secrecy for member keys and message keys: key derivation uses a one-way hash function, so even if a third party obtains the message key of some generation, it cannot feasibly work back to earlier message keys, and likewise a member key cannot feasibly be reversed to the previous generation's key. (2) Message integrity and identity authentication: in this method every message sent from a terminal carries a digital signature over its content, and every message a terminal receives has its digital signature checked before any further action is taken, achieving message integrity and identity authentication, effectively reducing the possibility of man-in-the-middle attacks, and reducing the manual identity confirmation users must perform (such as both parties confirming each other's public key fingerprints face to face), which improves usability and reliability. (3) End-to-end encrypted communication that stays secure across membership changes: this method manages the group key status through the server, ensuring that any change immediately and effectively sets the group key status to invalid, forcing the terminals to perform key synchronization and encrypt messages with a new group key from the next message on, so that former members cannot decrypt subsequent new messages and new members cannot decrypt past messages.

10: encryption system; 100: server; 200: group; a, b: terminal devices; S201, S202, S203, S204, S301, S302, S303, S304, S401, S402, S403, S404, S405, S406, S407, S408, S409, S501, S502, S503, S504, S505, S506, S507, S601, S602, S603, S604, S605, S606, S607: steps

FIG. 1 is a schematic diagram of an encryption system for group instant messaging according to an embodiment of the present invention. FIG. 2 is a signaling diagram of the registration procedure according to an embodiment of the present invention. FIG. 3 is a signaling diagram of the member change procedure according to an embodiment of the present invention. FIG. 4 is a signaling diagram of the key synchronization procedure according to an embodiment of the present invention. FIG. 5 is a signaling diagram of the group instant messaging procedure according to an embodiment of the present invention. FIG. 6 is a flowchart of an encryption method for group instant messaging according to an embodiment of the present invention.


Claims (19)

1. An encryption system for group instant messaging, comprising: a first terminal device; a second terminal device; and a server communicatively connected to the first terminal device and the second terminal device, wherein the server transmits a group key status to the first terminal device; in response to the group key status indicating that a first group key is invalid, the first terminal device generates a second group key, an ephemeral public key and an ephemeral private key corresponding to the ephemeral public key based on an elliptic curve cryptography algorithm; the first terminal device generates a group key ciphertext according to the second group key, the ephemeral private key and a second public key corresponding to the second terminal device; in response to receiving the group key ciphertext from the first terminal device, the server transmits key information corresponding to the second group key to the first terminal device; in response to receiving the key information from the server, the first terminal device updates a first member key corresponding to the first terminal device according to the second group key; and the first terminal device communicates with the second terminal device according to the first member key.
2. The encryption system of claim 1, wherein the first terminal device updates, according to the second group key, the second member key stored in the first terminal device and corresponding to the second terminal device; and the first terminal device receives an encrypted message from the second terminal device and decrypts the encrypted message through the second member key.

3. The encryption system of claim 1, wherein the first terminal device generates an encrypted message according to the first member key and transmits the encrypted message to the second terminal device.

4. The encryption system of claim 1, wherein the first terminal device generates a shared secret according to the ephemeral private key and the second public key based on an elliptic curve Diffie-Hellman key exchange algorithm; and the first terminal device generates the group key ciphertext according to the shared secret and the second group key based on a symmetric encryption algorithm.

5. The encryption system of claim 4, wherein, before executing the symmetric encryption algorithm, the first terminal device executes a secure hash algorithm on the shared secret.
6. The encryption system of claim 4, wherein the second terminal device receives the group key ciphertext, the ephemeral public key and a first public key corresponding to the first terminal device from the server; the second terminal device obtains the shared secret according to the ephemeral public key and a second private key corresponding to the second public key based on the elliptic curve Diffie-Hellman key exchange algorithm; and the second terminal device obtains the second group key according to the shared secret and the group key ciphertext based on a symmetric decryption algorithm corresponding to the symmetric encryption algorithm.

7. The encryption system of claim 6, wherein, before executing the symmetric decryption algorithm, the second terminal device executes a secure hash algorithm on the shared secret.

8. The encryption system of claim 6, wherein the second terminal device updates, according to the second group key, the first member key stored in the second terminal device and corresponding to the first terminal device; and the second terminal device updates, according to the second group key, a second member key stored in the second terminal device and corresponding to the second terminal device.

9. The encryption system of claim 6, wherein the server transmits the group key ciphertext to the second terminal device in response to the second terminal device logging into the group instant messaging.
如請求項3所述的加密系統,其中 所述第一終端裝置對所述第一成員金鑰執行第一雜湊訊息鑑別碼運算以產生第一訊息金鑰;以及 所述第一終端裝置對所述第一成員金鑰執行第二雜湊訊息鑑別碼運算以更新所述第一成員金鑰。 The encryption system of claim 3, wherein the first terminal device performs a first hash message authentication code operation on the first member key to generate a first message key; and The first terminal device performs a second hash message authentication code operation on the first member key to update the first member key. 如請求項10所述的加密系統,其中 所述第一終端裝置對根據所述第一訊息金鑰對訊息進行加密以產生所述加密訊息。 The encryption system of claim 10, wherein The first terminal device encrypts a message according to the first message key to generate the encrypted message. 如請求項10所述的加密系統,其中 所述第二終端裝置自所述第一終端裝置接收所述加密訊息以及金鑰資訊; 響應於接收所述金鑰資訊,所述第二終端裝置對所述第一成員金鑰執行所述第一雜湊訊息鑑別碼運算以取得所述第一訊息金鑰;以及 響應於接收所述金鑰資訊,所述第二終端裝置對所述第一成員金鑰執行所述第二雜湊訊息鑑別碼運算以更新儲存在所述第二終端的所述第一成員金鑰。 The encryption system of claim 10, wherein the second terminal device receives the encrypted message and key information from the first terminal device; In response to receiving the key information, the second terminal device performs the first hash message authentication code operation on the first member key to obtain the first message key; and In response to receiving the key information, the second terminal device performs the second hash message authentication code operation on the first member key to update the first member key stored in the second terminal . 如請求項12所述的加密系統,其中 所述第二終端裝置對根據所述第一訊息金鑰對所述加密訊息進行解密以取得所述訊息。 The encryption system of claim 12, wherein The second terminal device decrypts the encrypted message according to the first message key to obtain the message. 
如請求項1所述的加密系統,其中 所述第一終端裝置基於所述橢圓曲線密碼學演算法產生對應於所述第一終端裝置的第一公鑰以及對應於所述第一公鑰的第一私鑰,並且基於公開金鑰密碼學產生憑證以及對應於所述憑證的數位簽章;以及 所述第一終端裝置傳送所述第一公鑰、所述憑證以及所述數位簽章至所述伺服器以註冊加入所述群組即時通訊。 The encryption system of claim 1, wherein The first terminal device generates a first public key corresponding to the first terminal device and a first private key corresponding to the first public key based on the elliptic curve cryptography algorithm, and based on public key cryptography A student-generated credential and a digital signature corresponding to said credential; and The first terminal device transmits the first public key, the certificate and the digital signature to the server to register to join the group instant messaging. 如請求項14所述的加密系統,其中 所述第一終端裝置基於對應於所述橢圓曲線密碼學演算法的定義域產生所述第一公鑰、所述第一私鑰、所述第二群組金鑰、所述臨時公鑰以及所述臨時私鑰。 The encryption system of claim 14, wherein The first terminal device generates the first public key, the first private key, the second group key, the temporary public key, and the the temporary private key. 如請求項1所述的加密系統,其中 所述伺服器自所述群組即時通訊的成員接收異動資訊,並且根據所述異動資訊使所述第一群組金鑰失效。 The encryption system of claim 1, wherein The server receives change information from members of the group instant messaging, and invalidates the first group key according to the change information. 如請求項14所述的加密系統,其中 所述伺服器自所述第一終端裝置接收訊息,其中所述訊息包括所述數位簽章;以及 所述伺服器根據所述憑證驗證所述數位簽章以判斷所述訊息的來源是否正確。 The encryption system of claim 14, wherein the server receives a message from the first terminal device, wherein the message includes the digital signature; and The server verifies the digital signature according to the certificate to determine whether the source of the message is correct. 
如請求項14所述的加密系統,其中 所述第二終端裝置自所述第一終端裝置接收訊息,其中所述訊息包括所述數位簽章;以及 所述第二終端裝置根據所述憑證驗證所述數位簽章以判斷所述訊息的來源是否正確。 The encryption system of claim 14, wherein the second terminal device receives a message from the first terminal device, wherein the message includes the digital signature; and The second terminal device verifies the digital signature according to the certificate to determine whether the source of the message is correct. 一種群組即時通訊的加密方法,包括: 伺服器通訊連接至第一終端裝置以及第二終端裝置; 所述伺服器傳送群組金鑰狀態至所述第一終端裝置; 響應於所述群組金鑰狀態指示第一群組金鑰失效,所述第一終端裝置基於橢圓曲線密碼學演算法產生第二群組金鑰、臨時公鑰以及對應於所述臨時公鑰的臨時私鑰; 所述第一終端裝置根據所述第二群組金鑰、所述臨時私鑰以及對應於所述第二終端裝置的第二公鑰產生群組金鑰密文; 響應於自所述第一終端裝置接收所述群組金鑰密文,所述伺服器傳送對應於所述第二群組金鑰的金鑰資訊至所述第一終端裝置; 響應於自所述伺服器接收所述金鑰資訊,所述第一終端裝置根據所述第二群組金鑰更新對應於所述第一終端裝置的第一成員金鑰;以及 所述第一終端裝置根據所述第一成員金鑰與所述第二終端裝置進行通訊。 An encryption method for group instant messaging, comprising: The server is communicatively connected to the first terminal device and the second terminal device; the server transmits the group key status to the first terminal device; In response to the group key status indicating that the first group key is invalid, the first terminal device generates a second group key, a temporary public key, and a temporary public key corresponding to the temporary public key based on an elliptic curve cryptography algorithm temporary private key; generating, by the first terminal device, a group key ciphertext according to the second group key, the temporary private key and the second public key corresponding to the second terminal device; In response to receiving the group key ciphertext from the first terminal device, the server transmits key information corresponding to the second group key to the first terminal device; In response to receiving the key information from the server, the first end device updates a first member key corresponding to the first end device according to the second group key; and The first terminal device communicates with the second terminal device according to the first member key.
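To make the group-key distribution of claims 4 to 7 and the per-message HMAC ratchet of claims 10 to 13 concrete, the following is an added worked example in Go. It is not code from the patent or its applicant, and it fixes several choices the claims leave open: P-256 as the elliptic curve, SHA-256 as the secure hash applied to the ECDH shared secret, AES-256-GCM as the symmetric algorithm, HMAC-SHA256 with two one-byte labels for the first and second HMAC operations, and the recovered group key used directly as the member key. The function names (NewTerminalKey, WrapGroupKey, UnwrapGroupKey, Ratchet, Seal, Open) are the example's own; the server's role (group key status, key information, delivery on login) is not modelled, only what the two terminals compute.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func NewTerminalKey() (*ecdh.PrivateKey, error) { // a terminal's long-term key; P-256 is an assumption
	return ecdh.P256().GenerateKey(rand.Reader)
}

// gcm builds AES-256-GCM (an assumption); keys here are always 32-byte hash or HMAC outputs.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key length, which would be a bug above
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for a non-128-bit block cipher
	return g
}

// Seal encrypts under a fresh random nonce and prepends the nonce to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a modified ciphertext or a wrong key fails the GCM tag check.
func Open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// WrapGroupKey is the first terminal's side (claims 4 and 5): ephemeral key pair, ECDH with
// the recipient's long-term public key, SHA-256 of the shared secret as the wrapping key.
func WrapGroupKey(groupKey []byte, recipientPub *ecdh.PublicKey) ([]byte, []byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secret, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, nil, err
	}
	kek := sha256.Sum256(secret)
	ct, err := Seal(kek[:], groupKey)
	return eph.PublicKey().Bytes(), ct, err // ephemeral public key travels with the ciphertext
}

// UnwrapGroupKey is the second terminal's side (claims 6 and 7).
func UnwrapGroupKey(ephPub, ct []byte, recipientPriv *ecdh.PrivateKey) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	secret, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(secret)
	return Open(kek[:], ct)
}

// Ratchet is the two-HMAC step of claims 10 and 12: one HMAC yields the per-message key,
// a second HMAC with a different label replaces the member key. The labels are assumptions.
func Ratchet(memberKey []byte) (messageKey, nextMemberKey []byte) {
	h := hmac.New(sha256.New, memberKey)
	h.Write([]byte{0x01})
	messageKey = h.Sum(nil)
	h = hmac.New(sha256.New, memberKey)
	h.Write([]byte{0x02})
	return messageKey, h.Sum(nil)
}

func main() {
	bobPriv, _ := NewTerminalKey()             // constructed: terminal B's long-term key
	groupKey := bytes.Repeat([]byte{0x42}, 32) // constructed: the new (second) group key
	ephPub, ct, _ := WrapGroupKey(groupKey, bobPriv.PublicKey())
	got, err := UnwrapGroupKey(ephPub, ct, bobPriv)
	fmt.Println("B recovered the group key:", err == nil && bytes.Equal(got, groupKey))
	msgKey, next := Ratchet(got) // both sides hold the same member key after the update
	msgCt, _ := Seal(msgKey, []byte("hello group"))
	pt, err := Open(msgKey, msgCt)
	fmt.Printf("B read %q (err=%v); member key advanced: %v\n", pt, err, !bytes.Equal(next, got))
}
```

The points worth checking when reading the claims against this code: the ephemeral private key is dropped as soon as WrapGroupKey returns, so only the recipient's long-term private key can recover the wrapping key; because the symmetric algorithm is an AEAD, a group-key ciphertext that was altered in transit, or one delivered to a terminal with a different private key, is rejected at the tag check rather than yielding a wrong group key silently; and because the second HMAC label differs from the first, the advanced member key never equals the message key, so a terminal that erases the old member key after use does not keep anything that decrypts earlier messages.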

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110123849A TWI761243B (en) 2021-06-29 2021-06-29 Encryption system and encryption method for group instant massaging

Publications (2)

Publication Number Publication Date
TWI761243B true TWI761243B (en) 2022-04-11
TW202301830A TW202301830A (en) 2023-01-01

Family

ID=82199236

Country Status (1)

Country Link
TW (1) TWI761243B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201840159A (en) * 2017-04-07 2018-11-01 安地卡及巴布達商區塊鏈控股有限公司 Method and system for secure data record distribution using a blockchain
TW201921887A (en) * 2017-08-23 2019-06-01 安地卡及巴布達商區塊鏈控股有限公司 Computer-implemented system and method for highly secure, high speed encryption and transmission of data
TWI717071B (en) * 2019-10-25 2021-01-21 中華電信股份有限公司 Certificate management system and method thereof

Also Published As

Publication number Publication date
TW202301830A (en) 2023-01-01

Similar Documents

Publication Publication Date Title
TWI748853B (en) Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US7814320B2 (en) Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
US8670563B2 (en) System and method for designing secure client-server communication protocols based on certificateless public key infrastructure
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
EP2416524B1 (en) System and method for secure transaction of data between wireless communication device and server
US20170223008A1 (en) System and method for generating a server-assisted strong password from a weak secret
Toorani et al. An elliptic curve-based signcryption scheme with forward secrecy
CN110048849B (en) Multi-layer protection session key negotiation method
US11870891B2 (en) Certificateless public key encryption using pairings
CN110020524B (en) Bidirectional authentication method based on smart card
US9130744B1 (en) Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary
US11438316B2 (en) Sharing encrypted items with participants verification
JP2004364303A (en) Method and system for establishing link key for encrypting and decrypting messages
JP2017163612A (en) Terminal authentication system, server device, and terminal authentication method
CN110999202A (en) Computer-implemented system and method for highly secure, high-speed encryption and transmission of data
US10630466B1 (en) Apparatus and method for exchanging cryptographic information with reduced overhead and latency
KR101704540B1 (en) A method of managing group keys for sharing data between multiple devices in M2M environment
GB2589390A (en) Methods of generating a key and a communication method
KR101014849B1 (en) Method for mutual authenticating and key exchanging to Public Key without trusted third party and apparatus thereof
JP4924943B2 (en) Authenticated key exchange system, authenticated key exchange method and program
JP4615128B2 (en) Voice and data encryption method using encryption key split combiner
CN116455561A (en) Embedded TLS protocol for lightweight devices
TWI761243B (en) Encryption system and encryption method for group instant massaging
CN113918971A (en) Block chain based message transmission method, device, equipment and readable storage medium