CN115333730B - Method for improving data integrity of digital envelope message - Google Patents

Publication number
CN115333730B
Authority
CN
China
Prior art keywords
key
digital envelope
key block
data
hmac
Legal status
Active
Application number
CN202210956180.5A
Other languages
Chinese (zh)
Other versions
CN115333730A (en)
Inventor
李阳
张大伟
Current Assignee
Beijing Unita Information Technology Co ltd
Original Assignee
Beijing Unita Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for improving the data integrity of digital envelope messages, and a high-performance digital envelope, in which a message is protected with the keys in a key block that comprises a symmetric key and an HMAC key. When a sender makes a digital envelope, the HMAC key is used to calculate an HMAC value of the message, which is appended to the message to obtain data A; data A is then encrypted with the symmetric key to obtain the ciphertext data in the message ciphertext of the digital envelope; the key block is encrypted with the public key of the digital envelope's receiver to obtain a key block ciphertext; the data is then packaged according to the format to make the digital envelope, and the key block and the key block ciphertext are cached for use in making other digital envelopes. By combining the key used to encrypt the message with the HMAC key, the invention achieves integrity protection and non-repudiation of data, and the key reuse mechanism improves the performance of making and unsealing digital envelopes.

Description

Method for improving data integrity of digital envelope message
Technical Field
The invention relates to the technical field of digital envelopes, and more particularly to a method for improving the data integrity of digital envelope messages.
Background
Digital envelope technology is an information security technology that uses cryptographic techniques to ensure that only the correct recipient can obtain the information. Public-key encryption at the outer layer solves the key distribution problem; symmetric encryption at the inner layer improves encryption efficiency.
In PKCS #7, the sender can sign data, achieving data integrity protection and non-repudiation. If the data needs to be non-repudiable, it must be signed; data integrity protection can be realized in this way, but the data and the symmetric key used are random, so the performance cannot be improved.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to provide a method for improving the data integrity of digital envelope messages, and a high-performance digital envelope, which realize confidentiality protection and integrity protection of data by using a symmetric key for message encryption in combination with an HMAC key.
To solve the above technical problem, the invention provides the following technical solution:
A method for improving the data integrity of digital envelope messages, in which messages are encrypted using a key block that comprises an HMAC key and a symmetric key. When a sender makes a digital envelope, the HMAC key is used to calculate an HMAC value of the message, which is appended to the message to obtain data A; data A is then encrypted with the symmetric key to obtain the ciphertext data in the message ciphertext of the digital envelope; the key block is encrypted with the public key of the digital envelope's receiver to obtain a key block ciphertext; the key block ciphertext is then packaged into the digital envelope according to the format, and the key block and the key block ciphertext are cached.
In this method, the key block is randomly generated; its length is fixed and equals the sum of the symmetric key length and the HMAC key length.
In this method, a key block plaintext digest is added to the receiver information of the digital envelope; when a digital envelope is made, the key block ciphertext is encapsulated together with the key block plaintext digest.
In this method, the smaller of the key security requirement thresholds of the symmetric algorithm and the HMAC algorithm is selected as the effective security threshold. While the amount of data processed has not reached the security threshold, subsequent digital envelopes are made by calculating the HMAC value with the same HMAC key, encrypting the data with the same symmetric key, and attaching the previously cached key block ciphertext and key block digest to the digital envelope, which avoids the public key computation.
In this method, the value of the key block plaintext digest is the digest of the concatenation of the symmetric key used for message encryption and the HMAC key used for integrity protection; that is, the key block digest is calculated over the data formed by concatenating the symmetric key and the HMAC key.
A digital envelope includes recipient information, message ciphertext, and key ciphertext, where the recipient information includes software version information, the certificate issuer and certificate serial number, a key block encryption algorithm identifier, a key block ciphertext, and a key block plaintext digest.
When the digital envelope has two or more receivers and the data does not exceed the security threshold, the key blocks used to make the message ciphertext are one and the same key block.
When the data of the digital envelope does not exceed the security threshold, the key block used to make the digital envelope is the key block that was randomly generated the first time; it is reused rather than randomly generated again.
The technical solution of the invention achieves the following beneficial technical effects:
Compared with an ordinary digital envelope, the invention uses the symmetric key and HMAC key to encrypt the message and protect its integrity, and reuses the key block within the data security threshold, thereby avoiding a public key encryption each time when digital envelopes are made in large quantities and a private key decryption each time they are unsealed. To ensure data security, the digital certificate producer should set a threshold (time/data amount) at which the key block (symmetric key/HMAC key) is replaced.
Drawings
FIG. 1 is a schematic diagram of the structure of a digital envelope of the present invention;
FIG. 2 is a schematic structural diagram of an original digital envelope;
FIG. 3 is a schematic flow chart of the digital envelope making process of the present invention;
FIG. 4 is a flow chart of the decryption of the digital envelope in the present invention.
Detailed Description
The present invention is further described below with reference to examples.
As shown in FIG. 1, the digital envelope of the present invention includes recipient information, message ciphertext, and key ciphertext, where the recipient information includes software version information, the certificate issuer and certificate serial number, a key block encryption algorithm identifier, a key block ciphertext, and a key block plaintext digest.
When the digital envelope has two or more receivers and the data amount does not exceed the security threshold, the key blocks used to make the message ciphertext are one and the same key block.
When the digital envelope is used for message transmission, the key block for making the digital envelope is randomly generated. The digital envelope sender uses the HMAC key to calculate the HMAC value of the message, appends the HMAC value to the message to obtain data A, encrypts data A with the symmetric key to obtain the ciphertext data in the message ciphertext, encrypts the key block with the receiver's public key to obtain the key block ciphertext, packages the key block ciphertext into the digital envelope according to the format, and caches the key block and the key block ciphertext.
When the digital envelope is used for information transmission, the original digital envelope format (shown in FIG. 2) is extended by adding the key block plaintext digest to the receiver information. The extended format is compatible with the original format, and the symmetric key ciphertext in the receiver information of the original digital envelope is replaced by the key block ciphertext. When a digital envelope sender makes an extended digital envelope for the first time, all the calculations required to make the digital envelope must be performed, and the key block, the key block ciphertext, and the key block plaintext digest information must be cached. After the extended digital envelope has been made for the first time, if the extended digital envelope has a receiver, then in making the extended digital envelope the original encrypted value is used directly for the key block ciphertext field in the receiver information, the digest value of the key block plaintext digest is filled in as the key block plaintext digest information, and the public key calculation otherwise required to make the digital envelope is not performed this time.
As shown in FIG. 4, when decrypting the digital envelope, the receiver first looks up the key block by the key block plaintext digest. If no existing key block is found, the receiver decrypts the imported key block with its private key to obtain the key block, and caches the correspondence between the digest value of the key block plaintext digest and the key block. If an existing key block is found, the private key decryption is skipped and the key block is used directly to unseal the digital envelope.
When the digital envelope sender makes the extended digital envelope, it performs the HMAC calculation on the message, then performs symmetric encryption to obtain the message ciphertext, and encapsulates the message ciphertext, the key block ciphertext, and the key block plaintext digest in the extended digital envelope, as shown in FIG. 3. The key block used in making the digital envelope is a randomly generated key block of fixed length, equal to the sum of the symmetric key length and the HMAC key length; the smaller of the key security requirement thresholds of the symmetric algorithm and the HMAC algorithm is selected as the effective security threshold; and the digest value of the key block is calculated.
While the amount of data processed has not reached the security threshold, subsequent digital envelopes are made by calculating the HMAC value with the same HMAC key, encrypting the data with the same symmetric key, and attaching the previously cached key block ciphertext and key block digest to the digital envelope, which avoids the public key calculation.
In the invention, the digital envelope sender uses the HMAC algorithm to protect the integrity of the message data and then encrypts the message data with the symmetric key to protect its security. Combining the HMAC algorithm with the symmetric encryption algorithm achieves integrity protection of the message data while ensuring its security, and key reuse reduces the decryption time when a receiver receives and decrypts the same digital envelope again.
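The sender and receiver flows described above (FIG. 3 and FIG. 4), as an added Ruby example that is not part of the patent. AES-256-CTR, HMAC-SHA256, SHA-256 for the key block digest, RSA-OAEP, the byte-count threshold and all class and method names are assumptions; the receiver's check of the decrypted key block against the envelope's digest before caching is an added hardening step, not one the description states.

```ruby
require "openssl"

# Assumed algorithms (the patent names none): AES-256-CTR, HMAC-SHA256, SHA-256, RSA-OAEP.
SYM_LEN = MAC_LEN = 32 # key block = symmetric key || HMAC key, fixed length
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
# Recipient information is reduced to the two key block fields; version and certificate fields omitted.
Envelope = Struct.new(:key_block_ct, :key_block_digest, :iv, :message_ct)

def aes_ctr(key, iv, data)
  cipher = OpenSSL::Cipher.new("aes-256-ctr")
  cipher.encrypt # CTR decryption is the same keystream XOR
  cipher.key = key
  cipher.iv = iv
  cipher.update(data) + cipher.final
end

class Sender
  attr_reader :public_key_ops
  def initialize(recipient_public_key, threshold_bytes)
    @pub = recipient_public_key
    @threshold = threshold_bytes # effective security threshold (smaller of the two algorithm limits)
    @public_key_ops = 0
  end

  def seal(message)
    if @key_block.nil? || @used + message.bytesize > @threshold # first envelope, or key block used up
      @key_block = OpenSSL::Random.random_bytes(SYM_LEN + MAC_LEN)
      @key_block_ct = @pub.public_encrypt(@key_block, OAEP)
      @digest = OpenSSL::Digest::SHA256.digest(@key_block)
      @used = 0
      @public_key_ops += 1
    end
    @used += message.bytesize
    data_a = message.b + OpenSSL::HMAC.digest("SHA256", @key_block[SYM_LEN..], message) # message || HMAC
    iv = OpenSSL::Random.random_bytes(16) # must be fresh per envelope because the AES key is reused
    Envelope.new(@key_block_ct, @digest, iv, aes_ctr(@key_block[0, SYM_LEN], iv, data_a))
  end
end

class Receiver
  attr_reader :private_key_ops
  def initialize(private_key)
    @priv = private_key
    @cache = {} # key block digest => key block
    @private_key_ops = 0
  end

  def open(env)
    key_block = @cache[env.key_block_digest]
    if key_block.nil? # unknown digest: one private-key decryption, then cache it
      key_block = @priv.private_decrypt(env.key_block_ct, OAEP)
      @private_key_ops += 1
      # Added hardening (assumption): cache only a key block that hashes to the claimed digest.
      unless key_block.bytesize == SYM_LEN + MAC_LEN &&
             OpenSSL::Digest::SHA256.digest(key_block) == env.key_block_digest
        raise ArgumentError, "key block does not match its digest"
      end
      @cache[env.key_block_digest] = key_block
    end
    raise ArgumentError, "malformed envelope" if env.iv.bytesize != 16 || env.message_ct.bytesize < 32
    data_a = aes_ctr(key_block[0, SYM_LEN], env.iv, env.message_ct)
    message, tag = data_a[0...-32], data_a[-32..]
    expected = OpenSSL::HMAC.digest("SHA256", key_block[SYM_LEN..], message)
    raise ArgumentError, "HMAC mismatch" unless OpenSSL.secure_compare(tag, expected)
    message
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key pair
  sender, receiver = Sender.new(key.public_key, 1 << 20), Receiver.new(key)
  3.times { |i| puts receiver.open(sender.seal("constructed message #{i}")) }
  puts "public-key ops: #{sender.public_key_ops}, private-key ops: #{receiver.private_key_ops}"
end
```

With the 1 MiB threshold used in the demo, the three constructed messages share one key block, so the run reports one public-key operation and one private-key operation.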
It should be understood that the above examples are given only for clarity of illustration and do not limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to enumerate all embodiments here, and obvious variations or modifications derived from them remain within the scope of the appended claims.

Claims (2)

1. A method for improving data integrity of digital envelope messages, characterized in that the messages are encrypted and integrity-protected with a key block, wherein the key block comprises an HMAC key and a symmetric key; when a sender makes a digital envelope, the HMAC key is used to calculate an HMAC value of the message, which is appended to the message to obtain data A; data A is then encrypted with the symmetric key to obtain the ciphertext data in the message ciphertext of the digital envelope; the key block is encrypted with the public key of the receiver of the digital envelope to obtain a key block ciphertext; the digital envelope is then made by packaging the data according to a format, and the key block and the key block ciphertext are cached; the key block is randomly generated; the length of the key block is fixed and is the sum of the length of the symmetric key and the length of the HMAC key; a key block plaintext digest is added to the receiver information of the digital envelope; when the digital envelope is made, the key block ciphertext and the key block plaintext digest are packaged together; the smaller of the key security requirement thresholds of the symmetric algorithm and the HMAC algorithm is selected as the effective security threshold; while the amount of data processed has not reached the security threshold, a subsequent digital envelope is made by calculating the HMAC value with the same HMAC key, encrypting the data with the same symmetric key, and attaching the previously cached key block ciphertext and key block digest to the digital envelope, so that public key calculation is avoided.
2. The method for improving data integrity of digital envelope messages according to claim 1, wherein the value of the key block plaintext digest is the digest value of the concatenation of the symmetric key used for message encryption and the HMAC key used for integrity protection.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210956180.5A CN115333730B (en) 2022-08-10 2022-08-10 Method for improving data integrity of digital envelope message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210956180.5A CN115333730B (en) 2022-08-10 2022-08-10 Method for improving data integrity of digital envelope message

Publications (2)

Publication Number Publication Date
CN115333730A (en) 2022-11-11
CN115333730B (en) 2023-04-07

Family

ID=83922465

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210956180.5A Active CN115333730B (en) 2022-08-10 2022-08-10 Method for improving data integrity of digital envelope message

Country Status (1)

Country Link
CN (1) CN115333730B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11356427B1 (en) * 2017-02-15 2022-06-07 Wells Fargo Bank, N.A. Signcrypted envelope message
CN108683688B (en) * 2018-07-20 2024-02-06 中国建设银行股份有限公司浙江省分行 Method for realizing information transmission safety based on digital envelope technology
CN109962784B (en) * 2019-03-22 2021-04-02 西安电子科技大学 Data encryption, decryption and recovery method based on multiple digital envelope certificates

Also Published As

Publication number Publication date
CN115333730A (en) 2022-11-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant