CN116073987A - Reliability design method of block cipher mode, cipher card and server - Google Patents


Publication number
CN116073987A
Authority
CN
China
Prior art keywords
data
algorithm
encryption
encrypted
state machine
Legal status
Pending
Application number
CN202310014637.5A
Other languages
Chinese (zh)
Inventor
苏振宇
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202310014637.5A
Publication of CN116073987A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Abstract

The invention belongs to the technical field of information security and provides a reliability design method for block cipher modes, a cipher card and a server. The cipher card comprises an algorithm control state machine, a cryptographic algorithm module and an algorithm mode module. The algorithm control state machine is connected to a cache and to a register group that stores state values. The cache stores the data to be encrypted/decrypted that is transmitted to the cipher card from outside, the intermediate results of encryption algorithm processing, and the ciphertext/plaintext data produced when processing completes. The algorithm control state machine reads the data in the register group and the cache, transmits the data in the cache to the corresponding encryption algorithm processing engine according to the values set in the register group, controls that engine to perform the data encryption/decryption operation in the corresponding block cipher mode, and transmits the resulting ciphertext/plaintext data to the cache. In this way error propagation and diffusion of the ciphertext are prevented and the reliability of the block cipher mode is improved.

Description

Reliability design method of block cipher mode, cipher card and server
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a reliability design method of a block cipher mode and a cipher card.
Background
Cryptographic algorithms are classified into block ciphers and sequence (stream) ciphers according to how they process the plaintext. The block cipher is also called a symmetric cipher: encryption processes a plaintext with the algorithm's encryption function and a secret key and outputs a ciphertext; decryption is the inverse of encryption, in which the ciphertext is processed with the algorithm's decryption function and the same key, thereby recovering the plaintext. Typical block cipher algorithms are 3DES, AES, SM4, etc. The block length of 3DES is 64 bits, i.e. only 64 bits of plaintext/ciphertext can be encrypted/decrypted at a time, producing 64 bits of ciphertext/plaintext; the block length of both AES and SM4 is 128 bits, so 128 bits can be encrypted/decrypted at a time, producing 128 bits of ciphertext/plaintext.
A block cipher algorithm can only encrypt a block of fixed length, but in practice the plaintext to be encrypted may exceed the block length. The block cipher algorithm must then be iterated to encrypt the whole plaintext; the method of iteration is the block cipher mode, and the modes generally include ECB, CBC, CFB, OFB and others. Because ECB mode has the weakness that the order of the ciphertext blocks can be changed in order to manipulate the plaintext, the prior art improves on it by using the CBC, CFB or OFB mode instead of ECB mode.
In CBC-mode encryption, a hardware line fault, signal interference during transmission, or a problem in the hardware implementation of the encryption algorithm can, with some probability, cause a ciphertext error during encryption. The error then spreads to all subsequent ciphertext blocks, and because an erroneous ciphertext leads to erroneous data on decryption, the correct plaintext cannot be recovered and practical use is affected. CFB mode also suffers from error diffusion. In OFB mode, if an error occurs during the iterative encryption of the initial vector, the corresponding ciphertext block and the subsequent blocks are affected, so the problem of error diffusion exists there as well.
Disclosure of Invention
In CBC-mode encryption, a hardware line fault, signal interference during transmission, or a problem in the hardware implementation of the encryption algorithm can, with some probability, cause a ciphertext error during encryption. The error then spreads to all subsequent ciphertext blocks, and because an erroneous ciphertext leads to erroneous data on decryption, the correct plaintext cannot be recovered and practical use is affected. CFB mode also suffers from error diffusion. In OFB mode, if an error occurs during the iterative encryption of the initial vector, the corresponding ciphertext block and the subsequent blocks are affected, so the problem of error diffusion exists there as well. To address the problem of error diffusion in the conventional encryption process of block cipher modes, the invention provides a reliability design method for block cipher modes and a cipher card.
In a first aspect, the invention provides a reliability design method for a block cipher mode, comprising the following steps:
controlling the encryption algorithm to encrypt the data to be encrypted and generate encrypted data, and performing error detection and correction on the generated encrypted data; once the generated encrypted data is correct, controlling the encryption algorithm to process the next data to be encrypted; and repeating until all the data to be encrypted has been processed.
As a preferred embodiment of the present invention, the method includes:
controlling the encryption algorithm to process the same data to be encrypted twice in succession, generating the corresponding encrypted data each time;
comparing the two groups of encrypted data generated successively;
when the two are inconsistent, controlling an encryption algorithm to process the data to be encrypted again;
when the two are consistent, judging that the encryption result is correct, and controlling the encryption algorithm to process the next data to be encrypted; until all the data to be encrypted are processed.
As a preferred embodiment of the present invention, the method includes:
controlling an encryption algorithm to encrypt data to be encrypted to generate ciphertext;
the decryption algorithm is controlled to decrypt the generated ciphertext to generate decrypted data, and the decrypted data are stored in a register;
comparing the decrypted data in the register with the original data to be encrypted;
when the two are inconsistent, controlling an encryption algorithm to process the data to be encrypted again;
when the two are consistent, controlling an encryption algorithm to process the next data to be encrypted; until all the data to be encrypted are processed.
As a preferred embodiment of the present invention, the method further comprises:
providing two encryption algorithm processing engines and controlling them to perform the encryption algorithm processing simultaneously, generating the corresponding encrypted data.
As a preferred aspect of the present invention, when the block cipher mode is the CBC mode, the method includes:
providing an algorithm control state machine that controls the two encryption algorithm processing engines to process one plaintext block simultaneously, each generating a corresponding ciphertext;
comparing whether the ciphertexts generated by the two encryption algorithm processing engines are consistent;
when the ciphertexts are inconsistent, the algorithm control state machine controls the two encryption algorithm processing engines to process the same plaintext block again simultaneously, until the ciphertexts generated by the two engines are consistent; the algorithm control state machine then controls the two engines to process the next plaintext block simultaneously; and so on, generating the corresponding ciphertext blocks until all plaintext blocks have been processed.
As a preferred aspect of the present invention, when the block cipher mode is the CFB mode, the method includes:
providing an algorithm control state machine that controls the two encryption algorithm processing engines to process the initial vector simultaneously, generating the corresponding cipher data; when the cipher data generated by the two engines is consistent, performing an exclusive-or operation on the generated cipher data and the plaintext block to generate the ciphertext;
the algorithm control state machine then controls the two encryption algorithm processing engines to process the generated ciphertext simultaneously, generating the corresponding cipher data; when the cipher data generated by the two engines is consistent, performing an exclusive-or operation on the generated cipher data and the next plaintext block to generate the ciphertext; and so on, generating the corresponding ciphertext blocks until all plaintext blocks have been processed.
As one preferable aspect of the present invention, when the block cipher mode is the OFB mode, the method includes:
providing an algorithm control state machine that controls the two encryption algorithm processing engines to process the initial vector simultaneously, generating the corresponding cipher data;
when the cipher data generated by the two encryption algorithm processing engines is the same, performing an exclusive-or operation on the generated cipher data and the plaintext block to generate the ciphertext; meanwhile, the algorithm control state machine controls the two encryption algorithm processing engines to process the cipher data again simultaneously, generating the next cipher data;
when the cipher data generated again by the two encryption algorithm processing engines is the same, performing an exclusive-or operation on that cipher data and the next plaintext block to generate the ciphertext; and so on, generating the corresponding ciphertext blocks until all plaintext blocks have been processed.
In a second aspect, the present invention provides a cryptographic card supporting reliability of a block cipher mode, including a programmable logic unit, where the programmable logic unit includes an algorithm control state machine, a cryptographic algorithm module, and an algorithm mode module;
the algorithm control state machine is connected with a buffer memory and a register group for storing state values;
the algorithm mode module comprises at least one block cipher mode;
the cryptographic algorithm module comprises a cryptographic algorithm processing engine;
the algorithm control state machine controls the encryption algorithm processing engine to execute the reliability design method for the block cipher mode; specifically, the algorithm control state machine controls the encryption algorithm processing engine to run the corresponding encryption algorithm on the data to be encrypted and generate encrypted data, and error detection and correction is performed on the generated encrypted data; once the generated encrypted data is correct, the algorithm control state machine controls the encryption algorithm processing engine to process the next data to be encrypted; this repeats until all the data to be encrypted has been processed.
The cache stores the data to be encrypted/decrypted that is transmitted to the cipher card from outside, the intermediate results of encryption algorithm processing, and the ciphertext/plaintext data produced when processing completes;
the algorithm control state machine reads the data in the register group and the cache, transmits the data in the cache to the corresponding encryption algorithm processing engine according to the values set in the register group, controls that engine to perform the data encryption/decryption operation in the corresponding block cipher mode, and transmits the resulting ciphertext/plaintext data to the cache.
As one preferable choice of the technical scheme of the invention, the cryptographic algorithm module comprises two parallel processing encryption algorithm processing engines;
the programmable logic unit comprises a PCI-E protocol IP core;
the PCI-E protocol IP core is connected with the cache;
the PCI-E protocol IP core performs bus protocol conversion, converting the physical PCI-E bus into the bus on the board side.
As one preferable aspect of the present invention, the programmable logic unit further includes a clock control module, which performs clock frequency conversion to provide the working clock of each module of the programmable logic unit;
the cipher card also comprises a power supply module and a JTAG/AS interface;
the power supply module provides the working voltage for the cipher card;
the JTAG/AS interface is the debugging/downloading interface for the program and is used to debug and download the program of the programmable logic unit.
As one preferable choice of the technical scheme of the invention, the cache comprises a first-level cache and a second-level cache;
the PCI-E protocol IP core is connected with the first-level cache;
the algorithm control state machine and the cryptographic algorithm module are respectively connected with the secondary cache;
the first-level cache stores the data to be encrypted/decrypted that the host computer transmits to the cipher card, and the ciphertext/plaintext data produced when encryption algorithm processing completes;
and the second-level cache is used for storing intermediate results of the processing process of the encryption algorithm processing engine.
As a preferable aspect of the present invention, the working process of the cipher card includes:
the cipher card receives the service type and the plaintext blocks transmitted from outside over the PCI-E bus and stores them in the register group and the first-level cache respectively;
the algorithm control state machine reads the register group, and reads the initial vector and the plaintext/ciphertext blocks from the first-level cache;
the algorithm control state machine transmits the data in the first-level cache to the corresponding encryption algorithm processing engine according to the values set in the register group;
the encryption algorithm processing engine performs the data encryption/decryption operation in the corresponding block cipher mode;
the algorithm control state machine transmits the ciphertext/plaintext blocks one by one to the first-level cache via the second-level cache until all plaintext blocks have been processed;
the algorithm control state machine transmits the data in the first-level cache back to the host computer over the PCI-E bus, completing the data processing service.
The control logic of the algorithm control state machine comprises:
1) After reset the cipher card enters the idle state; when the reset has finished and the host computer starts a service, it enters the start state;
2) In the start state, the algorithm control state machine waits for the host computer to set the register group and to transmit the plaintext blocks to be processed to the first-level cache, and then enters the register-group reading state;
3) In the register-group reading state, the algorithm control state machine reads all groups of values in the register group that represent the service type, and then enters the initial-vector reading state;
4) In the initial-vector reading state, the algorithm control state machine reads the initial vector IV from the first-level cache, and then enters the data reading state;
5) In the data reading state, the algorithm control state machine reads the first plaintext block from the first-level cache, and then enters the waiting state;
6) In the waiting state, the algorithm control state machine selects the corresponding encryption algorithm processing engine and the corresponding mode according to the values set in the register group and controls the engine to work in that mode; for an encryption operation, the algorithm control state machine compares the ciphertext block data in the two second-level caches until they are consistent, and then enters the data writing state; the corresponding mode here is a mode with the reliability design;
7) In the data writing state, the algorithm control state machine transmits the data in the second-level cache to the first-level cache, and then enters the end state;
8) In the end state, the algorithm control state machine determines whether all plaintext block operations have finished; if not, steps 5) to 7) are repeated until all plaintext blocks have been processed and transmitted back to the first-level cache, after which it returns to the idle state.
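The control logic of steps 1) to 8), driving two engines in the dual-engine CFB and OFB schemes described earlier, as an added Python simulation that is not the patent's own code. The keyed-hash engine stand-in (forward direction only, which is all CFB and OFB use), the register and cache field names, the bit-flip fault model and the `MAX_RETRIES` bound are assumptions.

```python
import hashlib
from enum import Enum

S = Enum("S", "IDLE START READ_REG READ_IV READ_DATA WAIT WRITE_DATA END")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_engine(faults=()):
    """Engine stand-in E(block, K): a keyed hash, forward direction only (assumption).
    One output bit is flipped on the call numbers in `faults` (constructed fault model)."""
    calls = [0]
    def engine(block, key):
        calls[0] += 1
        out = hashlib.sha256(key + block).digest()[:16]
        return bytes([out[0] ^ 1]) + out[1:] if calls[0] in faults else out
    return engine

def reference(mode, iv, blocks, key):
    """Fault-free single-engine run: CFB C_i = P_i xor E(C_{i-1}, K);
    OFB IV_i = E(IV_{i-1}, K), C_i = P_i xor IV_i."""
    eng, feedback, out = make_engine(), iv, []
    for p in blocks:
        cipher_data = eng(feedback, key)
        out.append(xor(p, cipher_data))
        feedback = out[-1] if mode == "CFB" else cipher_data
    return out

class CipherCard:
    MAX_RETRIES = 8  # assumption: the text retries until equal, with no bound

    def __init__(self, engine_a, engine_b):
        self.engines = (engine_a, engine_b)
        self.regs = {}                                # register group
        self.l1 = {"iv": b"", "in": [], "out": []}    # first-level cache
        self.l2 = [b"", b""]                          # second-level cache, one slot per engine
        self.trace = [S.IDLE]                         # states visited

    def host_submit(self, mode, iv, blocks):
        """Host side: set the service type and load the IV and plaintext blocks."""
        self.regs = {"mode": mode}
        self.l1 = {"iv": iv, "in": list(blocks), "out": []}

    def run(self, key):
        state, idx, retries = S.START, 0, 0
        mode = feedback = block = cipher = None
        while state is not S.IDLE:
            self.trace.append(state)
            if state is S.START:            # 2) registers and L1 cache already set by host
                state = S.READ_REG
            elif state is S.READ_REG:       # 3) read the service type
                mode = self.regs["mode"]
                if mode not in ("CFB", "OFB"):
                    raise ValueError("unsupported mode")
                state = S.READ_IV
            elif state is S.READ_IV:        # 4) IV becomes the first engine input
                feedback = self.l1["iv"]
                state = S.READ_DATA if self.l1["in"] else S.IDLE
            elif state is S.READ_DATA:      # 5) fetch the current plaintext block
                block = self.l1["in"][idx]
                state = S.WAIT
            elif state is S.WAIT:           # 6) both engines process the same input
                self.l2 = [eng(feedback, key) for eng in self.engines]
                if self.l2[0] != self.l2[1]:
                    retries += 1
                    if retries > self.MAX_RETRIES:
                        raise RuntimeError("engines never agree")
                    continue                # stay in WAIT and recompute
                cipher = xor(block, self.l2[0])
                feedback = cipher if mode == "CFB" else self.l2[0]
                retries, state = 0, S.WRITE_DATA
            elif state is S.WRITE_DATA:     # 7) result goes to the first-level cache
                self.l1["out"].append(cipher)
                state = S.END
            elif state is S.END:            # 8) more blocks to process?
                idx += 1
                state = S.READ_DATA if idx < len(self.l1["in"]) else S.IDLE
        self.trace.append(S.IDLE)
        return self.l1["out"]

if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(range(16))             # constructed values
    blocks = [bytes([i]) * 16 for i in (1, 2, 3)]     # three constructed blocks
    card = CipherCard(make_engine(), make_engine(faults={2}))
    card.host_submit("OFB", iv, blocks)
    print(card.run(key) == reference("OFB", iv, blocks, key))
    print([s.name for s in card.trace])
```

With a transient fault in one engine on the second block, the trace shows the waiting state twice for that block and the output still equals the fault-free reference.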
In a third aspect, the present invention further provides a server, including a cryptographic card as described in the second aspect.
From the above technical scheme, the invention has the following advantages:
1. For the CBC, CFB and OFB modes of a block cipher algorithm, error detection and correction functions are added to the encryption process, which prevents error propagation and diffusion of the ciphertext and improves the reliability of the block cipher mode.
2. By designing the cryptographic algorithm for dual-core parallel operation, computing performance is improved while reliability is maintained, meeting the data encryption performance requirements of the information security field.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
It can be seen that the present invention has outstanding substantial features and significant advances over the prior art, as well as its practical advantages.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic diagram of a conventional block cipher mode encryption.
FIG. 2 is a schematic diagram of CBC mode encryption according to one embodiment of the present invention.
FIG. 3 is a schematic diagram of CBC mode encryption according to another embodiment of the present invention.
FIG. 4 is a CBC mode encryption schematic of a dual engine process according to one embodiment of the invention.
FIG. 5 is a CFB mode encryption schematic of a dual engine process in accordance with an embodiment of the present invention.
Fig. 6 is an OFB mode encryption schematic of a dual engine process according to one embodiment of the invention.
Fig. 7 is a diagram of a cryptographic card architecture supporting block cipher mode reliability in accordance with one embodiment of the present invention.
FIG. 8 is a flow chart of the operation of a cryptographic card in accordance with one embodiment of the invention.
FIG. 9 shows the logic of the algorithm control state machine of one embodiment of the present invention.
Detailed Description
Because ECB mode has the weakness that the order of the ciphertext blocks can be changed in order to manipulate the plaintext, the prior art improves on it by using the CBC, CFB or OFB mode instead of ECB mode. The CBC-mode encryption structure is shown in Fig. 1(a), and the encryption process is as follows:
$$C_1 = E(P_1 \oplus IV, K)$$
$$C_i = E(P_i \oplus C_{i-1}, K), \quad i = 2, 3, \ldots, n$$
The CFB-mode encryption structure is shown in Fig. 1(b), and the encryption process is as follows:
$$C_1 = P_1 \oplus E(IV, K)$$
$$C_i = P_i \oplus E(C_{i-1}, K), \quad i = 2, 3, \ldots, n$$
The OFB-mode encryption structure is shown in Fig. 1(c), and the encryption process is as follows:
$$IV_i = E(IV_{i-1}, K)$$
$$C_i = P_i \oplus IV_i, \quad i = 1, 2, \ldots, n$$
In the above formulas, P represents the plaintext, C the ciphertext, IV the initial vector, E the encryption algorithm, K the key, and $\oplus$ the exclusive-or (XOR) operation.
The invention provides a reliability design method for block cipher modes and a cipher card, mainly applied in the field of information security. It improves the CBC, CFB and OFB modes of a block cipher algorithm by adding error detection and correction functions to the encryption process, which prevents error propagation and diffusion of the ciphertext and improves the reliability of the block cipher mode. In addition, by designing the cryptographic algorithm for dual-core parallel operation, computing performance is improved while reliability is maintained, meeting the security and efficiency requirements of data encryption in the information security field. So that those skilled in the art can better understand the technical solution of the invention, it is described clearly and completely below with reference to the accompanying drawings of the embodiments. The described embodiments are evidently only some, not all, of the embodiments of the invention. All other embodiments that those skilled in the art can obtain from the embodiments of the invention without inventive effort fall within the scope of the invention.
ECB: Electronic CodeBook mode, the electronic codebook mode of a block cipher algorithm.
CBC: Cipher Block Chaining mode, the cipher block chaining mode of a block cipher algorithm.
CFB: Cipher FeedBack mode, the ciphertext feedback mode of a block cipher algorithm.
OFB: Output FeedBack mode, the output feedback mode of a block cipher algorithm.
The embodiment of the invention provides a reliability design method of a block cipher mode, which comprises the following steps:
controlling the encryption algorithm to encrypt the data to be encrypted and generate encrypted data, and performing error detection and correction on the generated encrypted data; once the generated encrypted data is correct, controlling the encryption algorithm to process the next data to be encrypted; and repeating until all the data to be encrypted has been processed.
In the embodiment of the invention, the specific implementation comprises the following steps:
controlling the encryption algorithm to process the same data to be encrypted twice in succession, generating the corresponding encrypted data each time; comparing the two groups of encrypted data so generated; when the two are inconsistent, controlling the encryption algorithm to process the data to be encrypted again; when the two are consistent, judging that the encryption result is correct and controlling the encryption algorithm to process the next data to be encrypted; and repeating until all the data to be encrypted has been processed.
When the block cipher mode is CBC, a data buffer area for storing ciphertext is added to the existing structure, so that two data buffer areas are used. An algorithm control state machine is provided that controls the encryption algorithm to process a plaintext block, generating ciphertext I, which is stored in data buffer area I; the algorithm control state machine then controls the encryption algorithm to process the same plaintext block again, generating ciphertext II, which is stored in data buffer area II; ciphertext I stored in data buffer area I is then compared with ciphertext II stored in data buffer area II.
Data buffer area: may be a RAM (random access memory) or a FIFO (first-in first-out queue). Data buffer area I stores the ciphertext blocks C1, C2, …, Cn produced by the encryption algorithm, and data buffer area II stores the ciphertext blocks C1', C2', …, Cn'.
Algorithm control state machine: controls the encryption algorithm. As shown in Fig. 2, it first controls the encryption algorithm to encrypt the plaintext block P1, generating the ciphertext block C1, which is stored in data buffer area I; it then controls the encryption algorithm to encrypt P1 again, generating the ciphertext block C1', which is stored in data buffer area II. C1 is then compared with C1': if C1 = C1', the next plaintext block P2 is encrypted; if C1 ≠ C1', the plaintext block P1 must be encrypted again, and P2 is not processed until C1 = C1'. This continues until all plaintext blocks up to Pn have been processed and the corresponding ciphertext blocks up to Cn have been generated.
By adding a data buffer area, repeating the encryption once and comparing the ciphertexts, the method guards against ciphertext errors caused by hardware line faults, signal interference during transmission, computation errors of the encryption algorithm and the like, which improves encryption reliability and solves the problem of ciphertext error diffusion.
In other words, in this embodiment error detection and correction in the encryption process is achieved by encrypting the same plaintext block twice in succession and comparing the results; the next plaintext block is processed only once the two ciphertexts are identical.
The embodiment of the invention provides a reliability design method of a block cipher mode, which comprises the following steps:
controlling the encryption algorithm to encrypt the data to be encrypted and generate encrypted data, and performing error detection and correction on the generated encrypted data; once the generated encrypted data is correct, controlling the encryption algorithm to process the next data to be encrypted; and repeating until all the data to be encrypted has been processed.
In the embodiment of the invention, when the block cipher mode is the CBC mode, the specific implementation includes:
controlling an encryption algorithm to encrypt data to be encrypted to generate ciphertext; the decryption algorithm is controlled to decrypt the generated ciphertext to generate decrypted data, and the decrypted data are stored in a register; comparing the decrypted data in the register with the original data to be encrypted; when the two are inconsistent, controlling an encryption algorithm to process the data to be encrypted again; when the two are consistent, controlling an encryption algorithm to process the next data to be encrypted; until all the data to be encrypted are processed.
One data buffer area is used, and a decryption algorithm D and a register J are added:
data buffer area: stores the ciphertext blocks C1, C2, …, Cn computed by the encryption algorithm E;
decryption algorithm D: the inverse operation of the encryption algorithm E, using the same key K; it decrypts the ciphertext to generate the corresponding plaintext;
register J: temporarily stores the intermediate plaintext value obtained by decrypting the ciphertext during the encryption process.
As shown in Fig. 3, the algorithm control state machine first controls the encryption algorithm to encrypt the plaintext block P1, generating the ciphertext block C1, which is stored in the data buffer area; it then controls the decryption algorithm D to decrypt the ciphertext C1, generating the plaintext block P1', which is temporarily stored in register J. P1' in the register is then compared with the original plaintext block P1: if P1' = P1, the next plaintext block P2 is encrypted; if P1' ≠ P1, the plaintext P1 must be processed again, and the plaintext block P2 is not processed until P1' = P1. This continues until all plaintext blocks up to Pn have been processed and the corresponding ciphertext blocks up to Cn have been generated.
In the error detection and correction process of this embodiment, each ciphertext block is decrypted during encryption and compared with the original plaintext, which improves the reliability of the encryption process and prevents error propagation. This embodiment uses one data buffer area. In addition, register J is used only for temporary storage of plaintext block data, and each plaintext block computed later overwrites the previous one (for example, the intermediate plaintext result P2' generated by decrypting the ciphertext C2 overwrites the previously stored P1'), so the plaintext data is not exposed during the computation and the data security requirement is satisfied.
The CFB and OFB mode reliability design method is consistent with the CBC mode reliability design scheme described above, and will not be described again here.
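The decrypt-and-compare check described above, as an added Python simulation that is not part of the patent: it shows a single transient fault in C2 corrupting every later CBC ciphertext group when unchecked, and being corrected by one re-encryption when checked. The 4-round Feistel cipher standing in for E and D, the one-bit fault model, the `faulty_calls` parameter and the `max_retries` bound are assumptions made for the example.

```python
import hashlib

BLOCK = 16  # bytes per group (128 bits, as for SM4 or AES)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of a constructed 4-round Feistel stand-in (NOT SM4/AES/3DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """Encryption algorithm E (stand-in cipher, assumption of this example)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Decryption algorithm D: the inverse of E under the same key K."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, groups, faulty_calls=(), check=True, max_retries=8):
    """CBC encryption with the decrypt-and-compare check.

    faulty_calls: 1-based call numbers of E whose output gets one bit flipped
    (assumed transient-fault model). max_retries is an added bound; the text
    simply repeats until P' = P. Returns (data buffer, number of re-encryptions).
    """
    data_buffer, prev, calls, redo = [], iv, 0, 0
    reg_j = None                            # register J: the single slot for P'
    for p in groups:
        for _ in range(max_retries):
            c = E(key, _xor(p, prev))
            calls += 1
            if calls in faulty_calls:       # inject the fault into this output
                c = bytes([c[0] ^ 0x01]) + c[1:]
            if not check:
                break
            reg_j = _xor(D(key, c), prev)   # new P' overwrites the previous P'
            if reg_j == p:
                break
            redo += 1
        else:
            raise RuntimeError("group never verified; fault is not transient")
        data_buffer.append(c)               # only now does C enter the chain
        prev = c
    return data_buffer, redo

def demo():
    key, iv = b"constructed-key!", bytes(range(BLOCK))
    groups = [bytes([n]) * BLOCK for n in (1, 2, 3, 4)]   # constructed P1..P4
    clean, _ = cbc_encrypt(key, iv, groups)
    unchecked, _ = cbc_encrypt(key, iv, groups, faulty_calls={2}, check=False)
    checked, redo = cbc_encrypt(key, iv, groups, faulty_calls={2})
    wrong = [i + 1 for i, (a, b) in enumerate(zip(clean, unchecked)) if a != b]
    return wrong, checked == clean, redo

if __name__ == "__main__":
    print(demo())
```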
The embodiment of the invention provides a reliability design method of a block cipher mode, which comprises the following steps:
the encryption algorithm is controlled to perform an encryption operation on the data to be encrypted to generate encrypted data, and error detection and correction processing is performed on the generated encrypted data; once the generated encrypted data is correct, the encryption algorithm is controlled to process the next data to be encrypted, until all the data to be encrypted has been processed.
It should be noted that, since one repeated calculation of the algorithm is added in each encryption process, the algorithm mode incurs additional calculation delay. For scenarios with higher requirements on algorithm computing performance, in order to further improve data encryption performance while maintaining the reliability of the algorithm mode, a dual-engine parallel processing mode of the encryption algorithm is adopted. In this embodiment, the step of controlling the encryption algorithm to encrypt and generate encrypted data comprises the following steps:
setting two encryption algorithm processing engines, and controlling the two encryption algorithm processing engines by an algorithm control state machine to simultaneously perform encryption algorithm processing to generate corresponding encryption data.
When the block cipher mode is CBC mode, the method includes:
setting an algorithm control state machine to control two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on one plaintext packet to generate a corresponding ciphertext; comparing whether ciphertext generated by processing of the two encryption algorithm processing engines is consistent or not; when the ciphertexts are inconsistent, the algorithm control state machine is set to control the two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on the plaintext packet again until the ciphertexts generated by the two encryption algorithm processing engines are consistent, and the algorithm control state machine is set again to control the two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on the next plaintext packet again; and generating corresponding ciphertext blocks until all plaintext blocks are processed.
The CBC mode performance enhancement adds an encryption algorithm processing engine (Core2) on the basis of fig. 2. As shown in fig. 4, Core2 is functionally identical to Core1, and in each encryption of a plaintext packet the algorithm control state machine controls Core1 and Core2 to work simultaneously. First the ciphertext groups C1 and C1' are calculated; when C1 is not equal to C1', the algorithm control state machine controls Core1 and Core2 to calculate again at the same time, and once C1 = C1' the plaintext group P2 is processed, and so on until all plaintext groups Pn have been processed and the corresponding ciphertexts Cn generated. Compared with the serial mode of fig. 2, in which C1 and C1' are calculated one after the other, the parallel mode of fig. 4 improves data encryption performance and can meet application scenarios with high requirements on data encryption processing efficiency.
In some embodiments, when the block cipher mode is CFB mode, the method includes:
setting an algorithm control state machine to control two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on the initial vector to generate corresponding password data, and carrying out exclusive OR operation on the generated password data and a plaintext block to generate ciphertext when the password data generated by the two encryption algorithm processing engines are consistent;
setting an algorithm control state machine to control two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on the generated ciphertext to generate corresponding password data, and carrying out exclusive OR operation on the generated password data and the next plaintext block to generate ciphertext when the password data generated by the two encryption algorithm processing engines are consistent; and generating corresponding ciphertext blocks until all plaintext blocks are processed.
The reliability design of the CFB mode is shown in fig. 5. In each encryption process, the initial vector IV and the ciphertext blocks C1, C2, …, Cn are processed in parallel by the encryption algorithm engines Core1 and Core2 under the control of the algorithm control state machine, which achieves reliability, prevents error diffusion caused by an erroneous ciphertext block, and improves encryption performance.
In some embodiments, when the block cipher mode is an OFB mode, the method includes:
setting an algorithm control state machine to control two encryption algorithm processing engines to simultaneously carry out encryption algorithm processing on the initial vector so as to generate corresponding password data;
when the cipher data generated by the two encryption algorithm processing engines are the same, performing exclusive OR operation on the generated cipher data and the plaintext block to generate ciphertext; meanwhile, an algorithm control state machine is arranged to control two encryption algorithm processing engines to simultaneously perform encryption algorithm processing on the password data again to generate corresponding password data;
when the two encryption algorithm processing engines process the generated password data again to be the same, performing exclusive OR operation on the password data and the next plaintext block to generate ciphertext; and generating corresponding ciphertext blocks until all plaintext blocks are processed.
The design for improving the reliability and performance of the OFB mode is shown in fig. 6. In each encryption process, the initial vector IV is processed in parallel by the encryption algorithm engines Core1 and Core2 under the control of the algorithm control state machine, which achieves reliability, prevents error diffusion into the ciphertext packets caused by errors of the initial vector during iterative encryption, and improves encryption performance.
As shown in fig. 7, an embodiment of the present invention provides a cryptographic card supporting reliability of a block cipher mode, including a programmable logic unit, where the programmable logic unit includes an algorithm control state machine, a cryptographic algorithm module, an algorithm mode module, a cache, a register set, a clock control module, and a PCI-E protocol IP core;
the PCI-E protocol IP core is used for realizing bus protocol conversion and converting a physical PCI-E bus into a bus of a board card end;
the algorithm control state machine is connected with a buffer memory and a register group for storing state values;
the algorithm mode module comprises at least one block cipher mode;
the cryptographic algorithm module comprises a cryptographic algorithm processing engine;
an algorithm control state machine for controlling the encryption algorithm processing engine to execute the method described in the above embodiment to perform reliability design on the block cipher mode;
the buffer memory is used for storing data to be encrypted/decrypted, an intermediate result processed by an encryption algorithm and ciphertext/plaintext data after the processing is completed, which are externally transmitted to the password card; the cache comprises a first-level cache and a second-level cache;
the first-level cache is used for storing the grouping data to be encrypted/decrypted, which is transmitted to the password card by the upper computer, and the ciphertext/plaintext data after the operation of the password algorithm is completed; as previously described, the first-level cache may be implemented with RAM or FIFO.
The second-level cache is used for storing intermediate results of the operation process of the encryption algorithm processing engine; comprises 2 groups, namely a second-level buffer memory (1) and a second-level buffer memory (2); the first group is used for temporarily storing intermediate results of the operation process of the encryption algorithm processing engine Core 1; the second group is used for temporarily storing intermediate results of the encryption algorithm processing engine Core2 operation.
Register set: representing the type of service, and specifically includes 4 sets of registers.
Register I: algorithm class, 01 represents 3DES algorithm, 02 represents AES algorithm, 03 represents SM4 algorithm;
register II: algorithm mode, 01 represents CBC mode, 02 represents CFB mode, 03 represents OFB mode;
register III: the length of the packet data, for example for the SM4 algorithm, 100 represents 100 plaintext packet data, 128 bits per packet;
register IV: encryption and decryption modes, 01 represents encryption operation and 02 represents decryption operation.
The algorithm control state machine is used for reading the data in the register group and the first-level cache, transmitting the data in the first-level cache to the corresponding encryption algorithm processing engine according to the value set in the register group, controlling the encryption algorithm processing engine to perform data encryption/decryption operation according to the corresponding block cipher mode, and transmitting the ciphertext/plaintext data after operation back to the first-level cache through the second-level cache.
The programmable logic unit also comprises a clock control module which is used for performing clock frequency conversion and used as the working clock of each module of the FPGA;
the password card also comprises a power supply module and a JTAG/AS interface;
the power supply module provides working voltage for the password card; for example 3.3V, 2.5V, 1.2V, etc.
The JTAG/AS interface is a debugging/downloading interface of the program and is used for debugging and downloading the programmable logic unit program.
In the embodiment of the invention, the programmable logic unit is an FPGA. The cryptographic algorithm module includes the symmetric cryptographic algorithms 3DES, AES and SM4, each of which adopts the parallel working mode of double engines (Core1 and Core2); the algorithm mode module includes the three algorithm modes CBC, CFB and OFB;
as shown in fig. 8, taking a one-time data processing service as an example, the working process of the cryptographic card includes:
step 1: the password card receives the service type and the clear text packet transmitted by the upper computer through the PCI-E bus and correspondingly stores the service type and the clear text packet into a register group and a first-level cache;
step 2: the algorithm controls the state machine to read the register group, and reads the initial vector and the plaintext/ciphertext block from the first-level cache;
step 3: the algorithm control state machine transmits the data in the first-level cache to the corresponding encryption algorithm processing engine according to the value set in the register group;
step 4: the encryption algorithm processing engine performs data encryption/decryption operation according to the corresponding block cipher mode;
step 5: the algorithm control state machine sequentially transmits ciphertext/plaintext packets to the first-level buffer memory through the second-level buffer memory until all plaintext packets are processed;
step 6: the algorithm control state machine transmits the data in the first-level cache back to the upper computer through the PCI-E bus, so as to finish the data processing service.
The algorithm control state machine logic is shown in fig. 9, and includes 8 states: idle (IDLE), start (START), read register set (RD_REG), read initial vector (RD_IV), read data (RD_DATA), wait (WAIT), write data (WR_DATA), and end (FINAL_DATA). The transition relationships among the states are described as follows:
1) After the password card is reset, the password card enters an IDLE state, and when the reset is finished and the upper computer STARTs a service, the password card enters a START state;
2) In the START state, the algorithm control state machine waits for the upper computer to set a register set, and plaintext packets to be operated are all transmitted to a first-level cache, and then enters an RD_REG state;
3) In the RD_REG state, the algorithm control state machine reads each group of values (algorithm type, algorithm mode, packet length, operation type) representing the service type in the register group, and then enters the RD_IV state;
4) In the RD_IV state, the algorithm control state machine reads the initial vector IV in the first-level cache, and then enters the RD_DATA state;
5) In the RD_DATA state, the algorithm control state machine reads the first plaintext packet data in the first-level cache, and then enters the WAIT state;
6) In the WAIT state, the algorithm control state machine selects the corresponding encryption algorithm processing engine and mode according to the values set in the register set, and controls the encryption algorithm processing engine to work in that mode (namely, the mode designed by the reliability design method in the embodiment). If an encryption operation is performed, the algorithm control state machine compares the ciphertext packet data in the two second-level caches; if C1 is not equal to C1', it remains in the WAIT state, and it enters the WR_DATA state once C1 = C1';
7) In the WR_DATA state, the algorithm control state machine transmits the data in the second-level cache to the first-level cache, and then enters the FINAL_DATA state;
8) In the FINAL_DATA state, the algorithm control state machine determines whether all plaintext packet operations are completed; if not, it returns to the RD_DATA state to process the next plaintext packet, i.e., repeats steps 5) to 7), until all plaintext packets are processed and returned to the first-level cache, and then returns to the IDLE state.
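The eight-state control flow above, combined with the dual-engine comparison described earlier for the CFB and OFB modes, as an added Python simulation (not the patent's FPGA logic). Assumptions: the keyed function `stand_in_e` replaces the real engine, a one-bit transient-fault model, the `max_wait` bound, and the dictionary names used for the register set and first-level cache.

```python
import hashlib
import hmac

BLOCK = 16                                   # 128-bit groups, as for SM4
ALGS = {0x01: "3DES", 0x02: "AES", 0x03: "SM4"}   # register I
MODES = {0x02: "CFB", 0x03: "OFB"}           # register II values handled here

def stand_in_e(key: bytes, block: bytes) -> bytes:
    """Constructed keyed forward function standing in for the engine's E
    (not 3DES/AES/SM4; CFB and OFB only ever call E in this direction)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Core:
    """One engine; flips an output bit on the listed call numbers (assumed fault model)."""
    def __init__(self, fault_calls=()):
        self.calls, self.fault_calls = 0, set(fault_calls)

    def run(self, key, block):
        self.calls += 1
        out = stand_in_e(key, block)
        if self.calls in self.fault_calls:
            out = bytes([out[0] ^ 0x80]) + out[1:]
        return out

def run_card(regs, l1, key, core1, core2, max_wait=8):
    """Run one encryption service; returns (ciphertext groups, state trace)."""
    state, trace = "IDLE", []
    l2 = [None, None]            # second-level cache (1) and (2)
    mode = feed = p = None
    idx = waits = 0
    out = []                     # results written back to the first-level cache
    while True:
        trace.append(state)
        if state == "IDLE":
            state = "START"
        elif state == "START":   # host has set the registers and filled L1
            state = "RD_REG"
        elif state == "RD_REG":
            if regs["I_alg"] not in ALGS or regs["II_mode"] not in MODES:
                raise ValueError("unsupported algorithm or mode in this sketch")
            if regs["IV_op"] != 0x01:
                raise ValueError("this sketch handles encryption only")
            if regs["III_len"] != len(l1["groups"]) or not l1["groups"]:
                raise ValueError("register III does not match the data in L1")
            mode = MODES[regs["II_mode"]]
            state = "RD_IV"
        elif state == "RD_IV":
            feed = l1["iv"]
            state = "RD_DATA"
        elif state == "RD_DATA":
            p, waits = l1["groups"][idx], 0
            state = "WAIT"
        elif state == "WAIT":    # both engines process the same input
            l2[0], l2[1] = core1.run(key, feed), core2.run(key, feed)
            if l2[0] == l2[1]:
                state = "WR_DATA"
            else:
                waits += 1       # stay in WAIT and recompute
                if waits >= max_wait:
                    raise RuntimeError("engines never agreed; persistent fault")
        elif state == "WR_DATA":
            c = xor(p, l2[0])
            out.append(c)
            feed = c if mode == "CFB" else l2[0]   # CFB feeds back C, OFB feeds back E's output
            state = "FINAL_DATA"
        elif state == "FINAL_DATA":
            idx += 1
            if idx == len(l1["groups"]):
                trace.append("IDLE")
                return out, trace
            state = "RD_DATA"
```

The comparison only detects disagreement between the engines: a fault that corrupts both outputs identically passes the WAIT check.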
The reliability design of the block cipher CBC, CFB and OFB modes prevents error propagation and diffusion in the encryption process; and the performance of data encryption is further improved by an encryption algorithm double-engine parallel processing mode on the basis of reliability. In addition, based on PCI-E bus, programmable logic of FPGA is utilized to realize a cipher card supporting symmetric encryption algorithm AES, SM4 and 3DES, support CBC, CFB, OFB reliability design and improve operation performance through algorithm double engines.
The embodiment of the invention also provides a server comprising the password card in the embodiment.
Although the present invention has been described in detail by way of preferred embodiments with reference to the accompanying drawings, the present invention is not limited thereto. Various equivalent modifications and substitutions may be made in the embodiments of the present invention by those skilled in the art without departing from the spirit and scope of the present invention, and it is intended that all such modifications and substitutions be within the scope of the present invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for designing the reliability of a block cipher mode is characterized by comprising the following steps:
the encryption algorithm is controlled to perform an encryption operation on the data to be encrypted to generate encrypted data, and error detection and correction processing is performed on the generated encrypted data; once the generated encrypted data is correct, the encryption algorithm is controlled to process the next data to be encrypted, until all the data to be encrypted has been processed.
2. The method for designing the reliability of the block cipher mode according to claim 1, characterized in that the method comprises:
the encryption algorithm is controlled to process the same data to be encrypted successively, and corresponding encrypted data are generated;
comparing the two groups of encrypted data generated successively;
when the two are inconsistent, controlling an encryption algorithm to process the data to be encrypted again;
when the two are consistent, judging that the encryption result is correct, and controlling the encryption algorithm to process the next data to be encrypted; until all the data to be encrypted are processed.
3. The method for designing the reliability of the block cipher mode according to claim 1, characterized in that the method comprises:
controlling an encryption algorithm to encrypt data to be encrypted to generate ciphertext;
the decryption algorithm is controlled to decrypt the generated ciphertext to generate decrypted data, and the decrypted data are stored in a register;
comparing the decrypted data in the register with the original data to be encrypted;
when the two are inconsistent, controlling an encryption algorithm to process the data to be encrypted again;
when the two are consistent, controlling an encryption algorithm to process the next data to be encrypted; until all the data to be encrypted are processed.
4. The method for reliability design of a block cipher mode according to claim 1, further comprising:
two encryption algorithm processing engines are arranged, and are controlled to simultaneously carry out encryption algorithm processing to generate corresponding encryption data.
5. The cipher card supporting the reliability design of the block cipher mode is characterized by comprising a programmable logic unit, wherein the programmable logic unit comprises an algorithm control state machine, a cipher algorithm module and an algorithm mode module;
the algorithm control state machine is connected with a buffer memory and a register group for storing state values;
the algorithm mode module comprises at least one block cipher mode;
the cryptographic algorithm module comprises a cryptographic algorithm processing engine;
an algorithm control state machine controls an encryption algorithm processing engine to execute the method of any one of claims 1-4 for reliability design of a block cipher mode;
the buffer memory is used for storing data to be encrypted/decrypted, an intermediate result processed by an encryption algorithm and ciphertext/plaintext data after the processing is completed, which are externally transmitted to the password card;
the algorithm control state machine is used for reading the data in the register group and the cache, transmitting the data in the cache to the corresponding encryption algorithm processing engine according to the value set in the register group, controlling the encryption algorithm processing engine to perform data encryption/decryption operation according to the corresponding block cipher mode, and transmitting the ciphertext/plaintext data after operation to the cache.
6. The cryptographic card supporting block cipher mode reliability design according to claim 5, wherein the cryptographic algorithm module comprises two parallel processing cryptographic algorithm processing engines;
the programmable logic unit comprises a PCI-E protocol IP core;
the PCI-E protocol IP core is connected with the cache;
the PCI-E protocol IP core is used for realizing bus protocol conversion and converting a physical PCI-E bus into a bus of a board card side.
7. The cryptographic card supporting block cipher mode reliability design according to claim 6, wherein the cache comprises a primary cache and a secondary cache;
the PCI-E protocol IP core is connected with the first-level cache;
the algorithm control state machine and the cryptographic algorithm module are respectively connected with the secondary cache;
the first-level cache is used for storing the data to be encrypted/decrypted which is transmitted to the password card by the upper computer and the ciphertext/plaintext data after the encryption algorithm processing is completed;
and the second-level cache is used for storing intermediate results of the processing process of the encryption algorithm processing engine.
8. The cryptographic card supporting block cipher mode reliability design according to claim 7, wherein the operation of the cryptographic card comprises:
the password card receives the service type and the clear text packet transmitted externally through the PCI-E bus and correspondingly stores the service type and the clear text packet into a register group and a first-level cache;
the algorithm controls the state machine to read the register group, and reads the initial vector and the plaintext/ciphertext block from the first-level cache;
the algorithm control state machine transmits the data in the first-level cache to the corresponding encryption algorithm processing engine according to the value set in the register group;
the encryption algorithm processing engine performs data encryption/decryption operation according to the corresponding block cipher mode;
the algorithm control state machine sequentially transmits ciphertext/plaintext packets to the first-level buffer memory through the second-level buffer memory until all plaintext packets are processed;
the algorithm control state machine transmits the data in the first-level cache back to the upper computer through the PCI-E bus, so as to finish the data processing service.
9. The cryptographic card supporting a block cipher mode reliability design of claim 8, wherein the control logic of the algorithm control state machine comprises:
1) The password card enters an idle state after being reset, and enters a starting state when the reset is finished and the upper computer starts a service;
2) In a starting state, the algorithm control state machine waits for an upper computer to set a register set, a plaintext packet to be operated is transmitted to a first-level cache, and then the state of reading the register set is entered;
3) In the register set reading state, the algorithm control state machine reads all groups of values representing the service type in the register group, and then enters the initial vector reading state;
4) In the initial vector reading state, an algorithm control state machine reads an initial vector IV in a first-level cache, and then enters a data reading state;
5) In the data reading state, the algorithm control state machine reads the first plaintext packet data in the first-level cache, and then enters a waiting state;
6) In the waiting state, the algorithm control state machine selects a corresponding encryption algorithm processing engine and a corresponding mode according to the numerical value set by the register group, controls the encryption algorithm processing engine to work according to the corresponding mode, and if the encryption operation is carried out, the algorithm control state machine compares the two second-level cached ciphertext grouping data until the two second-level cached ciphertext grouping data are consistent, and enters a data writing state;
7) In the data writing state, the algorithm controls the state machine to transmit the data in the second-level cache to the first-level cache, and then enters an ending state;
8) In the ending state, the algorithm control state machine judges whether all plaintext grouping operations are finished, if not, the steps 5) -7) are repeated until all plaintext groupings are processed and transmitted back to the first-level cache, and then the idle state is returned.
10. A server comprising a cryptographic card as claimed in any one of claims 5 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310014637.5A CN116073987A (en) 2023-01-05 2023-01-05 Reliability design method of block cipher mode, cipher card and server

Publications (1)

Publication Number Publication Date
CN116073987A true CN116073987A (en) 2023-05-05

Family

ID=86178080

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116366206A (en) * 2023-06-01 2023-06-30 三未信安科技股份有限公司 Method and system for enhancing reliability of password card
CN116366206B (en) * 2023-06-01 2023-08-25 三未信安科技股份有限公司 Method and system for enhancing reliability of password card

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination