CN1972237A - VPN system based on dynamic encryption algorithm - Google Patents

Info

Publication number: CN1972237A
Authority: CN (China)
Application number: CN 200610144395
Other versions: CN100423507C
Original language: Chinese (zh)
Inventor: 胡祥义
Original assignee: Individual
Current assignee: Beijing Zhongdian Shuan Technology Co ltd
Priority application: CNB2006101443958A (granted as CN100423507C)
Legal status: Granted, active
Prior art keywords: key, group, matrix, encryption, seed

Abstract

This invention relates to a VPN system based on a dynamic encryption algorithm. Using cryptographic, chip and network technology, it designs a dynamic symmetric encryption algorithm whose construction is different for every data encryption in the virtual private network. By establishing an algorithm-construction generation algorithm and a symmetric key generation algorithm, the encryption system uses only one kind of symmetric key instead of a multi-key scheme with network keys, packet keys and tunnel keys.

Description

VPN system based on dynamic encryption algorithm
Technical field:
The present invention relates to the field of information security. It realises a VPN (Virtual Private Network) with cryptographic, chip and network technology, encrypts and decrypts plaintext data in real time, and protects the transmission of data files. It is applicable to the various networks of organisations such as government, enterprises, the military, banks, securities firms and insurers.
Background technology:
At present the construction of the symmetric encryption algorithm used in VPN products worldwide is fixed, and the security of the symmetric cryptosystem is improved mainly by changing the symmetric key. To raise the confidentiality grade of the VPN system, multiple keys are used, such as packet keys, network keys, session keys and tunnel keys, and the various keys are exchanged by encrypting them layer by layer under one another. However, the layering of multiple keys also increases the overhead of the VPN system and reduces its efficiency; at the same time some kinds of keys must be updated by manual intervention, which makes cryptosystem maintenance laborious and costly. Consequently, although many kinds and brands of tunnel-type VPN products are produced at home and abroad, most of them suffer to varying degrees from low speed, high price, poor security and insufficient resistance to collective attack, as well as low VPN efficiency, high cost of distributing and managing the various keys, and difficult routine maintenance. These problems have directly affected the adoption and spread of VPNs.
Summary of the invention:
The present invention uses cryptographic, chip and network technology to design a virtual private network in which the construction of the symmetric encryption algorithm used is different for every data encryption. The implementation steps are as follows:
First, the dynamic encryption algorithm of the VPN is established. One kind of "encryption element" in a symmetric encryption algorithm is expanded into N groups, M groups of "encryption element seeds" in total, i.e. an "encryption element seed" matrix of L rows and N columns is established. The construction-generation algorithm of the dynamic symmetric encryption algorithm is then: using selection parameters composed of a timestamp and a random number, N elements of this matrix (N groups of "encryption element seeds") are chosen in random combination, and together with the other, constant "encryption elements" and circuits of the symmetric encryption algorithm they form the construction of one symmetric encryption algorithm. Because the "encryption element seeds" are chosen by combination, the generated construction of the symmetric encryption algorithm is produced dynamically, changes every time and never repeats. The encryption system uses only one kind of symmetric key; it does not use a multi-key scheme with network keys, packet keys, tunnel keys and so on. The symmetric keys of the encryption system are managed by a key-combination generation technique: "key seeds" are combined at random by a key generation algorithm into a symmetric key that changes every time and never repeats, so the update and management of symmetric keys is completed automatically by the algorithm and needs no manual maintenance. Encrypted data transmission and authentication between VPN gateways, or between a gateway and a client, including the authentication between the origin and the destination before an encryption tunnel is established, all use the dynamic symmetric encryption algorithm and combination keys; authentication is mutual. The common selection parameters for the "encryption element seeds" and the "key seeds" are transmitted only after being encrypted into ciphertext, so that the selection parameters cannot leak. The result is a VPN system that is safe and reliable, simple in structure, efficient, fast and easy to maintain. The VPN system is implemented by a combination of software and hardware; the specific implementation steps are as follows:
1. Select the "encryption element" in the symmetric encryption algorithm: choose one kind of "encryption element" of the selected symmetric encryption algorithm, such as a constant parameter, substitution, permutation, shift, confusion or mixing. Taking SMS4, the block cipher published in China in 2006, as an example, the "encryption elements" that may be selected are the S-box substitution table, the constant parameter CK or the system parameter FK.
2. The timestamp is a Z-digit decimal number comprising year, month, day, hour, minute and second, with Z = 5~12. When the timestamp has 5 digits, for example "61103" denotes 3 November 2006; when it has 12 digits, for example "101103221518" denotes 22:15:18 on 3 November 2010. The random number is an N-digit base-N number: when N = 10 it is a 10-digit decimal number such as "0213295648", and when N = 16 it is a 16-digit hexadecimal number such as "0F295A64B17E83D".
3. Establish the "encryption element seed" matrix. The chosen kind of "encryption element" of the symmetric encryption algorithm is expanded into M groups, divided into N groups. If the "encryption element" is a constant parameter, substitution or permutation, the expansion uses the random number generator in the VPN chip to generate M groups of binary or hexadecimal random numbers and writes them into the chip. If the chosen "encryption element" is a shift, transposition, confusion or mixing, the expansion is designed by hand according to the features of the particular "encryption element": for a shift, M groups of shift parameters are established by varying the number of positions shifted; for confusion, M groups of confusion-order parameters are established by varying the confusion sequence numbers; for mixing, M groups of mixing parameters are established by varying which information bits are taken from the extended register. The parameters must also pass an invertibility test and a security test before being written into the chip. The invertibility test guarantees that any N groups chosen at random from the established "encryption element seeds" produce a symmetric encryption algorithm that correctly decrypts the data it encrypted; the security test guarantees that the elements of the established "encryption element seeds" are widely distributed and random, so that they cannot be guessed. In short, the most convenient method is to select a constant parameter or a substitution as the "encryption element", for example the constant parameter CK or the S-box substitution table of the SMS4 algorithm. The N groups, M groups in total, of "encryption element seeds" are arranged as the elements of L rows and N columns, forming an L × N "encryption element seed" matrix.
4. Establish the algorithm for selecting elements of the "encryption element seed" matrix:
(1) Establish the correspondence between the selection parameters and the elements of the "encryption element seed" matrix. The timestamp and the random number are the selection parameters. Groups 1~N are defined as the year group, month group, day group, hour group, minute group, second group, 7th group, ..., Nth group. Each group of "encryption element seeds" is a sub-matrix, N sub-matrices in all, and the timestamp divides each group into rows: the "year" group has W rows (a W × N sub-matrix), the "month" group 12 rows (12 × N), the "day" group 31 rows (31 × N), the "hour" group 24 rows (24 × N), the "minute" group 60 rows (60 × N), the "second" group 60 rows (60 × N), and the 7th~Nth groups 1 row each (1 × N), L rows in total, where W = 10~100 and L = 60~297. Each row has N column elements, i.e. N groups of "encryption element seeds", each group of 1~12 bytes, with N = 10 or 16 and M = 600~4752. Each group of "encryption element seeds", i.e. each sub-matrix, corresponds to one base-N digit of the random number, so that the N sub-matrices together correspond to the N-digit base-N random number;
(2) Establish the rule by which the selection parameters select elements of the "encryption element seed" matrix. Let the year, month, day, hour, minute and second of the timestamp be y, m, d, h, mi and s respectively, and let the N base-N digits of the random number be S1, S2, S3, S4, S5, S6, S7, ..., SN. Then y and S1 together select the element in row y, column S1 of the W × N "year" sub-matrix; m and S2 select row m, column S2 of the 12 × N "month" sub-matrix; d and S3 select row d, column S3 of the 31 × N "day" sub-matrix; h and S4 select row h, column S4 of the 24 × N "hour" sub-matrix; mi and S5 select row mi, column S5 of the 60 × N "minute" sub-matrix; s and S6 select row s, column S6 of the 60 × N "second" sub-matrix; S7 selects column S7 of the 1 × N 7th sub-matrix; ...; SN selects column SN of the 1 × N Nth sub-matrix.
5. Establish the construction-generation algorithm of the dynamic symmetric encryption algorithm. Using the selection parameters formed jointly by the Z-digit decimal timestamp and the N-digit base-N random number, elements of the L × N "encryption element seed" matrix are selected, N matrix elements (N groups of "encryption element seeds") each time. The N selected groups of "encryption element seeds", together with the other, constant "encryption elements" and circuits of the symmetric encryption algorithm, form the construction of one symmetric encryption algorithm; the construction of the symmetric encryption algorithm is thereby transformed into the construction of a dynamic symmetric encryption algorithm.
6. Establish the "key seed" matrix. The random number generator in the VPN chip produces binary random numbers that serve as "key seeds" and are stored in the chip. The "key seeds" are divided into N groups, M groups in total, and these are arranged as the elements of L rows and N columns, forming an L × N "key seed" matrix.
7. Establish the algorithm for selecting elements of the "key seed" matrix:
(1) Establish the correspondence between the selection parameters and the elements of the "key seed" matrix. The timestamp and the random number are the selection parameters. Groups 1~N are defined as the year group, month group, day group, hour group, minute group, second group, 7th group, ..., Nth group. Each group of "key seeds" is a sub-matrix, N sub-matrices in all, and the timestamp divides each group into rows: the "year" group has W rows (a W × N sub-matrix), the "month" group 12 rows (12 × N), the "day" group 31 rows (31 × N), the "hour" group 24 rows (24 × N), the "minute" group 60 rows (60 × N), the "second" group 60 rows (60 × N), and the 7th~Nth groups 1 row each (1 × N), L rows in total, where W = 10~100 and L = 60~297. Each row has N column elements, i.e. N groups of "key seeds", each group of 1~3 bytes, with N = 10 or 16 and M = 600~4752. Each group of "key seeds", i.e. each sub-matrix, corresponds to one base-N digit of the random number, so that the N sub-matrices together correspond to the N-digit base-N random number;
(2) Establish the rule by which the selection parameters select elements of the "key seed" matrix: y and S1 together select the element in row y, column S1 of the W × N "year" sub-matrix; m and S2 select row m, column S2 of the 12 × N "month" sub-matrix; d and S3 select row d, column S3 of the 31 × N "day" sub-matrix; h and S4 select row h, column S4 of the 24 × N "hour" sub-matrix; mi and S5 select row mi, column S5 of the 60 × N "minute" sub-matrix; s and S6 select row s, column S6 of the 60 × N "second" sub-matrix; S7 selects column S7 of the 1 × N 7th sub-matrix; ...; SN selects column SN of the 1 × N Nth sub-matrix.
8. Establish the symmetric key generation algorithm. The selection parameters select elements of the L × N "key seed" matrix, and the N selected matrix elements, i.e. N groups of "key seeds", are combined into one symmetric key; the symmetric key is thus generated by combination. If the combined key is too long, it is folded so that its length is 128 bits or more; in general the key length is governed by the requirements of the encryption system.
9. The "encryption element seeds" of the symmetric encryption algorithm and the "key seeds" are selected by the same selection algorithm, i.e. the same matrix element selection rule, and the same group of selection parameters, the N-digit base-N random number and the Z-digit decimal timestamp, is used to select elements from two L × N matrices of identical structure. The two matrices differ only in what their elements represent: the former represents "encryption element seeds", the latter "key seeds".
10. The sender transmits the same group of selection parameters, the N-digit base-N random number and the Z-digit decimal timestamp, to the receiver. This realises the exchange of the symmetric key and, at the same time, the selection of the "encryption element seeds" of the receiver's symmetric encryption algorithm.
11. The symmetric encryption algorithm, the L × N "encryption element seed" matrix, the L × N "key seed" matrix, the digest algorithm, the asymmetric encryption algorithm, the private key, the construction-generation algorithm of the dynamic symmetric encryption algorithm and the symmetric key generation algorithm are all stored in the chip of the VPN hardware. The construction of the temporary symmetric encryption algorithm and the symmetric key are generated inside the chip of the VPN hardware; data are encrypted and decrypted inside the chip with the dynamic symmetric algorithm and the combination key; the selection-parameter ciphertext is decrypted inside the chip with the private key; and the data of IP packets are digested inside the chip with the digest algorithm. This strengthens the ability of the VPN gateway to resist hacker attacks on its encryption system.
12. Each N-digit base-N random number is generated by the random number generator in the VPN chip, and each Z-digit decimal timestamp is generated by the time function of the computer system; the year, month, day, hour, minute and second in the timestamp all change with the computer system time.
13. According to the timestamp and the random number, the N elements selected from the L × N "encryption element seed" matrix, i.e. the N groups of "encryption element seeds", are one combination of the "encryption element seeds" of the L rows and N columns, and the number of possible combinations is greater than N^N.
14. According to the timestamp and the random number, the N groups of "encryption element seeds" selected from the L × N "encryption element seed" matrix, together with the other, constant "encryption elements" and circuits of the symmetric encryption algorithm, form a construction of the symmetric encryption algorithm that is produced at random, changes every time and never repeats. This randomly produced construction of the symmetric encryption algorithm is temporary: it is not kept after use, and is removed at once by the system.
15. According to the timestamp and the random number, the N elements selected from the L × N "key seed" matrix, i.e. the N groups of "key seeds", are one combination of the "key seeds" of the L rows and N columns, and the number of possible combinations is greater than N^N.
16. According to the timestamp and the random number, the symmetric key combined from the N groups of "key seeds" selected from the L × N "key seed" matrix is generated at random, changes every time and never repeats. This randomly generated symmetric key is temporary: it is not kept after use, and is removed at once by the system.
17. Authentication between VPN gateways and between a client and a gateway, including the authentication between the origin and the destination before an encryption tunnel is established, is realised with the dynamic symmetric encryption algorithm and combination keys. Authentication is mutual, and its process is:
(1) The authenticating party generates a timestamp and a random number, generates the construction of a temporary symmetric encryption algorithm and a symmetric key from the timestamp and the random number, encrypts the random number to produce authentication code 1, and sends the authentication parameters, i.e. the timestamp, the random number and authentication code 1, to the authenticated party; at the same time the authenticating party sets an authentication lifetime T;
(2) After receiving the authentication parameters sent by the authenticating party, the authenticated party generates the construction of the temporary symmetric encryption algorithm and the symmetric key from the timestamp and the random number, encrypts the random number to produce authentication code 2, and decides whether the identity of the authenticating party is legitimate by comparing authentication codes 1 and 2. If it is legitimate, the authenticated party in turn produces authentication parameters by the same method and sends them to the authenticating party, which determines the identity of the authenticated party. Meanwhile the authenticating party checks whether the authentication lifetime T has expired, so that the duration of the mutual authentication is controlled and an attacker who has intercepted the authentication parameters cannot use them to attack the encryption system.
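The two-way authentication of step 17, written out in Python as an added example (not code from the patent). It models both parties against an injectable clock so the lifetime T check can be exercised. The per-message key is derived by a stand-in, an HMAC over the timestamp and random number under a constructed shared seed, in place of the seed-matrix selection, and "encrypting the random number" is modelled by a second HMAC; T_SECONDS and the epoch time are constructed values.

```python
import hashlib
import hmac
import secrets
import time

T_SECONDS = 5  # authentication lifetime T set by the authenticating party (constructed value)
# Stand-in for the seed matrices held by both VPN chips; the patent derives the
# temporary key by matrix selection, this example derives it with an HMAC.
SHARED_SEED = b"constructed seed shared by both VPN chips"


def make_timestamp(now):
    """12-digit decimal timestamp yymmddHHMMSS, the patent's Z = 12 form."""
    return time.strftime("%y%m%d%H%M%S", time.gmtime(now))


def temp_key(ts, rnd):
    """Stand-in for 'generate the temporary algorithm and symmetric key from the
    timestamp and random number'."""
    return hmac.new(SHARED_SEED, ts.encode() + rnd, hashlib.sha256).digest()


def auth_code(ts, rnd):
    """Stand-in for 'encrypt the random number with the temporary key'; the
    result is authentication code 1 (or code 2 when recomputed by the verifier)."""
    return hmac.new(temp_key(ts, rnd), rnd, hashlib.sha256).digest()


class Party:
    """One side of the exchange; clock is injectable so a test can advance time."""

    def __init__(self, clock):
        self.clock = clock
        self.deadline = None

    def challenge(self):
        """Step (1): send timestamp, random number and authentication code 1,
        and remember when the lifetime T expires."""
        ts, rnd = make_timestamp(self.clock()), secrets.token_bytes(8)
        self.deadline = self.clock() + T_SECONDS
        return ts, rnd, auth_code(ts, rnd)

    def verify(self, ts, rnd, code):
        """Recompute authentication code 2 and compare it with the received
        code in constant time."""
        return hmac.compare_digest(auth_code(ts, rnd), code)

    def respond(self, ts, rnd, code1):
        """Step (2), authenticated party: answer with its own parameters only
        if code 1 checks out; otherwise refuse."""
        if not self.verify(ts, rnd, code1):
            return None
        return self.challenge()

    def complete(self, reply):
        """Step (2), authenticating party: the reply is rejected once T has
        expired, so intercepted parameters are useless after the window."""
        deadline, self.deadline = self.deadline, None
        if reply is None or deadline is None or self.clock() > deadline:
            return False
        return self.verify(*reply)


def run_mutual_auth(reply_delay=0.0, tamper=False):
    """Drive gateway and client against a simulated clock and return whether
    the gateway accepted the client. reply_delay models a late or replayed
    answer; tamper models a forged authentication code 1."""
    now = [1_160_000_000.0]  # constructed epoch time in 2006
    gateway, client = Party(lambda: now[0]), Party(lambda: now[0])
    ts, rnd, code1 = gateway.challenge()
    if tamper:
        code1 = bytes(len(code1))  # forged code: the forger lacks the seed
    reply = client.respond(ts, rnd, code1)
    now[0] += reply_delay
    return gateway.complete(reply)
```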
18. When a VPN using the IPSec protocol is established, the IPSec protocol is: on the basis of the origin and destination IP addresses, an IPSec standard encryption tunnel is established, with the following process:
(1) Tunnel establishment stage: mutual authentication between the origin and destination IP addresses using the dynamic symmetric encryption algorithm and combination keys;
(2) Tunnel communication stage: every IP packet is encrypted with one group of symmetric key and one construction of the symmetric encryption algorithm, and different IP packets are encrypted with different groups of symmetric key and different constructions of the symmetric encryption algorithm. To guarantee the integrity of IP packet transmission, the data of each IP packet to be sent is digested with the digest algorithm, and the integrity information is sent to the receiver after the IP packet has been encrypted into ciphertext.
19. When a VPN using the SSL protocol is established, the SSL protocol is: an SSL-standard encryption tunnel is established between the origin and the destination. The SSL protocol consists of the handshake protocol and the record protocol, with the following process:
(1) Handshake protocol: mutual authentication between the origin and the destination using the dynamic symmetric encryption algorithm and combination keys. During the mutual authentication both parties keep the temporarily generated construction of a symmetric encryption algorithm and one group of symmetric key; if the mutual authentication fails, the encryption system at once removes the construction of the temporary symmetric encryption algorithm and the symmetric key kept by both parties;
(2) Record protocol: after the handshake protocol is completed and the temporarily generated construction of a symmetric encryption algorithm and one group of symmetric key have been obtained, the record protocol is completed with this temporary construction and key. Within one tunnel connection, data are encrypted and decrypted with one group of symmetric key and one construction of the symmetric encryption algorithm; each tunnel connection uses a different construction of the symmetric encryption algorithm and a different group of symmetric key.
20. In the VPN encryption system the key is generated by combining "key seeds" with the symmetric key generation algorithm, the symmetric key is exchanged by transmitting the selection parameters of the "key seeds", and the strength of the encryption system is raised by the construction of the dynamic symmetric encryption algorithm, which changes every time. This gives high efficiency and high security, unlike most other VPNs, which adopt a multi-key scheme of network keys, tunnel keys, packet keys and so on and encrypt the keys layer by layer under one another to raise the strength of the encryption system; a VPN using such a multi-key cryptosystem has low efficiency.
21. All remote VPN gateways are managed through tunnels: the administrator establishes an encryption tunnel from a client to each remote VPN gateway and maintains and manages the remote VPN gateways through the tunnel, for example by browsing the log data of each remote VPN gateway from the client. The VPN gateways in the network are thus managed centrally, which reduces management cost, raises management efficiency and guarantees the security of the VPN gateways.
22. The VPN encryption system encrypts data with the dynamic symmetric encryption algorithm. If a block cipher is used as the framework of the dynamic symmetric encryption algorithm, the block length of the algorithm is 64 or 128 bits and the key length is 128 bits or more.
23. The construction of the symmetric encryption algorithm and the key of the VPN encryption system change every time: each encryption of one group of data uses one construction of the cryptographic algorithm and one key, which shields all the conditions a codebreaker relies on. For the codebreaker this mode of data encryption means that the framework of the symmetric encryption algorithm is known but the construction of the algorithm and the key are unknown, and under these conditions a single message cannot be decoded. Modern electronic ciphers are all designed on large-scale integrated circuits, and breaking a modern electronic cipher whose construction and key are unknown is impossible.
24. In the VPN encryption system the selection parameters, the random number and the timestamp, are transmitted encrypted with an asymmetric encryption algorithm: the sender encrypts the selection parameters with the receiver's public key and sends them to the receiver together with the encrypted data. After receiving the selection-parameter ciphertext, the receiver decrypts it with its private key, selects elements of its own "encryption element seed" matrix according to the decrypted selection parameters, and generates the construction of a temporary symmetric encryption algorithm from the N selected groups of "encryption element seeds" together with the other, constant "encryption elements" and circuits; it then selects elements of its own "key seed" matrix according to the same decrypted selection parameters and combines the N selected groups of "key seeds" into one temporary symmetric key. This prevents the selection parameters from leaking and raises the security grade of the VPN system.
Description of drawings:
Fig. 1: structure of the algorithm by which the random number and timestamp select L × N matrix elements
Fig. 2: flow of identity authentication between the origin and the destination in the VPN system
Fig. 3: flow of encryption and decryption of IP packet data in the IPSec protocol
Embodiment:
The implementation steps of the VPN system based on the dynamic encryption algorithm are described below with reference to the drawings:
Fig. 1 describes the structure of the algorithm by which the random number and timestamp select L × N matrix elements, where L = 89 and N = 16:
1. Establish the "encryption element seed" matrix of the symmetric encryption algorithm and the selection rule for its elements
(1) Take a timestamp of 7 decimal digits, ymdh, where y represents the "year" with 1 digit, m the "month" with 2 digits, d the "day" with 2 digits and h the "hour" with 2 digits;
(2) Take a random number of 16 hexadecimal digits: S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15, S16;
(3) Take SMS4, the block cipher published by China at the beginning of 2006, as the example, and establish the "encryption element seed" matrix for the SMS4 algorithm;
(4) Take the constant parameter table CK of the SMS4 algorithm as the "encryption element" and expand it into 1424 groups of "encryption element seeds" divided into 16 groups: the "year" group has 10 rows, the "month" group 12 rows, the "day" group 31 rows, the "hour" group 24 rows and the 5th~16th groups 1 row each, 89 rows in total with 16 groups per row, each group of 8 bytes (64 bits), i.e. each element is 8 bytes (64 bits), 1424 elements in total forming an (89 × 16) matrix. That is, the "encryption element seed" matrix consists of 89 rows and 16 columns, 1424 elements in all;
(5) Establish the "encryption element seed" matrix
The 32 constant parameters of the CK table in the SMS4 block cipher, in hexadecimal, are:
00070e15,1c232a31,383f464d,545b6269,
70777e85,8c939aa1,a8afb6bd,c4cbd2d9,
e0e7eef5,fc030a11,181f262d,343b4249,
50575e65,6c737a81,888f969d,a4abb2b9,
c0c7ced5,dce3eaf1,f8ff060d,141b2229,
30373e45,4c535a61,686f767d,848b9299,
a0a7aeb5,bcc3cad1,d8dfe6ed,f4fb0209,
10171e25,2c333a41,484f565d,646b7279,
Let the elements of the "encryption element seed" matrix be: A(0,0), A(0,1), ..., A(0,15), ..., A(9,0), A(9,1), ..., A(9,15); B(01,0), B(01,1), ..., B(01,15), ..., B(12,0), B(12,1), ..., B(12,15); C(01,0), C(01,1), ..., C(01,15), ..., C(31,0), C(31,1), ..., C(31,15); D(01,0), D(01,1), ..., D(01,15), ..., D(24,0), D(24,1), ..., D(24,15); E(0), E(1), ..., E(15); F(0), F(1), ..., F(15); G(0), G(1), ..., G(15); H(0), H(1), ..., H(15); I(0), I(1), ..., I(15); J(0), J(1), ..., J(15); K(0), K(1), ..., K(15); L(0), L(1), ..., L(15); M(0), M(1), ..., M(15); N(0), N(1), ..., N(15); O(0), O(1), ..., O(15); P(0), P(1), ..., P(15). The random number generator in the VPN chip produces hexadecimal random numbers, 1424 groups in all, each group of 16 hexadecimal digits occupying 8 bytes, 11382 bytes in total; these 1424 groups of hexadecimal random numbers are stored in the chip as the elements of the above "encryption element seed" matrix;
(6) Establish the correspondence and the selection rule between the timestamp and random number and the elements of the "encryption element seed" matrix
Correspondence: y and S1 correspond to the (10 × 16) sub-matrix A(0,0), A(0,1), ..., A(0,15), ..., A(9,0), A(9,1), ..., A(9,15); m and S2 correspond to the (12 × 16) sub-matrix B(01,0), B(01,1), ..., B(01,15), ..., B(12,0), B(12,1), ..., B(12,15); d and S3 correspond to the (31 × 16) sub-matrix C(01,0), C(01,1), ..., C(01,15), ..., C(31,0), C(31,1), ..., C(31,15); h and S4 correspond to the (24 × 16) sub-matrix D(01,0), D(01,1), ..., D(01,15), ..., D(24,0), D(24,1), ..., D(24,15); S5 corresponds to the (1 × 16) sub-matrix E(0), E(1), ..., E(15); S6 to the (1 × 16) sub-matrix F(0), F(1), ..., F(15); S7 to G(0), G(1), ..., G(15); S8 to H(0), H(1), ..., H(15); S9 to I(0), I(1), ..., I(15); S10 to J(0), J(1), ..., J(15); S11 to K(0), K(1), ..., K(15); S12 to L(0), L(1), ..., L(15); S13 to M(0), M(1), ..., M(15); S14 to N(0), N(1), ..., N(15); S15 to O(0), O(1), ..., O(15); S16 to P(0), P(1), ..., P(15), each of these a (1 × 16) sub-matrix;
Selection rule: y and S1 select A(y,S1); m and S2 select B(m,S2); d and S3 select C(d,S3); h and S4 select D(h,S4); S5 selects E(S5); S6 selects F(S6); S7 selects G(S7); S8 selects H(S8); S9 selects I(S9); S10 selects J(S10); S11 selects K(S11); S12 selects L(S12); S13 selects M(S13); S14 selects N(S14); S15 selects O(S15); S16 selects P(S16).
(7) For example: when the time is 21:00 on 6 October 2006, the timestamp is "6100621", 7 digits in all, where y = 6, m = 10, d = 06, h = 21;
Let the random number be "B130F8A765D90245";
then, according to the selection algorithm for elements of the "encryption element seed" matrix, the matrix elements selected in Fig. 1 are: A(6,11), B(10,1), C(6,3), D(21,0), E(15), F(8), G(10), H(7), I(6), J(5), K(13), L(9), M(0), N(2), O(4), P(5).
From these a temporary CK table is generated according to the structure of the constant parameter table CK (the table is given as an image in the original: Figure A20061014439500161).
The 16 groups of "encryption element seeds" selected for this occasion, i.e. the generated temporary CK table, together with the other, constant "encryption elements" and circuits of the SMS4 encryption algorithm, form the construction of one temporary symmetric encryption algorithm.
2. Establish the combination-key generation rule
(1) The timestamp is 7 decimal digits;
Suppose the timestamp is ymdh, where y represents the "year" (1 digit), m represents the "month" (2 digits), d represents the "day" (2 digits) and h represents the "hour" (2 digits);
(2) The random number is 16 hexadecimal digits;
Suppose the random number is S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15, S16;
(3) The key length is 128 bits;
Suppose each element of the key seed table is 1 byte, i.e. 8 bits;
(4) Establish the "key seed" matrix
Suppose the elements of the "key seed" matrix are: A_{0,0}, A_{0,1}, ..., A_{0,15}, ..., A_{9,0}, A_{9,1}, ..., A_{9,15}, B_{1,0}, B_{1,1}, ..., B_{1,15}, ..., B_{12,0}, B_{12,1}, ..., B_{12,15}, C_{1,0}, C_{1,1}, ..., C_{1,15}, ..., C_{31,0}, C_{31,1}, ..., C_{31,15}, D_{1,0}, D_{1,1}, ..., D_{1,15}, ..., D_{24,0}, D_{24,1}, ..., D_{24,15}, E_0, E_1, ..., E_15, F_0, F_1, ..., F_15, G_0, G_1, ..., G_15, H_0, H_1, ..., H_15, I_0, I_1, ..., I_15, J_0, J_1, ..., J_15, K_0, K_1, ..., K_15, L_0, L_1, ..., L_15, M_0, M_1, ..., M_15, N_0, N_1, ..., N_15, O_0, O_1, ..., O_15, P_0, P_1, ..., P_15. Binary random numbers are produced with the random-number generator in the VPN chip: 1424 groups of binary random numbers in all, each group 8 bits occupying 1 byte, 1424 bytes in total; the contents of these 1424 groups of binary random numbers are stored in the chip as the elements of the above "key seed" matrix;
(5) Establish the correspondence and the selection rule between the digits of the timestamp and random number and the elements of the "key seed" matrix:
Correspondence: y and S1 correspond to the (10 × 16) sub-matrix A_{0,0}, A_{0,1}, ..., A_{0,15}, ..., A_{9,0}, A_{9,1}, ..., A_{9,15}; m and S2 correspond to the (12 × 16) sub-matrix B_{1,0}, B_{1,1}, ..., B_{1,15}, ..., B_{12,0}, B_{12,1}, ..., B_{12,15}; d and S3 correspond to the (31 × 16) sub-matrix C_{1,0}, C_{1,1}, ..., C_{1,15}, ..., C_{31,0}, C_{31,1}, ..., C_{31,15}; h and S4 correspond to the (24 × 16) sub-matrix D_{1,0}, D_{1,1}, ..., D_{1,15}, ..., D_{24,0}, D_{24,1}, ..., D_{24,15}; S5 corresponds to the (1 × 16) sub-matrix E_0, E_1, ..., E_15; S6 to F_0, F_1, ..., F_15; S7 to G_0, G_1, ..., G_15; S8 to H_0, H_1, ..., H_15; S9 to I_0, I_1, ..., I_15; S10 to J_0, J_1, ..., J_15; S11 to K_0, K_1, ..., K_15; S12 to L_0, L_1, ..., L_15; S13 to M_0, M_1, ..., M_15; S14 to N_0, N_1, ..., N_15; S15 to O_0, O_1, ..., O_15; S16 to P_0, P_1, ..., P_15, each of these a (1 × 16) sub-matrix;
Selection rule: y and S1 select A_{y,S1}; m and S2 select B_{m,S2}; d and S3 select C_{d,S3}; h and S4 select D_{h,S4}; S5 selects E_{S5}; S6 selects F_{S6}; S7 selects G_{S7}; S8 selects H_{S8}; S9 selects I_{S9}; S10 selects J_{S10}; S11 selects K_{S11}; S12 selects L_{S12}; S13 selects M_{S13}; S14 selects N_{S14}; S15 selects O_{S15}; S16 selects P_{S16}.
(6) Example: when the time is 21:00 on 6 October 2006, the timestamp is "6100621" (7 digits in total), where y = 6, m = 10, d = 06, h = 21;
Suppose the random number is "B130F8A765D90245";
According to the selection algorithm for the elements of the "key seed" matrix, the elements selected from the matrix of Fig. 1 are: A_{6,11}, B_{10,1}, C_{6,3}, D_{21,0}, E_15, F_8, G_10, H_7, I_6, J_5, K_13, L_9, M_0, N_2, O_4, P_5; then the synthesized symmetric key = (A_{6,11} B_{10,1} C_{6,3} D_{21,0} E_15 F_8 G_10 H_7 I_6 J_5 K_13 L_9 M_0 N_2 O_4 P_5).
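The selection rule above, carried through on the page's own worked example (timestamp "6100621", random number "B130F8A765D90245"), as an added illustration that is not the patent's code. It assumes the 1424 chip bytes are laid out group by group and row by row, and that the 16 selected bytes are concatenated in group order A..P to form the 128-bit key; neither layout detail is stated on the page.

```python
"""Seed-matrix selection and combination-key synthesis for the 16-group,
16-column instance described on the page (added illustration, not the
patent's own code).

Assumptions not stated on the page: the 1424 random bytes are stored group
by group, row by row; the 16 selected bytes are concatenated in the order
A..P to give the 128-bit key.
"""
import os

# Sub-matrix layout from the page: (group letter, row labels). Every group
# has 16 columns, and a column is indexed by one hex digit of the random number.
GROUPS = (
    ("A", range(0, 10)),   # "year"  y -> 10 x 16, rows labelled 0..9
    ("B", range(1, 13)),   # "month" m -> 12 x 16, rows labelled 1..12
    ("C", range(1, 32)),   # "day"   d -> 31 x 16, rows labelled 1..31
    ("D", range(1, 25)),   # "hour"  h -> 24 x 16, rows labelled 1..24 on the page
) + tuple((g, range(0, 1)) for g in "EFGHIJKLMNOP")  # twelve 1 x 16 groups
COLS = 16
TOTAL_ELEMENTS = sum(len(rows) for _, rows in GROUPS) * COLS  # 1424 bytes


def build_seed_matrix(raw: bytes) -> dict:
    """Split the chip's 1424 random bytes into {group: {row_label: 16 bytes}}."""
    if len(raw) != TOTAL_ELEMENTS:
        raise ValueError(f"need {TOTAL_ELEMENTS} bytes, got {len(raw)}")
    matrix, pos = {}, 0
    for group, rows in GROUPS:
        matrix[group] = {}
        for label in rows:
            matrix[group][label] = raw[pos:pos + COLS]
            pos += COLS
    return matrix


def parse_timestamp(ts: str) -> dict:
    """'ymmddhh' -> y (1 digit), m, d, h (2 digits each); e.g. '6100621'."""
    if len(ts) != 7 or not ts.isdigit():
        raise ValueError("timestamp must be 7 decimal digits")
    return {"y": int(ts[0]), "m": int(ts[1:3]), "d": int(ts[3:5]), "h": int(ts[5:7])}


def parse_random(rnd: str) -> list:
    """16 hex digits -> S1..S16 as integers 0..15."""
    if len(rnd) != 16:
        raise ValueError("random number must be 16 hex digits")
    return [int(c, 16) for c in rnd]


def select_indices(ts: str, rnd: str) -> list:
    """The page's selection rule: (A, y, S1), (B, m, S2), (C, d, S3), (D, h, S4),
    then (E, 0, S5) ... (P, 0, S16). Returns 16 (group, row, column) triples."""
    t, s = parse_timestamp(ts), parse_random(rnd)
    rows = [t["y"], t["m"], t["d"], t["h"]] + [0] * 12
    return [(g, r, c) for (g, _), r, c in zip(GROUPS, rows, s)]


def select_elements(matrix: dict, ts: str, rnd: str) -> list:
    """Look up the 16 selected bytes. The page labels the hour rows 1..24 and
    does not say how hour 0 is mapped, so a label with no row is rejected."""
    out = []
    for g, r, c in select_indices(ts, rnd):
        if r not in matrix[g]:
            raise ValueError(f"no row {r} in sub-matrix {g}")
        out.append(matrix[g][r][c])
    return out


def synthesize_key(matrix: dict, ts: str, rnd: str) -> bytes:
    """Concatenate the 16 selected 1-byte 'key seeds' into a 128-bit key."""
    return bytes(select_elements(matrix, ts, rnd))


if __name__ == "__main__":
    # Constructed stand-in for the VPN chip's random-number generator output.
    chip_matrix = build_seed_matrix(os.urandom(TOTAL_ELEMENTS))
    ts, rnd = "6100621", "B130F8A765D90245"   # the page's worked example
    print(select_indices(ts, rnd))
    print(synthesize_key(chip_matrix, ts, rnd).hex())
```

The same selector applied to the "encryption element seed" matrix yields the 16 temporary CK entries; only the element width differs.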
Fig. 2 illustrates the identity authentication process between the source and destination in the VPN system:
(1) First, the authenticating party generates an N-digit base-N random number 1 and a Z-digit decimal timestamp 1;
(2) According to random number 1 and timestamp 1, the authenticating party drives the selection algorithm of the "encryption element seed" matrix to obtain from its encryption chip one element of each of the N "encryption element seed" sub-matrices, i.e. N "encryption element seeds", and together with the other constant "encryption elements" and their circuits in the cryptographic algorithm generates one temporary symmetric-encryption-algorithm configuration; then, according to the same random number and timestamp, it drives the selection algorithm of the "key seed" matrix to obtain from its encryption chip one element of each of the N "key seed" sub-matrices, i.e. N "key seeds", and synthesizes a temporary symmetric key;
(3) With the temporary algorithm configuration and the symmetric key generated by the authenticating party, random number 1 is encrypted to ciphertext, i.e. authentication password 1;
(4) The authenticating party sends authentication password 1, random number 1 and timestamp 1 together as the authentication parameters to the authenticated party; at the same time it generates an authentication lifetime T, and the encryption system immediately erases the temporarily generated algorithm configuration and symmetric key;
(5) After the authenticated party receives these authentication parameters, it drives the selection algorithm of the "encryption element seed" matrix with random number 1 and timestamp 1 to obtain from its own encryption chip one element of each of the N "encryption element seed" sub-matrices, i.e. N "encryption element seeds", and together with the other constant "encryption elements" and their circuits in the symmetric algorithm generates one temporary symmetric-encryption-algorithm configuration; then, with random number 1 and timestamp 1, it drives the selection algorithm of the "key seed" matrix to obtain from its encryption chip one element of each of the N "key seed" sub-matrices, i.e. N "key seeds", and synthesizes a temporary symmetric key;
(6) With the temporary algorithm configuration and symmetric key generated by the authenticated party, random number 1 is encrypted to ciphertext, i.e. authentication password 2; authentication password 1 is then compared with authentication password 2: if they differ, authentication fails; otherwise authentication passes, i.e. one-way authentication is complete; afterwards, the encryption system immediately erases the temporarily generated algorithm configuration and symmetric key;
(7) After the identity of the authenticating party has been verified, the authenticated party generates an N-digit base-N random number 2 and a Z-digit decimal timestamp 2;
(8) According to random number 2 and timestamp 2, the authenticated party drives the selection algorithm of the "encryption element seed" matrix to obtain from its encryption chip one element of each of the N "encryption element seed" sub-matrices, i.e. N "encryption element seeds", and together with the other constant "encryption elements" and their circuits in the cryptographic algorithm generates one temporary symmetric-encryption-algorithm configuration; then, with random number 2 and timestamp 2, it drives the selection algorithm of the "key seed" matrix to obtain from its encryption chip one element of each of the N "key seed" sub-matrices, i.e. N "key seeds", and synthesizes a temporary symmetric key;
(9) With the temporary algorithm configuration and symmetric key generated by the authenticated party, random number 2 is encrypted to ciphertext, i.e. authentication password 3;
(10) The authenticated party sends authentication password 3, random number 2 and timestamp 2 together as the authentication parameters to the authenticating party; afterwards, the encryption system immediately erases the temporary algorithm configuration and symmetric key generated by the authenticated party; if an SSL encryption tunnel is to be established, this temporary configuration and symmetric key are instead retained for use in the record protocol of the SSL protocol;
(11) After the authenticating party receives these authentication parameters, it drives the selection algorithm of the "encryption element seed" matrix with random number 2 and timestamp 2 to obtain from its encryption chip one element of each of the N "encryption element seed" sub-matrices, i.e. N "encryption element seeds", and together with the other constant "encryption elements" and their circuits in the cryptographic algorithm generates one temporary symmetric-encryption-algorithm configuration; then, with random number 2 and timestamp 2, it drives the selection algorithm of the "key seed" matrix to obtain from its encryption chip one element of each of the N "key seed" sub-matrices, i.e. N "key seeds", and synthesizes a temporary symmetric key;
(12) With the temporary algorithm configuration and symmetric key generated by the authenticating party, the received random number 2 is encrypted to ciphertext, i.e. authentication password 4; the authenticating party then checks whether the authentication lifetime T has expired: if T has expired, authentication does not pass and must be performed again; if T has not expired, authentication password 3 is compared with authentication password 4: if they differ, authentication fails; otherwise authentication passes, i.e. two-way authentication is complete and each side is a legitimate user to the other; afterwards, the encryption system immediately erases the temporarily generated algorithm configuration and symmetric key; if an SSL encryption tunnel is to be established, this temporary configuration and symmetric key are instead retained for use in the record protocol of the SSL protocol.
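The twelve steps above as one message exchange between the two parties, added here as an illustration rather than code from the patent. The chip's step of selecting seeds from its matrices, building the temporary algorithm and key, and encrypting the random number is replaced by a labelled stand-in (HMAC-SHA256 over a per-chip secret that both chips share, as both hold the same seed matrices on the page); the message contents, the lifetime T check and the erase-after-use steps follow the page, and the `Party`, `mutual_auth` and `timestamp_of` names are the example's own.

```python
"""Message flow of the two-way authentication of Fig. 2, steps 1-12.
Added illustration, not code from the patent.

Stand-in (assumption): 'select seeds, form the temporary algorithm and key,
encrypt the random number' is modelled as HMAC-SHA256 over a per-chip secret.
Both parties' chips hold the same secret, as both hold the same matrices.
"""
import hashlib
import hmac
import os
import time


def derive_temp(chip_secret: bytes, rnd: bytes, ts: str) -> bytes:
    """Stand-in for the temporary algorithm configuration + temporary key
    that the chip derives from (random number, timestamp)."""
    msg = b"derive|" + rnd + b"|" + ts.encode()
    return hmac.new(chip_secret, msg, hashlib.sha256).digest()


def auth_password(chip_secret: bytes, rnd: bytes, ts: str) -> bytes:
    """Stand-in for 'encrypt the random number under the temporary algorithm
    and key'. The temporary material lives only for this call (erased after use)."""
    temp = derive_temp(chip_secret, rnd, ts)
    return hmac.new(temp, rnd, hashlib.sha256).digest()


def timestamp_of(t: float) -> str:
    """'ymmddhh' as on the page: last digit of the year, month, day, hour."""
    tm = time.gmtime(t)
    return f"{tm.tm_year % 10}{tm.tm_mon:02d}{tm.tm_mday:02d}{tm.tm_hour:02d}"


class Party:
    """One VPN endpoint with its (constructed) chip secret."""

    def __init__(self, name: str, chip_secret: bytes):
        self.name, self.secret = name, chip_secret

    def challenge(self, now: float) -> dict:
        """Steps 1-4 (or 7-10): fresh random number and timestamp, plus the
        authentication password computed from them."""
        rnd = os.urandom(8)              # 16 hex digits, as in the page's example
        ts = timestamp_of(now)
        return {"pwd": auth_password(self.secret, rnd, ts), "rnd": rnd, "ts": ts}

    def verify(self, msg: dict) -> bool:
        """Steps 5-6 (or 11-12): recompute the password from the received
        random number and timestamp and compare with the received password."""
        expected = auth_password(self.secret, msg["rnd"], msg["ts"])
        return hmac.compare_digest(expected, msg["pwd"])


def mutual_auth(authenticator: Party, peer: Party, lifetime_t: float, clock) -> str:
    """Run the whole exchange. 'clock' is injected so that expiry of the
    authentication lifetime T can be simulated deterministically."""
    t0 = clock()
    msg1 = authenticator.challenge(t0)        # authenticator -> peer: pwd1, rnd1, ts1
    if not peer.verify(msg1):                 # peer computes pwd2 and compares
        return "failed: one-way authentication"
    msg2 = peer.challenge(clock())            # peer -> authenticator: pwd3, rnd2, ts2
    if clock() - t0 > lifetime_t:             # step 12: T expired, authenticate again
        return "failed: lifetime T expired"
    if not authenticator.verify(msg2):        # authenticator computes pwd4 and compares
        return "failed: two-way authentication"
    return "ok: two-way authentication complete"


if __name__ == "__main__":
    shared = os.urandom(32)                   # constructed: same matrices in both chips
    gateway, client = Party("gateway", shared), Party("client", shared)
    print(mutual_auth(gateway, client, 30.0, time.time))
```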
Fig. 3 illustrates the VPN gateway based on the IPsec protocol and the process of encrypting and decrypting the data of intranet IP packets:
(1) The sender's system generates an N-digit base-N random number and a Z-digit decimal timestamp; according to this random number and timestamp, N groups of "encryption element seeds", i.e. one element from each of the N sub-matrices, are selected from the L × N "encryption element seed" matrix in the sender's VPN chip and, together with the other constant "encryption elements" in the cryptographic algorithm, form one temporary symmetric-encryption-algorithm configuration;
(2) According to the same random number and timestamp generated by the system, N groups of "key seeds", i.e. one element from each of the N sub-matrices, are selected from the L × N "key seed" matrix in the sender's VPN chip and synthesized into one symmetric key;
(3) Integrity information 1 of the intranet IP packet is generated by digesting the packet with the digest algorithm; with the temporary algorithm configuration and symmetric key, the sender encrypts the data of the intranet IP packet together with integrity information 1 to ciphertext;
(4) The random number and timestamp are sent to the recipient together with the encrypted intranet IP packet and integrity information 1; afterwards, the encryption system immediately erases the temporarily generated algorithm configuration and symmetric key;
(5) According to the random number and timestamp sent by the sender, the recipient selects N groups of "encryption element seeds", i.e. one element from each of the N sub-matrices, from the L × N "encryption element seed" matrix in the recipient's VPN chip and, together with the other constant "encryption elements" and their circuits in the symmetric encryption algorithm, forms one temporary symmetric-encryption-algorithm configuration;
(6) According to the same random number and timestamp, N groups of "key seeds", i.e. one element from each of the N sub-matrices, are selected from the L × N "key seed" matrix in the recipient's VPN chip and synthesized into one symmetric key;
(7) With the temporarily generated algorithm configuration and symmetric key, the recipient decrypts the ciphertext intranet IP packet and integrity information 1 sent by the sender to plaintext;
(8) The recipient digests the decrypted plaintext data of the intranet IP packet with the digest algorithm to generate integrity information 2, and determines whether the packet data are complete by checking whether integrity information 1 and integrity information 2 are identical: if they are identical, the data of the intranet IP packet are intact; otherwise the data of the intranet IP packet are corrupted.
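The per-packet process of Fig. 3, steps 1 to 8, carried through on both sides, as an added illustration that is not the patent's code. Because the page's temporary SM4-variant cipher cannot be reproduced here, three labelled stand-ins are assumed: the chip's seed-matrix derivation is HMAC-SHA256 over a per-chip secret, the temporary cipher is an HMAC-SHA256 counter keystream XORed with the data, and the unnamed digest algorithm is SHA-256; `sender_protect`, `receiver_recover` and `integrity_check_fails` are the example's own names.

```python
"""Per-packet confidentiality and integrity flow of Fig. 3 (added
illustration, not code from the patent).

Stand-ins (assumptions): chip derivation = HMAC-SHA256 over a per-chip
secret; temporary cipher = HMAC-SHA256 counter keystream XOR; digest = SHA-256.
"""
import hashlib
import hmac
import os

DIGEST_LEN = 32   # length of integrity information 1 / 2 with SHA-256


def derive_temp(chip_secret: bytes, rnd: bytes, ts: str) -> bytes:
    """Stand-in for the temporary algorithm configuration + key derived
    from the (random number, timestamp) selection parameters."""
    msg = b"derive|" + rnd + b"|" + ts.encode()
    return hmac.new(chip_secret, msg, hashlib.sha256).digest()


def keystream_xor(temp_key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a counter-mode HMAC keystream.
    The same call decrypts, as for any XOR stream construction."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(temp_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def sender_protect(chip_secret: bytes, packet: bytes, rnd: bytes, ts: str) -> dict:
    """Steps 1-4: derive the temporary key, digest the packet (integrity
    information 1), encrypt packet + digest, ship the ciphertext with the
    selection parameters. The temporary key is dropped on return."""
    temp = derive_temp(chip_secret, rnd, ts)
    integrity_1 = hashlib.sha256(packet).digest()
    return {"rnd": rnd, "ts": ts, "ct": keystream_xor(temp, packet + integrity_1)}


def receiver_recover(chip_secret: bytes, msg: dict) -> bytes:
    """Steps 5-8: rebuild the same temporary key from the received parameters,
    decrypt, recompute integrity information 2 and compare it with 1."""
    temp = derive_temp(chip_secret, msg["rnd"], msg["ts"])
    pt = keystream_xor(temp, msg["ct"])
    packet, integrity_1 = pt[:-DIGEST_LEN], pt[-DIGEST_LEN:]
    integrity_2 = hashlib.sha256(packet).digest()
    if not hmac.compare_digest(integrity_1, integrity_2):
        raise ValueError("intranet IP packet data are corrupted")
    return packet


def integrity_check_fails(chip_secret: bytes, msg: dict) -> bool:
    """True when the recipient's step 8 rejects the message."""
    try:
        receiver_recover(chip_secret, msg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    shared = os.urandom(32)                              # constructed chip secret
    pkt = bytes.fromhex("4500003c") + b"intranet payload"  # constructed packet bytes
    msg = sender_protect(shared, pkt, os.urandom(8), "6100621")
    print(receiver_recover(shared, msg) == pkt)
```

A fresh random number per packet gives each packet its own temporary key, which is the page's "different IP packets use different keys and configurations".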

Claims (10)

1. A VPN system based on a dynamic symmetric encryption algorithm, which uses cryptography, chip and network technology to design a virtual private network in which the configuration of the symmetric encryption algorithm used differs every time data are encrypted; the implementation steps are as follows:
First, the dynamic encryption algorithm of the VPN is established: one kind of "encryption element" in a symmetric encryption algorithm is expanded into N groups totalling M groups of "encryption element seeds", i.e. an "encryption element seed" matrix of L rows and N columns is established; using the configuration generation algorithm of the dynamic symmetric encryption algorithm, i.e. with selection parameters composed of a timestamp and a random number, N elements of this matrix, N groups of "encryption element seeds", are selected in random combination, and the N selected groups together with the other constant "encryption elements" and their circuits in the symmetric encryption algorithm form one symmetric-encryption-algorithm configuration; the configuration generated by selecting "encryption element seeds" in combination in this way is produced dynamically, changing every time without repetition; the encryption system uses only one kind of symmetric key and does not adopt a multi-key system such as network keys, packet keys and tunnel keys; symmetric-key management in the encryption system uses a key-combination generation technique, i.e. "key seeds" are combined at random by the key generation algorithm into a symmetric key, changing every time without repetition, so that symmetric-key renewal is completed automatically by the algorithm with no manual maintenance; data-encrypted transmission and identity authentication between VPN gateways, or between a gateway and a client, including the identity authentication between source and destination before the encryption tunnel is established, all use the dynamic symmetric encryption algorithm and combination key; the authentication mode is two-way authentication; and the selection parameters common to "encryption element seeds" and "key seeds" are transmitted after being encrypted to ciphertext, to prevent the selection parameters from leaking;
thereby a VPN system is established that is safe and reliable, simple in structure, efficient, fast and easy to maintain.
2, according to the method for claim 1, it is characterized in that:
(1) sets up " encryption element seed " matrix, a kind of " encryption element " in the selected symmetric encipherment algorithm, it is extended to the M group and is divided into N group, if " encryption element " is preset parameter or substitution list, then extended method adopts in the VPN chip randomizer to generate binary system random number or hexadecimal random number and writes in the chip, if selected " encryption element " is displacement, displacement, entanglement or mixing etc., then extended method adopts artificial design, and carry out after fail safe and the invertibity test its parameter being write in the chip, again with this N group altogether M group " encryption element seed " be divided into the capable N row of L as the element of matrix, form L * N " encryption element seed " matrix, and this L * N " encryption element seed " matrix is divided into N sub-matrix promptly: every group " encryption element seed " forms a sub-matrix;
(2) set up the algorithm of choosing of element in " encryption element seed " matrix,
1. set up the corresponding relation of choosing parameter and " encryption element seed " matrix element, with timestamp and random number as choosing parameter, with timestamp each group " encryption element seed " is divided into several rows, wherein: " year ", the group was that W is capable, " moon " group is 12 row, " day " group is 31 row, " time " group be 24 the row, " minute " group be 60 the row, " second " group is 60 row, and the 7th~the N group is respectively 1 row, with the random number of every group " encryption element seed " corresponding N system, be total to corresponding N position N system random number
2. set up and choose the selection rule of parameter " encryption element seed " matrix element, choose " year " group promptly with y and S1 combination: the element of the capable S1 row of the sub-matrix of W * N y, choose " moon " group promptly with m and S2 combination: the element of the capable S2 row of the sub-matrix of 12 * N m, choose " day " group promptly with d and S3 combination: the element of the capable S3 row of the sub-matrix of 31 * N d, with h and S4 in conjunction with choose " time " group: the element of the capable S4 row of the sub-matrix of 24 * N h, with mi and S5 in conjunction with choose " minute " group promptly: the element of the capable S5 row of the sub-matrix of 60 * N mi, choose " second " group promptly with s and S6 combination: the element of the capable S6 row of the sub-matrix of 60 * N s, choose the 7th group promptly with S7: the element of the sub-matrix of 1 * N S7 row,, choose N group promptly with SN: the element of the sub-matrix of 1 * N SN row;
(3) set up the establishment generating algorithm of dynamic symmetric encipherment algorithm, by choosing parameter the element of L * N " encryption element seed " matrix is chosen, select N matrix element is N group " encryption element seed " at every turn, with the N group of selecting " encryption element seed ", with other constant " encryption element " and circuits thereof in the symmetric encipherment algorithm, form the establishment of a cover symmetric encipherment algorithm together.
3, according to the method for claim 1, it is characterized in that:
(1) sets up " key seed " matrix, randomizer is produced the binary system random number as " key seed " in the employing VPN chip, and leave in the chip, " key seed " is divided into N group's M group altogether, with this N group altogether M group " key seed " be divided into the capable N row of L as the element of matrix, form L * N " key seed " matrix, and this L * N " key seed " matrix is divided into N sub-matrix promptly: every group " key seed " forms a sub-matrix;
(2) set up the algorithm of choosing of element in " key seed " matrix,
1. set up the corresponding relation choose parameter and " key seed " matrix element, timestamp and random number as choosing parameter, are divided into several rows with timestamp with each group " key seed ", wherein: " year ", the group was that W is capable, " moon " group is 12 row, and " day " group is 31 row, " time " group 24 goes, " minute " group be 60 the row, " second " group is 60 row, and the 7th~the N group is respectively 1 row, with the random number of every group " key seed " corresponding N system, be total to corresponding N position N system random number
2. set up and choose the selection rule of parameter " key seed " matrix element, choose " year " group promptly with y and S1 combination: the element of the capable S1 row of the sub-matrix of W * N y, choose " moon " group promptly with m and S2 combination: the element of the capable S2 row of the sub-matrix of 12 * N m, choose " day " group promptly with d and S3 combination: the element of the capable S3 row of the sub-matrix of 31 * N d, with h and S4 in conjunction with choose " time " group: the element of the capable S4 row of the sub-matrix of 24 * N h, with mi and S5 in conjunction with choose " minute " group promptly: the element of the capable S5 row of the sub-matrix of 60 * N mi, choose " second " group promptly with s and S6 combination: the element of the capable S6 row of the sub-matrix of 60 * N s, choose the 7th group promptly with S7: the element of the sub-matrix of 1 * N S7 row,, choose N group promptly with SN: the element of the sub-matrix of 1 * N SN row;
(3) set up the symmetric key generating algorithm, the element of L * N " key seed " matrix is chosen, with N matrix element selecting promptly: the synthetic one group of symmetric key of N group " key seed " by choosing parameter.
4, according to the method for claim 2 and 3, it is characterized in that:
(1) each N position N system random number that produces is to be generated by the randomizer in the VPN chip, each decimal numeral timestamp in Z position that produces is that year, month, day, hour, min clock in the timestamp and second all change with the variation of computer system time by the function of time generation of computer system;
(2) according to timestamp and random number, from L * N " encryption element seed " matrix, the element of the N that a selects matrix promptly: N organizes " encryption element seed ", is the combination of the capable N of L row " encryption element seed ", its variable quantity: greater than N N
(3) according to timestamp and random number, from L * N " encryption element seed " matrix, the element of the N that a selects matrix is promptly: N organizes " encryption element seed ", with other constant " encryption element " and circuits thereof in the symmetric encipherment algorithm, the establishment of the symmetric encipherment algorithm of Zu Chenging produces at random together, and one time one change does not repeat, and the establishment of this symmetric encipherment algorithm is interim generation, do not keep after the use, encrypted system removes at once;
(4) according to timestamp and random number, from L * N " key seed " matrix, the element of the N that a selects matrix promptly: N organizes " key seed ", is the combination of the capable N of L row " key seed ", its variable quantity: greater than N N
(5) according to timestamp and random number, from L * N " key seed " matrix, the element of the N that a selects matrix is promptly: N organizes " key seed ", synthetic symmetric key is to generate at random, one time one change does not repeat, and this symmetric key also is interim generation, does not keep after the use, is removed at once by system.
5. The method according to claims 1, 2 and 3, characterized in that:
(1) The selection of the "encryption element seeds" of the symmetric encryption algorithm and the selection of the "key seeds" use the same selection algorithm, i.e. the same matrix-element selection rule, with the same group of selection parameters, the N-digit base-N random number and the Z-digit decimal timestamp, to select elements from two L × N matrices of identical structure; the two matrices differ only in the content their elements represent: the former represents "encryption element seeds", the latter "key seeds";
(2) By transmitting the same group of selection parameters, i.e. the N-digit base-N random number and the Z-digit decimal timestamp, to the recipient, the sender realizes the exchange of the symmetric key and, at the same time, the selection of the "encryption element seeds" in the recipient's symmetric encryption algorithm;
(3) Data encryption in the VPN system is realized with the dynamic symmetric encryption algorithm and combination key; the configuration of the symmetric encryption algorithm changes every time without repetition, and the symmetric key generated by combination likewise changes every time without repetition; operating efficiency is high and maintenance cost is low, unlike other VPN systems, which, to improve the security strength of the VPN, adopt a multi-key system such as network keys, packet keys and tunnel keys, encrypting symmetric keys in layers, with low operating efficiency and high maintenance cost;
(4) The encryption process of the VPN system is: the sender generates an N-digit base-N random number and a Z-digit decimal timestamp and, according to these selection parameters, selects N elements from the "encryption element seed" matrix of the sender's symmetric encryption algorithm; the N selected groups of "encryption element seeds", together with the other constant "encryption elements" and their circuits in the symmetric encryption algorithm, form one symmetric-encryption-algorithm configuration; according to the same selection parameters, N elements are selected from the sender's "key seed" matrix and synthesized into the symmetric key; the sender openly transmits these selection parameters to the recipient; according to the selection parameters sent by the sender, the recipient selects N elements from the recipient's "key seed" matrix and synthesizes the symmetric key, and then, according to the same selection parameters, selects N elements from the "encryption element seed" matrix of the recipient's symmetric encryption algorithm, which, together with the other constant "encryption elements" and their circuits in the symmetric encryption algorithm, form the symmetric-encryption-algorithm configuration.
6, according to the method for claim 1 and 5, it is characterized in that:
(1) when setting up the VPN of IPSes agreement, set up the tunnel stage: adopt dynamic symmetric encipherment algorithm and combination key to carry out two-way authentication between the Origin And Destination IP address, the tunnel communication stage: each IP packet all uses the establishment of one a group of symmetric key and a cover symmetric encipherment algorithm to come encryption and decryption, different IP packet adopts the establishment of different one a group of symmetric key and a cover symmetric encipherment algorithm to come encryption and decryption, for guaranteeing the integrality of IP data packet transmission, use digest algorithm that the data of sending out the IP packet that send are made a summary, and the IP packet integrity information that will be encrypted to ciphertext send to the recipient with the IP packet;
(2) when setting up the VPN of ssl protocol, Handshake Protocol in the ssl protocol: adopt dynamic symmetric encipherment algorithm and combination key to carry out two-way authentication between the Origin And Destination, record protocol in the ssl protocol: after finishing Handshake Protocol, and obtained interim generation one the cover symmetric encipherment algorithm establishment and one group of symmetric key, finish record protocol in the ssl protocol with the establishment of this interim symmetric encipherment algorithm and symmetric key, after one time the tunnel connects, use the encryption and decryption data of working out of one a group of symmetric key and a cover symmetric encipherment algorithm, after each tunnel connects, all use establishment and one group of symmetric key of different cover symmetric encipherment algorithms to come encryption and decryption data.
7, according to the method for claim 6, it is characterized in that:
In setting up SSL encryption tunnel process, if two-way authentication is not passed through, then encryption system is removed the establishment and the symmetric key of the interim symmetric encipherment algorithm of authentication both sides reservation at once, after if two-way authentication is passed through, then keep the establishment of the symmetric encipherment algorithm that both sides the 2nd time produce and symmetric key promptly: unilateral authentication by after enter the establishment and the symmetric key of the symmetric encipherment algorithm that produces in the mutual authentication process, finish the encryption and decryption that data are transmitted mutually between the tunnel.
8, according to the method for claim 1 and 6, it is characterized in that:
(1) sets up the ipsec protocol tunnel, do not adopt in the world the Standard IPSec agreement promptly setting up the tunnel stage: to use rivest, shamir, adelman to carry out the negotiation of all kinds of symmetric keys, symmetric encipherment algorithm and symmetric encipherment algorithm version thereof, all adopt dynamic symmetric encipherment algorithm and combination key, and realize by two-way authentication;
(2) set up the ssl protocol tunnel, in Handshake Protocol, do not adopt in the world in the standard ssl protocol Handshake Protocol promptly: to carry out the negotiation of all kinds of symmetric keys, symmetric encipherment algorithm and symmetric encipherment algorithm version thereof with rivest, shamir, adelman, all adopt dynamic symmetric encipherment algorithm and combination key, and realize by two-way authentication;
(3) verification process of two-way authentication is: by authenticating party rise time stamp and random number, generate the establishment and the symmetric key of interim symmetric encipherment algorithm according to timestamp and random number, encrypted random number generates authenticate password 1, again with timestamp, parameters for authentication such as random number and authenticate password 1 send to certified side, simultaneously, authenticating party produces authentication life cycle T, after certified side receives the parameters for authentication that authenticating party sends, generate the establishment and the symmetric key of interim symmetric encipherment algorithm according to timestamp and random number, encrypted random number generates authenticate password 2, whether identical through contrast authenticate password 1 with 2, whether the identity of determining authenticating party is legal, if legal, then certified side produces parameters for authentication and sends to authenticating party with identical method again, determines certified side's identity, simultaneously, whether authenticating party calculates the authenticated time period T finishes, and controls the time of two-way authentication, in order to avoid intercepted and captured parameters for authentication by other people encryption system is attacked.
9. The method according to claims 1, 5, 6 and 8, characterized in that:
(1) In the VPN encryption system the symmetric encryption algorithm and key are constructed on a one-time basis: every group of data encrypted uses its own cipher and its own group key, so the conditions a cryptanalyst relies on are removed. The attacker faces a known symmetric-cipher framework but must break a single message without knowing how the symmetric encryption algorithm and key were constructed; modern electronic ciphers are all built on large-scale integrated circuits, and breaking a modern electronic cipher whose construction and key are unknown is, according to this claim, impossible;
(2) In the VPN encryption system, the parameters used to select from the "encryption element seed" and "key seed" matrices, namely the random number and the timestamp, are transmitted encrypted with an asymmetric encryption algorithm: the sender encrypts the selection parameters with the recipient's public key, and the recipient, on receiving the selection-parameter ciphertext, decrypts it with its own private key, thereby further raising the security level of the VPN system.
10. The method according to claims 1, 2, 3, 6, 8 and 9, characterized in that:
The symmetric encryption algorithm, the L x N "encryption element seed" matrix, the L x N "key seed" matrix, the digest algorithm, the asymmetric encryption algorithm, the private key, and the generation algorithms for constructing the dynamic symmetric encryption algorithm and the symmetric key are all stored in the chip of the VPN hardware. The temporary symmetric encryption algorithm and symmetric key are generated inside that chip, and data encryption and decryption with the dynamic symmetric algorithm and combination key, decryption of the selection-parameter ciphertext with the private key, and digesting of the IP packet data with the digest algorithm are likewise carried out inside the chip, thereby strengthening the VPN gateway's resistance to hacker attacks on its encryption system.
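The two-way authentication of claim 8(3) and the one-key-per-group rule of claim 9(1), modelled as an added example in Python. This is not code from the patent or from the assignee; the patent does not publish its dynamic cipher or the exact rule by which the timestamp and random number select elements of the L x N "key seed" matrix, so both are assumptions here: the selector bytes come from hashing the timestamp and random number, one matrix element is taken per column, and the "encrypt the random number with the temporary cipher" step is replaced by HMAC-SHA256 keyed with the derived combination key. The matrix sizes, the life cycle T and the clock-skew allowance are constructed values, and the public-key wrapping of the selection parameters from claim 9(2) is not modelled, so the parameters travel in the clear. Two checks the claim text implies but does not spell out are made explicit: the verifier rejects parameters outside the authentication period T (which is what stops an intercepted parameter set from being replayed) and compares passwords in constant time.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the patent specifies an L x N matrix but no sizes.
L, N = 16, 32          # rows and columns of the "key seed" matrix
ELEM = 16              # bytes per seed element
T = 30                 # authentication life cycle, seconds (assumed)
SKEW = 5               # tolerated clock skew, seconds (assumed)


def make_seed_matrix(seed=None):
    """Constructed L x N 'key seed' matrix shared by both VPN endpoints.
    A seed makes it deterministic so two parties can be given the same one."""
    if seed is None:
        return [[secrets.token_bytes(ELEM) for _ in range(N)] for _ in range(L)]
    return [[hashlib.sha256(seed + bytes([i, j])).digest()[:ELEM]
             for j in range(N)] for i in range(L)]


def combination_key(matrix, timestamp, nonce):
    """Assumed selection rule: hash the timestamp and random number into N
    selector bytes; selector j picks the row used in column j. The chosen
    elements are concatenated and hashed into a 32-byte combination key.
    Calling this with a fresh random number per data group gives the
    one-key-per-group behaviour of claim 9(1)."""
    sel = b""
    block = timestamp.to_bytes(8, "big") + nonce
    while len(sel) < N:
        block = hashlib.sha256(block).digest()
        sel += block
    chosen = [matrix[sel[j] % L][j] for j in range(N)]
    return hashlib.sha256(b"".join(chosen)).digest()


def auth_password(matrix, timestamp, nonce):
    """Stand-in for 'encrypt the random number with the temporary cipher':
    HMAC-SHA256 under the combination key (assumption, not the patent's cipher)."""
    key = combination_key(matrix, timestamp, nonce)
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Party:
    def __init__(self, matrix):
        self.matrix = matrix

    def challenge(self, now):
        """Authenticating party: emit timestamp, random number, password 1."""
        nonce = secrets.token_bytes(16)
        return now, nonce, auth_password(self.matrix, now, nonce)

    def verify(self, timestamp, nonce, password, now):
        """Authenticated party: recompute password 2 and compare.
        Parameters older than T (or from the future beyond SKEW) are
        rejected, so a replayed capture fails; compare_digest keeps the
        comparison constant-time."""
        if not (now - T <= timestamp <= now + SKEW):
            return False
        expected = auth_password(self.matrix, timestamp, nonce)
        return hmac.compare_digest(expected, password)


def mutual_auth(a, b, start, finish):
    """Both directions of the exchange; `start` and `finish` are the clock
    values at the first and second half. Fails if the whole exchange does
    not complete within the life cycle T measured from the first timestamp."""
    ts1, n1, pw1 = a.challenge(start)
    if not b.verify(ts1, n1, pw1, start):
        return False
    ts2, n2, pw2 = b.challenge(finish)
    if not a.verify(ts2, n2, pw2, finish):
        return False
    return finish - ts1 <= T


if __name__ == "__main__":
    shared = make_seed_matrix(b"constructed shared seed")
    gw_a, gw_b = Party(shared), Party(shared)
    print("mutual auth:", mutual_auth(gw_a, gw_b, 1000, 1003))
    print("overran T:  ", mutual_auth(gw_a, gw_b, 1000, 1000 + T + 1))
```

Note that, as modelled, a successful run proves only that both ends hold the same seed matrix; it is a shared-secret authentication, and an attacker who obtains the matrix (claim 10 keeps it inside the hardware chip for this reason) can impersonate either side.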
CNB2006101443958A 2006-12-06 2006-12-06 VPN system based on dynamic encryption algorithm Active CN100423507C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101443958A CN100423507C (en) 2006-12-06 2006-12-06 VPN system based on dynamic encryption algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101443958A CN100423507C (en) 2006-12-06 2006-12-06 VPN system based on dynamic encryption algorithm

Publications (2)

Publication Number Publication Date
CN1972237A true CN1972237A (en) 2007-05-30
CN100423507C CN100423507C (en) 2008-10-01

Family

ID=38112837

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101443958A Active CN100423507C (en) 2006-12-06 2006-12-06 VPN system based on dynamic encryption algorithm

Country Status (1)

Country Link
CN (1) CN100423507C (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009062373A1 (en) * 2007-10-15 2009-05-22 Beijing Jinaobo Digital Information Technology Co., Ltd. Method of implementing network genuine identification
CN103259768A (en) * 2012-02-17 2013-08-21 中兴通讯股份有限公司 Method, system and device of message authentication
CN103888243A (en) * 2014-04-15 2014-06-25 飞天诚信科技股份有限公司 Seed key safe transmission method
CN103973438A (en) * 2014-03-25 2014-08-06 深圳天源迪科信息技术股份有限公司 Communication channel dynamic encryption method
CN104318168A (en) * 2014-09-24 2015-01-28 北京云巢动脉科技有限公司 Encryption and decryption method and encryption and decryption system for virtual machine image file
CN104393987A (en) * 2014-11-11 2015-03-04 天津北方网新媒体集团股份有限公司 Data encryption method and system based on iBeacon technology
CN104517019A (en) * 2013-10-07 2015-04-15 涂先锋 Simple and convenient recent time authentication method and realization thereof
WO2015127737A1 (en) * 2014-02-25 2015-09-03 中兴通讯股份有限公司 Data encrypting and decrypting method, apparatus, and terminal
CN107065750A (en) * 2017-05-15 2017-08-18 中国工程物理研究院计算机应用研究所 The industrial control network dynamic security method of interior raw safety
CN107800758A (en) * 2017-03-28 2018-03-13 平安壹钱包电子商务有限公司 Air control data processing method, apparatus and system
CN108400870A (en) * 2018-01-30 2018-08-14 浙江易云物联科技有限公司 Dynamic dual key algorithm
CN108429615A (en) * 2018-01-10 2018-08-21 如般量子科技有限公司 A kind of Stunnel communication means and Stunnel communication systems based on quantum key
CN108632296A (en) * 2018-05-17 2018-10-09 中体彩科技发展有限公司 A kind of dynamic encryption and decryption method of network communication
CN108809940A (en) * 2018-05-04 2018-11-13 四川理工学院 Network system server interacts encryption method with client
CN109005031A (en) * 2018-08-10 2018-12-14 湖南中车时代通信信号有限公司 A kind of key management method for railway signal system
CN113468587A (en) * 2021-09-02 2021-10-01 深圳市通易信科技开发有限公司 User data management method and system based on big data and readable storage medium
CN114615054A (en) * 2022-03-09 2022-06-10 四川中电启明星信息技术有限公司 Dynamic encryption transmission method based on code table
CN116738021A (en) * 2023-06-15 2023-09-12 深圳荣灿大数据技术有限公司 Intelligent enterprise information visualization system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936782A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 Encryption method and encryption device
CN114866242A (en) * 2022-07-06 2022-08-05 眉山环天智慧科技有限公司 Dynamic encryption method, device and medium based on random key and symmetric encryption

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030005328A1 (en) * 2001-06-29 2003-01-02 Karanvir Grewal Dynamic configuration of IPSec tunnels
CN1388684A (en) * 2002-07-23 2003-01-01 胡祥义 Dynamic adaptive VPN method
CN1819515B (en) * 2006-03-20 2012-07-04 胡祥义 Realizing method of security symmetric coding algorithm

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009062373A1 (en) * 2007-10-15 2009-05-22 Beijing Jinaobo Digital Information Technology Co., Ltd. Method of implementing network genuine identification
CN103259768A (en) * 2012-02-17 2013-08-21 中兴通讯股份有限公司 Method, system and device of message authentication
CN104517019A (en) * 2013-10-07 2015-04-15 涂先锋 Simple and convenient recent time authentication method and realization thereof
CN104517019B (en) * 2013-10-07 2020-09-22 涂先锋 Simple and convenient recent time authentication method and implementation
WO2015127737A1 (en) * 2014-02-25 2015-09-03 中兴通讯股份有限公司 Data encrypting and decrypting method, apparatus, and terminal
CN103973438A (en) * 2014-03-25 2014-08-06 深圳天源迪科信息技术股份有限公司 Communication channel dynamic encryption method
CN103973438B (en) * 2014-03-25 2017-11-17 深圳天源迪科信息技术股份有限公司 communication channel dynamic encrypting method
CN103888243A (en) * 2014-04-15 2014-06-25 飞天诚信科技股份有限公司 Seed key safe transmission method
CN103888243B (en) * 2014-04-15 2017-03-22 飞天诚信科技股份有限公司 Seed key safe transmission method
CN104318168A (en) * 2014-09-24 2015-01-28 北京云巢动脉科技有限公司 Encryption and decryption method and encryption and decryption system for virtual machine image file
CN104318168B (en) * 2014-09-24 2017-07-11 浙江云巢科技有限公司 The encryption and decryption method and system of a kind of virtual machine image file
CN104393987A (en) * 2014-11-11 2015-03-04 天津北方网新媒体集团股份有限公司 Data encryption method and system based on iBeacon technology
CN107800758A (en) * 2017-03-28 2018-03-13 平安壹钱包电子商务有限公司 Air control data processing method, apparatus and system
CN107800758B (en) * 2017-03-28 2020-07-24 平安壹钱包电子商务有限公司 Wind control data processing method, device and system
CN107065750A (en) * 2017-05-15 2017-08-18 中国工程物理研究院计算机应用研究所 The industrial control network dynamic security method of interior raw safety
CN108429615A (en) * 2018-01-10 2018-08-21 如般量子科技有限公司 A kind of Stunnel communication means and Stunnel communication systems based on quantum key
CN108400870A (en) * 2018-01-30 2018-08-14 浙江易云物联科技有限公司 Dynamic dual key algorithm
CN108809940A (en) * 2018-05-04 2018-11-13 四川理工学院 Network system server interacts encryption method with client
CN108809940B (en) * 2018-05-04 2020-10-23 四川理工学院 Interactive encryption method for power grid system server and client
CN108632296A (en) * 2018-05-17 2018-10-09 中体彩科技发展有限公司 A kind of dynamic encryption and decryption method of network communication
CN108632296B (en) * 2018-05-17 2021-08-13 中体彩科技发展有限公司 Dynamic encryption and decryption method for network communication
CN109005031A (en) * 2018-08-10 2018-12-14 湖南中车时代通信信号有限公司 A kind of key management method for railway signal system
CN113468587A (en) * 2021-09-02 2021-10-01 深圳市通易信科技开发有限公司 User data management method and system based on big data and readable storage medium
CN114615054A (en) * 2022-03-09 2022-06-10 四川中电启明星信息技术有限公司 Dynamic encryption transmission method based on code table
CN114615054B (en) * 2022-03-09 2023-12-15 四川中电启明星信息技术有限公司 Dynamic encryption transmission method based on code table
CN116738021A (en) * 2023-06-15 2023-09-12 深圳荣灿大数据技术有限公司 Intelligent enterprise information visualization system

Also Published As

Publication number Publication date
CN100423507C (en) 2008-10-01

Similar Documents

Publication Publication Date Title
CN100423507C (en) VPN system based on dynamic encryption algorithm
US10348704B2 (en) Method for a dynamic perpetual encryption cryptosystem
CN101969438B (en) Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN102916806B (en) Cryptograph key distribution system
CN102185692B (en) Multimode reconfigurable encryption method based on advanced encryption standard (AES) encryption algorithm
CN102447698B (en) Encrypting and transmitting method for network communication information
CN102291418A (en) Method for realizing cloud computing security architecture
CN1819515B (en) Realizing method of security symmetric coding algorithm
CN103067166B (en) The stepped mixing encryption method and device of a kind of intelligent home system
CN103152362B (en) Based on the large data files encrypted transmission method of cloud computing
CN101989984A (en) Electronic document safe sharing system and method thereof
CN1998180A (en) Multicast key issuing scheme for large and medium sized scenarios and low user-side demands
CN107257350B (en) Offline authentication or payment method of wearable equipment
CN101170404B (en) Method for secret key configuration based on specified group
US20030149876A1 (en) Method and system for performing perfectly secure key exchange and authenticated messaging
CN102469173A (en) IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm
CN107332657A (en) A kind of encryption method and system based on block chain digital signature
CN100594691C (en) Data transmission encryption method of MANET network
CN101710879A (en) Novel identity-based privacy enhanced mail forwarding system
CN113312608A (en) Electric power metering terminal identity authentication method and system based on timestamp
CN103237302A (en) Sensing information safety protection method for RFID (radio frequency identification) tags in Internet of Things
CN1820449B (en) Method for encoded data transmission via a communication network
CN101562519A (en) Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network
CN102664730A (en) 128 bit secret key expansion method based on AES (Advanced Encryption Standard)
CN107070637A (en) A kind of data encryption/decryption method of overlapping packet

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220411

Address after: Room 202, door 2, building 18, yard 9, anningzhuang West Road, Haidian District, Beijing 100085

Patentee after: Jiang Hai

Address before: 100044 Beijing city Xicheng District Xizhimen Street No. 138 room 620 Beijing Planetarium

Patentee before: Hu Xiangyi

TR01 Transfer of patent right

Effective date of registration: 20230428

Address after: Room 311, unit 2, floor 3, building 1, No. 9, West Santao, Anning Zhuang, Haidian District, Beijing 100085

Patentee after: Beijing Zhongdian Shuan Technology Co.,Ltd.

Address before: Room 202, door 2, building 18, yard 9, anningzhuang West Road, Haidian District, Beijing 100085

Patentee before: Jiang Hai

DD01 Delivery of document by public notice

Addressee: Chen Long

Document name: Notification of Qualified Procedures

DD01 Delivery of document by public notice

Addressee: Chen Long

Document name: payment instructions