CN1697371A - Method for sending and receiving data of cipher key - Google Patents

Publication number
CN1697371A
Authority
CN
China
Prior art keywords
data
key
key data
ciphertext
distributing
Legal status
Granted
Application number
CN 200410038227
Other languages
Chinese (zh)
Other versions
CN100544248C (en
Inventor
范云松
何迎春
孙伊
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2004100382271A
Publication of CN1697371A
Application granted
Publication of CN100544248C
Expired - Fee Related

Abstract

The method comprises the following steps: the key sender sets a first operation rule and a second operation rule in advance; a transform operation is applied to the key data using the first operation rule to obtain the ciphertext of the key data; a transform operation is applied to that ciphertext using the second operation rule to obtain summary (digest) data of the key data; and distribution data formed by combining the ciphertext of the key data with the summary data is sent to the receiver of the key data. The invention reduces the complexity of the key distribution step in key management and makes the key data harder to attack during key distribution.

Description

Method for sending and receiving key data
Technical field
The present invention relates to the field of information security, and in particular to a method for sending and receiving key data.
Background
Key management is the central link in a key-based security system. The full life cycle of key management comprises:
Key registration: a network node obtains or creates initial key material by secure means and becomes an authorized member of a security domain;
Key creation: a network node generates key material itself or obtains it from a trusted system component of the key management center (KMC); key material generally includes the key data, the corresponding algorithm information and so on;
Key storage: the key material obtained by the network node is stored on its own media, such as a hard disk, ROM device, chip card or hardware token;
Key distribution: the process by which a network node sends the key data it has obtained to other network nodes; the distribution process must guarantee the integrity and confidentiality of the key data;
Key backup: the key material obtained by the network node is stored again on an independent, secure storage medium, to serve as the data source for a later key recovery process;
Key update: before the life cycle of the key material ends, the network node replaces the key material in use with new key material;
Key deregistration: once a network node no longer needs to keep key data associated with itself, it can deregister the key data and remove the official records of all key material;
Key destruction: the network node destroys all stored and backed-up key material;
Key recovery: if key material is lost without having been leaked (for example through a hardware fault in the network node, or because the user has forgotten a password), the network node can recover the key data from the key material backed up in the key backup process.
At present, the key management schemes of the prior art mainly distribute keys in the following two ways:
1) Diffie-Hellman key distribution mechanism (hereinafter, DH key distribution)
The principle of DH key distribution is illustrated as follows:
Suppose the two network nodes that need to distribute and exchange keys are A and B. During key creation, network node A generates its own key data $X_A$ and network node B generates its own key data $X_B$.
Network node A performs modular exponentiation on $X_A$ to obtain the distribution key data $Y_A = \alpha^{X_A} \bmod q$; network node B performs modular exponentiation on $X_B$ to obtain the distribution key data $Y_B = \alpha^{X_B} \bmod q$. The prime $q$ and the integer $\alpha$ in these two formulas are parameters known in advance to both A and B.
Network nodes A and B send $Y_A$ and $Y_B$ to each other, so that A obtains $Y_B$ and B obtains $Y_A$.
Network nodes A and B then compute $K_A = Y_B^{X_A} \bmod q$ and $K_B = Y_A^{X_B} \bmod q$ respectively. It can be shown mathematically that $K_A = K_B$. A and B have thus established shared key data, which achieves the purpose of key distribution.
In summary, DH key distribution lets any two network nodes carry out secure key distribution and key exchange over an insecure transmission medium. Its effectiveness rests mainly on the difficulty of computing discrete logarithms: the modular exponentiation used to transform the key data is relatively easy, whereas computing the discrete logarithm is much harder. For large primes, computing discrete logarithms is generally considered infeasible with current techniques.
DH key distribution is also suited to real-time, dynamic key distribution; the encrypted key data and the key data algorithm do not need to be transmitted together.
2) Key distribution based on a root key protection mechanism
The key data provider and the key data requester agree in advance to share a set of key data, which is defined as the root key. During a key data request, the provider encrypts the key data actually to be transmitted with the root key and sends it to the requester; the requester decrypts the received encrypted key data with the same root key to obtain the key data.
In a key distribution scheme based on the root key protection mechanism, the root key must therefore be kept safe, and generally needs to be stored in a secure storage medium (such as a smart card).
When key distribution is implemented in software, the sender of confidential information (such as authorization information) must digitally sign or encrypt it to guarantee its secure transmission, and signing or encrypting is precisely the process of applying the key data Key to the confidential information. For the software to run independently, without relying on a device to supply the key data, the key data has to be distributed together with the cryptographic algorithm information built into the software. Key distribution is then not performed in real time, so the DH key distribution mechanism cannot be used.
If instead a root key KeyRoot is established in advance for each network node and used to encrypt the key data Key that protects the confidential information, the problem of protecting KeyRoot arises in turn. For a key distribution scheme implemented in software, protecting KeyRoot is essentially the same problem as protecting Key. A hardware smart card can be used to store KeyRoot, but this makes secure deployment of the key management system more difficult.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for sending and receiving key data that, in a key distribution scheme implemented in software, reduces the complexity of the key distribution link of key management and makes the key data harder to attack during distribution.
To solve the above problem, the present invention provides a method for sending and receiving key data, comprising the steps of:
The key data sender sets a first operation rule and a second operation rule in advance;
A transform operation is applied to the key data using the first operation rule to obtain the ciphertext key data of the key data;
A transform operation is applied to the resulting ciphertext key data using the second operation rule to obtain the summary data of the key data;
The resulting ciphertext key data and summary data are combined into distribution data, which is sent to the key data receiver.
The method further comprises the steps of:
The key data receiver applies a transform operation using the second operation rule to the received distribution data, which contains the summary data, to obtain recovered summary data;
Whether the received distribution data has been attacked is judged by comparing the recovered summary data with the original summary data for consistency.
The method further comprises the step of: the key data receiver applies the inverse transform of the first operation rule to the ciphertext key data contained in the received distribution data to obtain the key data.
The method further comprises the steps of:
At the key data sender, a random sequence generator produces a first auxiliary parameter corresponding to the first operation rule; and
produces a second auxiliary parameter corresponding to the second operation rule.
The key data sender applies the transform operation of the first operation rule to the key data using the first auxiliary parameter, to obtain the ciphertext key data of the key data; and
applies the transform operation of the second operation rule to the resulting ciphertext key data using the second auxiliary parameter, to obtain the summary data of the key data;
The first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the summary data are concatenated to form the distribution data, which is then sent.
The first operation rule is the cipher block chaining (CBC) operation, and the first auxiliary parameter comprises a first conversion password and an initial vector. Obtaining the ciphertext key data further comprises:
The key data and the initial vector are XORed;
The result of XORing the key data with the initial vector is encrypted by the CBC encryption operation using the first conversion password, giving the ciphertext key data.
The second operation rule is the keyed-hash (HMAC) operation, and the second auxiliary parameter comprises a second conversion password and a random number. Obtaining the summary data further comprises:
The region of the distribution data reserved for the summary data is zeroed, giving the corresponding zeroed data;
The zeroed data, the first auxiliary parameter, the second conversion password, the ciphertext key data and the random number are concatenated;
The keyed-hash operation is applied to the concatenated data using the second conversion password, giving the summary data.
The method further comprises the steps of:
The key data receiver extracts the summary data contained in the received distribution data;
The region of the received distribution data that holds the summary data is zeroed, giving the corresponding zeroed data;
The keyed-hash operation is applied, using the second conversion password, to the data formed by concatenating the first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the zeroed data, giving recovered summary data;
The recovered summary data is compared with the extracted summary data. If they are consistent, the distribution data has not been attacked; otherwise the distribution data has been attacked.
The method further comprises the steps of:
The key data receiver XORs the ciphertext key data contained in the received distribution data with the initial vector;
The result of XORing the ciphertext key data with the initial vector is decrypted by the CBC decryption operation using the first conversion password contained in the received distribution data, giving the key data.
In the distribution link of key management, the method of the present invention first applies a transform operation to the key data to obtain the corresponding ciphertext key data, then applies a transform operation to the ciphertext key data to obtain the summary data of the key data, and then combines the ciphertext key data and the summary data into distribution data for sending. The key data receiver can then obtain recovered summary data by a simple operation on the received data and compare it with the received summary data to learn whether the distribution data was attacked during distribution. Only once it has established that no attack occurred does the receiver perform the inverse transform that recovers the key data. This simplifies the key distribution link, makes the distribution data harder to attack during distribution, and thereby guarantees the integrity of the distribution data.
Description of drawings
Fig. 1 is a flowchart of the processing performed at the key data sender in the method of the present invention;
Fig. 2 is a flowchart of the processing performed on the distribution data at the key data receiver in the method of the present invention;
Fig. 3 is a flowchart of an embodiment of the processing performed at the key data sender in the method of the present invention.
Embodiment
In a modern key management system, the security of key data is the key to system security. To ensure the confidentiality and integrity of key data during distribution and to resist replacement attacks on the key data during distribution, in a key distribution scheme implemented purely in software, the method of the present invention is realized by distributing an algorithm library to users, with the relevant key protection algorithm and the relevant key data integrated in the algorithm library.
The design idea of the method is as follows. The key data sender first applies a transform operation to the key data to obtain the corresponding ciphertext key data, then applies a transform operation to the ciphertext key data to obtain the corresponding summary data, and combines the ciphertext key data and summary data into distribution data, which it sends to the key data receiver. The receiver computes recovered summary data from the received distribution data and compares it with the received summary data to judge whether the distribution data was attacked during distribution. If it was not attacked, the receiver then performs the operation that recovers the key data from the received distribution data, obtaining the key data actually used.
Referring to Fig. 1, a flowchart of the processing at the key data sender, the sender processes and sends the key data as follows:
Step S10: a first operation rule and a second operation rule are set in advance. The first operation rule is used later to apply a transform operation to the key data and obtain its ciphertext key data (the key data is the actual key data used by each key distribution node, and the ciphertext key data is the data transmitted in the clear during key distribution). Any existing algorithm capable of encrypting key data can be chosen as the first operation rule; the most commonly used is cipher block chaining (CBC). The second operation rule is used later to apply a transform operation to the ciphertext key data and obtain the summary data of the key data. Any existing algorithm capable of transforming the ciphertext key data into summary data can be chosen as the second operation rule; the most commonly used is the keyed-hash operation (HMAC, a message authentication code mechanism based on cryptographic hash functions).
Step S20: a transform operation is applied to the key data using the first operation rule to obtain the ciphertext key data of the key data;
Step S30: a transform operation is applied to the resulting ciphertext key data using the second operation rule to obtain the summary data of the key data;
Step S40: the ciphertext key data obtained in step S20 and the summary data obtained in step S30 are combined into distribution data and sent. The ciphertext key data and summary data can be combined by concatenation, and the resulting distribution data is sent to the key data receiver.
Referring to Fig. 2, a flowchart of the processing of the distribution data at the key data receiver: after a node, acting as key data receiver, receives the distribution data sent by the sender, it processes the distribution data as follows to verify whether the distribution data was attacked during distribution and, if it was not, applies the inverse transform to the ciphertext key data contained in the distribution data to obtain the key data actually used:
Step S50: the key data receiver first extracts the summary data contained in the received distribution data and stores it;
Step S60: a transform operation is applied to the received distribution data using the second operation rule, giving the corresponding recovered summary data;
Step S70: the recovered summary data obtained in step S60 is compared for consistency with the summary data stored in step S50 to judge whether the received distribution data was attacked. If they are consistent, step S80 is executed; otherwise step S100 is executed: the distribution data may have been attacked during distribution, and no further processing is performed on it.
Step S80: the distribution data was not attacked during distribution, so the received distribution data is processed further;
Step S90: the inverse transform of the first operation rule is applied to the ciphertext key data contained in the received distribution data, giving the key data actually used.
In the receiver processing above, computing the recovered summary data is much simpler than computing the key data actually used, and so consumes less CPU. When the recovered summary data is inconsistent with the original summary data, there is no need to go on and compute the actual key data from the distribution data. Compared with the prior-art approach of judging whether the distribution data was attacked by directly recovering the key data from it, the processing is relatively simple and takes fewer system resources.
Referring to Fig. 3, a flowchart of an embodiment of the processing at the key data sender, the key data is encrypted and formed into distribution data for sending as follows:
Step S110: a first operation rule is set, to be used later to apply a transform operation to the key data and obtain its ciphertext key data. A random sequence generator (RNG) produces a first auxiliary parameter for the first operation rule; this parameter takes part in the encryption of the key data under the first operation rule that yields the ciphertext key data;
Step S120: a second operation rule is set, to be used later to apply a transform operation to the ciphertext key data and obtain the summary data of the key data. The RNG produces a second auxiliary parameter for the second operation rule; this parameter takes part in the transformation of the ciphertext key data under the second operation rule that yields the summary data of the key data;
Step S130: the encryption transform of the first operation rule is applied to the key data using the first auxiliary parameter, giving the ciphertext key data of the key data;
Step S140: the transform operation of the second operation rule is applied, using the second auxiliary parameter, to the ciphertext key data obtained in step S130, giving the summary data of the key data;
Step S150: the first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the summary data are concatenated, and the concatenated result is the distribution data to be sent;
Step S160: the key data sender sends the distribution data.
When the first operation rule is set to the cipher block chaining (CBC) operation, the first auxiliary parameter produced by the RNG comprises a first conversion password and an initial vector. The ciphertext key data is then obtained in step S130 as follows:
Following the CBC algorithm, the key data and the initial vector are first XORed;
Then, with the first conversion password as the encryption key of the CBC operation, the result of XORing the key data with the initial vector is encrypted by the CBC encryption operation, giving the ciphertext key data of the key data.
When the second operation rule is set to the keyed-hash (HMAC) operation, the second auxiliary parameter comprises a second conversion password and a random number. The summary data is then obtained in step S140 as follows:
Following the HMAC algorithm, the region of the distribution data reserved for the summary data is first zeroed, giving the corresponding zeroed data;
Then the zeroed data, the first auxiliary parameter, the second conversion password, the ciphertext key data and the random number are concatenated;
Finally, with the second conversion password as the key of the HMAC operation, the HMAC operation is applied to the concatenated data, giving the summary data of the key data.
Likewise, based on the CBC and HMAC operations, the receiver verifies whether the received distribution data was attacked and recovers the original key data as follows:
First, the summary data contained in the received distribution data is extracted and stored;
Next, the region of the received distribution data that holds the summary data is zeroed, giving the corresponding zeroed data;
Then, with the second conversion password as the key of the HMAC operation, the HMAC operation is applied to the data formed by concatenating the first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the zeroed data, giving recovered summary data;
Finally, the recovered summary data is compared with the stored summary data. If they are consistent, the distribution data has not been attacked; otherwise the distribution data may have been attacked.
If the comparison shows that the distribution data has not been attacked, the ciphertext key data contained in the received distribution data is first XORed with the initial vector;
Then, with the first conversion password contained in the distribution data as the decryption key of the CBC algorithm, the result of XORing the ciphertext key data with the initial vector is decrypted by the CBC decryption operation, giving the original key data actually used.
As the above shows, where an asymmetric cryptosystem such as ECC (Elliptic Curve) or a symmetric cryptosystem is used, the key distribution method of the present invention can establish a layered protection mechanism for the distribution data that guarantees its confidentiality and integrity. When the key data is produced, a symmetric cipher is used to encrypt the key data that needs protection, and the HMAC algorithm is then used to compute a summary of the encrypted data. The HMAC operation processes all the data, including the HMAC key, the conversion key and the summary data, after which the distribution data is formed and sent to the requester.
Before the requester uses the key data, it first computes the summary data and checks whether it is consistent with the original summary data; only if the two are consistent is the key data considered undamaged.
In the detailed description below, the CBC algorithm is the key transform algorithm used to encrypt and decrypt the key data, and the HMAC algorithm is the algorithm used to compute the summary data.
The principle of the HMAC operation is described first. The parameters that take part in the HMAC operation are defined as follows:
H: the hash function, such as MD5 or SHA1
M: the input message of HMAC
b: the number of bits in a block processed by the hash function
n: the length of the hash code produced by the hash function
K: the key used by the HMAC operation; the key length is not greater than b, but should be greater than or equal to n
$K^+$: K padded with 0 on the left so that the total length equals b
ipad: 0x36 repeated b/8 times
opad: 0x5a repeated b/8 times
$\mathrm{HMAC}_K = H[(K^+ \oplus \text{opad}) \,\|\, H[(K^+ \oplus \text{ipad}) \,\|\, M]]$
where ‖ denotes concatenating the operand on its right after the operand on its left.
Next, the principle of the CBC operation is described:
In CBC encryption, the input to the encryption algorithm is the XOR of the current plaintext block and the previous ciphertext block. In CBC decryption, each ciphertext block is decrypted and the result is XORed with the previous ciphertext block to recover the plaintext block. To produce the first ciphertext block, an initial vector IV is generated and XORed with the first plaintext block; in decryption, the IV is XORed with the output of the decryption algorithm to produce the first plaintext block.
The parameters are defined as follows:
$C_n$ denotes the n-th ciphertext block, $P_n$ the n-th plaintext block, $E_K()$ encryption with key K, $D_K()$ decryption with key K, and IV the initial vector.
For the first block $P_1$: on the encrypting side, $C_1 = E_K(IV \oplus P_1)$; on the decrypting side, $IV \oplus D_K(C_1) = P_1$.
For the remaining blocks $P_n$: on the encrypting side, $C_n = E_K(C_{n-1} \oplus P_n)$; on the decrypting side, $C_{n-1} \oplus D_K(C_n) = P_n$.
Based on the CBC and HMAC principles above, the key data provider proceeds as follows:
1. The key provider produces the key data PK that the key requester's user program needs to use;
2. The random number generator RNG is called to produce the HMAC password PKHKey, the CBC symmetric password PKCKey, the initial vector PKIV and the random number RandomData;
3. The key data PK is encrypted in CBC mode to produce the ciphertext key data. With $E_K(M, IV)$ denoting the CBC encryption operation, where K is the symmetric password of the CBC operation, M is the plaintext data and IV is the initial vector, the ciphertext key data is $\text{PKCipher} = E_{\text{PKCKey}}(\text{PK}, \text{PKIV}) = E_{\text{PKCKey}}(\text{PK} \oplus \text{PKIV})$;
4. With $\mathrm{HMAC}_K[M]$ denoting the HMAC operation, where K is the key of the HMAC operation and M is the plaintext data to be processed, the summary data computed from the ciphertext key data PKCipher is $\text{PKHMAC} = \mathrm{HMAC}_{\text{PKHKey}}[\text{RandomData} \,\|\, \text{PKCipher} \,\|\, \text{PKHKey} \,\|\, \text{PKCKey} \,\|\, \text{PKIV} \,\|\, \text{0\_PKHMAC}]$, where 0_PKHMAC denotes that the region of the distribution data that holds the summary data PKHMAC is cleared to 0.
5. The distribution data KEY_C, protected by the HMAC, is integrated into the user program and distributed to the user, where $\text{KEY\_C} = \text{RandomData} \,\|\, \text{PKCipher} \,\|\, \text{PKHKey} \,\|\, \text{PKCKey} \,\|\, \text{PKIV} \,\|\, \text{PKHMAC}$ and ‖ denotes concatenating the data on the right after the data on the left.
Correspondingly, the key data requester's user program processes the key data before use as follows:
1. The user program calls the algorithm library's interface function; before the key data can be used, the algorithm library must verify and decrypt it. During execution, the library function first obtains the received distribution data KEY_C;
2. It extracts the original summary data PKHMAC contained in the distribution data KEY_C and stores it; it then clears to 0 the region of KEY_C that holds PKHMAC and denotes the result KEY_C0; using the PKHKey contained in KEY_C as the HMAC key, it computes the summary data HMAC_KEY_C of KEY_C0 with the HMAC algorithm, so that
HMAC_KEY_C = HMAC_PKHKey[KEY_C0] = HMAC_PKHKey[RandomData ‖ PKCipher ‖ PKHKey ‖ PKCKey ‖ PKIV ‖ 0_PKHMAC];
3. It checks whether the computed HMAC_KEY_C is consistent with the stored PKHMAC; if it is, the distribution data is intact and was not attacked by an interceptor during distribution;
4. With the PKCKey and PKIV contained in KEY_C as the input parameters of the CBC block cipher, it decrypts PKCipher. Writing D_K(C, IV) for the CBC decryption operation, where K is the key, C is the ciphertext data and IV is the initial vector, PK' = D_PKCKey(PKCipher, PKIV) = PKIV ⊕ D_PKCKey(PKCipher), and PK' is exactly the key data PK that the user program actually uses.
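The sender and receiver procedures above, written out as an added Go example (not code from the patent). AES-128-CBC, HMAC-SHA256, the field sizes and the names Pack, Unpack and digest are assumptions, since the page names no concrete cipher, hash or lengths.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const rndN, hkN, ckN, ivN, macN = 16, 32, 16, 16, 32 // assumed byte sizes; the page fixes none
func digest(hk, body []byte) []byte { // HMAC_PKHKey[KEY_C0], with KEY_C0 = body ‖ 0_PKHMAC
	m := hmac.New(sha256.New, hk)
	m.Write(append(body[:len(body):len(body)], make([]byte, macN)...))
	return m.Sum(nil)
}

// Pack (sender, steps 2-5) builds KEY_C = RandomData ‖ PKCipher ‖ PKHKey ‖ PKCKey ‖ PKIV ‖ PKHMAC.
func Pack(pk []byte) ([]byte, error) {
	r := make([]byte, rndN+hkN+ckN+ivN) // RNG output: RandomData ‖ PKHKey ‖ PKCKey ‖ PKIV
	if _, err := rand.Read(r); err != nil || len(pk) == 0 || len(pk)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("RNG failed or PK is not whole 16-byte blocks (err=%v)", err)
	}
	blk, _ := aes.NewCipher(r[rndN+hkN : rndN+hkN+ckN]) // cannot fail: PKCKey is 16 bytes
	body := append(append(append([]byte{}, r[:rndN]...), pk...), r[rndN:]...)
	ct := body[rndN : rndN+len(pk)]
	cipher.NewCBCEncrypter(blk, r[rndN+hkN+ckN:]).CryptBlocks(ct, ct) // PK -> PKCipher in place
	return append(body, digest(r[rndN:rndN+hkN], body)...), nil
}

// Unpack (receiver, steps 2-4) checks PKHMAC over KEY_C0, then CBC-decrypts PKCipher.
func Unpack(keyC []byte) ([]byte, error) {
	n := len(keyC) - (rndN + hkN + ckN + ivN + macN) // length of PKCipher
	if n <= 0 || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed KEY_C (%d bytes)", len(keyC))
	}
	body, t := keyC[:len(keyC)-macN], keyC[rndN+n:] // t = PKHKey ‖ PKCKey ‖ PKIV ‖ PKHMAC
	if !hmac.Equal(t[hkN+ckN+ivN:], digest(t[:hkN], body)) {
		return nil, fmt.Errorf("summary data mismatch: KEY_C was modified")
	}
	blk, _ := aes.NewCipher(t[hkN : hkN+ckN])
	pk := make([]byte, n)
	cipher.NewCBCDecrypter(blk, t[hkN+ckN:hkN+ckN+ivN]).CryptBlocks(pk, keyC[rndN:rndN+n])
	return pk, nil
}
func main() {
	keyC, _ := Pack([]byte("constructed PK!!")) // constructed 16-byte sample key data
	fmt.Println(Unpack(keyC))
}
```

Because PKHKey, PKCKey and PKIV travel inside KEY_C itself, the check in Unpack detects corruption or blind modification of the blob, but anyone who knows the layout can recompute PKHMAC, so it does not authenticate the sender.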
In summary, the key data sending and receiving method of the present invention reduces the workload of the key distribution step in the key management procedure; it effectively separates the key data from the key maintenance state data during key distribution; and it increases the difficulty of a replacement attack on the key data on the transmission medium.
The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art may make improvements and modifications without departing from the technical principle of the present invention, and such improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (9)

1. A key data sending and receiving method, used for sending and receiving key data, characterized in that it comprises the steps of:
The key data sender presets a first operation rule and a second operation rule;
Applying the first operation rule to transform the key data, obtaining the ciphertext key data of the key data;
Applying the second operation rule to transform the obtained ciphertext key data, obtaining the summary data of the key data;
Combining the obtained ciphertext key data and summary data into distribution data and sending it to the key data recipient.
2. The key data sending and receiving method according to claim 1, characterized in that it further comprises the steps of:
The key data recipient applies the second operation rule to transform the summary data contained in the received distribution data, recovering the summary data;
By comparing the recovered summary data with the original summary data for consistency, judging whether the received distribution data has been attacked.
3. The key data sending and receiving method according to claim 1, characterized in that it further comprises the step of:
The key data recipient applies the first operation rule to perform the inverse transform on the ciphertext key data contained in the received distribution data, obtaining the key data.
4. The key data sending and receiving method according to claim 1, characterized in that it further comprises the steps of:
At the key data sender, generating by a random sequence generator a first auxiliary parameter corresponding to the first operation rule; and
Generating a second auxiliary parameter corresponding to the second operation rule.
5. The key data sending and receiving method according to claim 4, characterized in that:
The key data sender applies the first operation rule with the first auxiliary parameter to transform the key data, obtaining the ciphertext key data of the key data; and
Applies the second operation rule with the second auxiliary parameter to transform the obtained ciphertext key data, obtaining the summary data of the key data;
After concatenating the first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the summary data, combines them into the distribution data and sends it.
6. The key data sending and receiving method according to claim 5, characterized in that the first operation rule is a cipher block chaining operation, and the first auxiliary parameter comprises a first transform key and an initial vector; the process of obtaining the ciphertext key data by the operation further comprises:
Performing an XOR of the key data and the initial vector;
Using the first transform key to perform cipher block chaining encryption on the result of XORing the key data with the initial vector, obtaining the ciphertext key data.
7. The key data sending and receiving method according to claim 5, characterized in that the second operation rule is a keyed-hash operation, and the second auxiliary parameter comprises a second transform key and a random number; the process of obtaining the summary data by the operation further comprises:
Clearing to zero the region of the distribution data reserved for the summary data, obtaining the corresponding zeroed data;
Concatenating the zeroed data, the first auxiliary parameter, the second transform key, the ciphertext key data and the random number;
Using the second transform key to perform the keyed-hash operation on the concatenated result, obtaining the summary data.
8. The key data sending and receiving method according to claim 7, characterized in that it further comprises the steps of:
The key data recipient extracts the summary data contained in the received distribution data;
Clearing to zero the region of the received distribution data that holds the summary data, obtaining the corresponding zeroed data;
Using the second transform key to perform the keyed-hash operation on the data formed by concatenating the first auxiliary parameter, the second auxiliary parameter, the ciphertext key data and the zeroed data, recovering the summary data;
Comparing whether the recovered summary data and the extracted summary data are consistent; if they are, the distribution data has not been attacked; otherwise the distribution data has been attacked.
9. The key data sending and receiving method according to claim 6, characterized in that it further comprises the steps of:
The key data recipient performs an XOR of the ciphertext key data contained in the received distribution data and the initial vector;
Using the first transform key contained in the received distribution data to perform cipher block chaining decryption on the result of XORing the ciphertext key data with the initial vector, obtaining the key data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100382271A CN100544248C (en) 2004-05-13 2004-05-13 The key data receiving/transmission method


Publications (2)

Publication Number Publication Date
CN1697371A true CN1697371A (en) 2005-11-16
CN100544248C CN100544248C (en) 2009-09-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090923

Termination date: 20180513