CN101325483B - Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method - Google Patents

Publication number
CN101325483B
Authority
CN
China
Prior art keywords
key
algorithm
encryption
message digest
decryption
Application number
CN 200810134568
Other languages
Chinese (zh)
Other versions
CN101325483A (en)
Inventor
刘国荣
庄一嵘
金华敏
Original Assignee
中国电信股份有限公司
Application filed by 中国电信股份有限公司
Priority to CN 200810134568
Publication of CN101325483A
Application granted
Publication of CN101325483B

Abstract

The invention discloses a symmetric key update method and a symmetric key update apparatus, as well as a symmetric encryption method and a symmetric decryption method. The symmetric key update method includes the steps of generating a ternary key group, which includes an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm, and transmitting the ternary key group to the key user. The key user determines the encryption/decryption algorithm and the message digest algorithm from the ternary key group and performs the encryption/decryption operations. The method and apparatus use variable encryption and message digest algorithms, and the algorithm and the key can each vary independently, thereby effectively guaranteeing the security of data transmission and storage.

Description

Symmetric key update method and symmetric key update apparatus

Technical Field

[0001] The present invention relates to encryption technology, and in particular to a symmetric key update method and a symmetric key update apparatus.

Background

[0002] Network transmission security is a hot topic on the open Internet. Encrypting data and computing message digests are the most commonly used transmission security measures. The algorithms commonly used to secure data storage and transmission include symmetric and asymmetric encryption algorithms; a symmetric encryption algorithm uses the same key for encryption and decryption. Symmetric encryption algorithms have advantages such as high computation speed and support for longer key lengths. The encryption algorithms in common use today are all public, and the key is the only information that is not public, so the security of an algorithm depends mainly on the security of its key. The main measures against cracking include choosing keys that are as long and as complex in composition as possible, and updating keys regularly.

[0003] Symmetric encryption algorithms require the encrypting and decrypting parties to keep their keys consistent, so key management is a difficulty when such algorithms are used. In most current applications keys must be updated manually, which is a heavy workload, so update cycles are generally long: months, years, or no update at all. Cracking an encryption algorithm is mainly a matter of time; when the encryption algorithm and the ciphertext are known, a longer key update cycle means a greater risk.

Summary of the Invention

[0004] One technical problem to be solved by the present invention is to provide a symmetric key update method with higher security.

[0005] The present invention provides a symmetric key update method comprising the steps of: establishing a secure connection between a key manager and a key user; negotiating the encryption/decryption algorithms and message digest algorithms between the key manager and the key user; the key manager generating a ternary key group, which comprises an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm; the key manager sending the ternary key group and an effective start time to the key user; and the encrypting and decrypting parties enabling the new ternary key group at the agreed effective start time and performing encryption/decryption and message digest operations on the transmitted data.

[0006] According to one embodiment of the symmetric key update method of the invention, the secure connection may be Secure Sockets Layer (SSL), or the data sent over the secure connection is encrypted with a preconfigured symmetric encryption algorithm, message digest algorithm and key.

[0007] According to one embodiment of the symmetric key update method of the invention, the method further comprises the steps of: saving a history of ternary key groups; and, when decrypting and verifying, if decryption and verification with the currently used ternary key group fail, the decrypting party going back through several history records in reverse order and attempting decryption and verification with the historical ternary key groups. According to one embodiment of the symmetric key update method of the invention, the method further comprises the steps of: determining the encryption key, the encryption algorithm and the message digest algorithm from the ternary key group; and encrypting the data with the encryption key and the encryption algorithm, and generating a message digest with the message digest algorithm.

[0008] According to one embodiment of the symmetric key update method of the invention, the method further comprises the steps of: determining the decryption key, the decryption algorithm and the message digest algorithm from the ternary key group; and decrypting the data with the decryption key and the decryption algorithm, and verifying the integrity of the data with the message digest algorithm.

[0009] Another technical problem to be solved by the present invention is to provide a symmetric key update apparatus with higher security.

[0010] The symmetric key update apparatus provided by the invention comprises: a negotiation module for receiving a set of encryption/decryption algorithms and/or message digest algorithms, and determining and returning its intersection with the encryption/decryption algorithms and/or message digest algorithms that the module's own side supports; a generation module by which the key manager generates a ternary key group, which comprises an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm; and a sending module by which the key manager sends the ternary key group and an effective start time to the key user; wherein a secure connection is established between the key manager and the key user to negotiate and update algorithms and keys, and the new ternary key group is enabled at the agreed effective start time to perform encryption/decryption and message digest operations on the transmitted data.

[0011] According to one embodiment of the symmetric key update apparatus of the invention, the secure connection is Secure Sockets Layer (SSL), or the data sent over the secure connection is encrypted with a preconfigured symmetric encryption algorithm, message digest algorithm and key.

[0012] In the symmetric key update method and apparatus provided by the invention, the updated key information includes parameters related to the encryption/decryption algorithm and the message digest algorithm, which effectively safeguards the security of data transmission and storage and provides higher security.

Brief Description of the Drawings

[0013] FIG. 1 is a flowchart of one embodiment of the symmetric key update method of the invention;

[0014] FIG. 2 is a flowchart of another embodiment of the symmetric key update method of the invention;

[0015] FIG. 3 is a flowchart of one embodiment of the symmetric encryption method of the invention;

[0016] FIG. 4 is a flowchart of one embodiment of the symmetric decryption method of the invention;

[0017] FIG. 5 is a flowchart of an application example in single sign-on;

[0018] FIG. 6 is a structural diagram of one embodiment of the symmetric key update apparatus of the invention;

[0019] FIG. 7 is a structural diagram of another embodiment of the symmetric key update apparatus of the invention.

Detailed Description

[0020] The invention is described more fully below with reference to the drawings, which illustrate exemplary embodiments of the invention.

[0021] In the description below, one of the two encrypting/decrypting parties is normally responsible for algorithm and key management. For convenience, the party that manages the algorithms and keys is called the key manager and the other party is called the key user. Note that in some applications encryption and decryption may be performed by a single party.

[0022] FIG. 1 is a flowchart of one embodiment of the symmetric key update method of the invention.

[0023] As shown in FIG. 1, in step 101 the key manager generates a ternary key group, which comprises an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm. The encryption key may consist of any visible characters and is relatively long; the parameters used for selecting the algorithms may be represented as integers.

[0024] In step 103, the key manager sends the ternary key group to the key user. The key user uses the new ternary key group it has obtained to update the key of the symmetric encryption/decryption algorithm, the encryption/decryption algorithm and the message digest algorithm.

[0025] FIG. 2 is a flowchart of another embodiment of the symmetric key update method of the invention.

[0026] As shown in FIG. 2, in step 201 a secure connection is established between the key manager and the key user. The encrypting and decrypting parties establish a connection in order to negotiate and update algorithms and keys. The connection should use a reliable and secure transport so that the algorithm and key data are transmitted reliably and securely. The reliability of the connection can be ensured by the transport protocol, such as TCP. The security of the connection can be ensured by encrypting the negotiation/update messages and computing message digests over them with a symmetric encryption algorithm, message digest algorithm and key that both parties have preconfigured, which are then updated automatically during use by the method described in this scheme; it can also be ensured by other security measures, such as SSL. Note that where a single server performs both encryption and decryption, no connection needs to be established.

[0027] In step 203, the key manager and the key user negotiate the encryption/decryption algorithms and message digest algorithms. After the two parties have established the connection, the key user sends the set of encryption and message digest algorithms it supports to the key manager; the key manager finds the intersection of that set with the algorithms it supports itself and notifies the key user; this phase ends once both parties have confirmed. Note that the algorithm negotiation step is optional. If the set of algorithms supported by both parties has been preconfigured, no negotiation is needed; where a single server performs both encryption and decryption, no negotiation is needed either.

[0028] In step 205, the key manager generates a ternary key group and sends the ternary key group and the effective start time to the key user. The effective start time may use a special value to indicate that the group takes effect immediately.

[0029] In step 207, the encrypting and decrypting parties enable the new ternary key group at the agreed effective start time and perform encryption/decryption and message digest operations on the transmitted data. The previous ternary key group can be recorded in a history; both parties maintain several of the most recent historical ternary key groups together with their effective start and end times, so that data encrypted before the algorithm update can still be decrypted. When decrypting and verifying, if decryption and verification with the currently used ternary key group fail, the decrypting party can go back through several history records in reverse order and attempt decryption and verification with the historical ternary key groups.

[0030] Algorithm updates can be controlled by the manager and carried out at a fixed period, for example once a day, or at any time as needed.

[0031] According to one embodiment of the symmetric key update method of the invention, the key manager may independently generate three random numbers, one of which is used as the encryption key while the other two are used to select the encryption (decryption) algorithm and the message digest algorithm respectively. The key may consist of characters and is relatively long. The encryption algorithm and the message digest algorithm may be selected from the random numbers by, but not only by, the following method: generate an integer random number, or convert a string random number into an integer, and then take it modulo the number of algorithms; the remainder corresponds to the index of an algorithm, which selects that algorithm. For example, with n encryption algorithms A0, A1, ..., A(n-1) and a generated random number i, the (i % n)-th algorithm, that is A(i % n), is the algorithm selected this time.

[0032] FIG. 3 is a flowchart of one embodiment of the symmetric encryption method of the invention.

[0033] As shown in FIG. 3, in step 301 the encryption key, the encryption algorithm and the message digest algorithm are determined from the ternary key group.

[0034] In step 303, the data is encrypted with the encryption key and the encryption algorithm, and a message digest is generated with the message digest algorithm.

[0035] According to one embodiment of the symmetric encryption method of the invention, the ternary key group includes an integer encryption algorithm parameter and an integer digest algorithm parameter, and the step of determining the encryption algorithm and the message digest algorithm from the ternary key group comprises: taking the encryption algorithm parameter modulo the number of encryption algorithms and selecting the encryption algorithm whose index corresponds to the remainder; and taking the digest algorithm parameter modulo the number of message digest algorithms and selecting the message digest algorithm whose index corresponds to the remainder.

[0036] FIG. 4 is a flowchart of one embodiment of the symmetric decryption method of the invention.

[0037] As shown in FIG. 4, in step 401 the decryption key, the decryption algorithm and the message digest algorithm are determined from the ternary key group.

[0038] In step 403, the data is decrypted with the decryption key and the decryption algorithm, and the integrity of the data is verified with the message digest algorithm.

[0039] In step 405, it is determined whether decryption/verification succeeded. If verification succeeded, the decryption process ends; otherwise step 407 is executed.

[0040] In step 407, the history of ternary key groups is searched and it is determined whether a history record exists (step 409). If one exists, execution continues with step 411; otherwise verification fails.

[0041] In step 411, the data is decrypted/verified with a ternary key group from the history.

[0042] Note that another embodiment may omit steps 405 to 411.

[0043] According to one embodiment of the symmetric decryption method of the invention, the ternary key group includes an integer encryption algorithm parameter and an integer digest algorithm parameter. The step of determining the decryption algorithm and the message digest algorithm from the ternary key group comprises: taking the encryption algorithm parameter modulo the number of decryption algorithms and selecting the decryption algorithm whose index corresponds to the remainder; and taking the digest algorithm parameter modulo the number of message digest algorithms and selecting the message digest algorithm whose index corresponds to the remainder.
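
The negotiation, modulo selection and history fallback of paragraphs [0027] to [0043], as an added Python example that is not code from the patent. It assumes the algorithm names and the `KeyGroup`/`Party` names, computes the integrity value as an HMAC keyed with the group's key where the patent speaks of a message digest, and selects the cipher by name only because the Python standard library has no symmetric cipher.

```python
import hmac
import secrets
from collections import deque
from dataclasses import dataclass

# Constructed capability lists; the algorithm names are assumptions.
MANAGER_CIPHERS = ["aes-256-cbc", "aes-128-cbc", "3des-cbc"]
MANAGER_DIGESTS = ["sha512", "sha256", "sha1"]
USER_CIPHERS = ["aes-128-cbc", "aes-256-cbc"]
USER_DIGESTS = ["sha256", "sha384", "sha512"]


@dataclass(frozen=True)
class KeyGroup:
    key: bytes           # long key made of visible characters
    cipher_param: int    # integer that selects the cipher
    digest_param: int    # integer that selects the digest
    effective_from: int  # 0 is the special value "effective immediately"


def negotiate(user_algs, manager_algs):
    """Step 203: intersect both sets. Sorting gives both parties the same
    index order; without it, param % n could pick different algorithms."""
    common = sorted(set(user_algs) & set(manager_algs))
    if not common:
        raise ValueError("no algorithm in common")
    return common


def select(param, algorithms):
    """Paragraph [0031]: the remainder param % n is the algorithm index."""
    return algorithms[param % len(algorithms)]


def generate_key_group(effective_from=0):
    """Step 205: three independently generated random values."""
    return KeyGroup(
        key=secrets.token_urlsafe(48).encode(),
        cipher_param=secrets.randbelow(2**32),
        digest_param=secrets.randbelow(2**32),
        effective_from=effective_from,
    )


class Party:
    """State kept by either side: current group, pending group, history."""

    def __init__(self, ciphers, digests, history_size=3):
        self.ciphers, self.digests = ciphers, digests
        self.current = None
        self.pending = None
        self.history = deque(maxlen=history_size)  # oldest group drops out

    def install(self, group, now):
        """Store a received group; it stays pending until its start time."""
        self.pending = group
        self._activate(now)

    def _activate(self, now):
        """Step 207: switch at the agreed time and archive the old group."""
        if self.pending is not None and now >= self.pending.effective_from:
            if self.current is not None:
                self.history.append(self.current)
            self.current, self.pending = self.pending, None

    def _tag(self, group, data):
        digest = select(group.digest_param, self.digests)
        return hmac.new(group.key, data, digest).digest()

    def protect(self, data, now):
        self._activate(now)
        return self._tag(self.current, data)

    def verify(self, data, tag, now):
        """Steps 401-411: try the current group, then history newest first.
        Returns the matching KeyGroup, or None when every candidate fails."""
        self._activate(now)
        for group in [self.current, *reversed(self.history)]:
            if group is not None and hmac.compare_digest(self._tag(group, data), tag):
                return group
        return None


def rollover_demo():
    """Both parties roll from one group to the next at t=100."""
    ciphers = negotiate(USER_CIPHERS, MANAGER_CIPHERS)
    digests = negotiate(USER_DIGESTS, MANAGER_DIGESTS)
    manager, user = Party(ciphers, digests), Party(ciphers, digests)
    first = generate_key_group()                     # effective immediately
    second = generate_key_group(effective_from=100)
    cipher = select(first.cipher_param, ciphers)     # cipher chosen by name only
    for party in (manager, user):
        party.install(first, now=0)
    cookie = b"uid=alice;exp=200"                    # constructed sample data
    old_tag = manager.protect(cookie, now=10)
    for party in (manager, user):
        party.install(second, now=20)                # pending until t=100
    before = user.verify(cookie, old_tag, now=50) is first
    after = user.verify(cookie, old_tag, now=150) is first  # via history
    forged = user.verify(b"uid=admin;exp=200", old_tag, now=150) is None
    return ciphers, digests, cipher, before, after, forged
```

Every group still in the history keeps validating data, so `history_size` bounds how long a retired key remains acceptable.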

[0044] The following describes an application example of the variable ternary key group generation and automatic update method of the invention in single sign-on. Single sign-on is a technique that makes it convenient for users to access multiple systems: the user registers once at login and can then move freely between the systems without repeatedly entering a user name and password to establish identity.

[0045] FIG. 5 shows the flowchart of this single sign-on. As shown in FIG. 5, the user accesses a restricted resource of the application system through the client (step 501). If the user has not yet logged in, the application system redirects the request to the authentication center and passes the client's cookie to the authentication center (steps 503, 505). The authentication center checks the validity of the client cookie (step 507). If the cookie is valid, that is, the cookie records that the user has previously logged in and is still within its validity period, the user passes verification; otherwise the authentication flow is executed and the user is required to enter a user name and password for verification (step 509). If authentication passes, the cookie is set or updated for the client (steps 511, 513) and the authentication result is redirected to the application system (step 515). The application system checks the authentication result (step 517) and, after verifying the user, decides whether to allow access (step 519). If authentication has passed, then when the user logs in to other related application systems only the client cookie needs to be verified for verification to pass, and the user name and password do not need to be entered again.

[0046] In the above flow, the technique relies on the cookie that the authentication center records on the client, so encryption and tamper-proofing security measures must be applied to the cookie; likewise, the security of transmission must be ensured while the authentication result is redirected from the authentication center to the application system. The cookie must therefore be encrypted and have a message digest computed at the authentication center before it is issued to and stored on the client. On verification, the cookie is passed back to the authentication center by redirection and is decrypted and verified by the authentication center; the user authentication result is encrypted and has a message digest computed by the authentication center and is then transmitted to the application system, which decrypts the authentication result. Table 1 below shows the data to be encrypted and the encrypting and decrypting parties:

[0047] [Figure CN101325483BD00071: image of Table 1]

[0048] Table 1

[0049] The above application example uses the variable ternary key group generation and automatic update technique of the invention to ensure the security of the cookie and of the authentication result. This example needs to maintain two ternary key groups: one is maintained by the authentication center alone and is used to encrypt and decrypt the cookie; the other is maintained jointly by the authentication center and the application system, with the authentication center encrypting the authentication result and the application system decrypting it.

[0050] FIG. 6 is a structural diagram of one embodiment of the symmetric key update apparatus of the invention. As shown in FIG. 6, the update apparatus includes a generation module 61 and a sending module 62. The generation module 61 generates a ternary key group, which comprises an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm; the sending module 62 sends the ternary key group to the key user.

[0051] FIG. 7 is a structural diagram of another embodiment of the symmetric key update apparatus of the invention. As shown in FIG. 7, the update apparatus includes a negotiation module 70, a generation module 71, a sending module 72 and an optional record storage module 73. The negotiation module 70 receives a set of encryption/decryption algorithms and/or message digest algorithms, and determines and returns its intersection with the encryption/decryption algorithms and/or message digest algorithms that its own side supports. The functions of the generation module 71 and the sending module 72 are similar to those of the corresponding modules in FIG. 6. The record storage module 73 stores the history of ternary key groups.

[0052] According to one embodiment of the update apparatus of the invention, the sending module is also used to send the effective time of the ternary key group to the key user.

[0053] In the symmetric key encryption and decryption methods and the update method and apparatus of the invention, the ternary key group includes, in addition to the key, parameters for selecting the encryption/decryption algorithm and the message digest algorithm. Variable encryption and message digest algorithms are used, and the algorithm and the key can each vary independently, which effectively safeguards the security of data transmission and storage. The symmetric key update method and apparatus of the invention can update the ternary key group automatically, the update cycle can be set flexibly as needed, and the update process requires no manual intervention, which greatly simplifies algorithm and key management and improves the security of the encryption protection. In addition, the method and apparatus of the invention are simple to implement: the encrypting and decrypting parties need only add a small amount of software logic, the computational requirements are low, and no other additional investment is needed.

[0054] In summary, the invention uses a variable ternary key group to encrypt data and compute message digests, and the ternary key group is updated regularly, which can effectively safeguard the security of data transmission and storage.

[0055] The description of the invention is given for the purposes of illustration and description, and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to better explain the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention and so design various embodiments, with various modifications, suited to particular uses.

Claims (12)

1. A symmetric key update method, characterized by comprising the steps of: establishing a secure connection between a key manager and a key user; negotiating the encryption/decryption algorithms and message digest algorithms between the key manager and the key user; the key manager generating a ternary key group, the ternary key group comprising an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm; the key manager sending the ternary key group and an effective start time to the key user; and the encrypting and decrypting parties enabling the new ternary key group at the agreed effective start time and performing encryption/decryption and message digest operations on the transmitted data.
2. The symmetric key update method according to claim 1, characterized in that the secure connection is Secure Sockets Layer (SSL), or the data sent over the secure connection is encrypted with a preconfigured symmetric encryption algorithm, message digest algorithm and key.
3. The symmetric key update method according to claim 1 or 2, characterized in that the effective start time uses a special value to indicate that the group takes effect immediately.
4. The symmetric key update method according to claim 1, characterized by further comprising the steps of: saving a history of ternary key groups; and, when decrypting and verifying, if decryption and verification with the currently used ternary key group fail, the decrypting party going back through several history records in reverse order and attempting decryption and verification with the historical ternary key groups.
5. The symmetric key update method according to claim 1, characterized by further comprising the steps of: determining the encryption key, the encryption algorithm and the message digest algorithm from the ternary key group; and encrypting the data with the encryption key and the encryption algorithm, and generating a message digest with the message digest algorithm.
6. The symmetric key update method according to claim 5, characterized in that the ternary key group includes an integer encryption algorithm parameter and an integer digest algorithm parameter; and the step of determining the encryption algorithm and the message digest algorithm from the ternary key group comprises: taking the encryption algorithm parameter modulo the number of encryption algorithms and selecting the encryption algorithm whose index corresponds to the remainder; and taking the digest algorithm parameter modulo the number of message digest algorithms and selecting the message digest algorithm whose index corresponds to the remainder.
7. The symmetric key update method according to claim 1, characterized by further comprising the steps of: determining the decryption key, the decryption algorithm and the message digest algorithm from the ternary key group; and decrypting the data with the decryption key and the decryption algorithm, and verifying the integrity of the data with the message digest algorithm.
8. The symmetric key update method according to claim 7, characterized in that the ternary key group includes an integer decryption algorithm parameter and an integer digest algorithm parameter; and the step of determining the decryption algorithm and the message digest algorithm from the ternary key group comprises: taking the decryption algorithm parameter modulo the number of decryption algorithms and selecting the decryption algorithm whose index corresponds to the remainder; and taking the digest algorithm parameter modulo the number of message digest algorithms and selecting the message digest algorithm whose index corresponds to the remainder.
9. A symmetric key update apparatus, characterized by comprising: a negotiation module for receiving a set of encryption/decryption algorithms and/or message digest algorithms, and determining and returning its intersection with the encryption/decryption algorithms and/or message digest algorithms that its own side supports; a generation module by which the key manager generates a ternary key group, the ternary key group comprising an encryption key, a parameter for selecting the encryption/decryption algorithm and a parameter for selecting the message digest algorithm; and a sending module by which the key manager sends the ternary key group and an effective start time to the key user; wherein a secure connection is established between the key manager and the key user to negotiate and update algorithms and keys, and the new ternary key group is enabled at the agreed effective start time to perform encryption/decryption and message digest operations on the transmitted data.
10. The symmetric key update apparatus according to claim 9, characterized in that the secure connection is Secure Sockets Layer (SSL), or the data sent over the secure connection is encrypted with a preconfigured symmetric encryption algorithm, message digest algorithm and key.
11.根据权利要求9所述的对称密钥的更新装置,其特征在于,生效起始时间用特殊值表示立即生效。 11. The symmetric key updating means according to claim 9, characterized in that, effective immediately take effect starting time represented by a special value.
12.根据权利要求9至11中任意一项所述的对称密钥的更新装置,其特征在于,还包括:记录存储模块,用于存储三元密钥组的历史记录。 12.9 updating means 11 to any one of the symmetric key according to claim, characterized in that, further comprising: a record storage means for storing a history of three yuan key group.
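The modulo-based algorithm selection of claims 6 and 8 and the reverse-order history fallback of claim 4, as an added Python example that is not code from the patent. The algorithm tables, the hash-keystream stand-in for a real symmetric cipher, the digest-over-plaintext layout and all names (`select`, `encrypt`, `try_decrypt`, `KeyUser`, `max_history`) are assumptions made for the example.

```python
import hashlib
import hmac
from collections import deque

# Ordered tables both sides agreed on during negotiation (constructed here).
# The "ciphers" are stand-in hash keystreams with no nonce, NOT real ciphers.
CIPHERS = ["ks-sha256", "ks-sha512", "ks-blake2b"]
DIGESTS = ["sha256", "sha384", "sha3_256"]

def select(group):
    """Claims 6 and 8: parameter mod table size is the algorithm index."""
    key, enc_param, dig_param = group
    return key, CIPHERS[enc_param % len(CIPHERS)], DIGESTS[dig_param % len(DIGESTS)]

def _xor(cipher, key, data):
    """Stand-in symmetric cipher: XOR with a hash-counter keystream."""
    name, stream, ctr = cipher.split("-", 1)[1], b"", 0
    while len(stream) < len(data):
        stream += hashlib.new(name, key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(group, plaintext):
    key, cipher, digest = select(group)
    # Assumption: the digest covers the plaintext and travels with the ciphertext.
    return _xor(cipher, key, plaintext), hashlib.new(digest, plaintext).digest()

def try_decrypt(group, ciphertext, tag):
    key, cipher, digest = select(group)
    plaintext = _xor(cipher, key, ciphertext)
    ok = hmac.compare_digest(hashlib.new(digest, plaintext).digest(), tag)
    return plaintext if ok else None

class KeyUser:
    def __init__(self, max_history=3):
        self.current = None
        self.history = deque(maxlen=max_history)  # bounded: oldest group is dropped

    def update(self, group):
        if self.current is not None:
            self.history.append(self.current)
        self.current = group

    def decrypt(self, ciphertext, tag):
        # Claim 4: try the current group, then history from newest to oldest.
        for group in filter(None, [self.current, *reversed(self.history)]):
            plaintext = try_decrypt(group, ciphertext, tag)
            if plaintext is not None:
                return plaintext
        raise ValueError("no current or historical key group verifies the message")
```

A bare digest detects a wrong key group or accidental corruption, but it is not keyed; resisting deliberate tampering takes a MAC such as HMAC.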
CN 200810134568 2008-07-28 2008-07-28 Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method CN101325483B (en)

Publications (2)

Publication Number Publication Date
CN101325483A CN101325483A (en) 2008-12-17
CN101325483B CN101325483B (en) 2011-06-15

Family

ID=40188837

Country Status (1)

Country Link
CN (1) CN101325483B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936782A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 Encryption method and encryption device

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015113197A1 (en) * 2014-01-28 2015-08-06 华为技术有限公司 Apparatus and method for encrypting data
CN104363209B (en) * 2014-10-29 2019-04-05 中国建设银行股份有限公司 A kind of key management method and device
CN105610783B (en) * 2015-11-05 2018-11-30 珠海格力电器股份有限公司 A kind of data transmission method and Internet of things system
CN106936794A (en) * 2015-12-30 2017-07-07 阿里巴巴集团控股有限公司 Method, the device of a kind of method, device and setting key for changing key
CN107809436A (en) * 2017-11-10 2018-03-16 北京世纪鼎点软件有限公司 Authority discrimination method, encryption method, the apparatus and system of Internet video access

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426185A (en) 2001-12-13 2003-06-25 华为技术有限公司 Method for realizing secrete communication by autonomously selecting enciphered algorithm
CN1695123A (en) 2002-09-18 2005-11-09 Jgr阿奎西申公司 Dynamic negotiation of security arrangements between web services
CN1879384A (en) 2003-09-11 2006-12-13 保罗·詹森·罗杰斯 Method and apparatus for use in security
CN1938980A (en) 2004-02-13 2007-03-28 Ivi斯马特技术公司 Method and apparatus for cryptographically processing data

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted