CN113326530B - Key negotiation method suitable for key sharing of two communication parties - Google Patents

Publication number: CN113326530B
Authority: CN (China)
Prior art keywords: key, secret key, random, communication, parties
Legal status: Active
Application number: CN202110723225.XA
Other languages: Chinese (zh)
Other versions: CN113326530A (en)
Inventors: 祝连海, 王飞, 王施人, 王艳, 马睿, 冯吉喆, 王剑
Current Assignee: Beijing Institute of Computer Technology and Applications
Original Assignee: Beijing Institute of Computer Technology and Applications

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes

Abstract

The invention relates to a key negotiation method suitable for two communicating parties that share keys, and belongs to the field of information security. No public key algorithm is used anywhere in the negotiation and only one-way communication is used: after one party's random key is sent to the other party, both parties apply the same calculation strategy to obtain the session key. In terms of security, six layers of protection are provided, and an attacker would need to complete six cracking operations at the same time to attack the key negotiation system. Even if the principle and implementation of the system are leaked by malicious actors, the key derivation algorithm, the HASH algorithm, the index calculation method and the method of obtaining keys through the index are all configurable through policies, so as long as the algorithms and policies are modified, an attacker cannot steal system information by communicating with the system.

Description

Key negotiation method suitable for key sharing of two communication parties
Technical Field
The invention belongs to the field of information security, and particularly relates to a key negotiation method suitable for sharing keys of two communication parties.
Background
The key negotiation method in general use today exchanges parameter information between the two parties through a three-way handshake and then generates a session key by cryptographic calculation. The session key is generated with considerable delay, mainly because many communication rounds are needed (a three-way handshake) and the cryptographic calculation is slow (public key operations are used in the negotiation, and they are time-consuming). Such a method has difficulty meeting the needs of scenarios with high real-time requirements on communication control.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is how to provide a key negotiation method suitable for two communicating parties that share keys, so as to solve the problem that conventional key negotiation methods have difficulty meeting the needs of scenarios with high real-time requirements on communication control.
(II) Technical scheme
To solve the above technical problem, the invention provides a key negotiation method suitable for key sharing between two communicating parties, the method comprising the following steps:
S1, preset key and shared key matrix
A preset key and a shared key matrix are loaded into the devices in a specified manner;
S2, generation of the random key
End A generates a random key and then performs randomness verification according to a standard; a random number that passes verification is a true random number, and this true random number is the random key;
S3, sending the random key to the key negotiation peer
After end A generates the random key, it encrypts the random key with the preset key and sends it to the communication peer; after receiving it, the peer decrypts it with the preset key to obtain the random key;
S4, deriving the negotiation session key component from the random key
The random key is input as a parameter to a key derivation function, and the key derivation operation yields a derived key;
S5, calculating the HASH value of the random key
With the random key as the input parameter, a 160-bit digest value is obtained through a HASH algorithm;
S6, calculating the shared key matrix indexes from the HASH value
The 160-bit digest value is divided into 32 segments of 5 bits each, and the 32 segments are used as index values for obtaining the shared key group; the index value array is Kindex[32];
S7, obtaining the shared key group from the shared key matrix
The shared key matrix is denoted SKM, where SKM = {{SKM[0][0], SKM[0][1], … SKM[0][31]}, {……} …… {SKM[31][0], SKM[31][1], … SKM[31][31]}} and its elements are SKM[m][n];
Let m = Kindex[i], n = Kindex[j]; i, j <= 31; the shared key group obtained is denoted SKA, where SKA[k] = SKM[m][n], k <= 31;
S8, obtaining the secondary key from the shared key group and the derived key
The secondary key is calculated by the following formula:
K_N = E(E(…E(E(CK, SKA[k]))…)); E denotes encryption, the number of encryption layers is more than 10, and the generated secondary key is the negotiation session key.
Further, the shared key matrix is composed of 32×32 keys, and the element corresponding to each column of each row is a true random number key.
Further, the true random number key in the shared key matrix is a 32-byte true random number key.
Further, in step S2, end A generates the random key specifically as follows: end A generates the random key through a random number generation chip.
Further, after step S3, the two communication ends simultaneously execute the subsequent steps according to the negotiation policy to calculate the negotiation session key.
Further, the key derivation function in step S4 is SM3_KDF.
Further, the HASH algorithm in the step S5 is SM3 digest operation.
Further, i is cyclically increased from 0 to 31 and j is cyclically decreased from 31 to 0 in step S7.
Further, the encryption algorithm represented by E in step S8 is a symmetric encryption algorithm.
Further, in the step S8, the number of encryption layers is 32.
(III) Beneficial effects
The invention provides a key negotiation method suitable for key sharing between two communicating parties. This method, based on a shared key matrix, uses no public key algorithm anywhere in the negotiation and only one-way communication: after one party's random key is sent to the other party, both parties apply the same calculation strategy to obtain the session key. In terms of security, the random key generated at one end is encrypted with the preset key before being sent to the other end, and this encryption is the first layer of protection. The random key does not take part in the negotiation directly; instead its HASH value and its derived key are calculated separately and take part indirectly, and these two processes are the second and third layers of protection. The key matrix indexes are calculated from the HASH value and 32 keys are obtained through the index values, which are the fourth and fifth layers of protection. The negotiation session key is obtained by combining the 32 keys and the derived key component through a strong cryptographic algorithm, which is the sixth layer of protection. An attacker can attack the key negotiation system only by completing six cracking operations at the same time, which is almost impossible to achieve. Even if the principle and implementation of the system are leaked by malicious actors, the key derivation algorithm, the HASH algorithm, the index calculation method and the method of obtaining keys through the index are all configurable through policies, so as long as the algorithms and policies are modified, an attacker cannot steal system information by communicating with the system.
Drawings
FIG. 1 is a flow chart of a key agreement method according to the present invention.
Detailed Description
To make the objects, contents and advantages of the present invention more apparent, the following detailed description of the present invention will be given with reference to the accompanying drawings and examples.
The invention relates to a key negotiation method for two communicating parties, which is particularly suitable for environments with high real-time communication requirements and limited hardware computing resources.
The following key elements need to be implemented in the invention:
1) Shared key matrix
The shared key matrix is composed of 32x32 keys, and the element at each row and column is a true random number key. The key length varies with requirements; the invention uses 32-byte true random number keys, and keys of other byte lengths also fall within the scope of the invention. Following the design in which one element is taken per row and per column, all 32 elements taken form a group used to calculate the negotiation session key, and the total number of key groups that can be realized is KCOUNT = 32^32. A number of keys of this order is suitable for long-term key negotiation among multiple communication ends. The calculation of each key group is linear and is in theory easy to crack; adding the session key component derived from the random key makes the negotiated session key the result of a nonlinear calculation, which resolves the risk of the key being cracked.
2) Random key
The random key is a true random number obtained from a hardware random number generator device. The random number must undergo randomness testing according to a certain standard and can be put into use after testing.
3) Key derivation
Key derivation is a deterministic algorithm for deriving symmetric keys from secret values (e.g., a master key or a password); in this work the key is derived from the random key. Key derivation is implemented mainly with the SM3-KDF algorithm, and other key derivation algorithms may also be chosen.
The key negotiation method of the invention specifically comprises the following steps:
S1, preset key and shared key matrix
The preset key and the shared key matrix are loaded into the devices in a specified manner. The preset key protects the random key in transit and must have security of a certain strength. The preset key is denoted PSK.
S2, generation of the random key
End A generates a random key through the random number generation chip and performs randomness verification according to the standard; a random number that passes verification is a true random number, and this true random number is the random key. The random key is used to derive the negotiation session key component, which takes part in the calculation as the nonlinear component of the generated negotiation session key. End A's random key is denoted RNK.
S3, sending the random key to the key negotiation peer
After end A generates the random key, it encrypts the random key with the preset key and sends it online to the communication peer; after receiving it, the peer decrypts it with the preset key to obtain the random key. The peer's decryption of the random key is RNK = D(PSK, RNK_secret), where D denotes decryption and RNK_secret is the encrypted random key as received.
The two communication ends then execute the subsequent steps according to the negotiation policy to calculate the negotiation session key, which saves negotiation time.
S4, deriving the negotiation session key component from the random key
The random key is input as a parameter to a key derivation function, and the key derivation operation yields a derived key. The key derivation function is SM3_KDF, and the derived key generated by the derivation operation is denoted CK.
S5, calculating the HASH value of the random key
With the random key as the input parameter, a 160-bit digest value is obtained through a HASH algorithm. The digest value is denoted SHASH. The HASH algorithm may be the SM3 digest operation.
S6, calculating the shared key matrix indexes from the HASH value
The 160-bit digest value is divided into 32 segments of 5 bits each, and the 32 segments are used as index values for obtaining the shared key group; the index value array is Kindex[32]. The largest value that 5 binary bits can represent is 31, so the index values exactly span the whole array.
S7, obtaining the shared key group from the shared key matrix
The shared key matrix is denoted SKM, where SKM = {{SKM[0][0], SKM[0][1], … SKM[0][31]}, {……} …… {SKM[31][0], SKM[31][1], … SKM[31][31]}} and its elements are SKM[m][n].
Let m = Kindex[i], n = Kindex[j]; i, j <= 31;
i and j are chosen in an agreed manner, e.g., i increases cyclically from 0 to 31 and j decreases cyclically from 31 to 0; the shared key group obtained is denoted SKA, where SKA[k] = SKM[m][n], k <= 31;
S8, obtaining the secondary key from the shared key group SKA and the derived key CK
The secondary key is calculated by the following formula:
K_N = E(E(…E(E(CK, SKA[k]))…)); E denotes encryption. The number of encryption layers is more than 10, and generally 32 layers of encryption are needed; the generated secondary key is the negotiation session key. The encryption algorithm used for the 32 layers is a symmetric encryption algorithm.
The key negotiation method based on the shared key matrix uses no public key algorithm anywhere in the negotiation and performs only a single one-way communication: after one party's random key is sent to the other party, both parties apply the same calculation strategy to obtain the session key. In terms of security, the random key generated at one end is encrypted with the preset key before being sent to the other end, and this encryption is the first layer of protection. The random key does not take part in the negotiation directly; instead its HASH value and its derived key are calculated separately and take part indirectly, and these two processes are the second and third layers of protection. The key matrix indexes are calculated from the HASH value and 32 keys are obtained through the index values, which are the fourth and fifth layers of protection. The negotiation session key is obtained by combining the 32 keys and the derived key component through a strong cryptographic algorithm, which is the sixth layer of protection. An attacker can attack the key negotiation system only by completing six cracking operations at the same time, which is almost impossible to achieve. Even if the principle and implementation of the system are leaked by malicious actors, the key derivation algorithm, the HASH algorithm, the index calculation method and the method of obtaining keys through the index are all configurable through policies, so as long as the algorithms and policies are modified, an attacker cannot steal system information by communicating with the system.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.
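Steps S4 to S8 above, written out as a runnable sketch. This is an added example, not code from the patent: SHA-256 stands in for SM3 and SM3_KDF (the 160-bit digest is taken as its first 20 bytes), HMAC-SHA256 stands in for each symmetric encryption layer E because the Python standard library has no block cipher, and the MSB-first bit order, the pairing j = 31 - k and the layer chaining (SKA[k] as the layer key, the running value as data) are assumptions where the text leaves the detail open.

```python
import hashlib
import hmac
import secrets

N = 32        # the shared key matrix is 32 x 32
KEY_LEN = 32  # each matrix element is a 32-byte key


def new_matrix():
    """S1: build a 32x32 matrix of random keys (OS CSPRNG here, not a TRNG chip)."""
    return [[secrets.token_bytes(KEY_LEN) for _ in range(N)] for _ in range(N)]


def derive_ck(rnk):
    """S4: derived key CK. Counter-mode hash KDF over SHA-256, a stand-in for SM3_KDF."""
    out, counter = b"", 1
    while len(out) < KEY_LEN:
        out += hashlib.sha256(rnk + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:KEY_LEN]


def digest160(rnk):
    """S5: 160-bit digest. Assumption: first 20 bytes of SHA-256, standing in for SM3."""
    return hashlib.sha256(rnk).digest()[:20]


def split_indices(digest):
    """S6: cut the 160-bit digest into 32 five-bit values (assumed MSB first)."""
    if len(digest) != 20:
        raise ValueError("digest must be exactly 160 bits")
    value = int.from_bytes(digest, "big")
    return [(value >> (5 * (N - 1 - k))) & 0x1F for k in range(N)]


def select_group(skm, kindex):
    """S7: SKA[k] = SKM[Kindex[i]][Kindex[j]], assuming i = k rising and j = 31 - k falling."""
    if len(skm) != N or any(len(row) != N for row in skm):
        raise ValueError("shared key matrix must be 32 x 32")
    return [skm[kindex[k]][kindex[N - 1 - k]] for k in range(N)]


def layer(key, data):
    """One layer of E. HMAC-SHA256 is a stand-in for the symmetric cipher."""
    return hmac.new(key, data, hashlib.sha256).digest()


def negotiate(skm, rnk):
    """S4-S8: each end calls this with the same SKM and the same RNK."""
    ck = derive_ck(rnk)
    ska = select_group(skm, split_indices(digest160(rnk)))
    state = ck
    for key in ska:  # 32 layers, one per SKA element (assumed chaining order)
        state = layer(key, state)
    return state


if __name__ == "__main__":
    skm = new_matrix()             # provisioned to both ends in S1
    rnk = secrets.token_bytes(32)  # constructed sample for end A's random key
    key_a = negotiate(skm, rnk)    # end A
    key_b = negotiate(skm, rnk)    # peer, after decrypting RNK in S3
    print("Kindex:", split_indices(digest160(rnk)))
    print("session keys match:", hmac.compare_digest(key_a, key_b))
```

With real primitives, `derive_ck`, `digest160` and `layer` are the only functions to replace; the index extraction and matrix selection stay as they are.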

Claims (10)

1. A key agreement method suitable for key sharing between two parties of communication, the method comprising the steps of:
S1, preset key and shared key matrix
A preset key and a shared key matrix are loaded into the devices in a specified manner;
S2, generation of the random key
End A generates a random key and then performs randomness verification according to a standard; a random number that passes verification is a true random number, and this true random number is the random key;
S3, sending the random key to the key negotiation peer
After end A generates the random key, it encrypts the random key with the preset key and sends it to the communication peer; after receiving it, the peer decrypts it with the preset key to obtain the random key;
S4, deriving the negotiation session key component from the random key
The random key is input as a parameter to a key derivation function, and the key derivation operation yields a derived key, the derived key being denoted CK;
S5, calculating the HASH value of the random key
With the random key as the input parameter, a 160-bit digest value is obtained through a HASH algorithm;
S6, calculating the shared key matrix indexes from the HASH value
The 160-bit digest value is divided into 32 segments of 5 bits each, and the 32 segments are used as index values for obtaining the shared key group; the index value array is Kindex[32];
S7, obtaining the shared key group from the shared key matrix
The shared key matrix is denoted SKM, where SKM = {{SKM[0][0], SKM[0][1], … SKM[0][31]}, {……} …… {SKM[31][0], SKM[31][1], … SKM[31][31]}} and its elements are SKM[m][n];
Let m = Kindex[i], n = Kindex[j]; i, j <= 31; the shared key group obtained is denoted SKA, where SKA[k] = SKM[m][n], k <= 31;
S8, obtaining the secondary key from the shared key group and the derived key
The secondary key is calculated by the following formula:
K_N = E(E(…E(E(CK, SKA[k]))…)); E denotes encryption, the number of encryption layers is more than 10, and the generated secondary key is the negotiation session key.
2. The key agreement method for both parties' key sharing according to claim 1, wherein the shared key matrix is composed of 32x32 keys, and each element corresponding to each column in each row is a true random number key.
3. The key agreement method for both parties to a communication key sharing according to claim 2, wherein the true random number key in the shared key matrix is a 32-byte true random number key.
4. The key agreement method applicable to both parties of communication key sharing as recited in claim 1, wherein the generating of the random key at end A in step S2 is specifically: end A generates the random key through a random number generation chip.
5. The key agreement method for both communication parties' key sharing according to claim 1, wherein after step S3, both communication ends simultaneously execute the subsequent steps according to the negotiation policy to calculate the negotiation session key.
6. The key agreement method for key sharing between two parties of communication according to claim 1, wherein the key derivation function in step S4 is SM3_KDF.
7. The key agreement method for both parties' key sharing according to claim 1, wherein the HASH algorithm in step S5 is SM3 digest operation.
8. The key agreement method applicable to both communication parties' key sharing according to claim 1, wherein i is cyclically increased from 0 to 31 and j is cyclically decreased from 31 to 0 in step S7.
9. The key agreement method for key sharing between two parties of communication according to claim 1, wherein the encryption algorithm represented by E in step S8 is a symmetric encryption algorithm.
10. The key agreement method for key sharing between two parties of communication according to claim 1 or 9, wherein the number of encryption layers in step S8 is 32.
CN202110723225.XA 2021-06-29 2021-06-29 Key negotiation method suitable for key sharing of two communication parties Active CN113326530B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110723225.XA CN113326530B (en) 2021-06-29 2021-06-29 Key negotiation method suitable for key sharing of two communication parties

Publications (2)

Publication Number Publication Date
CN113326530A CN113326530A (en) 2021-08-31
CN113326530B CN113326530B (en) 2024-02-02
