CN1595865A - Method for implementing information security based on virtual optics and public key infrastructure - Google Patents

Abstract

The invention discloses a method of realizing information safety based on virtual optics and public key infrastructure, relating a safety system composed of virtual optical data encrpytion techniques, public secret key cryptology, digital certificate, and certification center, which is a synthetic system that can verify the ID of a user holding the secret key. Multidimensional data encrypted secret key of a transmitting part can be sent to a receiving part under the protection of public secret key encryption. It effectively solves the problem of allocating and transmitting symmetrically encrypted secret key in optical encryption system. Its advantages: the physical background is clear, the freedom of data encrypting course is large, safety grade is high, and it can be widely applied to optical information safety field and has an extremely wide prospect in spreading.

Description

Method based on virtual optics and PKIX realization information security

Technical field

The present invention relates to a kind of method, belong to optical information security based on virtual optics and PKIX realization information security

Technical field.

Background technology

After entering the information age, information security issue becomes the focus that people pay close attention to.Data encryption technology is widely used in many key areas such as commerce is maintained secrecy, military communication.But the domestic cryptographic algorithm that adopts mostly is the low-intensity cryptographic algorithm that abroad will eliminate at present.The unsafe factor that is brought has become a major issue of current obstruction economic development and threat national security thus.

Based on the data encryption technology of optical information processing is to begin a kind of new " non-mathematics " data encryption technology of starting to walk to develop in recent years in the world.Different with electronic processors, optical system has the ability that inherent parallel data is handled, and can side by side be propagated and handle as each pixel in the width of cloth two dimensional image in optical system.When carrying out the bulk information processing, the parallel processing capability of optical system clearly occupies absolute advantage.Simultaneously, the optical encryption device has the more freedom degree than Electronic Coding device, and information can be hidden in a plurality of degrees of freedom space---as phase place, wavelength, spatial frequency and polarization state of light etc.

But,, at present in the world overwhelming majority's research of optical encryption method also only is confined to symmetric-key systems from cryptographic viewpoint.This cryptographic system, can not be applied in the actual secure communication so also can't combine with the international standard of information security field because management, distribution, the transmission problem of key can not obtain fine must the solution.And, consider the optical information security problem from the angle of a complete information safety system, in the world also not the someone propose.In the present invention, our combined with virtual optical data encryption technology, PKIX technology, authentication techniques have made up one and have improved the virtual optics information safety system, have solved well to perplex the optical information security system in the world and go on one of major obstacle of practicability: the distribution of symmetric cryptographic key and transmission problem in the optical encryption system.The present invention combines domestic advanced person's virtual optics DEA with international advanced network security technology, guarantee to wait each stage all to have superior fail safe in data encryption and transmission.

The technical literature that can contrast has following five pieces:

[1]P.Refregier，and?B.Javidi：Optical?image?encryption?based?on?input?and?Fourier?planerandom?encoding，Optics?Letters，1995，20(7)：767-769

[2]X.Peng，Z.Y.Cui，and?T.Tan：Information?encryption?with?virtual-optics?imaging?system，optics?Communications，2002，212：235-245

[3] patent of invention: publication number CN 1474283A

[4]US?Patents：6,002,773；5,903,648

[5]ITU_T?Recommendation?X.509：Information?Technology-Open?systems?Interconnection-The?Directory：Public-key?and?attribute?certificate?frameworks.

Summary of the invention

The object of the present invention is to provide a kind of method based on virtual optics and PKIX realization information security.This method physical background is clear, the data encryption process degree of freedom is big, level of security is high, can be widely used in the optical information security field.

For achieving the above object, the present invention is realized by following technical proposals.Described PKIX general reference communicating pair is common and have authoritative third party (CA of authentication center), sets up trusting relationship each other by the form of signing digital certificate.Method based on this relation and virtual optics realization information security is characterized in that, comprises following process:

● information sender:

1) transmit leg generates session key K at random _Session=MDEK=RNG (d _o, d, f, λ, RM ‖ Seed)

Wherein RNG (.) represents randomizer, and on behalf of random number, Seed generate seed.System generates diffraction distance parameter d at random _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM, be combined into multidimensional data encryption key MDEK (Multidimensional Data Encryption Keys) then, i.e. session key K _Session

2) transmit leg utilizes session key K _SessionWith virtual optics data encryption equation, cleartext information is encrypted, obtain ciphertext, be expressed as U _L2:

U _L2(m，n)＝{DFD[U _o(k，l)；λ，d _o]+DFD[U _M(k，l)；λ，d]}×t(m，n；f)；

Wherein DFD represents discrete fresnel diffraction conversion.

3) transmit leg utilizes the PKI PK of the CA of authentication center _CAVerify digital certificate, thereby true property of the coin of the recipient's PKI that comprises in the authentication certificate and integrality are obtained recipient's public-key cryptography PK _R

PK _R←Authentication(Certificate‖PK _CA)

4) transmit leg utilizes recipient's public-key cryptography PK _REncrypted session key K _Session

$c=E_{P{K}_R}\left(K_{\mathrm{session}}\right)$

E wherein _PKR(.) represents a kind of rivest, shamir, adelman.C is the result after adopting rivest, shamir, adelman to session key.

5) the session key c after will encrypting is attached to ciphertext U _L2The back, send to the recipient by communication line together.

● the receiving party:

1) recipient at first uses the private cipher key SK of oneself _RDecrypt correct session key K _Session

$K_{\mathrm{session}}=D_{{\mathrm{SK}}_R}\left(c\right)$

D wherein _SKR(.) represents asymmetric decipherment algorithm.Because private key SK _RThe assailant preserves by the recipient is secret, so can't obtain correct session key K _Session

2) recipient has obtained correct session key K _Session, that is the recipient has known in this communication that transmit leg is encrypted employed diffraction distance parameter d _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM right value.

3) recipient utilizes the correct deciphering parameter value of acquisition to calculate following virtual optics data decryption equation, the deciphering cleartext information.

U _i(m，n)＝DFD[U′(k，l)；λ，d _i(d _o，f)]

In the formula,

U′(m，n)=U _L2(m，n)-DFD[U _M′(k，l)；λ，d]×t(m，n；f)

4) correct cleartext information obtains, and a secure communication finishes.

The invention has the advantages that: (1) virtual optics DEA simulate optical information process carries out enciphering/deciphering to information, and its physical background is very clear; (2) than the traditional data ciphering process the bigger degree of freedom is arranged, the level of security height.Such as, can select a wavelength design key arbitrarily in a certain spectral region, and not rely on physics light source (as laser) with specific wavelength; (3) perplex the optical information security system in the world and go on one of major obstacle of practicability by introducing the PKIX technology, having solved: the distribution of symmetric cryptographic key and transmission problem.(4) automatic key management and encryption key distribution are concentrated in the scheme support that proposes of the present invention, can manage be used to encrypt and key, certificate and the consequent various mechanism of digital signature between trusting relationship.

Description of drawings:

Fig. 1 is a transmit leg process block diagram.

Fig. 2 is recipient's process block diagram.

Fig. 3 is the process block diagram of transmit leg checking recipient digital certificate.

Embodiment

Below in conjunction with accompanying drawing embodiments of the present invention are done and to be explained.For convenience of explanation, the form of digital certificate adopts ITU-T international standard X.509, and it comprises the information content of the following aspects: the information of certificate owner's personal information, public key information, certificate authority unit, the digital signature of certificate authority unit etc.Particular content sees corresponding international standard for details, i.e. correlation technique document [5].The PKI distribution technique is the RSA rivest, shamir, adelman that asymmetric encryption techniques adopts standard; Hash function adopts the SHA-1 of American National Standard and the NIST of technical research institute design; Digital signature technology adopts the RSA Digital Signature Algorithm of standard.

Before using native system, must produce that to meet required (PKI, the private key) key of RSA Algorithm right, its step is as follows:

1) selects two big prime number p, q at random.

2) calculate N _RSA=p * q, Φ (N _RSA)=(p-1) (q-1), wherein Φ (N _RSA) be N _RSAThe Euler's function value.

3) select an integer e _RSA, satisfy 1＜e _RSA＜Φ (N _RSA), and gcd (Φ (N _RSA), e _RSA)=1.By the way of industry, get e _RSA=65537 or e _RSA=3.

4) calculate d _RSA=e _RSA ^-1Mod Φ (N _RSA).

5) with { e _RSA, N _RSAAs PKI PK, can disclose; { d _RSA, N _RSAAs private key SK, need secret the preservation.

The key that produces the recipient according to the method described above is to (PK _R, SK _R) and the key of the CA of authentication center to (PK _CA, SK _CA).

Mentioned " digital certificate " comes down to the message of a digital signature among the present invention, is generally used for proving the validity of the PKI of certain entity.Digital certificate requires a kind of public form, and the certificate format in this enforcement is based upon ITU-T X.509 on the standard base.Digital certificate is a structured documents, in structure some information and PKI is bundled, and is signed by third party (CA) then, and CA has guaranteed the corresponding relation of PKI with main body to the signature of certificate.Digital certificate comprises certificate owner's identity information, certificate owner's PKI, the identity information of CA, the digital signature of CA usually.

X.509 the CA of authentication center treats document (public key information that the comprises the recipient) M of signature, it is the message digest H (M) of 160 bits that the effect of SHA-1 one-way Hash function (Hash Function) H by NIST design produces length, then with the private cipher key SK of this message digest H (M) with CA _CAEncrypt with the RSA Digital Signature Algorithm of standard, form the signature S of CA and tail as the part of certificate content.

It is the fixing output text (160bit) of relatively little length that hash function wherein can become the plain text of random length of input." fingerprint " that the text strings of this regular length (output text) can be used as input text (fingerprint) also is called message digest (digest).The informative abstract of asking for by salted hash Salted that depends on raw information can reflect the slight variation of raw information, only is a bit even change.

Fig. 1 and Fig. 2 are respectively transmit leg and recipient's process block diagram.

As follows based on secure communication basic process of the present invention:

At transmit leg, the step of carrying out comprises following:

1) transmit leg generates session key K at random _Session=MDEK=RNG (d _o, d, f, λ, RM ‖ Seed)

Wherein RNG (.) represents randomizer, and on behalf of random number, Seed generate seed.System generates diffraction distance parameter d at random _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM, be combined into multidimensional data encryption key MDEK (Multidimensional Data Encryption Keys) then, i.e. session key K _SessionShould be noted that: under the technical background of virtual optics, the geometry and the physical parameter value that are used to be designed to key can be selected arbitrarily.Such as, can select a wavelength design key arbitrarily in a certain spectral region, and not necessarily depend on physics light source (as laser) with specific wavelength.

2) transmit leg utilizes session key K _SessionWith virtual optics data encryption equation, cleartext information is encrypted, obtain ciphertext, be expressed as U _L2:

U _L2(m，n)＝{DFD[U _o(k，l)；λ，d _o]+DFD[U _M(k，l)；λ，d]}×t(m，n；f)；

Wherein DFD represents discrete fresnel diffraction conversion, and its computing formula is as follows:

$\mathrm{DFD}[U_o(k,l);\mathrm{\λ},d_o]=\frac{1}{\mathrm{j\λ}{d}_o}\exp \left[j\frac{\mathrm{\π}}{\mathrm{\λ}{d}_o}(m^2{\mathrm{\Δ\ξ}}^2+n^2{\mathrm{\Δ\η}}^2)\right]$

$\×\underset{k=0}{\overset{N-1}{\mathrm{\Σ}}}\underset{l=0}{\overset{N-1}{\mathrm{\Σ}}}{U}_o(k,l)\exp \left[j\frac{\mathrm{\π}}{\mathrm{\λ}{d}_o}(k^2{{\mathrm{\Δx}}_o}^2+l^2{{\mathrm{\Δy}}_o}^2)\right]$

$\×\exp [-j2\mathrm{\π}(\frac{\mathrm{km}}{N}+\frac{\ln }{N})]$

T (m, n; F) discrete form of expression lens complex amplitude transmittance function, its computing formula is as follows:

$t(m,n)=\exp [-j\frac{k}{2f}(m^2{\mathrm{\Δ\ξ}}^2+n^2{\mathrm{\Δ\η}}^2)]$

3) transmit leg utilizes the PKI PK of the CA of authentication center _CAVerify digital certificate, thereby the correctness and the integrality of the recipient's PKI that comprises in the authentication certificate are obtained recipient's public-key cryptography PK _R

PK _R←Authentication(Certificate‖PK _CA)

Wherein Authentication (.) represents the basic process of transmit leg checking recipient's digital certificate, and detailed process as shown in Figure 3.Transmit leg at first utilizes the public-key cryptography PK of CA _CA, and the RSA Digital Signature Algorithm of operative norm decrypts message digest; Then the SHA-1 one-way Hash function (Hash Function) of certificate content execution NIST design to be verified is produced the message digest of another section 160 bits.Relatively whether two sections digests are identical, if different, then checking is not passed through; If content identical then can trusted certificate, and then the recipient's who is comprised in the trusted certificate PKI PK _RInformation really belongs to the recipient, and content is not correctly distorted.

4) transmit leg utilizes recipient's public-key cryptography PK _REncrypted session key K _Session

$c=E_{P{K}_R}\left(K_{\mathrm{session}}\right)$

E wherein _PKRThe RSA rivest, shamir, adelman of (.) expression international standard.C is the result after adopting the RSA rivest, shamir, adelman to session key.

5) the session key c after will encrypting is attached to ciphertext U _L2The back, send to the recipient by communication line together.The recipient, the step of carrying out comprises following:

1) recipient at first uses the private cipher key SK of oneself _RDecrypt correct session key K _Session

$K_{\mathrm{session}}=D_{{\mathrm{SK}}_R}\left(c\right)$

D wherein _SKRThe asymmetric decipherment algorithm of RSA of (.) expression international standard.Because private key SK _RThe assailant preserves by the recipient is secret, so can't obtain correct session key K _Session

2) recipient has obtained correct session key K _Session, that is the recipient has known in this communication that transmit leg is encrypted employed diffraction distance parameter d _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM right value.

3) recipient utilizes the correct deciphering parameter value of acquisition to calculate following virtual optics data decryption equation, the deciphering cleartext information.

U _i(m，n)=DFD[U′(k，l)；λ，d _i(d _o，f)]

In the formula,

U′(m，n)＝U _L2(m，n)-DFD[U′ _M(k，l)；λ，d]×t(m，n；f)

4) correct cleartext information obtains, and a secure communication finishes.

Method based on virtual optics and PKIX realization information security of the present invention has been established necessary basis for optical information security moves towards practicability, can be widely used in the Network Communicate Security field, and promotion prospect is very wide.

Claims (1)

1, a kind of method based on virtual optics and PKIX realization information security, described PKIX general reference communicating pair common with have authoritative third party, set up trusting relationship each other by the form of signing digital certificate, method based on this relation and virtual optics realization information security is characterized in that comprising following process:

Information sender:

(1) side of sending generates session key K at random _Session=MDEK=RNG (d ₀, d, f, λ, RM ‖ Seed)

Wherein RNG (.) represents randomizer, and on behalf of random number, Seed generate seed, and system generates diffraction distance parameter d at random _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM, be combined into multidimensional data encryption key MDEK (Multidimensional Data Encryption Keys) then, i.e. session key K _Session

(2) side utilizes session key K _SessionWith virtual optics data encryption equation, cleartext information is encrypted, obtain ciphertext, be expressed as U _L2:

U _L2(m，n)＝{DFD[U _o(k，l)；λ，d _o]+DFD[U _M(k，l)；λ，d]}×t(m，n；f)；

Wherein DFD represents discrete fresnel diffraction conversion;

(3) side utilizes the PKI PK of the CA of authentication center _CAVerify digital certificate, thereby the correctness and the integrality of the recipient's PKI that comprises in the authentication certificate are obtained recipient's public-key cryptography PK _R

PK _R←Authentication(Certificate‖PK _CA)；

(4) side utilizes recipient's public-key cryptography PK _REncrypted session key K _Session

$c=E_{{\mathrm{PK}}_R}\left(K_{\mathrm{session}}\right)$

E wherein _PKR(.) represents a kind of rivest, shamir, adelman, and c is the result after adopting rivest, shamir, adelman to session key;

(5) the session key c after close is attached to ciphertext UL ₂The back, send to the recipient by communication line together; The receiving party:

(1) recipient at first uses the private cipher key SK of oneself _RDecrypt correct session key K _Session

$K_{\mathrm{session}}=D_{{\mathrm{SK}}_R}\left(c\right)$

D wherein _SKR(.) represents asymmetric decipherment algorithm, because private key SK _RThe assailant preserves by the recipient is secret, so can't obtain correct session key K _Session

(2) recipient has obtained correct session key K _Session, that is the recipient has known in this communication that transmit leg is encrypted employed diffraction distance parameter d _o, d, virtual lens focal length parameter f, virtual optical wavelength λ, random mask RM right value;

(3) recipient utilizes the correct deciphering parameter value of acquisition to calculate following virtual optics data decryption equation, the deciphering cleartext information,

U _i(m，n)＝DFD[U′(k，l)；λ，d _i(d _o，f)]

In the formula,

U′(m，n)＝U _L2(m，n)-DFD[U′ _M(k，l)；λ，d]×t(m，n；f)；

(4) correct cleartext information obtains, and a secure communication finishes.

Images