CN117200992A - System and method for identifying forgery in data stream transmission - Google Patents
- Publication number: CN117200992A (application CN202310975974.0A)
- Authority: CN (China)
- Prior art keywords: data stream, digital signature, server, data, client
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a system and method for authenticating data stream transmission against forgery, comprising a client and a server. The client includes a request sending module for sending data stream requests; a data forwarding module for forwarding digital signatures; and a data reading module for deciding, from the signature verification result, whether to read the data stream. The server includes a file storage module for obtaining the data stream to be transmitted according to the data stream request; an XMSS hardware module comprising a key acquisition unit, a digital signature unit and a digital signature verification unit; and a file sending module for sending the digital signature, its corresponding data stream and the signature verification result to the client. The invention temporarily generates a public key and a private key from the data stream to be transmitted, and both keys are transmitted only within the server, which secures the transmission and greatly improves the reliability of the forgery authentication process for data stream transmission.
Description
Technical field
The invention relates to a system and method for authenticating data stream transmission against forgery, and belongs to the technical field of data transmission.
Background
Data transmission moves data from a data source to a data terminal according to a defined process; its main function is to exchange data between two points. Ensuring efficient and secure transmission of data is an important problem. For example, the public-key algorithms currently in wide use in computing and on the Internet, such as DH, ECDH, RSA and ECDSA, all rest on three computational problems: integer factorization, the discrete logarithm problem and the elliptic-curve problem. All three can be solved efficiently by a sufficiently powerful quantum computer running specific quantum algorithms such as Shor's and Grover's algorithms.
Therefore, with the rapid development of quantum computers, every existing scheme for digital identity verification, digital signatures and even network security certificates will be broken by quantum computing power. In 2021, IBM launched "Eagle", the first quantum processor with more than 100 qubits, and has recently launched its largest quantum processor, "Osprey", with 433 qubits. Once a quantum computer reaches 1024 qubits it will be able to break all existing network encryption. At that point every web security certificate, every digital office workflow and every signature on securely transmitted files could be forged, which may lead to a massive Internet security crisis. People will be unable to tell which web pages are genuinely secure and which files are unaltered; everything from daily life and business contracts to military secrets will face a severe test.
XMSS, the eXtended Merkle Signature Scheme, is an efficient, highly secure hash-based post-quantum cryptographic technology. It was standardized by the Internet Engineering Task Force (IETF) as early as 2018 and was recommended by NIST as a stateful post-quantum signature scheme in 2020. However, most existing XMSS implementations remain at the software level: they are hard to use, costly to adopt and not performant enough, so they are inconvenient for general use and difficult to popularize.
In addition, the existing XMSS algorithm must perform tens of millions of hash operations; a general-purpose processor implements this inefficiently and cannot compute keys quickly, so it cannot meet the requirements of high-speed networks.
Papers for the "Higher Education Press Cup" National Undergraduate Mathematical Modeling Competition were once submitted together with an MD5 (Message-Digest Algorithm 5) code. However, the MD5 message digest algorithm used there has no quantum resistance, so in the future that scheme will not be secure enough and will be easy to break. In addition, that submission client had no well-designed hardware acceleration structure, so submissions easily led to long queues and long waiting times. Finally, that client required the user to click to generate the MD5 code and upload it after submitting, which exposed the signing and verification operation to the user and made the procedure cumbersome.
The information disclosed in this Background section is intended only to increase understanding of the general background of the invention and should not be taken as an admission, or as in any way implying, that the information constitutes prior art already known to a person of ordinary skill in the art.
Summary of the invention
The purpose of the invention is to overcome the deficiencies of the prior art by providing a system and method for authenticating data stream transmission against forgery. The invention temporarily generates a public key and a private key from the data stream to be transmitted, and both keys are transmitted only within the server, which secures the transmission and greatly improves the reliability of the forgery authentication process for data stream transmission.
To achieve the above objects, the invention adopts the following technical solutions:
In a first aspect, the invention discloses a data stream transmission forgery authentication system comprising a client and a server.
The client comprises:
a request sending module, for sending a data stream request to the server;
a data forwarding module, for receiving the digital signature and its corresponding data stream sent by the server and forwarding the digital signature back to the server;
a data reading module, for receiving the signature verification result sent by the server and deciding from it whether to read the data stream held in the data forwarding module.
The server comprises:
a file storage module, for obtaining the data stream to be transmitted according to the client's data stream request;
an XMSS hardware module comprising a key acquisition unit, a digital signature unit and a digital signature verification unit, where the key acquisition unit generates the corresponding public key and private key from the data stream to be transmitted; the digital signature unit signs the data stream to be transmitted with the private key to obtain a digital signature; and the digital signature verification unit verifies the digital signature forwarded by the client with the public key to obtain a signature verification result;
a file sending module, for sending the digital signature, its corresponding data stream and the signature verification result to the client.
Further, in the client's request sending module, the data stream request is either a new data stream transmission request or a historical data stream playback request.
Further, the digital signature unit comprises:
a SHA256 subunit, for processing the data stream to be transmitted to a fixed bit width, giving a fixed-width data stream;
a first WOTS subunit, for performing a single digital signature operation on the fixed-width data stream with the private key, giving first WOTS-pk data;
a first L-TREE subunit, for compressing the first WOTS-pk data into first leaf node data;
a MERKLE subunit, for compressing the first leaf node data into root node data and obtaining the XMSS digital signature from the root node data.
Further, the digital signature verification unit comprises:
an MSGchecksum subunit, for verifying the integrity of the digital signature forwarded by the client and, once verification passes, combining it with the digest to obtain a fixed-width string;
a second WOTS subunit, for performing the WOTS chain computation on the fixed-width string, giving second WOTS-pk data;
a second L-TREE subunit, for performing a depth-first computation on the second WOTS-pk data, giving the L-TREE hash value;
an Authpath subunit, for compressing the L-TREE hash value and verifying the correctness of the compressed L-TREE hash value with the public key, giving the signature verification result.
Further, deciding whether to read the data stream in the data forwarding module comprises:
in response to the signature verification result being a pass, the data reading module reads the data stream held in the data forwarding module;
in response to the signature verification result being a fail, the data forwarding module receives a new digital signature and its corresponding data stream resent by the server, forwards the new digital signature to the server for verification, and discards the previously stored digital signature that failed verification together with its corresponding data stream.
Further, the file storage module and the file sending module are each connected to the XMSS hardware module over a serial port.
In a second aspect, the invention discloses a data stream transmission forgery authentication method, applicable to the client of the system of the first aspect, comprising the following steps:
sending, by the client's request sending module, a data stream request to the server;
receiving, by the client's data forwarding module, the digital signature and its corresponding data stream sent by the server, and forwarding the digital signature to the server;
receiving, by the client's data reading module, the signature verification result sent by the server and deciding from it whether to read the data stream held in the data forwarding module.
In a third aspect, the invention discloses a data stream transmission forgery authentication method, applicable to the server of the system of the first aspect, comprising the following steps:
obtaining, by the server's file storage module, the data stream to be transmitted according to the client's data stream request;
generating, by the key acquisition unit of the server's XMSS hardware module, the corresponding public key and private key from the data stream to be transmitted;
signing, by the digital signature unit of the server's XMSS hardware module, the data stream to be transmitted with the private key, giving a digital signature;
sending, by the server's file sending module, the digital signature and its corresponding data stream;
verifying, by the digital signature verification unit of the server's XMSS hardware module, the digital signature forwarded by the client with the public key, giving a signature verification result;
sending, by the server's file sending module, the signature verification result to the client.
Compared with the prior art, the invention achieves the following beneficial effects:
The data stream transmission forgery authentication system of the invention temporarily generates a public key and a private key from the data stream to be transmitted, and both keys are transmitted only within the server, which secures the transmission and greatly improves the reliability of the forgery authentication process for data stream transmission.
Description of the drawings
Figure 1 is a schematic diagram of a data stream transmission forgery authentication system;
Figure 2 is a schematic diagram of the digital signature unit;
Figure 3 is a schematic diagram of the digital signature verification unit.
Detailed description
The invention is further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical solution of the invention more clearly and do not limit its scope of protection.
Embodiment 1
Embodiment 1 provides a data stream transmission forgery authentication system comprising a client and a server.
The client comprises:
a request sending module, for sending a data stream request to the server;
a data forwarding module, for receiving the digital signature and its corresponding data stream sent by the server and forwarding the digital signature back to the server;
a data reading module, for receiving the signature verification result sent by the server and deciding from it whether to read the data stream held in the data forwarding module.
The server comprises:
a file storage module, for obtaining the data stream to be transmitted according to the client's data stream request;
an XMSS hardware module comprising a key acquisition unit, a digital signature unit and a digital signature verification unit, where the key acquisition unit generates the corresponding public key and private key from the data stream to be transmitted; the digital signature unit signs the data stream to be transmitted with the private key to obtain a digital signature and its corresponding data stream; and the digital signature verification unit verifies the digital signature forwarded by the client with the public key to obtain a signature verification result;
a file sending module, for sending the digital signature, its corresponding data stream and the signature verification result to the client.
The technical concept of the invention is to temporarily generate a public key and a private key from the data stream to be transmitted, with both keys transmitted only within the server; this secures the transmission and greatly improves the reliability of the forgery authentication process for data stream transmission.
The specific steps are as follows:
Step 1: The client's request sending module sends a data stream request to the server. The data stream request is either a new data stream transmission request or a historical data stream playback request.
The specific business scenarios are as follows:
Business scenario 1: the client sends a new data stream transmission request, asking for files that need protection against forgery.
In business scenario 1, the receiver sends a new data stream transmission request to the server side to trigger the corresponding processing there.
Business scenario 2: the client sends a historical data stream playback request, asking the server side to replay a data stream it previously received and stored, so that it can be viewed and verified.
In business scenario 2, the receiver sends a historical data stream playback request to the server side to trigger the corresponding processing there.
Step 2: The server's file storage module obtains the data stream to be transmitted according to the client's data stream request.
As in step 1, there are two corresponding business scenarios.
Business scenario 1: in response to the new data stream transmission request sent by the client, asking for files that need protection against forgery.
In business scenario 1, the server receives the new data stream transmission request sent by the client and obtains the corresponding new data stream to be transmitted.
Business scenario 2: in response to the historical data stream playback request sent by the client, asking the server side to replay a data stream it previously received and stored, so that it can be viewed and verified.
In business scenario 2, the server receives the historical data stream playback request sent by the client and obtains the corresponding historical data stream to be transmitted.
Step 3: The key acquisition unit of the server's XMSS hardware module generates the corresponding public key and private key from the data stream to be transmitted. The private key is passed to the digital signature unit and the public key to the digital signature verification unit.
In business scenario 1, the data stream to be transmitted is a new data stream, and the key pair (public key and private key) is generated from that new data stream.
In business scenario 2, the data stream to be transmitted is a historical data stream. A historical data stream previously sent and stored on the server side may have been replayed several times, producing several key pairs. Note that this step generates a new key pair (public key and private key) from the historical data stream rather than reusing any earlier key pair.
Step 4: The digital signature unit of the server's XMSS hardware module signs the data stream to be transmitted with the private key, giving a digital signature.
In business scenario 1, the new data stream to be transmitted is signed with the private key, giving a digital signature.
In business scenario 2, the historical data stream to be transmitted is signed with the private key, giving a digital signature.
Specifically, the digital signature unit comprises:
a SHA256 subunit, for processing the data stream to be transmitted to a fixed bit width, giving a fixed-width data stream. For example, an input data stream of variable length is mapped to a fixed 256-bit output data stream.
a first WOTS subunit, for performing a single digital signature operation on the fixed-width data stream with the private key, giving first WOTS-pk data. Note that the first WOTS subunit is invoked repeatedly during key generation and signing; the higher its reuse rate, the more efficient the design and the better the overall performance. Multi-core reuse can greatly increase the computation speed.
a first L-TREE subunit, for compressing the first WOTS-pk data into first leaf node data. For reasons of hardware cost, the first L-TREE subunit uses a depth-first method: computing a node at level h of the binary tree needs only h storage locations, far fewer than the 2^h storage resources of the standardized scheme.
a MERKLE subunit, for compressing the first leaf node data into root node data and obtaining the XMSS digital signature from the root node data.
In addition, the invention may use the BDS algorithm to accelerate the signing process; for example, BDS can be implemented in hardware and placed inside the hardware module to reduce the amount of data crossing the bus, further accelerating the XMSS signature computation.
Step 5: The server's file sending module sends the digital signature and its corresponding data stream to the client.
Step 6: The client's data forwarding module receives the digital signature and its corresponding data stream sent by the server and forwards the digital signature to the server.
Note that at this point the data stream is only received; it is not yet read.
Step 7: The digital signature verification unit of the server's XMSS hardware module verifies the digital signature forwarded by the client with the public key, giving the signature verification result.
The digital signature verification unit comprises:
an MSGchecksum subunit, for verifying the integrity of the digital signature forwarded by the client and, once verification passes, combining it with the digest to obtain a fixed-width string. For example, it verifies the message integrity of the digital signature forwarded by the client and outputs the checksum combined with the digest as a 268-bit string.
a second WOTS subunit, for performing the WOTS chain computation on the fixed-width string, giving second WOTS-pk data;
a second L-TREE subunit, for performing a depth-first computation on the second WOTS-pk data, giving the L-TREE hash value. As above, for reasons of hardware cost the second L-TREE subunit uses a depth-first method: computing a node at level h of the binary tree needs only h storage locations, far fewer than the 2^h storage resources of the standardized scheme.
an Authpath subunit, for compressing the L-TREE hash value and verifying the correctness of the compressed L-TREE hash value with the public key, giving the signature verification result. Specifically, it performs the Authpath verification of the XMSS signature scheme: the received L-TREE hash value is repeatedly compressed by calling the f_t function, and finally the received public key is used to verify the correctness of the signature.
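The two pipelines just described (SHA256, WOTS, L-TREE and MERKLE on the signing side; MSGchecksum, WOTS, L-TREE and Authpath on the verifying side) can be followed end to end in code. The block below is an added example and is not the patent's hardware design or any project's code: a deliberately simplified, stand-alone WOTS/L-tree/Merkle construction in Python with toy parameters (SHA-256, w = 16, a 4-leaf tree of height 2). Its chaining and node functions are plain domain-separated SHA-256 rather than the keyed, bitmasked functions of standardized XMSS, so it is not interoperable with any real XMSS implementation; every function name and parameter is the example's own. It shows the 67-digit (268-bit) digest-plus-checksum encoding, the depth-first treehash whose stack stays O(h) rather than 2^h, and why the leaf index is state that must never be reused.

```python
import hashlib

# Toy parameters: SHA-256 (32-byte digests), Winternitz w = 16, a 4-leaf tree (h = 2).
W = 16
LEN1 = 64               # a 256-bit digest is 64 base-16 digits
LEN2 = 3                # checksum digits: max checksum 64 * 15 = 960 < 16 ** 3
LEN = LEN1 + LEN2       # 67 chains, i.e. the 67 * 4 = 268-bit encoded string
H_TREE = 2              # Merkle tree height: 2 ** H_TREE one-time keys per tree

def f(x: bytes) -> bytes:                    # chaining function (toy: domain-separated SHA-256)
    return hashlib.sha256(b"F" + x).digest()

def h2(left: bytes, right: bytes) -> bytes:  # node function for L-TREE / MERKLE / Authpath
    return hashlib.sha256(b"H" + left + right).digest()

def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = f(x)
    return x

def msg_checksum(digest: bytes) -> list:
    """MSGchecksum subunit: 64 digest digits + 3 checksum digits = 268 bits."""
    digits = []
    for byte in digest:
        digits += [byte >> 4, byte & 0x0F]
    csum = sum(W - 1 - d for d in digits)
    return digits + [(csum >> (4 * i)) & 0x0F for i in range(LEN2 - 1, -1, -1)]

def wots_keygen(seed: bytes, leaf_idx: int):
    """One WOTS key pair per leaf; chain starts are derived from the seed."""
    sk = [hashlib.sha256(b"SK" + seed + bytes([leaf_idx, i])).digest() for i in range(LEN)]
    return sk, [chain(s, W - 1) for s in sk]

def wots_sign(sk, digest: bytes):            # first WOTS subunit: advance each chain by its digit
    return [chain(s, d) for s, d in zip(sk, msg_checksum(digest))]

def wots_pk_from_sig(sig, digest: bytes):    # second WOTS subunit: finish each chain
    return [chain(s, W - 1 - d) for s, d in zip(sig, msg_checksum(digest))]

def ltree(pk) -> bytes:
    """L-TREE subunit: compress the 67 WOTS-pk values into one leaf node."""
    nodes = list(pk)
    while len(nodes) > 1:
        paired = [h2(nodes[i], nodes[i + 1]) for i in range(0, len(nodes) - 1, 2)]
        if len(nodes) % 2:
            paired.append(nodes[-1])         # odd node is carried up unchanged
        nodes = paired
    return nodes[0]

def treehash(leaves):
    """MERKLE subunit, depth-first: returns (root, peak stack size); the stack is O(h), not 2**h."""
    stack, peak = [], 0                      # entries: (height, node)
    for leaf in leaves:
        height, node = 0, leaf
        while stack and stack[-1][0] == height:
            _, left = stack.pop()
            height, node = height + 1, h2(left, node)
        stack.append((height, node))
        peak = max(peak, len(stack))
    return stack[0][1], peak

def build_levels(leaves):                    # full tree, level by level, to read auth paths from
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        levels.append([h2(*levels[-1][i:i + 2]) for i in range(0, len(levels[-1]), 2)])
    return levels

def auth_path(levels, idx: int):             # sibling of the node on the leaf-to-root path, per level
    return [levels[k][(idx >> k) ^ 1] for k in range(len(levels) - 1)]

def root_from_auth(leaf: bytes, idx: int, path) -> bytes:  # Authpath subunit
    node = leaf
    for sibling in path:
        node = h2(sibling, node) if idx & 1 else h2(node, sibling)
        idx >>= 1
    return node

def xmss_keygen(seed: bytes):
    """Key acquisition unit: returns (private state, public root)."""
    pairs = [wots_keygen(seed, i) for i in range(2 ** H_TREE)]
    leaves = [ltree(pk) for _, pk in pairs]
    levels = build_levels(leaves)
    root, peak = treehash(leaves)
    assert root == levels[-1][0] and peak <= H_TREE + 1
    return {"sks": [sk for sk, _ in pairs], "levels": levels, "next": 0}, root

def xmss_sign(state, data: bytes):
    """Digital signature unit. The leaf index is state and must never be reused."""
    idx = state["next"]
    if idx >= 2 ** H_TREE:
        raise RuntimeError("one-time keys exhausted: generate a new tree")
    state["next"] = idx + 1
    digest = hashlib.sha256(data).digest()   # SHA256 subunit: fixed 256-bit width
    return idx, wots_sign(state["sks"][idx], digest), auth_path(state["levels"], idx)

def xmss_verify(root: bytes, data: bytes, signature) -> bool:
    """Digital signature verification unit: recompute the root and compare."""
    idx, sig, path = signature
    leaf = ltree(wots_pk_from_sig(sig, hashlib.sha256(data).digest()))
    return root_from_auth(leaf, idx, path) == root
```

Calling `xmss_keygen` once and `xmss_sign` up to four times mirrors the patent's practice of generating a fresh key pair per stream: after 2^h signatures the state raises rather than reusing a leaf, which is the failure mode a stateful scheme must guard against. The `peak` value returned by `treehash` is the quantity the L-TREE description compares against 2^h.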
Step 8: The server's file sending module sends the signature verification result to the client.
Note that the file storage module and the file sending module are each connected to the XMSS hardware module over a serial port.
Step 9: The client's data reading module receives the signature verification result sent by the server and decides from it whether to read the data stream held in the data forwarding module.
Deciding whether to read the data stream in the data forwarding module comprises:
in response to the signature verification result being a pass, the data reading module reads the data stream held in the data forwarding module. A pass means the data has not been tampered with and the client can read it safely.
in response to the signature verification result being a fail, the data forwarding module receives a new digital signature and its corresponding data stream resent by the server, forwards the new digital signature to the server for verification, and discards the previously stored digital signature that failed verification together with its corresponding data stream.
If verification fails three times in a row, an attacker may be eavesdropping on the receiver's port, and the server switches the client port to stop the attack from continuing.
Note that records of all exchanged messages are kept on both the server and the client, documenting that each message was sent by the sender and was not forged or tampered with, so that the sender cannot later deny having sent the file.
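Steps 1 to 9 form one exchange. The block below is an added example, not part of the patent or of any product, that simulates that exchange in Python: the server's file storage, fresh key generation for every served stream (including replays), signing, the client holding the stream unread until the server's verdict arrives, the discard-and-retry path on a failed verification, the port switch after three consecutive failures, and the records kept on both sides. The XMSS hardware module is replaced by a stand-in (`XmssModuleStandIn`) that uses HMAC-SHA256 with per-stream random key material held inside the object; because in this design neither key ever leaves the server, the client's decision depends only on the server's verdict, so a keyed MAC is enough to exercise the flow. Class and function names, the port number, the file name and the `channel` callable are all constructed for the example.

```python
import hmac
import os
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 3   # after three straight failures the server switches the client port


@dataclass
class Delivery:                # what the file sending module emits in step 5
    stream_id: str
    data: bytes
    signature: bytes


class XmssModuleStandIn:
    """Stand-in for the XMSS hardware module (assumption: HMAC-SHA256 instead of XMSS).
    Key material is generated per served stream and never leaves this object."""

    def __init__(self):
        self._keys = {}

    def keygen(self, stream_id: str) -> None:
        self._keys[stream_id] = os.urandom(32)          # fresh key every time, even on replay

    def sign(self, stream_id: str, data: bytes) -> bytes:
        return hmac.new(self._keys[stream_id], data, "sha256").digest()

    def verify(self, stream_id: str, data: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(stream_id, data), signature)


class Server:
    def __init__(self, files: dict):
        self.files = files                              # file storage module (constructed content)
        self.module = XmssModuleStandIn()
        self.client_port = 5000                         # constructed starting port
        self.failures = 0                               # consecutive failed verifications
        self.log = []                                   # server-side record of the exchange

    def serve(self, stream_id: str, replay: bool) -> Delivery:
        data = self.files[stream_id]                    # step 2: new stream or historical replay
        self.module.keygen(stream_id)                   # step 3: key pair generated for this stream
        sig = self.module.sign(stream_id, data)         # step 4
        self.log.append(("sent", stream_id, replay, sig.hex()))
        return Delivery(stream_id, data, sig)           # step 5

    def verify_forwarded(self, stream_id: str, forwarded_sig: bytes) -> bool:
        ok = self.module.verify(stream_id, self.files[stream_id], forwarded_sig)  # step 7
        self.log.append(("verify", stream_id, ok))
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_CONSECUTIVE_FAILURES:
                self.client_port += 1                   # switch the client port
                self.failures = 0
        return ok                                       # step 8: verdict sent to the client


class Client:
    def __init__(self, server: Server, channel):
        self.server = server
        self.channel = channel     # models the path the forwarded signature takes back to the server
        self.held = None           # data forwarding module: received but not read
        self.log = []              # client-side record of the exchange

    def fetch(self, stream_id: str, replay: bool = False, max_attempts: int = MAX_CONSECUTIVE_FAILURES):
        for attempt in range(max_attempts):
            self.held = self.server.serve(stream_id, replay)         # steps 1 and 6
            forwarded = self.channel(self.held.signature)
            ok = self.server.verify_forwarded(stream_id, forwarded)  # steps 7 and 8
            self.log.append((stream_id, attempt, ok))
            if ok:
                data, self.held = self.held.data, None               # step 9: read the stream
                return data
            self.held = None                                         # discard the failed copy
        return None


def run_demo():
    """Honest fetch, a replay of the same stream, then a fetch over a corrupting channel."""
    srv = Server({"report.bin": b"constructed sample stream"})
    honest = Client(srv, lambda sig: sig)
    got = honest.fetch("report.bin")
    again = honest.fetch("report.bin", replay=True)
    noisy = Client(srv, lambda sig: bytes([sig[0] ^ 0x01]) + sig[1:])
    lost = noisy.fetch("report.bin")
    return got, again, lost, srv.client_port
```

The `channel` callable is the one place the example lets the forwarded signature be altered; an identity function gives the happy path, and a function that flips a byte drives the retry path and, after three attempts, the port switch. Note the consequence of keeping both keys on the server: the client cannot check the signature itself and acts purely on the verdict it receives, so the integrity of that verdict message matters as much as the signature does.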
In summary, the digital signature designed by the invention is used by the server side to verify the integrity of the transmitted data stream. Through steps 1 to 9, both the receiver's client and the server side learn the digital signature, so that the server side can later verify the digital signature received by the receiver and check whether the data has been tampered with.
The digital signature is generated temporarily during the signing process and used only once; a new digital signature can be generated at the next signing, which improves security.
This application first signs the transmitted data stream with the private key. Second, the public/private key pair used for the media stream is generated and then transmitted only inside the hardware module; because this process stays inside the hardware module, the key pair transmission is secure and the security of the data stream transmission is further improved. At the same time, the public key is used to verify the digital signature on the data stream; the key pair is generated temporarily from the data stream and used only once, and a new key pair is generated the next time. In summary, because all sensitive parameters involved in the key pair transmission process are transmitted inside the module, the reliability of the forgery authentication process for data stream transmission is greatly improved.
Embodiment 2
Embodiment 2 provides a method of forgery detection for data stream transmission, applicable to the client of the forgery-detection system of Embodiment 1, characterised by the following steps:
based on the client's request sending module, send a data stream request to the server;
based on the client's data forwarding module, receive the digital signature and its corresponding data stream sent by the server, and forward the digital signature to the server;
based on the client's data reading module, receive the verification result sent by the server and decide, according to that result, whether to read the data stream held in the data forwarding module.
Embodiment 3
Embodiment 3 provides a method of forgery detection for data stream transmission, applicable to the server of the forgery-detection system of Embodiment 1, characterised by the following steps:
based on the server's file storage module, obtain the data stream to be transmitted according to the client's data stream request;
based on the key acquisition unit of the server's XMSS hardware module, generate the corresponding public key and private key according to the data stream to be transmitted;
based on the digital signature unit of the server's XMSS hardware module, sign the data stream to be transmitted with the private key to obtain the digital signature, which is sent to the client together with its corresponding data stream;
based on the server's file sending module, send the digital signature and its corresponding data stream;
based on the digital verification unit of the server's XMSS hardware module, verify the digital signature forwarded by the client with the public key, and send the verification result to the client;
based on the server's file sending module, send the verification result to the client.
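The following is an added example and is not code from the patent. It simulates the exchange of Embodiments 2 and 3 end to end, together with the failure handling described earlier (the server resends a fresh signature on a failed verification, the client discards the failed copy, records are kept on both sides, and the client port is switched after three consecutive failures). The patent's XMSS hardware module is replaced by a Lamport one-time signature, a hash-based scheme that, like the patent's per-stream key pair, must only ever sign once; the class and method names, the "port + 1" switching policy and the sample stream are assumptions made for the example.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    """SHA-256; the only primitive the toy signature scheme needs."""
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    """Bits of a digest, most significant bit of each byte first."""
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * len(digest))]


# Lamport one-time signature: a hash-based OTS standing in for the XMSS hardware module.
def ots_keygen():
    """256 pairs of random secrets (private key) and their hashes (public key)."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def ots_sign(sk, msg: bytes):
    """Reveal one secret per bit of H(msg). A Lamport key must never sign twice."""
    return [sk[i][bit] for i, bit in enumerate(_bits(H(msg)))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public-key entry selected by the digest bit."""
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(H(msg)))))


class Server:
    """File store, simulated key/sign/verify module and the server-side message records."""
    MAX_FAILURES = 3          # consecutive failures before the client port is switched (from the text)

    def __init__(self, files: dict, client_port: int = 5000):   # port value is assumed
        self.files = files
        self.client_port = client_port
        self.sessions = {}    # stream_id -> (public key, stream) kept for later verification
        self.failures = {}    # stream_id -> consecutive failed verifications
        self.records = []     # server-side record of every message (non-repudiation)

    def send_stream(self, stream_id: str):
        stream = self.files[stream_id]                 # file storage module
        sk, pk = ots_keygen()                          # key acquisition unit: fresh pair per stream
        sig = ots_sign(sk, stream)                     # digital signature unit
        del sk                                         # private key is used exactly once
        self.sessions[stream_id] = (pk, stream)
        self.records.append(("sent", stream_id, H(stream)))
        return sig, stream                             # file sending module

    def verify_forwarded(self, stream_id: str, sig) -> bool:
        pk, stream = self.sessions[stream_id]
        ok = ots_verify(pk, stream, sig)               # digital verification unit
        self.records.append(("verify", stream_id, ok))
        if ok:
            self.failures[stream_id] = 0
        else:
            self.failures[stream_id] = self.failures.get(stream_id, 0) + 1
            if self.failures[stream_id] >= self.MAX_FAILURES:
                self.client_port += 1                  # assumed port-switch policy
                self.failures[stream_id] = 0
        return ok


class Client:
    """Request sending, data forwarding and data reading modules of the receiving side."""

    def __init__(self, server: Server):
        self.server = server
        self.held = {}        # data forwarding module: stream held until a verdict arrives
        self.read = {}        # data reading module: streams released to the application
        self.records = []     # client-side record of every result

    def request(self, stream_id: str, channel=lambda sig: sig, max_attempts=Server.MAX_FAILURES):
        """channel() models the path the forwarded signature takes back to the server."""
        for attempt in range(1, max_attempts + 1):
            sig, stream = self.server.send_stream(stream_id)      # request sending module
            self.held[stream_id] = stream                          # stored, not yet readable
            ok = self.server.verify_forwarded(stream_id, channel(sig))
            self.records.append(("result", stream_id, attempt, ok))
            if ok:
                self.read[stream_id] = self.held.pop(stream_id)    # data reading module reads it
                return {"ok": True, "attempts": attempt}
            self.held.pop(stream_id)                               # discard failed copy; server resends
        return {"ok": False, "attempts": max_attempts}


def demo_clean() -> dict:
    """Untouched channel: first attempt verifies, port unchanged."""
    server = Server({"doc": b"constructed sample data stream"})
    result = Client(server).request("doc")
    result["port"] = server.client_port
    return result


def demo_tampered() -> dict:
    """The first chunk of every forwarded signature is flipped in transit: three failures, port switched."""
    server = Server({"doc": b"constructed sample data stream"})
    flip = lambda sig: [bytes(b ^ 0xFF for b in sig[0])] + sig[1:]
    result = Client(server).request("doc", channel=flip)
    result["port"] = server.client_port
    return result
```

Following the text, the server checks the forwarded signature against its own copy of the stream, so this step detects a signature altered on the way to the client or back; a data stream altered in transit while its signature stays intact is not caught by the server-side check alone, which is worth keeping in mind when deploying a design like this.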
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art can make a number of improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310975974.0A CN117200992A (en) | 2023-08-04 | 2023-08-04 | System and method for identifying false of data stream transmission |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117200992A true CN117200992A (en) | 2023-12-08 |
Family ID: 88989554
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |