CN117675205A - Data security transmission method - Google Patents
Data security transmission method Download PDFInfo
- Publication number
- CN117675205A CN117675205A CN202311836324.4A CN202311836324A CN117675205A CN 117675205 A CN117675205 A CN 117675205A CN 202311836324 A CN202311836324 A CN 202311836324A CN 117675205 A CN117675205 A CN 117675205A
- Authority
- CN
- China
- Prior art keywords
- key
- data
- algorithm
- encryption
- shared
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 34
- 230000005540 biological transmission Effects 0.000 title claims abstract description 24
- 230000006835 compression Effects 0.000 claims abstract description 18
- 238000007906 compression Methods 0.000 claims abstract description 18
- 238000004364 calculation method Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 abstract description 12
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Compression, Expansion, Code Conversion, And Decoders (AREA)
Abstract
The invention relates to the technical field of data transmission, in particular to a data security transmission method, which integrates the high-strength confidentiality of a national encryption algorithm SM2, the high throughput of a compression algorithm LZ4, the high efficiency of a symmetric encryption algorithm SM4 and the high performance of a message digest algorithm BLAKE3, realizes more reliable data security transmission, greatly improves the processing efficiency and ensures the high throughput processing capacity of a large-scale service system.
Description
Technical Field
The invention relates to the technical field of data transmission, in particular to a data security transmission method.
Background
The application of financial business based on internet is very popular, the data volume of data interaction transmission between a client and a service system and between services is very large, and many data can relate to personal information and other personal sensitive information, so it is very important to design an efficient and reliable safe transmission method.
The secure transmission comprises two aspects, namely ensuring the security of data, avoiding information leakage and theft, considering the problems of data volume and encryption efficiency, processing a large amount of plaintext data by using a compression algorithm and a symmetric encryption algorithm with high processing efficiency, and encrypting by using an asymmetric encryption algorithm with stronger security for a random key with high randomness and confidentiality requirements but smaller data volume;
and the other is to deploy a security access strategy, only a specified internet access party is allowed to access a specific system service interface through a hardware firewall or similar isolation technology, and the encryption and decryption gateway performs plaintext data interaction with an internal service system after completing encryption and decryption and verification processing of data.
The current common processing mode is to directly use a pre-shared key to directly carry out symmetric encryption processing on transmitted data, and two parties use a preset key to carry out encryption and decryption operations. Or an asymmetric encryption algorithm is used, the sender encrypts the plaintext by using a public key, and the receiver decrypts by using a private key.
The common scheme is basically consistent in the data processing process, generates a random key or encrypts a plaintext by using a pre-shared key, and simultaneously generates a message digest for the plaintext to verify the integrity of the data. International algorithm standards are typically used, including the asymmetric encryption algorithm RSA, the symmetric encryption algorithms AES and DES, the digest algorithms MD5 and SHA-1/SHA-256. The usual scheme would also calculate a message digest to protect the data integrity.
However, the commonly used scheme of symmetric encryption of the pre-shared secret key is simple to use, and can be used for business scenes with low security requirements, and the fatal problem is that once the pre-shared secret key is leaked or cracked, the pre-shared secret key means that all transmitted encrypted data can be easily decrypted and stolen, so that a large amount of data is leaked.
Disclosure of Invention
Therefore, the invention aims to provide a data security transmission method to solve the problem of insufficient security performance of the existing algorithm.
Based on the above purpose, the invention provides a data security transmission encryption method, which comprises the following steps:
s1, based on a national encryption algorithm SM2, a key pair is created, after the key pair is generated, a private key is reserved at a sender, and a public key is sent to a receiver in a compressed format;
s2, generating a temporary key pair by using a pre-agreed elliptic curve algorithm, wherein the temporary key pair comprises a temporary private key PRIK and a temporary public key PUBK, calculating a shared public key SPK by using the elliptic curve and transmitting the shared public key SPK to a receiver, and generating a shared key SK by using the public key and the temporary private key PRIK in the step S1;
s3, carrying out multiple times of fast BLAKE3 hash on the shared key SK generated in the step S2, and using a calculation result as a key for subsequent symmetric encryption;
s4, compressing plaintext data to be transmitted;
s5, encrypting the plaintext data compressed in the step S4 by using the symmetric encryption key generated in the step S3 through a national encryption SM4 algorithm to obtain ciphertext;
s6, generating a message digest by using a fast digest algorithm BLAKE3 on the plaintext data compressed in the step S4;
s7, according to the protocol appointed format, the shared public key SPK generated in the step S2, the ciphertext generated in the step S5 and the message abstract generated in the step S6 are assembled, and the generated encrypted message is sent to the receiving party.
Preferably, in step S1, the public key is sent to the recipient in a 66 character compressed format.
Preferably, in step S2, the contracted elliptic curve algorithm uses an X25519 elliptic curve.
Preferably, in step S3, the number of fast BLAKE3 hashes is three.
Preferably, in step S4, the LZ4 compression algorithm is used to compress the plaintext data preferentially, and no compression is performed on the message smaller than 2 KB.
Preferably, in step S5, after encrypting the compressed plaintext data, the encryption method further includes performing hexadecimal encoding on binary data.
The invention also provides a data security transmission decryption method corresponding to the data security transmission encryption method, which comprises the following steps:
s8, generating a shared key by using the elliptic curve algorithm which is the same as that in the step S2, the received shared public key SPK and the private key in the step S1, and performing quick BLAKE3 hash on the shared key for the same times in the step S3 to obtain a key for decrypting data;
s9, decrypting the received ciphertext by using the key of the decrypted data obtained in the step S8 through a national encryption symmetric encryption algorithm SM4 to obtain an original message;
s10, based on the original message obtained in the step S9, calculating whether the abstract of BLAKE3 is consistent with the abstract in the encrypted message, and verifying the data integrity;
s11, decompressing the original message by using the same compression algorithm in the step S4 to obtain an original plaintext.
The invention has the beneficial effects that:
(1) The invention comprehensively uses elliptic curve key exchange algorithm, quick compression LZ4 algorithm, quick hash BLAKE3 algorithm and national encryption SM4 algorithm to realize safe and efficient data transmission and consider the safety, compliance and processing efficiency.
(2) The mode of pre-sharing the secret key can lead to a large amount of data leakage and theft once the secret key is leaked, and the mode of randomly generating the secret key is not safe enough.
(3) The ciphertext is generally high in randomness, and for large data messages, compression processing is difficult to achieve, and the method and the device uniformly compress plaintext contents before encryption by using a speed-first compression algorithm LZ4, so that encryption cost is reduced by the lowest compression calculation cost.
(4) The fast digest algorithm BLAKE3 is used for calculating the digest of the original message, so that unnecessary signature verification processes are reduced.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only of the invention and that other drawings can be obtained from them without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an encryption method of a data security transmission method according to an embodiment of the invention.
Detailed Description
The present invention will be further described in detail with reference to specific embodiments in order to make the objects, technical solutions and advantages of the present invention more apparent.
It is to be noted that unless otherwise defined, technical or scientific terms used herein should be taken in a general sense as understood by one of ordinary skill in the art to which the present invention belongs. The terms "first," "second," and the like, as used herein, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
As shown in fig. 1, an embodiment of the present disclosure provides a data secure transmission encryption method, including the following steps:
s1, creating a key pair based on a national encryption algorithm SM2, wherein the SM2 algorithm supports 256-bit keys, 32 bytes of a private key and 64 bytes of a public key, after the key pair is generated, the private key is reserved in a sender, and the public key is sent to a receiver in a compressed format (66 characters);
s2, a temporary key pair is generated by using a pre-agreed elliptic curve algorithm, as in the embodiment, an X25519 elliptic curve is agreed to be used, the generated temporary key pair comprises a temporary private key PRIK and a temporary public key PUBK, a shared public key SPK is obtained by calculation by using the elliptic curve and is transmitted to a receiver, a shared key SK is generated by using the public key and the temporary private key PRIK in the step S1, wherein the shared public key SPK=the private key in the elliptic curve base point G, the shared key SK=the temporary private key PRIK in the S1, and the bottom formula is (a×G) ×b= (b×G) ×a.
S3, carrying out multiple fast BLAKE3 hashes on the shared key SK generated in the step S2, wherein a calculation result (256 bits) is used as a key for follow-up symmetric encryption, and if three fast BLAKE3 hashes are carried out by default in the embodiment;
s4, compressing the plaintext data to be transmitted by using an LZ4 compression algorithm, and performing speed priority compression on the original data. To reduce unnecessary computation overhead, the message smaller than 2KB is contracted without compression;
s5, encrypting the plaintext data compressed in the step S4 by using the symmetric encryption key generated in the step S3 through a SM4 algorithm, and further performing hexadecimal encoding on the encrypted binary data to obtain ciphertext;
s6, generating a message digest by using a fast digest algorithm BLAKE3 on the plaintext data compressed in the step S4, wherein the integrity of the data is only verified and encryption is not performed.
S7, according to the protocol appointed format, the shared public key SPK generated in the step S2, the ciphertext generated in the step S5 and the message abstract generated in the step S6 are assembled, and the generated encrypted message is sent to the receiving party.
Corresponding to the encryption method, the embodiment of the specification also provides a data security transmission decryption method, which comprises the following steps:
s8, generating a shared key by using the elliptic curve algorithm which is the same as that in the step S2, the received shared public key SPK and the private key in the step S1, and performing quick BLAKE3 hash on the shared key for the same times in the step S3 to obtain a key for decrypting data;
s9, decrypting the received ciphertext by using the key of the decrypted data obtained in the step S8 through a national encryption symmetric encryption algorithm SM4 to obtain an original message;
s10, based on the original message obtained in the step S9, calculating whether the abstract of BLAKE3 is consistent with the abstract in the encrypted message, and verifying the data integrity;
s11, decompressing the original message by using the same compression algorithm in the step S4 to obtain an original plaintext.
According to the secure transmission method provided by the embodiment, the national secret SM2 is used for replacing an RSA algorithm according to the secure compliance requirement, RSA1024 is not suggested to be used, the algorithm is gradually transited from the international standard RSA algorithm to the national secret SM2 algorithm, the national secret SM2 algorithm is derived based on an elliptic curve algorithm, the 256-bit secret key can reach the secure strength of 3072-bit secret key of the RSA algorithm, and the encryption and decryption processing efficiency is several times higher.
The elliptic curve algorithm is used for replacing a random key, a random number is used as a symmetric encryption key relative to the existing scheme, the pseudo random number generally only provides randomness in a statistical sense, the scheme is adjusted to generate a temporary key pair by using the elliptic curve algorithm, a temporary shared key K is generated by using a private key and a public key of an opposite party, and the temporary key K is subjected to multiple hashes and then data are encrypted. The temporary public key and the encrypted data are transmitted to a receiver, the receiver generates a key pair by using the same elliptic curve, and a shared key is generated by using the private key and the received public key, and the shared key is ensured to be consistent with the generation of the sender by an algorithm, so that stronger security is provided.
In the method, in the plaintext compression, the LZ4 algorithm is used for replacing the ZIP/GZIP algorithm, other schemes are used for directly encrypting plaintext data, then ciphertext is compressed, the ciphertext cannot be effectively compressed, the scheme is optimized to only compress the plaintext by using the LZ4 algorithm, the compression efficiency is improved by several times compared with the compression efficiency of the existing scheme ZIP/GZIP algorithm, the ciphertext is not compressed, and unnecessary calculation cost is saved.
The method uses BLAKE3 digest algorithm to replace digest algorithm MD5/SHA1 used in other schemes of MD5/SHA1/SHA2 digest algorithm, and the method is not recommended to use because of low security intensity, and the scheme is optimized to use BLAKE3 digest algorithm, so that the method has faster calculation speed than SHA256, higher security intensity, supports parallel calculation, and can fully utilize the advantages of multi-core multi-thread and SIMD instruction sets of a server. The encryption method is characterized in that the national encryption SM4 algorithm is used for replacing AES and DES algorithms, an international standard symmetric encryption scheme is generally used for encrypting large data packets, the DES algorithm is not recommended to be used for safety reasons, the national encryption SM4 algorithm is used for replacing the scheme, the national encryption SM4 algorithm meets the national financial data compliance requirement, and special encryption hardware equipment can be used for achieving higher processing requirements.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the invention (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the invention, the steps may be implemented in any order and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
The present invention is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the present invention should be included in the scope of the present invention.
Claims (7)
1. A method for encrypting a secure transmission of data, the method comprising the steps of:
s1, based on a national encryption algorithm SM2, a key pair is created, after the key pair is generated, a private key is reserved at a sender, and a public key is sent to a receiver in a compressed format;
s2, generating a temporary key pair by using a pre-agreed elliptic curve algorithm, wherein the temporary key pair comprises a temporary private key PRIK and a temporary public key PUBK, calculating a shared public key SPK by using the elliptic curve and transmitting the shared public key SPK to a receiver, and generating a shared key SK by using the public key and the temporary private key PRIK in the step S1;
s3, carrying out multiple times of fast BLAKE3 hash on the shared key SK generated in the step S2, and using a calculation result as a key for subsequent symmetric encryption;
s4, compressing plaintext data to be transmitted;
s5, encrypting the plaintext data compressed in the step S4 by using the symmetric encryption key generated in the step S3 through a national encryption SM4 algorithm to obtain ciphertext;
s6, generating a message digest by using a fast digest algorithm BLAKE3 on the plaintext data compressed in the step S4;
s7, according to the protocol appointed format, the shared public key SPK generated in the step S2, the ciphertext generated in the step S5 and the message abstract generated in the step S6 are assembled, and the generated encrypted message is sent to the receiving party.
2. The data security transmission encryption method according to claim 1, wherein in step S1, the public key is transmitted to the receiving party in a compressed format of 66 characters.
3. The method according to claim 1, wherein in step S2, the agreed elliptic curve algorithm uses an X25519 elliptic curve.
4. The data security transmission encryption method according to claim 1, wherein in step S3, the number of fast BLAKE3 hashes is three.
5. The method according to claim 1, wherein in step S4, the plaintext data is compressed preferentially by using an LZ4 compression algorithm, and the message smaller than 2KB is not compressed.
6. The method according to claim 1, wherein in step S5, after encrypting the compressed plaintext data, the encrypting method further comprises performing hexadecimal encoding on binary data.
7. A data secure transmission decryption method corresponding to the data secure transmission encryption method according to any one of claims 1 to 6, characterized by comprising the steps of:
s8, generating a shared key by using the elliptic curve algorithm which is the same as that in the step S2, the received shared public key SPK and the private key in the step S1, and performing quick BLAKE3 hash on the shared key for the same times in the step S3 to obtain a key for decrypting data;
s9, decrypting the received ciphertext by using the key of the decrypted data obtained in the step S8 through a national encryption symmetric encryption algorithm SM4 to obtain an original message;
s10, based on the original message obtained in the step S9, calculating whether the abstract of BLAKE3 is consistent with the abstract in the encrypted message, and verifying the data integrity;
s11, decompressing the original message by using the same compression algorithm in the step S4 to obtain an original plaintext.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311836324.4A CN117675205A (en) | 2023-12-28 | 2023-12-28 | Data security transmission method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311836324.4A CN117675205A (en) | 2023-12-28 | 2023-12-28 | Data security transmission method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117675205A true CN117675205A (en) | 2024-03-08 |
Family
ID=90075192
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311836324.4A Pending CN117675205A (en) | 2023-12-28 | 2023-12-28 | Data security transmission method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117675205A (en) |
-
2023
- 2023-12-28 CN CN202311836324.4A patent/CN117675205A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110048849B (en) | Multi-layer protection session key negotiation method | |
| CN105376261B (en) | Encryption method and system for instant messaging message | |
| CN109005027B (en) | Random data encryption and decryption method, device and system | |
| CN112804205A (en) | Data encryption method and device and data decryption method and device | |
| GB2528959A (en) | Encoder, decoder and method | |
| CN113193957B (en) | Quantum key service method and system separated from quantum network | |
| CN114826656A (en) | Trusted data link transmission method and system | |
| CN113726725A (en) | Data encryption and decryption method and device, electronic equipment and storage medium | |
| CN112165443A (en) | Multi-key information encryption and decryption method and device and storage medium | |
| TW201537937A (en) | Unified identity authentication platform and authentication method thereof | |
| CN116132043B (en) | Session key negotiation method, device and equipment | |
| CN108900540A (en) | A kind of business data processing method of the distribution terminal based on double-encryption | |
| CN111049738B (en) | E-mail data security protection method based on hybrid encryption | |
| CN105099699A (en) | Safe and high-efficiency communication method based on equipment of Internet of things and system | |
| CN113300842B (en) | Method for improving security of symmetric encryption algorithm | |
| CN112532384B (en) | Method for quickly encrypting and decrypting transmission key based on packet key mode | |
| CN114499857A (en) | Method for realizing data correctness and consistency in big data quantum encryption and decryption | |
| CN114338648A (en) | SFTP multi-terminal file secure transmission method and system based on state cryptographic algorithm | |
| CN113645235A (en) | Distributed data encryption and decryption system and encryption and decryption method | |
| CN112398655B (en) | File transmission method, server and computer storage medium | |
| CN111800784A (en) | Block chain cloud service system based on cloud computing | |
| CN112738037A (en) | Data encryption communication method | |
| CN117675205A (en) | Data security transmission method | |
| CN102647428A (en) | Encrypting and decrypting system and method adopting trusteeship control based on communication network | |
| Arora et al. | Handling Secret Key Compromise by Deriving Multiple Asymmetric Keys based on Diffie-Hellman Algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |