CN103516511B - Method and device for detecting an encryption algorithm and key - Google Patents
- Publication number: CN103516511B
- Authority: CN (China)
- Prior art keywords: algorithm, tested terminal, aes, key, ciphertext
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides a method and device for detecting an encryption algorithm and key. The method comprises: identifying a tested terminal to obtain the type of the tested terminal and the cryptographic device it uses; determining the algorithm type to be detected according to the cryptographic device used by the tested terminal; for the algorithm type to be detected, selecting a preset calculation example and performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type; and obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing a cryptographic computation according to a preset technical specification, and generating a detection result for the key. The invention automatically identifies the algorithm used by a terminal device and checks whether it meets the specifications of the State Cryptography Administration; it is compatible with all kinds of interfaces and performs compliance checks on the terminal's use of encryption algorithms and its key management, preventing non-compliant and illegal terminals from gaining access.
Description
Technical field
The present invention relates to encryption technology, and in particular to a method and device for detecting an encryption algorithm and key; specifically, it is a unified encryption algorithm and key detection method and device for the business applications of power grid enterprises.
Background art
Encryption technology is a core technology of information security. It can effectively address the confidentiality, integrity and authenticity of information. As the power business becomes highly informatized and smart grid technology continues to spread, more and more power equipment is becoming intelligent, and the data exchanged within electric power enterprises, especially power grid enterprises, is growing exponentially; using encryption technology to protect the critical data involved has become an urgent problem.
Encryption technology is now used throughout the informatization of power grid enterprises: systems such as the power transmission and transformation condition monitoring system, the secure access platform and the marketing user information acquisition system generally use encryption to protect key information. For an information system that uses encryption technology, security depends mainly on two aspects: (1) the security of the encryption algorithm used. The encryption algorithm is the foundation of a secure information system, and a poor encryption algorithm can leave the whole system with no security to speak of; (2) the security of the encryption key. If the encryption key is lost, an attacker can not only obtain critical data directly with the key but can also use the key to attack the encryption algorithm and crack it, and thereby attack the business system. It is therefore particularly important to strengthen the evaluation of the security level of encryption algorithms and of the key management mechanisms of cryptographic devices; an advanced key evaluation method helps power grid enterprises strengthen the management of key use and the secure use of encryption technology and keys.
Most business systems currently deployed in power grid enterprises claim to use the dedicated cryptographic algorithms of the State Cryptography Administration, but their validity and security have not been verified; meanwhile, the administrators of some business systems lack an understanding of key application security, which leaves hidden dangers in how keys are stored and used. Therefore, standardizing and effectively managing the use of encryption technology and keys, developing advanced encryption algorithm and key evaluation technology, and establishing a sound key detection and certification system are important ways to solve the security problems that the business systems of power grid enterprises currently face. Security evaluation of encryption algorithms, cryptographic devices and key management devices can provide a safer operating environment for the business systems of power grid enterprises.
Security detection technology for encryption algorithms and key management is an important part of information security evaluation and the basis for building the information security system of a business system. Realizing automated, unified evaluation technology for encryption algorithms and key management has important practical significance for improving the ability of power grid enterprises to discover hidden security dangers in encryption algorithms and cryptographic products, and for ensuring the security and advancement of encryption algorithms and cryptographic products.
Current mainstream encryption detection devices fall into two classes, software implementations and hardware implementations. They usually use a standard library of encryption algorithm matching test cases to perform white-box testing on the encryption algorithm of a given system, and judge whether the system's encryption algorithm meets design standards and security requirements by comparing plaintext/ciphertext pairs from the encryption process. However, such systems generally cannot automatically identify the encryption algorithm of the system under detection, cannot automatically evaluate the compliance of its encryption algorithm according to the security level of the system under detection, and lack a function for evaluating the management of massive numbers of keys; they cannot meet the requirements of power grid enterprises for evaluating cryptographic systems.
Summary of the invention
The object of the invention is to design and realize a unified, business-application-oriented encryption algorithm and key management evaluation method and device which, for the security level requirements of the various application systems used in power grid enterprises, automatically identifies the security level of an enterprise business system and performs matching detection using the commercial cryptographic algorithms prescribed by the state, realizing unified security detection of business systems, so as to solve the problems that the cryptographic devices of current business systems lack a unified standard and that key management levels are uneven.
In order to achieve the above object, an embodiment of the present invention provides a method for detecting an encryption algorithm and key, the method comprising: identifying a tested terminal to obtain the type of the tested terminal and the cryptographic device it uses; determining the algorithm type to be detected according to the cryptographic device used by the tested terminal; for the algorithm type to be detected, selecting a preset calculation example and performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type; and obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing a cryptographic computation according to a preset technical specification, and generating a detection result for the key.
Further, in one embodiment, identifying the tested terminal to obtain the type of the tested terminal and the cryptographic device it uses comprises: determining, according to the type of the tested terminal, which power distribution network security protection type the tested terminal adopts; and determining, according to the power distribution network security protection type, the cryptographic device used by the tested terminal.
Further, in one embodiment, determining the algorithm type to be detected according to the cryptographic device used by the tested terminal comprises: judging whether the tested terminal supports the domestic encryption algorithms; and, if it does, determining whether the type of domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
Further, in one embodiment, selecting a preset calculation example for the algorithm type to be detected, performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type comprises: selecting the preset calculation example according to the algorithm type to be detected and performing the computation to generate the standard ciphertext; inputting plaintext to the tested terminal through the relevant interface; the tested device performing the cryptographic computation on the input plaintext with the corresponding cryptographic algorithm to generate the detection ciphertext; and comparing the detection ciphertext with the standard ciphertext calculated from the preset calculation example, where a consistent result indicates that the detected algorithm type is a domestic encryption algorithm and an inconsistent result indicates that the detected algorithm type is a non-domestic encryption algorithm.
Further, in one embodiment, the method also comprises: generating, according to the type of the tested terminal, a unified interface capable of identifying the various interface types of tested terminals.
In order to achieve the above object, an embodiment of the present invention also provides a device for detecting an encryption algorithm and key, characterized in that the device comprises: a device identification module, for identifying a tested terminal to obtain the type of the tested terminal and the cryptographic device it uses; an algorithm identification module, for determining the algorithm type to be detected according to the cryptographic device used by the tested terminal; an algorithm detection module, for selecting a preset calculation example for the algorithm type to be detected, performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type; and a key detection module, for obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing a cryptographic computation according to a preset technical specification, and generating a detection result for the key.
Further, in one embodiment, the device identification module, which identifies the tested terminal to obtain the type of the tested terminal and the cryptographic device it uses, comprises: a power distribution network security protection type determination module, for determining, according to the type of the tested terminal, which power distribution network security protection type the tested terminal adopts; and a cryptographic device determination module, for determining, according to the power distribution network security protection type, the cryptographic device used by the tested terminal.
Further, in one embodiment, the algorithm identification module, which determines the algorithm type to be detected according to the cryptographic device used by the tested terminal, comprises: a support determination module, for judging whether the tested terminal supports the domestic encryption algorithms; and an algorithm determination module, for determining whether the type of domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
Further, in one embodiment, the algorithm detection module, which selects a preset calculation example for the algorithm type to be detected, performs the computation, compares the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generates a detection result for the algorithm type, comprises: a standard ciphertext generation module, for selecting the preset calculation example according to the algorithm type to be detected and performing the computation to generate the standard ciphertext; a plaintext input module, for inputting plaintext to the tested terminal through the relevant interface; a detection ciphertext generation module, by which the tested device performs the cryptographic computation on the input plaintext with the corresponding cryptographic algorithm to generate the detection ciphertext; and a ciphertext comparison module, for comparing the detection ciphertext with the standard ciphertext calculated from the preset calculation example, where a consistent result indicates that the detected algorithm type is a domestic encryption algorithm and an inconsistent result indicates that the detected algorithm type is a non-domestic encryption algorithm.
Further, in one embodiment, the device for detecting an encryption algorithm and key also comprises: a unified interface generation module, for generating, according to the type of the tested terminal, a unified interface capable of identifying the various interface types of tested terminals.
The method and device for detecting an encryption algorithm and key of the embodiments of the present invention are based on an in-depth study of the input and output results of the SM1, SM2, SM3 and SM4 algorithms of the State Cryptography Administration. They can automatically identify the algorithm used by a terminal device and verify the algorithm, checking whether it meets the specifications of the State Cryptography Administration, to ensure that a correct, compliant algorithm is used; they can evaluate the management of massive numbers of keys and provide management suggestions, preventing keys from being lost or abused; the invention is compatible with all kinds of interfaces and performs compliance checks on a terminal's use of encryption algorithms and its key management, preventing non-compliant and illegal terminals from gaining access. The invention can not only detect whether the cryptographic algorithm used by a terminal device conforms to the regulations of the State Cryptography Administration but also evaluate the key management level of the whole system; it is an evaluation method and system that integrates cryptographic algorithm detection with key management evaluation.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of a method for detecting an encryption algorithm and key of the present invention;
Fig. 2 is a flow chart of step S101 in the embodiment shown in Fig. 1;
Fig. 3 is a flow chart of step S102 in the embodiment shown in Fig. 1;
Fig. 4 is a flow chart of step S103 in the embodiment shown in Fig. 1;
Fig. 5 is a flow chart of another embodiment of a method for detecting an encryption algorithm and key of the present invention;
Fig. 6 is a structural diagram of a device for detecting an encryption algorithm and key of an embodiment of the present invention;
Fig. 7 is a structural diagram of the device identification module 101 in the embodiment shown in Fig. 5;
Fig. 8 is a structural diagram of the algorithm identification module 102 in the embodiment shown in Fig. 5;
Fig. 9 is a structural diagram of the algorithm detection module 103 in the embodiment shown in Fig. 5;
Fig. 10 is a structural diagram of another embodiment of a device for detecting an encryption algorithm and key of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The method and device for detecting an encryption algorithm and key of the present invention mainly perform unified detection of the cryptographic algorithms used by the various terminal devices in a power network and of the security of their keys, assess whether they meet the prescribed requirements, and do not allow non-compliant terminal devices to access the network.
Fig. 1 is a flow chart of the method for detecting an encryption algorithm and key of an embodiment of the present invention. As shown in the figure, the method of the present embodiment comprises: step S101, identifying a tested terminal to obtain the type of the tested terminal and the cryptographic device it uses; step S102, determining the algorithm type to be detected according to the cryptographic device used by the tested terminal; step S103, for the algorithm type to be detected, selecting a preset calculation example and performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type; step S104, obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing a cryptographic computation according to a preset technical specification, and generating a detection result for the key.
In the present embodiment, as shown in Fig. 2, step S101, in which the tested terminal is identified to obtain its type and the cryptographic device it uses, comprises:
Step S1011, determining, according to the type of the tested terminal, which power distribution network security protection type the tested terminal adopts; step S1012, determining, according to the power distribution network security protection type, the cryptographic device used by the tested terminal.
In the present embodiment, taking the dedicated electric power equipment "security protection system for medium and low voltage distribution network automation systems" as an example, the following explains how to determine the power distribution network security protection type of a device and the type of its cryptographic device: 1) according to the relevant requirements of State Grid Dispatch [2011] No. 168, "Notice on strengthening the security protection of distribution automation systems", the security protection of the power distribution network adopts one of three classes: one-way authentication, one-way authentication + symmetric encryption, or one-way authentication + asymmetric encryption; 2) from the tested terminal type provided, it can be determined which of the above power distribution network security protection types it adopts; 3) from the determined power distribution network security protection type, the type of cryptographic device used can be determined.
In the present embodiment, as shown in Fig. 3, step S102, in which the algorithm type to be detected is determined according to the cryptographic device used by the tested terminal, comprises: step S1021, judging whether the tested terminal supports the domestic encryption algorithms; step S1022, if it does, determining whether the type of domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
In the present embodiment, taking the dedicated electric power equipment "server cryptographic machine" as an example, the following explains how to determine the algorithm type to be detected: 1) according to the State Grid's requirements for server cryptographic machines, this device must support the domestic encryption algorithms; 2) the domestic encryption algorithms comprise symmetric, asymmetric and digest algorithms, namely SM1/2/3 respectively; since the SM1 algorithm is not public, this system targets the asymmetric and digest algorithms, and detection is completed for SM1 and SM2; 3) for the domestic encryption algorithms, the relevant detection is completed using the algorithm examples provided by the national specifications GM/T 0003-2012 "SM2 elliptic curve public key cryptographic algorithm" and GM/T 0004-2012 "SM3 cryptographic hash algorithm".
In the present embodiment, as shown in Fig. 4, step S103, in which a preset calculation example is selected for the algorithm type to be detected, the computation is performed, the result is compared with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and a detection result for the algorithm type is generated, comprises:
Step S1031, selecting the preset calculation example according to the algorithm type to be detected and performing the computation to generate the standard ciphertext; step S1032, inputting plaintext to the tested terminal through the relevant interface; step S1033, the tested device performing the cryptographic computation on the input plaintext with the corresponding cryptographic algorithm to generate the detection ciphertext; step S1034, comparing the detection ciphertext with the standard ciphertext calculated from the preset calculation example, where a consistent result indicates that the detected algorithm type is a domestic encryption algorithm and an inconsistent result indicates that the detected algorithm type is a non-domestic encryption algorithm.
In step S1031, selecting the preset calculation example according to the algorithm type to be detected and performing the computation to generate the standard ciphertext means selecting and using the calculation examples provided by the State Cryptography Administration to complete the calculation. The domestic encryption algorithms are released by the national authority responsible for algorithms, the State Cryptography Administration. For the symmetric, asymmetric and digest algorithms, the main specifications followed are: GM/T 0002-2012 "SM4 block cipher algorithm", GM/T 0003-2012 "SM2 elliptic curve public key cryptographic algorithm" and GM/T 0004-2012 "SM3 cryptographic hash algorithm".
In step S1032, plaintext is input to the tested terminal through the relevant interface in order to carry out cryptographic detection of the tested terminal. In the present embodiment, plaintext refers to information that the device can recognize directly. The purpose of inputting plaintext is to have the terminal complete the cryptographic computation on it and output ciphertext.
In step S1033, the tested device performing the cryptographic computation on the input plaintext with the corresponding cryptographic algorithm to generate the detection ciphertext means: through the relevant API provided by the terminal device, and relying on the terminal's own cryptographic module, board or chip, the corresponding cryptographic algorithm is used to complete the cryptographic computation.
In step S1034, the detection ciphertext is compared with the standard ciphertext calculated from the preset calculation example; if they are consistent, the detected algorithm type is a domestic encryption algorithm, and if they are inconsistent, the detected algorithm type is a non-domestic encryption algorithm. In the present embodiment, the ciphertext output by the tested terminal is the result produced when the terminal's own cryptographic module, board or chip completes the calculation with the invoked cryptographic algorithm, turning the plaintext into ciphertext. The plaintext/ciphertext comparison baselines used in this detection all come from the "computation examples" in the following three specifications issued by the State Cryptography Administration: GM/T 0002-2012 "SM4 block cipher algorithm", GM/T 0003-2012 "SM2 elliptic curve public key cryptographic algorithm" and GM/T 0004-2012 "SM3 cryptographic hash algorithm". The comparison result is one of two kinds, consistent or inconsistent. A consistent result indicates that the algorithm used is indeed a domestic encryption algorithm; an inconsistent result indicates that the corresponding algorithm used is a non-domestic encryption algorithm.
In step S104, the length, strength, life cycle and interaction protocol of the key used by the tested terminal are obtained, a cryptographic computation is performed according to the preset technical specification, and a detection result for the key is generated. In the present embodiment, the length, strength, life cycle and interaction protocol of the key are external configuration conditions of the algorithm; across different algorithm categories and identical algorithm prototypes, these external configuration conditions have many similarities. Only by performing the cryptographic computation and comparing the resulting plaintext and ciphertext can it be judged whether the relevant algorithm is actually used.
In another embodiment, as shown in Fig. 5, the method for detecting an encryption algorithm and key of the present invention also comprises: step S105, generating, according to the type of the tested terminal, a unified interface capable of identifying the various interface types of tested terminals. The detection terminal follows GM/T 0018-2012 "Cryptographic device application interface specification" and GM/T 0019-2012 "Universal cryptographic service interface specification", promulgated by the State Cryptography Administration, to complete the design of the unified interface; the cryptographic devices used by the tested terminal follow the same specifications and interface with the detection device.
Fig. 6 is a structural diagram of a device for detecting an encryption algorithm and key of an embodiment of the present invention. As shown in the figure, the device of the present embodiment comprises:
A device identification module 101, for identifying a tested terminal to obtain the type of the tested terminal and the cryptographic device it uses; an algorithm identification module 102, for determining the algorithm type to be detected according to the cryptographic device used by the tested terminal; an algorithm detection module 103, for selecting a preset calculation example for the algorithm type to be detected, performing the computation, comparing the result with the ciphertext that the tested terminal generates by performing the cryptographic computation on the input plaintext, and generating a detection result for the algorithm type; and a key detection module 104, for obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing a cryptographic computation according to a preset technical specification, and generating a detection result for the key.
In the present embodiment, as shown in Fig. 7, the device identification module 101, which identifies the tested terminal to obtain the type of the tested terminal and the cryptographic device it uses, comprises: a power distribution network security protection type determination module 1011, for determining, according to the type of the tested terminal, which power distribution network security protection type the tested terminal adopts; and a cryptographic device determination module 1012, for determining, according to the power distribution network security protection type, the cryptographic device used by the tested terminal.
In the present embodiment, taking electric power special equipment " low and medium voltage distribution network automated system security protection system " as example,The power distribution network security protection type of how to confirm equipment and the type of encryption device are described: 1) adjust according to national gridThe related request of [2011] No. 168 " about the notices of strengthening distribution automation system security protection work ", pinTo the security protection of power distribution network, adopt unilateral authentication, unilateral authentication+symmetric cryptography, unilateral authentication+asymmetric encryptionOne of three classes; 2), according to the sense terminals type providing, can determine it adopts above-mentioned which class power distribution network safetyType of protection; 3) according to determined power distribution network security protection type, can determine encryption device type used.
In this embodiment, as shown in Figure 8, the algorithm identification module 102, which determines the algorithm type to be detected according to the encryption device used by the tested terminal, comprises: a support determination module 1021, for judging whether the tested terminal supports domestic encryption algorithms; and an algorithm determination module 1022, for determining whether the domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
In this embodiment, the power-specific equipment "server cryptographic machine" is taken as an example to explain how the algorithm type to be detected is determined: 1) according to State Grid requirements for server cryptographic machines, this equipment must support domestic encryption algorithms; 2) the domestic encryption algorithms comprise symmetric, asymmetric and digest algorithms, respectively SM1/2/3; since the SM1 algorithm is not public, this system targets the asymmetric and digest algorithms, and SM1, SM2 complete detection; 3) the domestic encryption algorithms are checked using the algorithm examples provided by the relevant national specifications GM/T 0003-2012 "SM2 Elliptic Curve Public Key Cryptographic Algorithm" and GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm".
In this embodiment, as shown in Figure 9, the algorithm detection module 103, which selects the set relevant calculation example for the algorithm type being detected, performs the computation, compares the result with the ciphertext that the tested terminal generates from the input plaintext, and generates the detection result for that algorithm type, comprises: a standard ciphertext generation module 1031, for selecting the set relevant calculation example according to the algorithm type being detected, performing the computation and generating the standard ciphertext; a plaintext input module 1032, for inputting plaintext to the tested terminal through the relevant interface; a detection ciphertext generation module 1033, by which the tested terminal applies the corresponding cryptographic algorithm to the input plaintext, completes the cryptographic operation and generates the detection ciphertext; and a ciphertext comparison module 1034, for comparing the detection ciphertext with the standard ciphertext computed from the set relevant calculation example; if they are consistent, the algorithm type being detected is a domestic encryption algorithm, and if they are inconsistent, the algorithm type being detected is not a domestic encryption algorithm.
In this embodiment, the standard ciphertext generation module 1031 selects the set relevant calculation example according to the algorithm type being detected and performs the computation to generate the standard ciphertext; that is, it completes the calculation using the relevant calculation examples provided by the State Cryptography Administration. The domestic encryption algorithms are released by the national authority responsible for algorithms, the State Cryptography Administration. For symmetric, asymmetric and digest algorithms, the specifications mainly followed are: GM/T 0002-2012 "SM4 Block Cipher Algorithm", GM/T 0003-2012 "SM2 Elliptic Curve Public Key Cryptographic Algorithm" and GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm".
In this embodiment, the plaintext input module 1032 inputs plaintext to the tested terminal through the relevant interface, so that the cryptography of the tested terminal can be detected. Here, plaintext means information that the equipment can recognize directly. The purpose of inputting plaintext is for the terminal concerned to carry out the cryptographic operation on it and output ciphertext.
In this embodiment, the detection ciphertext generation module 1033 applies the corresponding cryptographic algorithm to the input plaintext, completes the cryptographic operation and generates the detection ciphertext; that is, through the relevant API provided by the terminal device, and relying on the terminal's own cryptographic module, board or chip, the corresponding cryptographic algorithm is used to complete the cryptographic operation.
In this embodiment, the ciphertext comparison module 1034 compares the detection ciphertext with the standard ciphertext computed from the set relevant calculation example; if they are consistent, the algorithm type being detected is a domestic encryption algorithm, and if they are inconsistent, it is not a domestic encryption algorithm. In this embodiment, the ciphertext output by the tested terminal is the result produced when the terminal's own cryptographic module, board or chip computes ciphertext from plaintext using the cryptographic algorithm that was called. The plaintext and ciphertext comparison baselines used in this detection all come from the "calculation examples" in the following three specifications issued by the State Cryptography Administration: GM/T 0002-2012 "SM4 Block Cipher Algorithm", GM/T 0003-2012 "SM2 Elliptic Curve Public Key Cryptographic Algorithm" and GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm". The comparison result is one of two: consistent or inconsistent. A consistent result shows that the algorithm adopted is indeed the domestic encryption algorithm; an inconsistent result shows that the algorithm adopted is not the corresponding domestic encryption algorithm.
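The comparison performed by modules 1031 to 1034 is a known-answer test. The following is an added example, not code from the patent: it implements SM3 from the published GM/T 0004-2012 algorithm, uses the two calculation examples of that specification as the baseline, and checks three simulated terminals. The terminal functions are hypothetical stand-ins for a real terminal's API.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits (n is taken modulo 32)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def sm3(msg: bytes) -> bytes:
    """SM3 digest as specified in GM/T 0004-2012."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(">Q", bit_len)
    v = list(IV)
    for off in range(0, len(msg), 64):
        # Message expansion: 68 words W, with W'[j] = W[j] ^ W[j + 4]
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):
            w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                     ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            a12 = _rotl(a, 12)
            ss1 = _rotl((a12 + e + _rotl(t, j)) & MASK, 7)
            ss2 = ss1 ^ a12
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff = (a & b) | (a & c) | (b & c)
                gg = (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK
            tt2 = (gg + h + ss1 + w[j]) & MASK
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


# Baseline: the two calculation examples of GM/T 0004-2012 (plaintext, digest).
KAT = [
    (b"abc",
     "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0"),
    (b"abcd" * 16,
     "debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732"),
]


def detect(terminal_digest):
    """Feed each baseline plaintext to the terminal and compare its output.

    terminal_digest is a callable(bytes) -> bytes standing in for the
    terminal's digest API (hypothetical name, not from the patent).
    """
    cases = []
    for plaintext, expected in KAT:
        try:
            got = terminal_digest(plaintext).hex()
        except Exception:          # an API failure counts as a mismatch
            got = None
        cases.append({"plaintext": plaintext, "expected": expected,
                      "got": got, "match": got == expected})
    verdict = "consistent" if all(c["match"] for c in cases) else "inconsistent"
    return {"verdict": verdict, "cases": cases}


# Constructed terminals for the demonstration.
def compliant_terminal(data):      # really computes SM3
    return sm3(data)


def sha256_terminal(data):         # same 32-byte output length, wrong algorithm
    return hashlib.sha256(data).digest()


def faulty_terminal(data):         # crypto module does not answer
    raise RuntimeError("crypto module not responding")


if __name__ == "__main__":
    for name, term in [("compliant", compliant_terminal),
                       ("sha256", sha256_terminal),
                       ("faulty", faulty_terminal)]:
        print(name, detect(term)["verdict"])
```

The SHA-256 terminal returns a digest of the right length, so only the value comparison against the published example distinguishes it from a terminal that really runs SM3.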
In this embodiment, the key detection module 104 obtains the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performs cryptographic operations according to the set technical specification, and generates the detection result for the key. In this embodiment, the key's length, strength, life cycle and interaction protocol are external configuration conditions of the algorithm; for different algorithm categories built on the same algorithm prototype, these external configuration conditions are largely similar. Only by performing the cryptographic operation and comparing the plaintext and ciphertext calculation results can it be judged whether the relevant algorithm is actually used.
In another embodiment, as shown in Figure 10, the device for detecting encryption algorithms and keys further comprises: a unified interface generation module 105, for generating, according to the type of the tested terminal, a unified interface that can identify the interface types of the various tested terminals. The detection terminal follows GM/T 0018-2012 "Encryption Device Application Interface Specification" and GM/T 0019-2012 "Universal Cryptographic Service Interface Specification", both promulgated by the State Cryptography Administration, to complete the design of the unified interface; the cryptographic equipment used by the tested terminal follows the same specifications and docks with the detection equipment.
The present invention provides a unified method and device for detecting and evaluating encryption algorithms and keys for power business applications, to solve problems such as the lack of a unified standard for the encryption devices of business systems and uneven levels of key management. It comprehensively evaluates the security of the encryption algorithms and key management of business systems, establishes a standardized, general evaluation system applicable to every business system of a power grid enterprise, and realizes unified detection of the key-application security mechanisms and encryption-algorithm behavior of business system encryption devices.
The main advantages of the embodiments of the present invention are the following:
1) Designed specifically for the power industry
The invention is based on detailed statistics and investigation of the encryption algorithms used in business application systems of the power industry, especially power grid enterprises, and designs a unified evaluation system specifically for the power industry.
2) Designed specifically for the cryptographic algorithms of the State Cryptography Administration
The invention studies in depth the input and output results of the State Cryptography Administration's SM1, SM2, SM3 and SM4 algorithms, automatically identifies the algorithm used by a terminal device, and can verify the algorithm, checking whether it meets the specifications of the State Cryptography Administration, so as to ensure that a correct and compliant algorithm is used.
3) Suitable for managing very large numbers of keys
The power industry system is huge and has numerous users, and each business system may generate a very large number of keys. The system of the invention can evaluate the management of such key volumes and provide management suggestions, preventing key loss or abuse.
4) Highly compatible, suitable for all kinds of terminal interfaces
The network situation of the power system is complex, and so is the terminal situation; the system contains terminals using many types of interface, such as serial ports, Ethernet ports and wireless. The invention is compatible with every class of interface and performs compliance inspection of a terminal's encryption-algorithm use and key management, preventing access by non-compliant and illegal terminals.
5) A detection system that integrates cryptographic algorithm detection and key management evaluation
The invention not only detects whether the cryptographic algorithm used by a terminal device meets the regulations of the State Cryptography Administration, but also evaluates the key management level of the whole system; it is a detection system that combines cryptographic algorithm detection and key management evaluation in one.
6) Hardware implementation, higher performance
The invention implements the detection process in hardware, using a high-speed processing chip to do the work, which reduces detection time and increases efficiency.
7) Simple deployment, transparent to terminals
The system of the invention is simple to deploy: it uses an automated installation script and is easy to configure. While working, the system is transparent to terminals and does not change their original access method. This reduces maintenance cost and improves the operability and ease of use of product upgrades and maintenance.
In terms of key detection, although academic theory includes related research on automated detection, there is currently no dedicated detection system for power industry applications. Terminal conditions, interfaces and algorithms in the power industry are all relatively complex; the present invention is a detection method and device developed specifically for the special circumstances of the power industry. It will fill the gap in the power industry in areas such as integrated management of heterogeneous systems and detection of keys tightly coupled with applications, and is strongly practical and novel. Moreover, from the point of view of function implementation, although several key management products and encryption algorithm detection systems could be used in combination in place of the scheme of the invention, such a substitute still cannot fully meet the needs of the power industry; the invention therefore has originality in power industry applications and cannot be replaced by other products and technologies.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram. These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Specific embodiments have been used in this document to set forth the principle and implementation of the present invention; the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. Meanwhile, for those of ordinary skill in the art, changes may be made to the specific implementation and scope of application in accordance with the idea of the invention. In summary, the content of this description should not be construed as limiting the invention.
Claims (10)
1. A method for detecting an encryption algorithm and a key, characterized in that the method comprises:
identifying a tested terminal, and obtaining the type of the tested terminal and the encryption device it uses;
determining the algorithm type to be detected according to the encryption device used by the tested terminal;
for the algorithm type being detected, selecting the set relevant calculation example and performing the computation, comparing the result with the ciphertext generated by the tested terminal after performing the cryptographic operation on the input plaintext, and generating the detection result for the algorithm type being detected;
obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing cryptographic operations according to the set technical specification, and generating the detection result for the key.
2. The method for detecting an encryption algorithm and a key according to claim 1, characterized in that identifying the tested terminal and obtaining the type of the tested terminal and the encryption device it uses comprises:
determining, according to the type of the tested terminal, which distribution network security protection type the tested terminal adopts;
determining, according to the distribution network security protection type, the encryption device used by the tested terminal.
3. The method for detecting an encryption algorithm and a key according to claim 1, characterized in that determining the algorithm type to be detected according to the encryption device used by the tested terminal comprises:
judging whether the tested terminal supports domestic encryption algorithms;
if so, determining whether the domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
4. The method for detecting an encryption algorithm and a key according to claim 1, characterized in that, for the algorithm type being detected, selecting the set relevant calculation example and performing the computation, comparing the result with the ciphertext generated by the tested terminal after performing the cryptographic operation on the input plaintext, and generating the detection result for the algorithm type being detected, comprises:
selecting, according to the algorithm type being detected, the set relevant calculation example and performing the computation to generate the standard ciphertext;
inputting plaintext to the tested terminal through the relevant interface;
the tested terminal applying the corresponding cryptographic algorithm to the input plaintext, completing the cryptographic operation and generating the detection ciphertext;
comparing the detection ciphertext with the standard ciphertext computed from the set relevant calculation example; if they are consistent, the algorithm type being detected is a domestic encryption algorithm; if they are inconsistent, the algorithm type being detected is not a domestic encryption algorithm.
5. The method for detecting an encryption algorithm and a key according to claim 1, characterized in that the method further comprises: generating, according to the type of the tested terminal, a unified interface that can identify the interface types of the various tested terminals.
6. A device for detecting an encryption algorithm and a key, characterized in that the device comprises:
a device identification module, for identifying a tested terminal and obtaining the type of the tested terminal and the encryption device it uses;
an algorithm identification module, for determining the algorithm type to be detected according to the encryption device used by the tested terminal;
an algorithm detection module, for selecting the set relevant calculation example for the algorithm type being detected and performing the computation, comparing the result with the ciphertext generated by the tested terminal after performing the cryptographic operation on the input plaintext, and generating the detection result for the algorithm type being detected;
a key detection module, for obtaining the length, strength, life cycle and interaction protocol of the key used by the tested terminal, performing cryptographic operations according to the set technical specification, and generating the detection result for the key.
7. The device for detecting an encryption algorithm and a key according to claim 6, characterized in that the device identification module, for identifying the tested terminal and obtaining the type of the tested terminal and the encryption device it uses, comprises:
a distribution network security protection type determination module, for determining, according to the type of the tested terminal, which distribution network security protection type the tested terminal adopts;
an encryption device determination module, for determining, according to the distribution network security protection type, the encryption device used by the tested terminal.
8. The device for detecting an encryption algorithm and a key according to claim 6, characterized in that the algorithm identification module, for determining the algorithm type to be detected according to the encryption device used by the tested terminal, comprises:
a support determination module, for judging whether the tested terminal supports domestic encryption algorithms;
an algorithm determination module, for determining whether the domestic encryption algorithm used by the tested terminal is an asymmetric algorithm or a digest algorithm.
9. The device for detecting an encryption algorithm and a key according to claim 6, characterized in that the algorithm detection module, for selecting the set relevant calculation example for the algorithm type being detected and performing the computation, comparing the result with the ciphertext generated by the tested terminal after performing the cryptographic operation on the input plaintext, and generating the detection result for the algorithm type being detected, comprises:
a standard ciphertext generation module, for selecting, according to the algorithm type being detected, the set relevant calculation example and performing the computation to generate the standard ciphertext;
a plaintext input module, for inputting plaintext to the tested terminal through the relevant interface;
a detection ciphertext generation module, by which the tested terminal applies the corresponding cryptographic algorithm to the input plaintext, completes the cryptographic operation and generates the detection ciphertext;
a ciphertext comparison module, for comparing the detection ciphertext with the standard ciphertext computed from the set relevant calculation example; if they are consistent, the algorithm type being detected is a domestic encryption algorithm; if they are inconsistent, the algorithm type being detected is not a domestic encryption algorithm.
10. The device for detecting an encryption algorithm and a key according to claim 6, characterized in that the device for detecting an encryption algorithm and a key further comprises: a unified interface generation module, for generating, according to the type of the tested terminal, a unified interface that can identify the interface types of the various tested terminals.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310412383.9A CN103516511B (en) | 2013-09-11 | 2013-09-11 | A kind of method and device that AES and key are detected |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310412383.9A CN103516511B (en) | 2013-09-11 | 2013-09-11 | A kind of method and device that AES and key are detected |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103516511A (en) | 2014-01-15 |
CN103516511B (en) | 2016-05-04 |
Family
ID=49898595
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310412383.9A Active CN103516511B (en) | 2013-09-11 | 2013-09-11 | A kind of method and device that AES and key are detected |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103516511B (en) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103888444B (en) * | 2014-02-24 | 2018-07-10 | 国家电网公司 | A kind of safe distribution of electric power authentication device and its method |
CN104469809B (en) * | 2014-11-26 | 2018-10-23 | 大唐移动通信设备有限公司 | A kind of method and device of the LTE measurement methods of determining terminal |
CN105303117B (en) * | 2015-09-17 | 2019-04-09 | 中国科学院数据与通信保护研究教育中心 | A kind of detection method and system of SM2 algorithm routine |
CN107623568B (en) * | 2016-07-15 | 2022-09-06 | 青岛博文广成信息安全技术有限公司 | SM4 white box implementation method based on S box dependent on secret key |
CN106549968A (en) * | 2016-11-22 | 2017-03-29 | 浪潮(苏州)金融技术服务有限公司 | A kind of detection method and device |
CN107818265B (en) * | 2017-10-23 | 2020-04-24 | 中国银行股份有限公司 | Encryption method, device and system |
CN107911215B (en) * | 2017-11-21 | 2020-09-29 | 中国银行股份有限公司 | HSM key verification method and device |
CN109558707B (en) * | 2018-11-16 | 2021-05-07 | 北京梆梆安全科技有限公司 | Method and device for detecting security level of encryption function and mobile device |
CN109658093B (en) * | 2019-01-04 | 2023-04-28 | 中国银行股份有限公司 | Key type processing method and device for bank card password |
CN110620671B (en) * | 2019-08-30 | 2024-04-09 | 厦门一通灵信息科技有限公司 | Encryption algorithm evaluation method, medium, equipment and device |
CN110572639A (en) * | 2019-09-30 | 2019-12-13 | 公安部第一研究所 | video encryption and decryption evaluation tool and method based on GB35114 standard |
CN111881462A (en) * | 2020-07-17 | 2020-11-03 | 张睿 | Online analysis technology for commercial password application encryption effectiveness |
CN111984997A (en) * | 2020-08-19 | 2020-11-24 | 北京人大金仓信息技术股份有限公司 | Method and device for determining whether database encryption algorithm is damaged or not and electronic equipment |
CN112039730B (en) * | 2020-08-31 | 2022-06-07 | 海南大学 | Performance evaluation method of encryption algorithm and storage medium |
CN113420310B (en) * | 2021-07-01 | 2022-05-17 | 上海交通大学 | State cryptographic algorithm detection method in Android application |
CN113709137A (en) * | 2021-08-25 | 2021-11-26 | 广东财经大学 | Password evaluation test system and password evaluation test method |
CN114244503A (en) * | 2021-12-01 | 2022-03-25 | 福建金密网络安全测评技术有限公司 | Performance test method for password equipment |
CN115987483B (en) * | 2022-12-19 | 2024-01-30 | 豪符密码检测技术(成都)有限责任公司 | Method for detecting white box password |
CN116070250B (en) * | 2023-03-07 | 2023-06-23 | 卓望数码技术(深圳)有限公司 | Password algorithm evaluation method and device for android system application program |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1681238A (en) * | 2004-04-08 | 2005-10-12 | 株式会社日立制作所 | Key allocating method and key allocation system for encrypted communication |
CN101207401A (en) * | 2006-12-22 | 2008-06-25 | 大唐移动通信设备有限公司 | Apparatus, base station, terminal unit and method for obtaining signal-noise ratio and amplitude-noise ratio |
CN102571357A (en) * | 2012-02-24 | 2012-07-11 | 飞天诚信科技股份有限公司 | Signature realization method and signature realization device |
Also Published As
Publication number | Publication date |
---|---|
CN103516511A (en) | 2014-01-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103516511B (en) | A kind of method and device that AES and key are detected | |
Rao et al. | Data security challenges and its solutions in cloud computing | |
CN102685093B (en) | A kind of identity authorization system based on mobile terminal and method | |
CN107770159B (en) | Vehicle accident data recording method and related device and readable storage medium | |
CN108965230A (en) | A kind of safety communicating method, system and terminal device | |
CN104283688B (en) | A kind of USBKey security certification systems and safety certifying method | |
CN102970676B (en) | A kind of method handled initial data, Internet of things system and terminal | |
CN110362357A (en) | A kind of configuration file management method and device of application program | |
CN105827582B (en) | A kind of communication encrypting method, device and system | |
US11349660B2 (en) | Secure self-identification of a device | |
CN104123769B (en) | The unblanking of a kind of safety intelligent lock, close lock control method | |
Muthavhine et al. | An analysis and a comparative study of cryptographic algorithms used on the Internet of Things (IoT) based on avalanche effect | |
CN107609410A (en) | Android system data guard method, terminal device and storage medium based on HOOK | |
KR20170068437A (en) | Quantum authentication method for access control between three elements of cloud computing | |
CN109684272A (en) | Document storage method, system and terminal device | |
CN104935548B (en) | Auth method, apparatus and system based on intelligent equipment of tatooing | |
CN102571355A (en) | Method and device for importing secret key without landing | |
Marian et al. | Experimenting with digital signatures over a DNP3 protocol in a multitenant cloud-based SCADA architecture | |
CN108965315A (en) | A kind of authentic authentication method of terminal device, device and terminal device | |
CN102571810B (en) | Dynamic password authentication method based on hardware digital certificate carrier and dynamic password authentication system thereof | |
CN115118751B (en) | Blockchain-based supervision system, method, equipment and medium | |
CN116599766A (en) | Smart electric meter detection method, device, equipment and storage medium | |
CN107172078B (en) | Security management and control method and system of core framework platform based on application service | |
CN114884714B (en) | Task processing method, device, equipment and storage medium | |
CN105959249A (en) | Method and system for management of electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |