CN109194467A - A kind of safe transmission method and system of encryption data - Google Patents

Abstract

A kind of safe transmission method and system of encryption data, two equipment rooms negotiate an encryption key serial number n in this method, sending device utilizes the KEYn key and serial number n check code progress Hash operation in encryption chip according to Key Sequence Number n, a temporary key KEYn_SHA is generated, sending device carries out exclusive or processing to data to be transmitted using temporary key KEYn_SHA and generates encrypted data.The invention also includes a kind of secure transmission systems of encryption data.The present invention can realize the verifying of the mirror fixed sum data integrality of signature in process of data communication, ensure that the safety of device talk and the integrality of data.

Description

A kind of safe transmission method and system of encryption data

Technical field

The present invention relates to radio network technique field more particularly to the safe transmission methods and system of a kind of encryption data.

Background technique

In wireless self-organization network, wireless sensor network field, due to the opening of wireless communication signal, by wireless Signal transmits plaintext communication data, is very easy to that communication data is intercepted and captured and analyzed by third party, so as to cause in wireless network Critical data leakage, serious person will appear illegal invasion person camouflage invasion wireless network, leading to wireless network communication not just Often, to reach the illegal purpose of malice invader.

Although there is least a portion of product to carry out encryption to upgrade procedure and communication data at present, equipment ensure that Safety, but in wireless self-organization network, wireless sensor network and embedded system, according to international such as DES With the symmetric encipherment algorithms such as AES data encryption is carried out, but is constrained to the code space and processor of embedded type CPU processor Arithmetic speed, encrypting and decrypting efficiency are very low；According to simple single encryption technology, and it is easy to be broken by the third party of malice Solution, so that the purpose of encryption be not achieved.How to realize the encryption being simple and efficient and safe transmission is carried out to encryption data and has become Urgent problem at present.

Summary of the invention

The present invention devises the safe transmission method and system of a kind of encryption data, and this method can be in process of data communication The verifying of the middle mirror fixed sum data integrality for realizing signature, ensure that the safety of device talk and the integrality of data.

The technical solution adopted in the present invention is as follows:

A kind of safe transmission method of encryption data, it is characterised in that include the following steps:

Step 1, two equipment rooms negotiate an encryption key serial number n；

Step 2, sending device according to Key Sequence Number n using in encryption chip KEYn key and serial number n check code carry out Hash operation generates a temporary key KEYn_SHA；

Step 3, sending device carries out exclusive or processing to data to be transmitted using temporary key KEYn_SHA and generates encryption Data afterwards；

Step 4, sending device sends encrypted data；

Further, after step 4 further include: step 5, after receiving device receives rear encryption data, also according to negotiation Key Sequence Number n and key KEYn generates temporary key KEYn_SHA.

Further, after step 5 further include: step 6, receiving device is according to temporary key KEYn_SHA to received encryption Data carry out exclusive or decryption.

Further, every when carrying out one and taking turns the decryption processing, need to extract from cryptographic digest corresponding exclusive or abstract, Interpolation abstract is made a summary with value；Include the steps that interpolation is rejected in the decryption processing, when carrying out interpolation rejecting, due to interpolation Sequence be according to upgrade procedure interpolation from front to back, then need according to upgrade procedure from back to front according to byte-aligned number into Row traverses all binary data reversely to reject interpolation.

Further, the interpolation rejecting includes: to select some 32 byte packet in encrypted cipher text according to byte-aligned INS moves to right grouping INS according to exclusive or shift amount to obtain an interpolated data DATA_TMP, and DATA_TMP is utilized KEY Matching way matches the KEY key in encryption chip, and interpolated data INS is correctly then rejected in matching, and records DATA_ in memory TMP is the KEY key of some serial number；The KEY key inside all encryption chips can be gradually matched during subsequent rejecting, After all cipher key match come out after, can directly according to match come record in memory DATA_TMP key progress interpolation Rejecting.

A kind of secure transmission system of encryption data, which is characterized in that the secure transmission system includes:

Consulting device, two equipment rooms negotiate an encryption key serial number n,

Sending device utilizes the KEYn key and serial number n check code progress Hash fortune in encryption chip according to Key Sequence Number n It calculates, generates a temporary key KEYn_SHA, sending device carries out data to be transmitted using temporary key KEYn_SHA different Or processing generates encrypted data, sends encrypted data.

Further, secure transmission system further include: receiving device receives encryption data, and encrypts number upon receipt According to rear, temporary key KEYn_SHA is generated also according to the Key Sequence Number n and key KEYn of negotiation.

Further, receiving device carries out exclusive or decryption to received encryption data according to temporary key KEYn_SHA.

Further, every when carrying out one and taking turns the decryption processing, need to extract from cryptographic digest corresponding exclusive or abstract, Interpolation abstract is made a summary with value；

Include the steps that in the decryption processing interpolation reject, when carrying out interpolation rejecting, due to the sequence of interpolation be by According to upgrade procedure interpolation from front to back, then need reversely to be traversed according to byte-aligned number from back to front according to upgrade procedure All binary data rejects interpolation.

Further, the interpolation rejecting includes: to select some 32 byte packet in encrypted cipher text according to byte-aligned INS moves to right grouping INS according to exclusive or shift amount to obtain an interpolated data DATA_TMP, and DATA_TMP is utilized KEY Matching way matches the KEY key in encryption chip, and interpolated data INS is correctly then rejected in matching, and records DATA_ in memory TMP is the KEY key of some serial number；The KEY key inside all encryption chips can be gradually matched during subsequent rejecting, After all cipher key match come out after, can directly according to match come record in memory DATA_TMP key progress interpolation Rejecting.

Beneficial effects of the present invention are as follows compared with prior art:

The present invention is also encrypted the data in Wireless Communication Equipment communication process, guarantees legal wireless network Equipment can reliable communicating, avoid the equipment of third party's malice and device steal wireless network communication data and illegal invasion attack Wireless communication networks, guarantee the confidentiality of wireless network communication data, Anti-theft, wireless network attack protection, improve nothing The robustness of gauze network and safety, reliability.

Detailed description of the invention

Fig. 1 is the flow diagram of the safe transmission of encryption data；

Fig. 2 is Wireless Communication Equipment structural schematic diagram.

Specific embodiment

In order to better illustrate the present invention, technical solution is made now in conjunction with specific embodiment and Figure of description further Explanation.Although describing these specific embodiments in embodiment, however, it is not to limit the invention, any affiliated skill Have usually intellectual in art field, without departing from the spirit and scope of the present invention, when can make some changes and embellishment, therefore The scope of protection of the present invention is defined by those of the claims.

The present invention solves encryption data in the bright of remote server and upgrading terminals equipment room by following a few points The safety issue of text transmission:

1) it is sent by two Data Concurrents of generating random number USER_ID_TMP, DIGEST_DATA_NEW of remote server Give updating apparatus terminal；

2) updating apparatus terminal is by traversing whole key KEY1~16 and USER_ in the encryption chip inside equipment ID_TMP carries out the temporary decryption data of Hash operation production, therefrom extracts two ciphertext datas and completes cryptographic digest data Decryption reduction；

3) as long as upgrading terminals device request cryptographic digest data and when being encrypted data deciphering every time, participate in fortune every time The random number TMP of calculation is different, and USER_ID_TMP, DIGEST_DATA_NEW of generation are different from every time；

4) these three data of USER_ID_TMP, DIGEST_DATA_NEW, DIGEST_DATA_SHA are all to pass through SHA256 Hash operation obtains, reversely can not directly solve its initial data, is merely able to whole keys KEY1~16 in traversal encryption chip Complete cryptographic digest data convert；

5) after the cryptographic digest data of remote server encryption, the encryption key inside upgrading terminals equipment is stored in encryption In chip, and the KEY key of encryption chip cannot be read in any manner, can only SHA256 operation intermediate result and These three data informations of USER_ID_TMP, DIGEST_DATA_NEW, DIGEST_DATA_SHA can just be known after being compared matching Whether the key that road selects when encrypting is correct；

6) when calculating DIGEST_DATA_SHA and DIGEST_DATA_SHA_X, the ID of updating apparatus terminal is participated in breathing out Uncommon operation, due to the device id be respectively stored in remote server data library and the hardware device of updating apparatus terminal in, and It transmits in the wireless network and does not need to carry the ID value in the instruction of cryptographic digest request of data, avoid upgrading terminals device id The leakage of value, enhances encryption intensity, if the upgrading terminals device id, which is changed to an agreement dynamic data, participates in cryptographic calculation, The data are dynamically converted in real time every time, the difficulty for decrypting cryptographic digest data will greatly improve；

7) the temporary key KEY_SHA that the cryptographic digest that the present invention describes carries out exclusive or encryption is 2 32 bytes, if by different Or the temporary key KEY_SHA of encryption increases for 4,8 or more, then the difficulty of reversed exclusive or decryption will be again at multiplication Add；

It ensure that the safe transmission of encryption key data using above-mentioned 7 measures, even if disclosing adding for encryption key In the case where close algorithm, invader has intercepted and captured the ciphertext block data of encryption key, can not acquire KEY in encryption chip hardware In the case where, it is also difficult to it decrypts encryption key in plain text, ensure that the safety of data transmission.

The method that the present invention describes is transmitted for realizing the encrypted secure of Wireless Communication Equipment communication data, high safety The Data Encryption Transmission step of rank is identical with the encrypted transmission step of cryptographic digest data, if not needing this high security level Encryption data processing, can by encrypting step simplify carry out data security transmission:

1) two equipment rooms negotiate an encryption key serial number n；

2) sending device utilizes the KEYn key and serial number n check code progress Hash in encryption chip according to Key Sequence Number n Operation generates a temporary key KEYn_SHA；

3) sending device generates data to be transmitted progress exclusive or processing using temporary key KEYn_SHA encrypted Data；

4) sending device sends encrypted data；

5) it after receiving device receives rear encryption data, is generated temporarily also according to the Key Sequence Number n and key KEYn of negotiation Key KEYn_SHA；

6) receiving device carries out exclusive or decryption to received encryption data according to temporary key KEYn_SHA.

The decryption oprerations of upgrade procedure encrypted cipher text of the invention are the inverse process of cryptographic operation, in decrypting process just like Under several decryption main points:

1) when every one wheel decryption processing of progress, need to extract corresponding exclusive or abstract from cryptographic digest, interpolation makes a summary, is same Value abstract；

2) when carrying out interpolation rejecting, since the sequence of interpolation therefore is carried out slotting according to upgrade procedure interpolation from front to back When value is rejected, need reversely to be traversed all binary data according to byte-aligned number from back to front according to upgrade procedure Reject interpolation；

3) method that interpolation is rejected are as follows: some 32 byte packet INS is selected in encrypted cipher text according to byte-aligned, by this Grouping INS moves to right to obtain an interpolated data DATA_TMP according to exclusive or shift amount, and DATA_TMP is utilized KEY matching way The KEY key in encryption chip is matched, interpolated data INS is correctly then rejected in matching, and is some in memory record DATA_TMP The KEY key of serial number；The KEY key inside all encryption chips can be gradually matched during subsequent rejecting, to all close Key match come after, can directly according to match come record in memory DATA_TMP key progress interpolation rejecting, To accelerate the speed of interpolation rejecting, and the number of the hardware communication of CPU processor and encryption chip is reduced, improves key safety Property；

3) it is grouped pretreated decryption, the benefit being inserted into grouping preprocessing process is equally rejected by the way of from back to front Neat data.

The present invention carries out encryption production two parts of encrypted cipher text and cryptographic digest, and two for upgrade procedure and data Part is transmitted with approach in different ways, ensure that the safety of encryption data, solves encryption key distribution management appearance The problem of easily revealing is decrypted operation and also needs to use hardware encryption chip even if cryptographic digest data are leaked and crack In KEY encryption key, and encryption key is unreadable, can only extract identification by traversing matched mode, not add In the case where close chip hardware, although having cracked cryptographic digest data, interpolation number can not be still rejected from encrypted cipher text It is decrypted according to exclusive or；The upgrade procedure and data that this encryption method is encrypted encrypted cipher text, cryptographic digest, encryption in decryption Three elements of key are indispensable.

The Encryption Algorithm that the present invention uses, the quantity for the encryption key KEY that can be stored in encryption chip by increase and decrease Encryption intensity is adjusted, the number of encryption circulation can also be repeated by increase and decrease to adjust the intensity of encryption, it in this way can be with Dynamic equilibrium selection is made in terms of encryption intensity and encryption and decryption arithmetic speed.

Each KEY key authentication of CPU processor and encryption chip of the present invention all joined a random number and carry out SHA256 Hash operation ensure that even if the same KEY key authentication, the hardware I/O pin between CPU processor and encryption chip On waveform it is also different, avoid third party and crack personnel by the waveform of capture device hardware I/O pin to analyze key It is decrypted.

As shown in Figure 2, the comprising modules of Wireless Communication Equipment of the invention include:

1) embedded type CPU processor, the present embodiment use STM32F103RD chip, which is 72MHz, internal processes code FLASH space 384Kbyte；There is the STM32F103RD CPU processor internal FLASH to read to protect Protection mechanism can guarantee that the program code being stored in CPU processor is not read by third party；

2) SHA256 encryption chip, the present embodiment, as SHA256 encryption chip, should be added using ATSHA204 encryption chip Close chip is connected with CPU processor IO by I2C bus and is communicated, and can store the encryption key of 16 32 bytes, and The encryption chip equally has read protection mechanism, and 16 encryption keys can be protected not read；

3) wireless communication interface, the present embodiment realize the wireless telecommunications of equipment using SI4463 wireless communication module；

4) wired communication interface, the present embodiment has 2 RS232 communication interfaces, using SP3232EEA chip, 1 RS485 communication interface, using SP3485EN chip, 1 CAN bus communication interface, 1 USB communication interface and other equipment into Row communication and data transmission；

5) spread F LASH memory, it is close that the present embodiment stores upgrade procedure encryption using M25P32FLASH memory Text, the memory space with 4Mbyte carry out data interaction using SPI interface and CPU processor, pass through channel radio for storing The upgrade procedure encrypted cipher text that communication interface or wire communication interface transmit；

6) power supply chip, the present embodiment uses SPX1117M5 power management chip, for being converted to 5V power supply 3.3V power supply, to CPU processor, encryption chip, wireless communication module, spread F LASH memory and other devices power supply.

384Kbyte FLASH program code space in the present invention inside CPU processor is divided into five subregions.First Code in the subregion is named as boot generation for storing starting and decrypted code, the present invention by a partition size 32Kbyte Code；Second partition size is 144Kbyte, and for store the upgrade procedure code after decrypting, the present invention is by the generation in the subregion Code is named as app code；, third subregion and the second subregion it is equally big, for storing the app code run before decryption upgrading The subregion is named as app-back backup subregion, after certain upgrade procedure run-time error, can use app- by backup, the present invention Code in back backup subregion is restored to the program operation of an old version；4th partition size is 48Kbyte, for storing Code in the subregion is named as lib code by key code library, the present invention；5th partition size is 16Kbyte, for depositing The configuration data of equipment operation is stored up, the numerical nomenclature in the subregion is cfg data by the present invention.

For the division of the space partition zone different size FLASH inside different CPU processors, the present invention guarantees first point first Area's boot size is 32Kbyte, and storage location is set in the lowest address space of internal FLASH；Secondly guarantee the 5th subregion cfg Size is 16Kbyte, and storage location is set in the highest address space of internal FLASH；The size of 4th subregion lib is according to pass The size of keyness code library is set, and default setting lib size is 48Kbyte, if not needing to call key code library in equipment When, lib partition size should not be less than 48Kbyte, the purpose is to set isolated area, guarantee the app-back backup of third subregion Code, which will not cross the border, covers cfg configuration data, guarantees the reliability and stability in device upgrade operational process；It finally will be remaining CPU processor inside FLASH space be divided into equal two subregions of two app and app-back and be used to store equipment operation Code.

The present invention if desired higher encryption of security intensity can extend multiple ATSHA204 encryption chips to store 32 A, 64,128,256 even more encryption keys, can be by 2,4,8,16 even more encryption chips The multiple I/O ports for being connected to CPU are communicated, and realize the storage and management of more encryption keys, increase the length of encryption key, The security intensity of encryption is provided.

The present embodiment stores encryption key using ATSHA204 encryption chip, is extending multiple ATSHA204 encryption chips In the case where, if can be using the communication modes connection ATSHA204 encryption of 1 BITBUS network when the I/O port negligible amounts of CPU processor Chip；If desired in the case where being enlarged beyond 256 encryption keys, another CPU processor can be used STM8S007C8 chip carries out SHA256 Hash operation and does encryption chip, has 64Kbyte memory space inside the processor, can Be storage get over 2000 32 bytes encryption key, also can store 1000 64 bytes encryption key or it is longer such as The encryption key of 128 bytes.

Transmitting step of the present embodiment upgrade procedure inside the CPU processor in FLASH and spread F LASH memory is such as Under:

1) upgrade procedure encrypted cipher text, the encryption that will be received are received by wireless communication interface or wireline interface first Ciphertext data are written in the outer FLASH memory of piece；

2) cryptographic digest request instruction is then sent to remote server by remote wireless network, remote server receives To after cryptographic digest request instruction, cryptographic digest request of data and decryption step according to the invention obtain cryptographic digest and decrypt The cryptographic digest data decrypted are stored in the 5th subregion cfg data of CPU processor by cryptographic digest data out；

3) wireless remote device is restarted, boot code is executed, the 5th subregion is read in boot code implementation In cfg data, check whether that there are cryptographic digest data, and read spread F LASH memory, checked whether upgrade procedure Encryption key file verifies cryptographic digest and upgrade procedure Encryption key file；

4) verifying cryptographic digest and upgrade procedure Encryption key file, which all exist, then executes decryption oprerations, if authentication failed Execute step 7,8 the second partition programs of starting；

5) CPU processor passes through the plaintext abstract number in cryptographic digest data for after the upgrade procedure plaintext decrypted After verifying upgrade procedure plaintext correctly, the data in the second subregion of CPU are copied to store in third subregion and are backed up；

6) it by the upgrade procedure after decrypting and verifying correctly in plain text the second subregion of write-in, is unsuccessfully thened follow the steps if verifying 7,8 the second partition programs of starting；

7) the upgrade procedure encrypted cipher text data in spread F LASH memory are first wiped, the 5th subregion cfg number is then wiped Cryptographic digest data in；

8) and start the new upgrade procedure executed in the second subregion app, so far upgrade procedure is completed.If boot code is held It detects that cryptographic digest and upgrade procedure encrypted cipher text check errors or decryption oprerations are decrypted in the process during row to fail, Step 7,8 the second partition programs of starting are then directly executed, and remote server upgrade procedure is notified to fail.

The foregoing is only a preferred embodiment of the present invention, but scope of protection of the present invention is not limited thereto, In the technical scope disclosed by the present invention, any changes or substitutions that can be easily thought of by anyone skilled in the art, It should be covered by the protection scope of the present invention.Therefore, protection scope of the present invention should be with the protection model of the claim Subject to enclosing.

Claims (10)

1. a kind of safe transmission method of encryption data, it is characterised in that include the following steps:

Step 1, two equipment rooms negotiate an encryption key serial number n；

Step 2, sending device utilizes the KEYn key and serial number n check code progress Hash in encryption chip according to Key Sequence Number n Operation generates a temporary key KEYn_SHA；

Step 3, sending device generates data to be transmitted progress exclusive or processing using temporary key KEYn_SHA encrypted Data；

Step 4, sending device sends encrypted data.

2. safe transmission method according to claim 1, which is characterized in that after step 4 further include:

Step 5, it after receiving device receives rear encryption data, is generated temporarily also according to the Key Sequence Number n and key KEYn of negotiation Key KEYn_SHA.

3. safe transmission method according to claim 2, which is characterized in that after step 5 further include:

Step 6, receiving device carries out exclusive or decryption to received encryption data according to temporary key KEYn_SHA.

4. safe transmission method according to claim 3, it is characterised in that:

When the decryption processing is taken turns in every progress one, need to extract corresponding exclusive or abstract, interpolation abstract from cryptographic digest, with value Abstract；

Include the steps that interpolation is rejected in the decryption processing, when carrying out interpolation rejecting, since the sequence of interpolation is according to liter Grade program interpolation from front to back, then need to carry out reversed traversal according to byte-aligned number from back to front according to upgrade procedure all Binary data reject interpolation.

5. safe transmission method according to claim 4, which is characterized in that the interpolation, which is rejected, includes:

Some 32 byte packet INS is selected in encrypted cipher text according to byte-aligned, by grouping INS according to exclusive or shift amount It moves to right to obtain an interpolated data DATA_TMP, DATA_TMP is close using the KEY in KEY matching way matching encryption chip Interpolated data INS is correctly then rejected in key, matching, and in the KEY key that memory record DATA_TMP is some serial number；Subsequent rejecting The KEY key inside all encryption chips can be gradually matched in the process, it, can direct root after all cipher key match come out According to the rejecting for matching the DATA_TMP key progress interpolation of the record come in memory.

6. a kind of secure transmission system of encryption data, which is characterized in that the secure transmission system includes:

Consulting device, two equipment rooms negotiate an encryption key serial number n,

Sending device, according to Key Sequence Number n using in encryption chip KEYn key and serial number n check code carry out Hash operation, A temporary key KEYn_SHA is generated, sending device carries out at exclusive or data to be transmitted using temporary key KEYn_SHA Reason generates encrypted data, sends encrypted data.

7. secure transmission system according to claim 6, which is characterized in that the secure transmission system further include:

Receiving device receives encryption data, and upon receipt after encryption data, also according to the Key Sequence Number n and key of negotiation KEYn generates temporary key KEYn_SHA.

8. secure transmission system according to claim 7, it is characterised in that:

Receiving device carries out exclusive or decryption to received encryption data according to temporary key KEYn_SHA.

9. secure transmission system according to claim 8, it is characterised in that:

When the decryption processing is taken turns in every progress one, need to extract corresponding exclusive or abstract, interpolation abstract from cryptographic digest, with value Abstract；

Include the steps that interpolation is rejected in the decryption processing, when carrying out interpolation rejecting, since the sequence of interpolation is according to liter Grade program interpolation from front to back, then need to carry out reversed traversal according to byte-aligned number from back to front according to upgrade procedure all Binary data reject interpolation.

10. secure transmission system according to claim 9, which is characterized in that the interpolation, which is rejected, includes:

Some 32 byte packet INS is selected in encrypted cipher text according to byte-aligned, by grouping INS according to exclusive or shift amount It moves to right to obtain an interpolated data DATA_TMP, DATA_TMP is close using the KEY in KEY matching way matching encryption chip Interpolated data INS is correctly then rejected in key, matching, and in the KEY key that memory record DATA_TMP is some serial number；Subsequent rejecting The KEY key inside all encryption chips can be gradually matched in the process, it, can direct root after all cipher key match come out According to the rejecting for matching the DATA_TMP key progress interpolation of the record come in memory.