CN115834038A - Encryption method and device based on national commercial cryptographic algorithm - Google Patents

Publication number: CN115834038A
Authority: CN (China)
Application number: CN202211350989.XA
Other languages: Chinese (zh)
Inventor: 陈超
Current Assignee: Bank of China Financial Technology Co Ltd
Original Assignee: Bank of China Financial Technology Co Ltd
Legal status: Pending
Prior art keywords: private key; encryption; ciphertext; public; key

Abstract

The invention provides an encryption method and device based on a national commercial cryptographic algorithm, belonging to the technical field of encryption. The method comprises: calling the SM4 generation interface of a hardware encryption machine to randomly generate an SM4 key ciphertext; calling an SM2 public-private key pair generation interface to generate an SM2 public key and an SM2 private key according to the parameters of the opposite-side system; and calling the SM4 encryption interface of the hardware encryption machine to encrypt the SM2 private key based on the SM4 key ciphertext, obtaining an SM2 private key ciphertext. Because the SM2 private key is encrypted under the internal key ciphertext, manual operation carries no risk of key leakage at any stage: no one can see the key plaintext or decrypt it. This avoids the risk of key leakage, yields a public-private key pair that meets the requirements of the opposite-side system, and keeps the system secure. The opposite-side system can therefore be matched without hardware modification of the hardware encryption machine, and no additional hardware modification cost is incurred.

Description

Encryption method and device based on national commercial cryptographic algorithm
Technical Field
The invention relates to the technical field of encryption, in particular to an encryption method and device based on a national commercial cryptographic algorithm.
Background
The national commercial cryptographic algorithms are a set of encryption and decryption algorithms issued by the State Cryptography Administration. The SM2 algorithm is an asymmetric-key algorithm among them; the SM4 algorithm is a symmetric-key algorithm among them. At present, to adapt to changes in the international situation, information systems use the national commercial cryptographic algorithms in a growing number of scenarios.
However, when interfacing with external systems, it is found that the SM2 public-private key pair generated by the existing hardware encryption machine cannot meet the other party's requirements. The reasons include: the SM2 encryption mode parameters of the two sides differ, for example one of the hardware encryption machine and the opposite-side system uses $C_1 \| C_3 \| C_2$ and the other uses $C_1 \| C_2 \| C_3$; and the SM2 signature mode parameters differ, for example for the user ID (i.e., userid) one of the hardware encryption machine and the opposite-side system uses the default value 12345671234567 and the other uses a custom value.
If matching with the opposite-side system is implemented in software, there is a risk of leaking the SM2 private key. At present, therefore, interfacing with an external cryptographic system can only be achieved by modifying the hardware of the hardware encryption machine. Such modification, however, affects the schedule and incurs hardware modification cost, among other things.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an encryption method and device based on a national commercial cryptographic algorithm.
The invention provides an encryption method based on a national commercial cryptographic algorithm, comprising: calling the SM4 generation interface of a hardware encryption machine to randomly generate an SM4 key ciphertext; calling an SM2 public-private key pair generation interface to generate an SM2 public key and an SM2 private key according to the parameters of the opposite-side system; and calling the SM4 encryption interface of the hardware encryption machine to encrypt the SM2 private key based on the SM4 key ciphertext, obtaining an SM2 private key ciphertext. The SM2 public key and the SM2 private key ciphertext are used to encrypt and decrypt service content exchanged with the opposite-side system.
According to the encryption method provided by the invention, calling the SM2 public-private key pair generation interface to generate an SM2 public key and an SM2 private key according to the parameters of the opposite-side system comprises: receiving the system parameters specified by the opposite-side system, the system parameters comprising a user ID and an encryption mode parameter; configuring the system parameters in a configuration file; and calling an SM2 encryption interface, reading the configuration file, setting the encryption parameters by parameter passing, the encryption parameters comprising an encryption mode and a signature mode parameter, and generating the SM2 public key and the SM2 private key.
According to the encryption method provided by the invention, after the SM2 public key and the SM2 private key are generated, the method further comprises: sending the SM2 public key to the opposite-side system, which uses it to encrypt the service content it is to send.
According to the encryption method provided by the invention, after the SM2 private key ciphertext is obtained, the method further comprises: storing the SM2 private key ciphertext locally, for decrypting content that the opposite-side system has encrypted with the SM2 public key.
According to the encryption method provided by the invention, after the SM2 public key is sent to the opposite-side system, the method further comprises: receiving a service content ciphertext sent by the opposite-side system; reading the SM4 key ciphertext from the configuration file; calling the SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext, obtaining the SM2 private key plaintext; and decrypting the service content ciphertext sent by the opposite-side system with the SM2 private key plaintext, obtaining the service content plaintext.
The invention also provides an encryption device based on the national commercial cryptographic algorithm, which comprises: the generation module is used for calling an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 secret key ciphertext; the processing module is used for calling an SM2 public and private key pair generation interface and generating an SM2 public key and an SM2 private key according to opposite side system parameters; the encryption module is used for calling an SM4 encryption interface of the hardware encryption machine and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with a side system.
The encryption device based on the national commercial cryptographic algorithm further comprises a decryption module, which is used for: receiving a business content ciphertext transmitted by the opposite side system; reading an SM4 secret key ciphertext in the configuration file; calling an SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext to obtain an SM2 private key plaintext; and decrypting the business content ciphertext sent by the opposite side system by using the SM2 private key plaintext to obtain the business content plaintext.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the encryption method based on the national commercial cryptographic algorithm.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a national commercial cryptographic algorithm based encryption method as any one of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements a national commercial cryptographic algorithm based encryption method as described in any one of the above.
According to the encryption method and device based on the national commercial cryptographic algorithm provided by the invention, the SM4 encryption interface of the hardware encryption machine is called and the SM2 private key is encrypted based on the SM4 key ciphertext. The opposite-side system is thus matched by software encryption while the SM2 private key remains encrypted under the internal key ciphertext. Manual operation carries no risk of key leakage at any stage: no one can see the key plaintext or decrypt it. This avoids the risk of key leakage, yields a public-private key pair that meets the requirements of the opposite-side system, and keeps the system secure. The opposite-side system can therefore be matched without hardware modification of the hardware encryption machine, and no additional hardware modification cost is incurred.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an encryption method based on a national commercial cryptographic algorithm provided by the present invention;
FIG. 2 is a schematic structural diagram of an encryption device based on a national commercial cryptographic algorithm provided by the present invention;
FIG. 3 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following explains some technical terms related to the present invention.
SM2 is an elliptic curve public-key cryptographic algorithm issued by the State Cryptography Administration; it is an asymmetric algorithm based on elliptic curve cryptography (ECC). Because it is based on ECC, its signature speed and key generation speed are faster than those of RSA (an asymmetric encryption algorithm whose security rests mainly on the difficulty of factoring the product of large primes, which makes it hard to break). The security strength of 256-bit ECC (SM2 uses one 256-bit ECC curve) is higher than that of 2048-bit RSA, and it operates faster than RSA. SM2 therefore performs better and is more secure: cryptographic complexity is high, processing is fast, and it consumes fewer machine resources.
SM2 encryption algorithm and flow:
Input: the message to be sent is a bit string $M$, and $klen$ is the bit length of $M$.
1. Use a random number generator to generate a random number $k \in [1, n-1]$;
2. Compute the elliptic curve point $C_1 = [k]G = (x_1, y_1)$ and convert the data type of $C_1$ to a bit string;
3. Compute the elliptic curve point $S = [h]P_B$; if $S$ is the point at infinity, report an error and exit;
4. Compute the elliptic curve point $[k]P_B = (x_2, y_2)$ and convert the data types of the coordinates $x_2$ and $y_2$ to bit strings;
5. Compute $t = KDF(x_2 \| y_2, klen)$; if $t$ is the all-zero bit string, return to step 1;
6. Compute $C_2 = M \oplus t$;
7. Compute $C_3 = Hash(x_2 \| M \| y_2)$;
8. Output the ciphertext $C = C_1 \| C_2 \| C_3$.
SM2 decryption algorithm and flow:
Let $klen$ be the bit length of $C_2$ in the ciphertext. To decrypt the ciphertext $C = C_1 \| C_2 \| C_3$, the following steps are performed:
1. Take the bit string $C_1$ out of $C$, convert the data type of $C_1$ to a point on the elliptic curve, and verify that $C_1$ satisfies the elliptic curve equation; if not, report an error and exit;
2. Compute the elliptic curve point $S = [h]C_1$; if $S$ is the point at infinity, report an error and exit;
3. Compute $[d_B]C_1 = (x_2, y_2)$ and convert the data types of the coordinates $x_2$ and $y_2$ to bit strings;
4. Compute $t = KDF(x_2 \| y_2, klen)$; if $t$ is the all-zero bit string, report an error and exit;
5. Take the bit string $C_2$ out of $C$ and compute $M' = C_2 \oplus t$;
6. Compute $u = Hash(x_2 \| M' \| y_2)$ and take the bit string $C_3$ out of $C$; if $u \neq C_3$, report an error and exit;
7. Output the plaintext $M'$.
Parameters not explained here are as defined in the prior art and are not described in detail.
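The encryption mode mismatch named in the Background (C1||C3||C2 on one side, C1||C2||C3 on the other) is a pure re-ordering of the three components produced by the steps above, so a receiver that assumes the wrong order fails the C3 hash check. The following is an added example, not code from the patent: it assumes raw concatenated ciphertexts (no ASN.1 wrapping), a 65-byte uncompressed C1 and a 32-byte SM3 digest for C3, and every function and constant name in it is hypothetical.

```python
# Added example: re-order raw SM2 ciphertext fields between the two layouts.
# Assumptions: raw concatenation, uncompressed C1, 32-byte C3 (SM3 digest).

C1_LEN = 65  # 0x04 || x1 (32 bytes) || y1 (32 bytes)
C3_LEN = 32  # SM3 digest length in bytes
LAYOUTS = ("C1C2C3", "C1C3C2")


def split_ciphertext(ct, layout, has_prefix=True):
    """Return (c1, c2, c3) from a raw SM2 ciphertext in the given layout.

    has_prefix=False handles encoders that emit C1 as bare x1 || y1 (64 bytes)
    without the 0x04 uncompressed-point tag; the tag is restored in the result.
    """
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout {layout!r}")
    c1_len = C1_LEN if has_prefix else C1_LEN - 1
    if len(ct) <= c1_len + C3_LEN:
        raise ValueError("ciphertext too short for C1, C3 and a non-empty C2")
    c1, rest = ct[:c1_len], ct[c1_len:]
    if has_prefix:
        if c1[0] != 0x04:
            raise ValueError("C1 lacks the 0x04 uncompressed-point tag")
    else:
        c1 = b"\x04" + c1
    if layout == "C1C3C2":
        # C3 has fixed length and comes first; everything after it is C2.
        c3, c2 = rest[:C3_LEN], rest[C3_LEN:]
    else:
        # C3 has fixed length and comes last; everything before it is C2.
        c2, c3 = rest[:-C3_LEN], rest[-C3_LEN:]
    return c1, c2, c3


def join_ciphertext(c1, c2, c3, layout, has_prefix=True):
    """Concatenate the three fields in the requested layout."""
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout {layout!r}")
    if len(c1) != C1_LEN or c1[0] != 0x04 or len(c3) != C3_LEN:
        raise ValueError("C1 must be 65 bytes starting 0x04; C3 must be 32 bytes")
    head = c1 if has_prefix else c1[1:]
    body = c3 + c2 if layout == "C1C3C2" else c2 + c3
    return head + body


def convert_layout(ct, src, dst, src_prefix=True, dst_prefix=True):
    """Re-order a ciphertext from layout src to layout dst; no key is needed."""
    c1, c2, c3 = split_ciphertext(ct, src, src_prefix)
    return join_ciphertext(c1, c2, c3, dst, dst_prefix)


# Constructed sample fields (filler bytes, not the output of a real encryption).
SAMPLE_C1 = b"\x04" + b"\x11" * 32 + b"\x22" * 32
SAMPLE_C2 = b"business-content"
SAMPLE_C3 = b"\x33" * 32

if __name__ == "__main__":
    sent = join_ciphertext(SAMPLE_C1, SAMPLE_C2, SAMPLE_C3, "C1C3C2")
    # A receiver that assumes the other layout extracts the wrong C3, so the
    # hash comparison in decryption step 6 would fail.
    wrong_c3 = split_ciphertext(sent, "C1C2C3")[2]
    print("C3 recovered with wrong layout matches:", wrong_c3 == SAMPLE_C3)
    fixed = convert_layout(sent, "C1C3C2", "C1C2C3")
    print("C3 after conversion matches:",
          split_ciphertext(fixed, "C1C2C3")[2] == SAMPLE_C3)
```

The conversion touches only ciphertext bytes, so it can run in the service system without access to the SM2 private key.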
SM4 is a symmetric encryption algorithm issued by the State Cryptography Administration, with a block length of 128 bits and a key length of 128 bits. Both the encryption algorithm and the key expansion algorithm use a 32-round nonlinear iterative structure. The decryption algorithm has the same structure as the encryption algorithm, except that the round keys are used in the opposite order: the decryption round keys are the encryption round keys in reverse.
The encryption method and apparatus based on the national commercial cipher algorithm of the present invention will be described with reference to fig. 1 to 3. Fig. 1 is a schematic flow diagram of an encryption method based on a national commercial cryptographic algorithm provided by the present invention, and as shown in fig. 1, the present invention provides an encryption method based on a national commercial cryptographic algorithm, including:
101. Call the SM4 generation interface of the hardware encryption machine to randomly generate an SM4 key ciphertext.
The hardware encryption machine can generate both SM2 keys and SM4 keys, that is, it provides SM2 and SM4 key generation interfaces; the invention uses only its SM4 key generation interface. After the service system receives a request to generate an SM2 key for the opposite-side system (which may be an opposite-side system with the mismatched parameters described above), it first calls the SM4 generation interface of the hardware encryption machine to randomly generate an SM4 key ciphertext. Note that the SM4 key ciphertext can be decrypted into plaintext only by the hardware encryption machine, which guarantees security.
The SM4 key ciphertext is stored in a configuration file and used as a parameter in the subsequent generation of the SM2 public-private key pair. Specifically, the SM4 key ciphertext generated in step 101 may be stored in a configuration file (or a configuration table) for use in the subsequent SM2 public-private key pair generation process.
102. Call the SM2 public-private key pair generation interface and generate an SM2 public key and an SM2 private key according to the parameters of the opposite-side system.
The SM2 public-private key pair generation process is invoked and generates the key pair according to the parameters of the opposite-side system (such as userid), so as to match the opposite-side system.
103. Call the SM4 encryption interface of the hardware encryption machine and encrypt the SM2 private key based on the SM4 key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used to encrypt and decrypt service content exchanged with the opposite-side system.
That is, the SM2 private key generated in step 102 is encrypted, using the SM4 encryption interface provided by the hardware encryption machine and the SM4 key ciphertext generated in step 101, to obtain an SM2 private key ciphertext for internal use. The embodiment of the invention does not specifically limit how service content is encrypted and decrypted between the local system and the opposite-side system; any current encryption and decryption method may be used, including signing and signature verification.
It can be seen that, in the SM2 public-private key pair generated by the invention, the SM2 private key is a ciphertext obtained by calling the SM4 encryption interface of the hardware encryption machine. However it is handled or transferred, it cannot be decrypted outside the encryption machine, which avoids the risk of disclosing the SM2 private key, and the usage requirement is met without modifying the hardware of the hardware encryption machine.
According to the encryption method based on the national commercial cipher algorithm, the SM4 encryption interface of the hardware encryption machine is called, the SM2 private key is encrypted based on the SM4 secret key ciphertext, when the soft encryption mode is matched with the opposite side system, the SM2 private key is encrypted based on the internal secret key ciphertext, the risk of secret key leakage does not exist in the whole process of manual operation, no person can see the password plaintext and cannot decrypt the password, the risk of password leakage is avoided, the public and private key pair meeting the requirements of the opposite side system is achieved, and meanwhile the safety of the system is guaranteed. Therefore, the system on the opposite side does not need to be matched through hardware improvement on the hardware encryption machine, and no additional hardware improvement cost exists.
In one embodiment, the invoking an SM2 public-private key pair generation interface to generate an SM2 public key and an SM2 private key according to the opposite-side system parameters includes: receiving system parameters specified by an opposite side system, wherein the system parameters comprise a user ID and an encryption mode parameter; configuring the system parameters in a configuration file; and calling an SM4 public and private key pair generation interface, reading a configuration file, setting encryption parameters in a parameter transmission mode, wherein the encryption parameters comprise an encryption mode and a signature mode parameter, and generating an SM2 public key and an SM2 private key.
In the embodiment of the invention, an interface of the SM4 public and private key pair generation method is called, and parameters such as an encryption mode, a signature mode and the like are set in the interface method according to parameters of the opposite side system through a parameter transmission mode so as to match the opposite side system to generate an SM2 public and private key pair. The parameters of the contralateral system include a user ID and an encryption mode parameter, for example, the encryption mode is C1| C3| C2 or C1| C2| C3, and the user ID is 12345671234567. And finally, calling an SM2 encryption interface of the hardware encryption machine, reading the configuration file, and generating an SM2 public key and an SM2 private key.
The encryption method based on the national commercial cryptographic algorithm does not need to improve a hardware encryption machine in terms of hardware, and simultaneously generates the SM2 key by using the parameters of the opposite side system, so that the opposite side system can be matched to realize mutual encryption and decryption.
In one embodiment, after generating the SM2 public key and the SM2 private key, the method further includes: and sending the SM2 public key to the opposite side system for encrypting the service content to be sent by the opposite side system.
After the SM2 public key and the SM2 private key are generated, the SM2 public key is sent to the opposite side system, and if business content needing to be encrypted exists in the opposite side system, encryption can be carried out on the basis of the SM2 public key.
In an embodiment, after obtaining the SM2 private key ciphertext, the method further includes: and locally storing the SM2 private key ciphertext for decrypting the content encrypted by the side system based on the SM2 public key.
And after the SM2 public key is sent to the opposite side system, if the opposite side system has service content needing to be encrypted, encrypting the service content based on the SM2 public key. And in the system at the side, the SM2 private key ciphertext is locally stored, and after the service content which is sent by the system at the side and encrypted based on the SM2 public key is received, the service content can be decrypted based on the stored SM2 private key ciphertext.
In one embodiment, after sending the SM2 public key to the contralateral system, the method further includes: receiving a business content ciphertext transmitted by the opposite side system; reading an SM4 secret key ciphertext in the configuration file; calling an SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext to obtain an SM2 private key plaintext; and decrypting the business content ciphertext sent by the opposite side system by using the SM2 private key plaintext to obtain the business content plaintext.
After the opposite side system encrypts the service content based on the SM2 public key, the local side system needs to decrypt the service content after receiving the relevant service content.
In the embodiment of the invention, decryption is based on the SM2 private key ciphertext. Specifically, the SM4 key ciphertext generated in step 101 is first read from the configuration file or configuration table; based on that SM4 key ciphertext, the SM4 decryption interface is called to decrypt the SM2 private key ciphertext and obtain the SM2 private key.
On this basis, the service content can be decrypted with the SM2 private key using the current general decryption method.
In this encryption method based on the national commercial cryptographic algorithm, no one can see the SM2 key plaintext, and it cannot be decrypted outside the system, which avoids the risk of key leakage.
During key exchange, an SM2 public-private key pair meeting the other party's requirements can be produced without hardware modification of the hardware encryption machine. The private key is encrypted into an SM2 private key ciphertext by calling the encryption machine with the SM4 key ciphertext, and only the private key ciphertext is output; deployment personnel handle and configure only the ciphertext, and the service system calls the hardware encryption machine to decrypt the SM2 private key into plaintext for use. The overall system comprises the service system, the opposite-side system and the hardware encryption machine: the service system may be a user M participating in encryption and decryption, the opposite-side system may be a user N participating in encryption and decryption, and the hardware encryption machine is a server providing SM4 key generation, encryption and decryption. M generates the SM2 public-private key pair and obtains the required SM2 private key ciphertext through the hardware encryption machine and the service system; the required SM2 public key is sent through the service system to the opposite-side system, where N receives it.
The encryption device based on the national commercial cryptographic algorithm provided by the invention is described below, and the encryption device based on the national commercial cryptographic algorithm described below and the encryption method based on the national commercial cryptographic algorithm described above can be referred to correspondingly.
Fig. 2 is a schematic structural diagram of an encryption apparatus based on a national commercial cipher algorithm according to the present invention, and as shown in fig. 2, the encryption apparatus based on the national commercial cipher algorithm includes: a generation module 201, a processing module 202 and an encryption module 203. The generation module 201 is configured to invoke an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 key ciphertext; the processing module 202 is configured to invoke an SM2 public-private key pair generation interface, and generate an SM2 public key and an SM2 private key according to the opposite-side system parameter; the encryption module 203 is configured to call an SM4 encryption interface of a hardware encryption machine, and encrypt the SM2 private key based on the SM4 key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service contents with a contralateral system.
In an apparatus embodiment, the processing module 202 is specifically configured to: receiving system parameters specified by an opposite side system, wherein the system parameters comprise a user ID and an encryption mode parameter; configuring the system parameters in a configuration file; and calling an SM2 encryption interface of the hardware encryption machine, reading the configuration file, setting an encryption mode and a signature mode through a transmission mode, and generating an SM2 public key and an SM2 private key.
In an embodiment of the apparatus, the apparatus further comprises a sending module, configured to, after the generating of the SM2 public key and the SM2 private key: and sending the SM2 public key to the opposite side system for encrypting the service content to be sent by the opposite side system.
In an embodiment of the apparatus, the apparatus further comprises a storage module configured to: and locally storing the SM2 private key ciphertext for decrypting the content encrypted by the side system based on the SM2 public key.
In an embodiment of the apparatus, the apparatus further comprises a decryption module configured to: receiving a business content ciphertext transmitted by the opposite side system; reading an SM4 secret key ciphertext in the configuration file; calling an SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext to obtain an SM2 private key plaintext; and decrypting the business content ciphertext sent by the opposite side system by using the SM2 private key plaintext to obtain the business content plaintext.
The encryption device based on the national commercial cipher algorithm provided by the embodiment of the invention is for realizing the above method embodiments, the realization principle is the same as that of the encryption method based on the national commercial cipher algorithm, and for brief description, corresponding contents in the encryption method based on the national commercial cipher algorithm can be referred to where not mentioned in the embodiment of the encryption device based on the national commercial cipher algorithm.
According to the encryption device based on the national commercial cipher algorithm, the SM4 encryption interface of the hardware encryption machine is called, the SM2 private key is encrypted based on the SM4 secret key ciphertext, the SM2 private key is encrypted based on the internal secret key ciphertext while the soft encryption mode is matched with the opposite side system, the risk of secret key leakage does not exist in the whole process of manual operation, no person can see the password plaintext and cannot decrypt the password, the risk of password leakage is avoided, the public and private key pair meeting the requirements of the opposite side system is met, and meanwhile the safety of the system is guaranteed. Therefore, the system on the opposite side does not need to be matched through hardware improvement on the hardware encryption machine, and no additional hardware improvement cost exists.
Fig. 3 is a schematic structural diagram of an electronic device provided by the present invention. As shown in Fig. 3, the electronic device may include a processor 301, a communications interface 302, a memory 303 and a communication bus 304, wherein the processor 301, the communications interface 302 and the memory 303 communicate with each other through the communication bus 304. The processor 301 may invoke logic instructions in the memory 303 to perform an encryption method based on a national commercial cryptographic algorithm, the method comprising: calling an SM4 generation interface of a hardware encryption machine to randomly generate an SM4 secret key ciphertext; calling an SM2 public and private key pair generation interface, and generating an SM2 public key and an SM2 private key according to the opposite side system parameters; calling an SM4 encryption interface of the hardware encryption machine, and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with the opposite side system.
In addition, the logic instructions in the memory 303 may be implemented in the form of software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and various other media capable of storing program code.
In another aspect, the present invention also provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, the computer is capable of executing the encryption method based on the national commercial cryptographic algorithm provided by the above methods, the method comprising: calling an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 secret key ciphertext; calling an SM2 public and private key pair generation interface, and generating an SM2 public key and an SM2 private key according to opposite side system parameters; calling an SM4 encryption interface of the hardware encryption machine, and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with the opposite side system.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the encryption method based on the national commercial cryptographic algorithm provided by the above methods, the method comprising: calling an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 secret key ciphertext; calling an SM2 public and private key pair generation interface, and generating an SM2 public key and an SM2 private key according to opposite side system parameters; calling an SM4 encryption interface of the hardware encryption machine, and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext; the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with the opposite side system.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An encryption method based on a national commercial cryptographic algorithm is characterized by comprising the following steps:
calling an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 secret key ciphertext;
calling an SM2 public and private key pair generation interface, and generating an SM2 public key and an SM2 private key according to opposite side system parameters;
calling an SM4 encryption interface of a hardware encryption machine, and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext;
the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with the opposite side system.
2. The encryption method based on the national commercial cryptographic algorithm according to claim 1, wherein the calling of the SM2 public and private key pair generation interface to generate the SM2 public key and the SM2 private key according to the opposite side system parameters comprises:
receiving system parameters specified by the opposite side system, wherein the system parameters comprise a user ID and an encryption mode parameter;
configuring the system parameters in a configuration file;
and calling the SM2 public and private key pair generation interface, reading the configuration file, and setting encryption parameters by parameter passing, wherein the encryption parameters comprise an encryption mode and a signature mode parameter, and generating the SM2 public key and the SM2 private key.
3. The encryption method based on the national commercial cryptographic algorithm according to claim 1, wherein after the generating of the SM2 public key and the SM2 private key, the method further comprises:
and sending the SM2 public key to the opposite side system for encrypting the service content to be sent by the opposite side system.
4. The encryption method based on the national commercial cryptographic algorithm according to claim 1, further comprising, after obtaining the SM2 private key ciphertext:
and locally storing the SM2 private key ciphertext for decrypting the content encrypted by the opposite side system based on the SM2 public key.
5. The encryption method based on the national commercial cryptographic algorithm according to claim 3, wherein after the sending of the SM2 public key to the opposite side system, the method further comprises:
receiving a business content ciphertext transmitted by the opposite side system;
reading an SM4 secret key ciphertext in the configuration file;
calling an SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext to obtain an SM2 private key plaintext;
and decrypting the business content ciphertext sent by the opposite side system by using the SM2 private key plaintext to obtain the business content plaintext.
6. An encryption device based on a national commercial cryptographic algorithm, comprising:
the generation module is used for calling an SM4 generation interface of the hardware encryption machine to randomly generate an SM4 secret key ciphertext;
the processing module is used for calling an SM2 public and private key pair generation interface and generating an SM2 public key and an SM2 private key according to opposite side system parameters;
the encryption module is used for calling an SM4 encryption interface of a hardware encryption machine and encrypting the SM2 private key based on the SM4 secret key ciphertext to obtain an SM2 private key ciphertext;
the SM2 public key and the SM2 private key ciphertext are used for encrypting and decrypting service content with the opposite side system.
7. The encryption device based on the national commercial cryptographic algorithm according to claim 6, further comprising a decryption module for:
receiving a business content ciphertext transmitted by the opposite side system;
reading an SM4 secret key ciphertext in the configuration file;
calling an SM4 decryption interface of the hardware encryption machine to decrypt the SM2 private key ciphertext to obtain an SM2 private key plaintext;
and decrypting the business content ciphertext sent by the opposite side system by using the SM2 private key plaintext to obtain the business content plaintext.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the national commercial cryptographic algorithm based encryption method according to any one of claims 1 to 5 when executing the program.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the national commercial cryptographic algorithm based encryption method according to any one of claims 1 to 5.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the national commercial cryptographic algorithm based encryption method according to any one of claims 1 to 5 when executed by a processor.
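The key-protection flow of claims 1, 4 and 5, as an added example that is not code from the patent or its applicant. Assumptions: `MockHSM` and all function names are hypothetical, the SM4 key ciphertext is taken to be the SM4 key wrapped under a key internal to the hardware encryption machine, a SHAKE-256/HMAC construction stands in for SM4, and the SM2 private key is represented by a caller-supplied byte string (SM2 key generation and SM2 decryption of the service content are not modelled).

```python
import hashlib
import hmac
import secrets

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHAKE-256 keystream) used in place of SM4; not SM4 itself.
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + body + hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext rejected: wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, body)

class MockHSM:
    """Models the hardware encryption machine; _master never leaves the object."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # assumed internal master key

    def sm4_generate(self) -> bytes:
        # Claim 1, step 1: the caller receives only the SM4 key ciphertext.
        return _seal(self._master, secrets.token_bytes(16))

    def sm4_encrypt(self, sm4_key_ct: bytes, data: bytes) -> bytes:
        return _seal(_open(self._master, sm4_key_ct), data)

    def sm4_decrypt(self, sm4_key_ct: bytes, blob: bytes) -> bytes:
        return _open(_open(self._master, sm4_key_ct), blob)

def protect_private_key(hsm: MockHSM, sm2_private: bytes) -> tuple[bytes, bytes]:
    # Claims 1 and 4: wrap the SM2 private key; only the two ciphertexts are stored.
    sm4_key_ct = hsm.sm4_generate()
    return sm4_key_ct, hsm.sm4_encrypt(sm4_key_ct, sm2_private)

def recover_private_key(hsm: MockHSM, sm4_key_ct: bytes, sm2_private_ct: bytes) -> bytes:
    # Claim 5: the HSM unwraps; the plaintext exists in the caller only from here on.
    return hsm.sm4_decrypt(sm4_key_ct, sm2_private_ct)
```

Both stored values (the SM4 key ciphertext in the configuration file and the SM2 private key ciphertext on local disk) are useless without access to the same hardware encryption machine, which is the property the claims rely on.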
CN202211350989.XA 2022-10-31 2022-10-31 Encryption method and device based on national commercial cryptographic algorithm Pending CN115834038A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211350989.XA CN115834038A (en) 2022-10-31 2022-10-31 Encryption method and device based on national commercial cryptographic algorithm

Publications (1)

Publication Number Publication Date
CN115834038A true CN115834038A (en) 2023-03-21

Family

ID=85525981

Country Status (1)

Country Link
CN (1) CN115834038A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116594972A (en) * 2023-07-17 2023-08-15 国网江苏省电力有限公司信息通信分公司 File encryption sharing method and device
CN116594972B (en) * 2023-07-17 2023-10-24 国网江苏省电力有限公司信息通信分公司 File encryption sharing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination