CN102307096A - Pseudo-Rivest, Shamir and Adleman (RSA)-key-based application method for recent public key cryptography algorithm - Google Patents

Info

Publication number: CN102307096A
Authority: CN (China)
Prior art keywords: rsa, key, pseudo, public key, ibe
Legal status: Granted (Active)
Application number: CN201110248050A
Other languages: Chinese (zh)
Other versions: CN102307096B (en)
Inventor: 龙毅宏
Current Assignee: Beijing iTrusChina Co., Ltd.; Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN 201110248050
Publication of CN102307096A
Application granted
Publication of CN102307096B

Landscapes

  • Storage Device Security (AREA)
Abstract

The invention relates to a pseudo-Rivest, Shamir and Adleman (RSA)-key-based application method for a recent public key cryptography algorithm. A data encryption system based on the method consists of a cryptographic module, an identity based encryption (IBE) key server, a pseudo RSA digital certificate signing and issuing tool or system and cryptography application software, wherein the cryptographic module realizes a standard cryptographic module interface supporting an RSA algorithm function, and embeds a key of the recent public key cryptography algorithm into the data structure of a corresponding RSA key to form a pseudo RSA key; the pseudo RSA digital certificate signing and issuing tool or system generates a pseudo RSA digital certificate for the application software to use based on the pseudo RSA key; and the cryptographic module automatically converts the cryptographic calling of the cryptography application software for the pseudo RSA key into the cryptographic calling for a corresponding recent public key cryptography algorithm and a corresponding key. By the method, the technical problems of the recent public key cryptography algorithm about specific application and realization are solved.

Description

An application and implementation method for recent public key cryptography algorithms based on pseudo-RSA keys
Technical field
The invention belongs to the field of encryption technology. It is an application and implementation method, based on pseudo-RSA keys, for recent public key cryptography algorithms (that is, public key cryptography algorithms that have been proposed and come into use recently), and it solves the technical problem that such algorithms currently cannot be used effectively in practical applications through the standard cryptographic interfaces.
Background art
Public key cryptography, also called asymmetric key cryptography, involves a pair of mutually related keys (called a public key pair). One of them can be made public and is called the public key; it is used to encrypt data and to verify digital signatures. The other is kept secret and is called the private key; it is held and kept by a specific entity and is used to decrypt encrypted data and to produce digital signatures. Many algorithms can implement public key cryptography. Those in wide use today include the RSA algorithm, named after its three inventors Rivest, Shamir and Adleman, and the DSA (Digital Signature Algorithm) algorithm. For the RSA and DSA algorithms, current cryptographic modules can provide the corresponding cryptographic functions through standard cryptographic module interfaces, such as CryptoSPI (Cryptography System Programming Interface), the interface of the CSP (Cryptographic Service Provider) cryptographic module in Windows, and the widely used cryptographic module interface PKCS#11 (Public Key Cryptography Standards 11). Operating systems and application software can automatically load cryptographic modules that adopt these standard interfaces, and application software can call the corresponding cryptographic module through the corresponding cryptographic API. For example, applications on Windows can call Windows CSP modules, which are based on the CryptoSPI interface, through the Windows CryptoAPI (Cryptography Application Programming Interface), while applications on other operating systems (such as Unix and Linux) can call cryptographic modules based on the PKCS#11 interface through PKCS#11 (applications on Windows can do so as well).
The DSA algorithm can only be used for digital signatures, whereas the RSA algorithm can be used both for data encryption and for digital signatures. RSA is therefore the most widely used public key cryptography algorithm at present, and most cryptographic modules, operating systems and application software support it. Besides RSA and DSA, the ECC (Elliptic Curve Cryptography) and IBE (Identity Based Encryption) algorithms are public key cryptography algorithms that have recently attracted attention. However, although the current standard cryptographic module interfaces, such as CryptoSPI and PKCS#11, can in principle support these recently proposed algorithms through extension, they give no concrete and explicit specification of how the cryptographic functions of these recent algorithms are to be provided through the interface. Each developer therefore develops and implements the relevant cryptographic functions in their own way, so that cryptographic modules' support for these algorithms lacks generality and interoperability. At the same time, the relevant operating systems, such as Windows, do not provide corresponding support for using these recent algorithms; for example, the currently widely used Windows operating systems (including Windows XP and Windows 2003) do not define CSP types and related data structures for ECC and IBE. Finally, because of these two reasons and because of the application software itself (for example, old applications that know nothing of recent public key cryptography algorithms), existing or recently developed application software cannot call the cryptographic functions of recent algorithms such as ECC and IBE through the standard cryptographic interfaces. If an application is to use the ECC or IBE algorithm, the developer must develop a special (non-standard) cryptographic module, and the application must call it in a special, specific way. As a result, many standard applications, such as Outlook, cannot automatically call these recent algorithms through the standard cryptographic API and the corresponding settings. The method of the present invention addresses exactly this problem, so that current application software can automatically use recent public key cryptography algorithms such as ECC and IBE through the standard cryptographic APIs (such as CryptoAPI and PKCS#11).
Summary of the invention
The purpose of the invention is to provide an application and implementation method, based on pseudo-RSA keys, for recent public key cryptography algorithms, by which all kinds of application software can, through the standard cryptographic APIs that support the RSA algorithm (such as Windows CryptoAPI and PKCS#11), automatically and transparently call recent public key cryptography algorithms, such as ECC and IBE, that the standard cryptographic interfaces do not yet explicitly support, to perform cryptographic operations.
The key to the invention is the pseudo-RSA key (pseudo-RSA public key, pseudo-RSA private key), by means of which the use of a pseudo-RSA key is converted into the corresponding use of a key of a recent public key cryptography algorithm (such as an ECC public or private key). A pseudo-RSA key, which may be a pseudo-RSA public key or a pseudo-RSA private key, is a key whose key data has the same data structure as an RSA key (public key, private key), but what is stored in that key data is not real RSA key data; it is the key data (such as an ECC public key or an IBE private key) of the corresponding recent public key cryptography algorithm (such as ECC or IBE).
To achieve this purpose, the technical scheme adopted by the invention is as follows:
An application and implementation method for recent public key cryptography algorithms based on pseudo-RSA keys comprises a data encryption system, which consists of the following parts:
Cryptographic module: a software module, or a combined software and hardware module, that implements a standard cryptographic module interface supporting RSA function calls (such as CryptoSPI or PKCS#11). It provides calls to the cryptographic functions of the recent public key cryptography algorithm, including key operations of that algorithm, such as key generation, export, import and deletion, and cryptographic operations based on that algorithm, such as data encryption, decryption, digital signature and signature verification.
IBE key server (Key Server): needed only when the cryptographic module provides IBE algorithm functions. It is responsible for verifying and maintaining the correspondence between users and their identity identifiers, and for generating for a user the IBE private key corresponding to the user's identity identifier.
Pseudo-RSA digital certificate issuing tool or system: generates pseudo-RSA digital certificates based on pseudo-RSA public keys.
Cryptographic application software: a software program or system that calls the cryptographic module through the standard cryptographic API and uses the recent public key cryptography algorithm for data encryption, decryption, digital signature and signature verification.
The recent public key cryptography algorithms referred to above are public key cryptography algorithms other than RSA and DSA that have been proposed and come into use recently, such as ECC and IBE.
The pseudo-RSA digital certificate is a digital certificate in the standard X509 format, except that the certificate owner's RSA public key on the certificate is not a real RSA public key but the pseudo-RSA public key.
The pseudo-RSA digital certificate issuing tool or system is functionally similar to an ordinary digital certificate issuing tool or system; the main difference is that it issues pseudo-RSA digital certificates rather than ordinary digital certificates.
The overall working principle and process of the invention are described as follows.
The cryptographic application software calls, in the ordinary way and through the standard cryptographic API, the RSA cryptographic functions of the cryptographic module, such as key operations (key generation, export, import and deletion) and cryptographic operations (data encryption, decryption, digital signature and signature verification).
For a call to the interface function that generates an RSA key pair, the cryptographic module does not generate a real RSA key pair; it generates a key pair of the recent public key cryptography algorithm. If the cryptographic module implements the IBE algorithm, then when generating an IBE key pair it does not generate the user's IBE private key directly. Instead it interacts with the IBE key server; after user authentication and the verification and confirmation of ownership of the identity identifier are completed, the IBE key server generates the IBE private key corresponding to the user's identity identifier, and the IBE key pair is then generated on that basis.
For a call to the interface function that exports an RSA key (RSA public key, RSA private key), if the key to be exported corresponds to a key of the recent public key cryptography algorithm, the cryptographic module does not export an RSA key; it exports the pseudo-RSA key (pseudo-RSA public key, pseudo-RSA private key) corresponding to that key. Otherwise it exports the RSA key in the ordinary way.
For a call to the interface function that imports an RSA key (RSA public key, RSA private key), the cryptographic module first checks whether the RSA key to be imported is a pseudo-RSA key. If it is, the cryptographic module separates the key of the corresponding recent public key cryptography algorithm from the pseudo-RSA key and imports it into the cryptographic module. Otherwise the cryptographic module imports the RSA key in the ordinary way.
For a call to an interface function that uses an RSA key (public or private) to perform a cryptographic operation (such as data encryption, decryption, digital signature or signature verification), the cryptographic module first determines whether the RSA key to be used is a real RSA key or corresponds to a key of a recent public key cryptography algorithm (such as an ECC or IBE key). If it is a real RSA key, the module uses it to perform the operation with the RSA algorithm. Otherwise it performs the operation with the corresponding recent algorithm and the corresponding key of that algorithm.
Current cryptographic application software usually does not use RSA keys (public key, private key) directly but through RSA digital certificates. In the present invention, for application software to be able to use the keys of a recent public key cryptography algorithm (such as an ECC public or private key) transparently, RSA digital certificates are likewise needed. Concretely, for each key pair of the recent algorithm, the pseudo-RSA digital certificate issuing tool or system issues a digital certificate in X509 format in which the certificate holder's (certificate subject's) public key is the pseudo-RSA public key corresponding to that key pair; that is, it generates a pseudo-RSA digital certificate corresponding to the key pair of the recent algorithm. By using this pseudo-RSA digital certificate, the cryptographic application software calls, in the ordinary way, the RSA-based cryptographic functions provided by the cryptographic module (such as encryption, decryption, signing and signature verification), while the cryptographic module actually uses the corresponding key of the recent algorithm to which the pseudo-RSA certificate corresponds and completes the operation with that recent algorithm.
The novelty of the invention is as follows. By means of pseudo-RSA keys, a cryptographic module that provides the functions of a recent public key cryptography algorithm (such as ECC or IBE) can offer those functions externally through a standard cryptographic module interface that supports RSA functions, such as Windows CryptoSPI or PKCS#11. At the same time, application software can use the recent algorithm for data encryption and decryption, digital signature and signature verification through the corresponding standard cryptographic API that supports RSA functions, such as Windows CryptoAPI or PKCS#11. This use of the recent algorithm is transparent to the application software: the applications need no modification and do not know that they are using a recent public key cryptography algorithm.
The method of the invention solves the technical problem that the current standard cryptographic interfaces, operating systems and application software cannot properly support recent public key cryptography algorithms such as ECC and IBE, that is, the technical problems these algorithms face in concrete application and implementation.
Description of drawings
Fig. 1 is the system block diagram of the data encryption system of the invention.
Embodiments
The concrete implementation of the invention is further described below with reference to the drawing.
As shown in Fig. 1, the data encryption system based on the invention consists of the following parts:
Cryptographic module: a software module, or a combined software and hardware module, that implements a standard cryptographic module interface supporting RSA function calls (such as CryptoSPI or PKCS#11). It provides calls to the cryptographic functions of the recent public key cryptography algorithm. Its functions include key operations of that algorithm, such as generation, export, import and deletion, and cryptographic operations based on that algorithm, such as data encryption, decryption, digital signature and signature verification.
IBE key server (Key Server): needed only when the cryptographic module provides IBE algorithm functions. It is responsible for verifying and maintaining the correspondence between users and their identity identifiers, and for generating for a user the IBE private key corresponding to the user's identity identifier.
Pseudo-RSA digital certificate issuing tool or system: generates pseudo-RSA digital certificates based on pseudo-RSA public keys.
Cryptographic application software: a software program or system that calls the cryptographic module through the standard cryptographic API and uses the recent public key cryptography algorithm for data encryption, decryption, digital signature and signature verification.
The cryptographic module needs to implement a standard cryptographic module interface that supports RSA function calls (such as Windows CryptoSPI or PKCS#11). This is not difficult; it only requires following the corresponding cryptographic module interface specification.
The IBE key server is a service system based on the C/S (client/server) model, and its client is the cryptographic module. The IBE key server can be built with common information system development technology, such as the C/C++, C#.Net or J2EE development languages and environments, and related database development technology. Its IBE key generation can be implemented with reference to the relevant specifications, such as RFC5091. IBE key generation can be implemented either in software or in hardware. The information exchange between the IBE key server and the cryptographic module can use existing secure channel technology, such as SSL.
The pseudo-RSA digital certificate issuing tool or system can be developed on the basis of the cryptographic functions provided by the OpenSSL toolkit or Windows CryptoAPI, or can be obtained by modifying an existing digital certificate issuing system.
The application software needs no modification. It performs data encryption, decryption, digital signature, signature verification and other cryptographic operations with the RSA algorithm in the ordinary way of using RSA keys or RSA digital certificates.
The concrete implementation of the functions of the invention is described below.
For a call to the interface function that generates an RSA key pair, the processing differs depending on whether the recent public key cryptography algorithm implemented by the cryptographic module is the IBE algorithm:
Case 1. If the recent algorithm implemented by the cryptographic module is not the IBE algorithm, the cryptographic module operates as follows:
Generate a key pair of the recent public key cryptography algorithm (such as the ECC algorithm), create the corresponding key pair object in memory or on a storage medium, and then return the handle, pointer or reference of the key pair object.
Case 2. If the recent algorithm implemented by the cryptographic module is the IBE algorithm, the cryptographic module and the IBE key server operate according to the following workflow:
Step A1. Through a dedicated user interface, the cryptographic module prompts the user to enter their identity identifier;
Step A2. After the user enters and submits the identity identifier, the cryptographic module connects to the IBE key server;
Step A3. The IBE key server requires the user to be authenticated;
Step A4. Through the user interface, the cryptographic module prompts the user to submit or select their identity credential (such as user name/password or a digital certificate);
Step A5. Using the identity credential submitted or selected by the user and its associated secret data (such as the password or the certificate private key), the cryptographic module interacts with the IBE key server to complete user authentication;
Step A6. After user authentication passes, the IBE key server further confirms that the user is the real owner of the identity identifier;
Step A7. After verification of the user as owner of the identity identifier passes, the IBE key server generates the IBE private key corresponding to the user's identity identifier and then returns the IBE private key to the cryptographic module;
Step A8. Based on the IBE private key returned by the IBE key server, the cryptographic module generates the corresponding IBE public key, then creates the corresponding IBE key pair object in memory or on a storage medium, and finally returns the handle, pointer or reference of the IBE key pair object.
In step A5 above, depending on the concrete security requirements, the IBE key server can authenticate the user with an identity authentication technique based on user name/password, dynamic password, identity digital certificate and so on. If the user's identity credential is an identity digital certificate, the cryptographic module cannot necessarily obtain directly the private key of the user's identity certificate, which is kept in another cryptographic module or storage medium (such as a smart card or USB Key); it can, however, use that private key through the corresponding cryptographic interface to perform the cryptographic operations needed for user authentication, such as digitally signing the random challenge sent by the IBE key server.
In step A6 above, the IBE key server can confirm in many ways that the user is the real owner of the identity identifier. For example, the identity identifier may be contained in the identity credential (for instance, it is the user's account name on the IBE server, or the user's common name in the digital certificate, or the e-mail address in the certificate). Alternatively, the user entered the identity identifier when registering with the IBE key server, and the user's ownership of the identifier was verified and confirmed through another reliable channel; for instance, if the identity identifier is a mobile phone number or an e-mail address, a confirmation code can be sent to the corresponding mobile phone or e-mail address for verification.
For a call to the interface function that exports an RSA key (public or private), the cryptographic module operates as follows:
Determine whether the RSA key to be exported is a real RSA key or corresponds to a key of a recent public key cryptography algorithm (such as an ECC or IBE key). If it is a real RSA key, complete the operation as an ordinary RSA key export. Otherwise, create an RSA key (public or private) data structure; place the key of the recent algorithm to which the RSA key to be exported corresponds (such as the corresponding IBE public or private key) in this RSA key data structure; then place the agreed characteristic bit value in specific unused bits of the structure; and finally return this RSA key data structure as the exported key data.
In the latter case, where the exported key corresponds to a key of a recent public key cryptography algorithm, the returned key has the same key data structure as an ordinary RSA key, but what it contains is not a real RSA key; it is the key of the corresponding recent algorithm. The returned key is therefore a pseudo-RSA key. The characteristic bit value in the specific bits of the pseudo-RSA key data structure is either a special bit string or is produced from the key of the corresponding recent algorithm by a specific operation (such as a hash operation).
Embedding the key of a recent algorithm (such as an ECC public or private key) in an RSA key (public or private) data structure, and adding the agreed characteristic bit value in specific unused bits of that structure, is not difficult. The key data structure of a key (public and private) of a recent public key algorithm such as ECC or IBE with a certain key strength (e.g., 224 or 192 bits) occupies far fewer bits than the key data structure of an RSA key (public and private) of comparable key strength (e.g., 2048 or 1024 bits). The corresponding key data of the recent algorithm can therefore easily be placed in the key data structure of an RSA key of comparable strength, and the agreed characteristic bit value can be added in specific spare, unused bits. If the key data structure of an RSA key of a given key strength is not large enough to hold the corresponding non-RSA key data, an RSA key of higher key strength can be used.
For a call to the interface function that imports an RSA key (public or private), the cryptographic module operates as follows:
Check the specific bits in the key data structure of the RSA key to be imported to see whether their value is the agreed characteristic bit value, that is, check whether the RSA key to be imported is a pseudo-RSA key. If it is, separate the corresponding key of the recent algorithm (such as the corresponding ECC public or private key) from the imported key data. Otherwise, complete the import as for an ordinary RSA key.
Note that in IBE data encryption the identity identifier is usually simply called the public key. The identity identifier alone, however, is not sufficient to perform the encryption operation; the relevant IBE public parameters (such as the corresponding elliptic curve parameters and the IBE public parameters needed for the bilinear map) are also required. In the present invention, therefore, the IBE public key comprises not only the identity identifier but also the IBE public parameters needed to complete the cryptographic operation.
For a call to an interface function that uses an RSA key (public or private) to perform a cryptographic operation (such as data encryption, decryption, digital signature or signature verification), the cryptographic module operates as follows:
Determine whether the RSA key to be used is a real RSA key or corresponds to a key of a recent public key cryptography algorithm (such as an ECC or IBE key). If it is a real RSA key, use it to perform the operation with the RSA algorithm. Otherwise, perform the operation with the corresponding recent algorithm and the corresponding key of that algorithm.
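The export, import and dispatch rules described above, as an added Python example (not code from the patent). The byte layout of the 2048-bit modulus field, the algorithm ids, the SHA-256-derived characteristic value and all function names are assumptions made for illustration; the patent fixes none of them.

```python
import hashlib

MODULUS_LEN = 256   # bytes in a 2048-bit RSA modulus field
MARKER_LEN = 16     # trailing bytes reserved for the characteristic value (assumed)
HEADER_LEN = 3      # 1 byte algorithm id + 2 bytes embedded-key length (assumed)
MAX_KEY_LEN = MODULUS_LEN - HEADER_LEN - MARKER_LEN
ALGORITHMS = {1: "ECC", 2: "IBE"}   # hypothetical algorithm ids

# Constructed sample inputs: 57 bytes shaped like an uncompressed P-224 point
# (not a valid point), and 256 arbitrary bytes standing in for a real modulus.
SAMPLE_ECC_PUBLIC = b"\x04" + bytes(range(56))
SAMPLE_RSA_MODULUS = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))


def characteristic_value(body: bytes) -> bytes:
    """Characteristic value derived from the embedded key data by a hash."""
    return hashlib.sha256(b"pseudo-rsa-marker\x00" + body).digest()[:MARKER_LEN]


def export_pseudo_rsa(alg_id: int, key: bytes) -> bytes:
    """Export path: place a non-RSA key in an RSA-modulus-sized field."""
    if alg_id not in ALGORITHMS:
        raise ValueError("unknown algorithm id")
    if not 0 < len(key) <= MAX_KEY_LEN:
        # The patent's answer to this case is to use a larger RSA key size.
        raise ValueError("key does not fit in this RSA key size")
    # The top bit keeps the field looking like a full-length modulus (assumed).
    body = bytes([0x80 | alg_id]) + len(key).to_bytes(2, "big") + key
    body = body.ljust(MODULUS_LEN - MARKER_LEN, b"\x00")
    return body + characteristic_value(body)


def import_key(modulus: bytes):
    """Import path: return (algorithm name, key bytes).

    A field whose characteristic value does not match is treated as a real
    RSA modulus and returned unchanged, as in the 'ordinary RSA' branch.
    """
    if len(modulus) != MODULUS_LEN:
        return "RSA", modulus
    body, marker = modulus[:-MARKER_LEN], modulus[-MARKER_LEN:]
    if marker != characteristic_value(body):
        return "RSA", modulus
    alg_id = body[0] & 0x7F
    key_len = int.from_bytes(body[1:3], "big")
    end = HEADER_LEN + key_len
    if (not body[0] & 0x80 or alg_id not in ALGORITHMS
            or not 0 < key_len <= MAX_KEY_LEN or any(body[end:])):
        # The marker is an unkeyed hash, so anyone can forge it: validate
        # every field before handing the bytes to another algorithm.
        raise ValueError("characteristic value matches but header is malformed")
    return ALGORITHMS[alg_id], body[HEADER_LEN:end]


def crypto_operation(operation: str, modulus: bytes, providers: dict):
    """Dispatch an 'RSA' call to the provider for the key actually carried.

    providers maps "RSA", "ECC", "IBE" to callables (operation, key) -> result;
    they are supplied by the caller and stand for the real implementations.
    """
    algorithm, key = import_key(modulus)
    return providers[algorithm](operation, key)


if __name__ == "__main__":
    pseudo = export_pseudo_rsa(1, SAMPLE_ECC_PUBLIC)
    print(len(pseudo) * 8, "bit field carries", import_key(pseudo)[0], "key")
    print("plain modulus is handled as", import_key(SAMPLE_RSA_MODULUS)[0])
```

Because the characteristic value here is an unkeyed hash, it only tells pseudo-RSA keys apart from real ones and does not authenticate them. A pseudo-RSA key whose marked bits are damaged is indistinguishable from an RSA key and takes the ordinary RSA path.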
For signing and issuing of pseudo-RSA digital certificate, its practical implementation method is following:
If the public key encryption algorithm recently that said crypto module is realized is not the IBE algorithm; Then sign and issue instrument or system by said pseudo-RSA digital certificate; The pseudo-RSA PKI that calls derivation with the interface function of the derivation RSA key of foregoing crypto module is a certificate holder PKI; Sign and issue the digital certificate of an X509 form, supply encryption application software to use.
If the public key encryption algorithm recently that said crypto module is realized is the IBE algorithm; Then cross pseudo-RSA digital certificate with enciphered data deciphering square tube and sign and issue instrument or system data encryption side; Generate corresponding pseudo-RSA digital certificate independently of one another, supply encryption application software to use.In order to realize this purpose; Said encrypting module is except the interface function of realizing said standard cipher module interface defined; Also have special additional interface function to be used for producing, derive the corresponding pseudo-RSA PKI of identify label (also being the IBE PKI), supply data encryption side to generate pseudo-RSA digital certificate.Said encrypting module is handled calling this interface function by following process:
Step B1. is through special man-machine interface, prompting user input (enciphered data recipient, i.e. data decryption side) identify label;
Step B2. generates the corresponding IBE PKI of identify label according to the identify label of IBE open parameters and user's input;
Step B3. produces a RSA public key data structure; Step B2 is produced the IBE PKI to be put in this RSA public key data structure; And in this RSA public key data structure, put into the characteristic place value of making an appointment in the untapped specific digits; Afterwards, this RSA public key data structure is returned as the public key data that derives.
Extra being used to produces, derives the interface function of the corresponding pseudo-RSA PKI of identify label more than having had, and the IBE key is following to the production process of the pseudo-RSA digital certificate of correspondence:
Data encryption side utilizes the additional interface function of the corresponding pseudo-RSA PKI of generation, the derivation identify label of foregoing crypto module; Obtain the corresponding pseudo-RSA PKI of deciphering side's identify label (being the IBE PKI), and generate a pseudo-RSA digital certificate with this pseudo-RSA PKI; Enciphered data deciphering side; Be the owner of identify label; Call the right interface function of generation RSA key of foregoing crypto module through the password API; It is right to produce the corresponding IBE key of self identify label; Interface function with the derivation RSA key of foregoing crypto module calls then; Derive the corresponding pseudo-RSA PKI of IBE PKI with the mode that derives the RSA PKI, i.e. the pseudo-RSA PKI that identify label is corresponding, and with pseudo-RSA digital certificate of this pseudo-RSA PKI generation; The independent separately pseudo-RSA digital certificate that generates in enciphered data encryption side, deciphering side can be the certificate from signature; Also can right and wrong from the certificate of signature, but the pseudo-RSA digital certificate that both independently generate separately has identical subject (Subject Name), issuer name (Issuer Name) and sequence number (Serial Number).
In an ordinary digital certificate issuing system, the certificate issuance request submitted by a user not only contains the user's public key but must also be digitally signed with the private key corresponding to that public key; before issuing the certificate, the certificate issuing system must verify the digital signature of the certificate issuance request with the public key contained in the request. In the present invention, the user's RSA public key in the digital certificate is a pseudo-RSA public key; accordingly, the pseudo-RSA digital certificate issuing tool or system may handle the digital signature in the certificate issuance request in one of the following two ways:
Mode 1. The digital signature of the certificate issuance request is not verified with the RSA public key in the request; the value of this digital signature may be a random number or a pre-agreed specific value; or,
Mode 2. Check whether the value of the specific bits of the RSA public key data in the certificate issuance request is the characteristic bit value, and thereby determine whether it is a pseudo-RSA public key; if so, extract the public key of the corresponding recent public-key algorithm from this pseudo-RSA public key and verify the digital signature in the certificate issuance request with the extracted public key; otherwise, verify the digital signature in the certificate issuance request in the usual way, directly with the RSA public key in the request.
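The following Python sketch is an added example, not code from the patent: it shows the export described in step B3 and the marker check of mode 2 for one concrete layout. The 1024-bit modulus field, the 8-byte marker, the algorithm identifiers and the header layout are all assumptions, since the text does not fix which bits carry the characteristic value.

```python
import struct

MODULUS_BYTES = 128                   # assumed: 1024-bit RSA modulus field
# Assumed 8-byte characteristic value. Its first byte has the top bit clear,
# so a full-length RSA modulus (top bit always set) can never match it.
MARKER = b"PSEUDO\x00\x01"
ALGORITHMS = {1: "ecc", 2: "ibe"}     # assumed algorithm identifiers
HEADER = struct.Struct(">8sBH")       # marker, algorithm id, embedded key length
RSA_E = 65537

# Constructed sample inputs (not real keys).
SAMPLE_ECC_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
SAMPLE_RSA_MODULUS = ((1 << 1023) | 0xC0FFEE01).to_bytes(MODULUS_BYTES, "big")


def export_pseudo_rsa_public(alg_id, key):
    """Place a non-RSA public key in an RSA-shaped (modulus, exponent) pair."""
    if alg_id not in ALGORITHMS:
        raise ValueError("unknown algorithm id")
    room = MODULUS_BYTES - HEADER.size
    if not 0 < len(key) <= room:
        raise ValueError(f"embedded key must be 1..{room} bytes")
    body = HEADER.pack(MARKER, alg_id, len(key)) + key
    # Unused bytes of the modulus field are zero-filled.
    return body.ljust(MODULUS_BYTES, b"\x00"), RSA_E


def import_rsa_public(modulus, exponent):
    """Classify RSA-shaped key data.

    Returns ("rsa", (n, e)) for an ordinary key, or (algorithm, key_bytes)
    when the characteristic value is present.
    """
    if len(modulus) != MODULUS_BYTES:
        raise ValueError("unexpected modulus length")
    marker, alg_id, key_len = HEADER.unpack_from(modulus)
    if marker != MARKER:
        # No characteristic value: handle as an ordinary RSA public key.
        return ("rsa", (int.from_bytes(modulus, "big"), exponent))
    end = HEADER.size + key_len
    if alg_id not in ALGORITHMS or key_len == 0 or end > MODULUS_BYTES:
        raise ValueError("malformed pseudo RSA key")
    if any(modulus[end:]):
        raise ValueError("non-zero bytes after embedded key")
    return (ALGORITHMS[alg_id], modulus[HEADER.size:end])


if __name__ == "__main__":
    n, e = export_pseudo_rsa_public(1, SAMPLE_ECC_POINT)
    print(import_rsa_public(n, e)[0])                    # pseudo key
    print(import_rsa_public(SAMPLE_RSA_MODULUS, RSA_E)[0])  # ordinary key
```

Rejecting a key that carries the marker but fails the length or padding checks, instead of falling back to RSA handling, is a choice made in this example; the text only specifies the two well-formed cases.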
When a recent public-key cryptographic algorithm (such as ECC or IBE) is used to encrypt a block of data, the random parameters required for decryption are also stored in the encrypted data block. Because the length of an encrypted data block of a recent public-key cryptographic algorithm is usually far smaller than the length of an RSA encrypted data block of equal cryptographic strength, random byte strings may be appended after one or more encrypted data blocks of the recent public-key cryptographic algorithm so that the boundary of the data encrypted with the recent public-key cryptographic algorithm aligns with the boundary of the corresponding RSA encrypted data block (for example, 1024).
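As an added illustration of the block alignment described above (not code from the patent), the Python sketch below frames one or more short ciphertext blocks and fills the remainder of an RSA-sized block with random bytes. The 128-byte block size (reading the 1024 in the text as bits) and the count and length prefixes that let the receiver find where the random filler starts are assumptions; the text does not say how the boundary is recorded.

```python
import os
import struct

RSA_BLOCK_BYTES = 128          # assumed: 1024-bit RSA encrypted block
COUNT = struct.Struct(">B")    # assumed framing: number of embedded blocks
LENGTH = struct.Struct(">H")   # assumed framing: length of each block

# Constructed stand-ins for two short ECC/IBE ciphertext blocks.
SAMPLE_BLOCKS = [bytes([0xA1]) * 40, bytes([0xB2]) * 33]


def align_to_rsa_block(blocks, block_bytes=RSA_BLOCK_BYTES, rng=os.urandom):
    """Frame short ciphertext blocks and fill the rest with random bytes."""
    if not 0 < len(blocks) <= 255:
        raise ValueError("need 1..255 blocks")
    framed = COUNT.pack(len(blocks))
    for block in blocks:
        if not 0 < len(block) <= 0xFFFF:
            raise ValueError("block length out of range")
        framed += LENGTH.pack(len(block)) + block
    if len(framed) > block_bytes:
        raise ValueError("ciphertext does not fit in one RSA-sized block")
    return framed + rng(block_bytes - len(framed))


def split_rsa_block(data, block_bytes=RSA_BLOCK_BYTES):
    """Recover the embedded ciphertext blocks; the random tail is ignored."""
    if len(data) != block_bytes:
        raise ValueError("not an RSA-sized block")
    (count,) = COUNT.unpack_from(data, 0)
    if count == 0:
        raise ValueError("no embedded blocks")
    offset, blocks = COUNT.size, []
    for _ in range(count):
        # Bounds are checked before every read so a corrupted length
        # field cannot make the parser read past the block.
        if offset + LENGTH.size > len(data):
            raise ValueError("truncated length field")
        (size,) = LENGTH.unpack_from(data, offset)
        offset += LENGTH.size
        if size == 0 or offset + size > len(data):
            raise ValueError("embedded block overruns the RSA block")
        blocks.append(data[offset:offset + size])
        offset += size
    return blocks


if __name__ == "__main__":
    aligned = align_to_rsa_block(SAMPLE_BLOCKS)
    print(len(aligned), split_rsa_block(aligned) == SAMPLE_BLOCKS)
```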
Concrete technical implementations not explained in this specification are well known and self-evident to those skilled in the relevant art.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (10)

1. An application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys, comprising a data encryption system, said data encryption system consisting of the following parts:
Cryptographic module: a software module, or a combined software and hardware module, that implements a standard cryptographic module interface supporting RSA cryptographic algorithm function calls; it provides cryptographic function calls for a recent public-key cryptographic algorithm, including key operations of the recent public-key cryptographic algorithm and cryptographic operations based on the recent public-key cryptographic algorithm;
IBE key server: needed only when said cryptographic module provides IBE cryptographic algorithm functions; it is responsible for verifying and maintaining the correspondence between users and their identity identifiers, and for generating for a user the IBE private key corresponding to the user's identity identifier;
Pseudo-RSA digital certificate issuing tool or system: generates pseudo-RSA digital certificates based on pseudo-RSA public keys;
Cryptographic application software: a software program or system that calls said cryptographic module through the standard cryptographic API and uses the recent public-key cryptographic algorithm to perform data encryption, decryption, digital signature and signature verification;
Said recent public-key cryptographic algorithm refers to public-key cryptographic algorithms other than the RSA and DSA algorithms that have been proposed and put into use recently and that the standard cryptographic module interface cannot support;
Said pseudo-RSA key comprises a pseudo-RSA public key and a pseudo-RSA private key; its key data has the same data structure as an RSA key, but what is stored in the key data is not real RSA key data but the key data of the corresponding recent public-key algorithm;
Said pseudo-RSA digital certificate is a digital certificate in the standard X509 format in which the certificate owner's RSA public key is not a real RSA public key but said pseudo-RSA public key;
Said pseudo-RSA digital certificate issuing tool or system is similar in function to an ordinary digital certificate issuing tool or system; the main difference is that it is used to issue pseudo-RSA digital certificates rather than ordinary digital certificates.
2. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1, characterized in that: if the recent public-key cryptographic algorithm implemented by said cryptographic module is not the IBE algorithm, then for a call to the interface function that generates an RSA key pair, said cryptographic module operates as follows:
Generate a key pair of the recent public-key cryptographic algorithm, create the corresponding key pair object in memory or on a storage medium, and then return a handle, pointer or reference to the key pair object.
3. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1, characterized in that: if the recent public-key cryptographic algorithm implemented by said cryptographic module is the IBE algorithm, then for a call to the interface function that generates an RSA key pair, said cryptographic module and the IBE key server operate according to the following workflow:
Step 1. Through a dedicated human-machine interface, the cryptographic module prompts the user to enter his or her identity identifier;
Step 2. After the user enters and submits the identity identifier, the cryptographic module connects to the IBE key server;
Step 3. The IBE key server requires that the user be authenticated;
Step 4. Through the human-machine interface, the cryptographic module prompts the user to submit or select an identity credential;
Step 5. The cryptographic module uses the identity credential submitted or selected by the user, together with its associated private data, to interact with the IBE key server and complete user authentication;
Step 6. After user authentication passes, the IBE key server further confirms that the user is the real owner of the identity identifier;
Step 7. After verification that the user is the owner of the identity identifier passes, the IBE key server generates the IBE private key corresponding to the user's identity identifier and then returns the IBE private key to the cryptographic module;
Step 8. The cryptographic module generates the corresponding IBE public key based on the IBE private key returned by the IBE key server, then creates the corresponding IBE key pair object in memory or on a storage medium, and finally returns a handle, pointer or reference to the IBE key pair object.
4. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1, characterized in that: said cryptographic module operates as follows for a call to the interface function that exports an RSA key:
Determine whether the RSA key to be exported is a real RSA key or a key of the corresponding recent public-key cryptographic algorithm; if it is a real RSA key, complete the operation as an ordinary RSA key export; otherwise, create an RSA key data structure, place the key of the recent public-key cryptographic algorithm corresponding to the RSA key to be exported into this RSA key data structure, then write the pre-agreed characteristic bit value into specific unused bits of this RSA key data structure, and then return this RSA key data structure as the exported key data.
5. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 4, characterized in that: said characteristic bit value may be a special bit string, or may be produced from the key of the corresponding recent public-key cryptographic algorithm by a specific computation.
6. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1 or 4, characterized in that: said cryptographic module operates as follows for a call to the interface function that imports an RSA key:
Check the specific bits in the key data structure of the RSA key to be imported to see whether their value is the pre-agreed characteristic bit value, that is, check whether the RSA key to be imported is a pseudo-RSA key; if so, extract the key of the corresponding recent public-key cryptographic algorithm from the imported key data; otherwise, complete the import operation as for an ordinary RSA key.
7. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1, characterized in that: if said cryptographic module implements the IBE cryptographic algorithm, then in addition to the interface functions defined by said standard cryptographic module interface, the cryptographic module also has a dedicated additional interface function for generating and exporting the pseudo-RSA public key corresponding to an identity identifier, that is, the pseudo-RSA public key corresponding to the IBE public key, for the data encrypting party to generate a pseudo-RSA digital certificate; for a call to this interface function, said cryptographic module operates according to the following process:
Step 1. Through a dedicated human-machine interface, prompt the user to enter the identity identifier;
Step 2. Generate the IBE public key corresponding to the identity identifier from the IBE public parameters and the identity identifier entered by the user;
Step 3. Create an RSA public key data structure; place the IBE public key generated in step 2 into this RSA public key data structure, and write the pre-agreed characteristic bit value into specific unused bits of the structure; then return this RSA public key data structure as the exported public key data.
8. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1, characterized in that: said cryptographic module operates as follows for a call to an interface function that uses an RSA key to perform a cryptographic operation:
Determine whether the RSA key to be used is a real RSA key or a key of the corresponding recent public-key cryptographic algorithm; if it is a real RSA key, use this RSA key to perform the cryptographic operation with the RSA cryptographic algorithm; otherwise, perform the cryptographic operation with the corresponding recent public-key cryptographic algorithm and the corresponding key of that algorithm.
9. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1 or 3 or 4 or 7, characterized in that: if the recent public-key cryptographic algorithm implemented by said cryptographic module is not the IBE algorithm, then said pseudo-RSA digital certificate issuing tool or system issues a digital certificate in X509 format whose certificate holder public key is the pseudo-RSA public key exported by calling the export-RSA-key interface function of claim 4, for use by the cryptographic application software; otherwise, the data encrypting party and the decrypting party of the encrypted data each independently generate the corresponding pseudo-RSA digital certificate through the pseudo-RSA digital certificate issuing tool or system, for use by the cryptographic application software, specifically as follows:
The data encrypting party uses the additional interface function of the cryptographic module of claim 7, which generates and exports the pseudo-RSA public key corresponding to an identity identifier, to obtain the pseudo-RSA public key corresponding to the decrypting party's identity identifier, that is, the pseudo-RSA public key corresponding to the IBE public key, and generates a pseudo-RSA digital certificate from this pseudo-RSA public key. The decrypting party of the encrypted data, that is, the owner of the identity identifier, calls through the cryptographic API the generate-RSA-key-pair interface function of claim 3 to produce the IBE key pair corresponding to its own identity identifier; it then calls the export-RSA-key interface function of claim 4 to export, in the same way an RSA public key is exported, the pseudo-RSA public key corresponding to the IBE public key, that is, the pseudo-RSA public key corresponding to the identity identifier, and generates a pseudo-RSA digital certificate from this pseudo-RSA public key. The pseudo-RSA digital certificates that the encrypting party and the decrypting party each generate independently may be self-signed certificates or non-self-signed certificates, but the two independently generated pseudo-RSA digital certificates have the same subject name, issuer name and serial number.
10. The application and implementation method for recent public-key cryptographic algorithms based on pseudo-RSA keys according to claim 1 or 4, characterized in that: said pseudo-RSA digital certificate issuing tool or system handles the digital signature in the certificate issuance request in one of the following two ways:
Mode 1. The digital signature of the certificate issuance request is not verified with the RSA public key in the request; the value of this digital signature may be a random number or a pre-agreed specific value; or,
Mode 2. Check whether the value of the specific bits of the RSA public key data in the certificate issuance request is the characteristic bit value, and thereby determine whether it is a pseudo-RSA public key; if so, extract the public key of the corresponding recent public-key algorithm from this pseudo-RSA public key and verify the digital signature in the certificate issuance request with the extracted public key; otherwise, verify the digital signature in the certificate issuance request in the usual way, directly with the RSA public key in the request.
CN 201110248050 2011-08-26 2011-08-26 Data cryption system for Pseudo-Rivest, Shamir and Adleman (RSA)-key-based recently public key cryptography algorithm Active CN102307096B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110248050 CN102307096B (en) 2011-08-26 2011-08-26 Data cryption system for Pseudo-Rivest, Shamir and Adleman (RSA)-key-based recently public key cryptography algorithm

Publications (2)

Publication Number Publication Date
CN102307096A true CN102307096A (en) 2012-01-04
CN102307096B CN102307096B (en) 2013-10-16

Family

ID=45380911

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110248050 Active CN102307096B (en) 2011-08-26 2011-08-26 Data cryption system for Pseudo-Rivest, Shamir and Adleman (RSA)-key-based recently public key cryptography algorithm

Country Status (1)

Country Link
CN (1) CN102307096B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050084100A1 (en) * 2003-10-17 2005-04-21 Terence Spies Identity-based-encryption system with district policy information
CN101567780A (en) * 2009-03-20 2009-10-28 武汉理工大学 Key management and recovery method for encrypted digital certificate

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Wei, et al.: "Cryptoki implementation based on the SJW86-A encryption card" (基于SJW86-A加密卡的Cryptoki实现), Sciencepaper Online (《中国科技论文在线》), 14 April 2011 (2011-04-14), pages 1 - 4 *

Also Published As

Publication number Publication date
CN102307096B (en) 2013-10-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING ITRUSCHINA CO., LTD.

Effective date: 20121214

C41 Transfer of patent application or patent right or utility model
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Long Yihong

Inventor after: Tang Zhihong

Inventor before: Long Yihong

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: LONG YIHONG TO: LONG YIHONG TANG ZHIHONG

TA01 Transfer of patent application right

Effective date of registration: 20121214

Address after: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122

Applicant after: Wuhan University of Technology

Applicant after: Beijing iTrusChina Co., Ltd.

Address before: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122

Applicant before: Wuhan University of Technology

C14 Grant of patent or utility model
GR01 Patent grant