Summary of the invention:
The present invention utilizes password, chip and network technology to design one to overlap when carrying out data encryption at every turn, the VPN (virtual private network) that the establishment of the symmetric encipherment algorithm of employing is all inequality, and implementation step is as follows:
At first, set up the dynamic encryption algorithm of VPN, a kind of " encryption element " in the one cover symmetric encipherment algorithm expanded to N group be total to M group " encryption element seed " promptly: set up the capable N row of L " encryption element seed " matrix, the establishment generating algorithm of utilizing dynamic symmetric encipherment algorithm is promptly: choose parameter by what timestamp and random number were formed, the element of N this matrix is chosen in combination at random---group " encryption element seed ", with other constant " encryption element " and the circuits thereof in the N that selects group " encryption element seed " and the symmetric encipherment algorithm, form the establishment of a cover symmetric encipherment algorithm together, thisly choose " encryption element seed " by combination, the establishment of the symmetric encipherment algorithm that generates is dynamically to produce, one time one change does not repeat, encryption system only adopts a kind of symmetric key, do not adopt multiple key code system as netkey, bag key and tunnel keys etc., the symmetric key management of encryption system is to adopt the cipher key combinations generation technique, that is: symphysis becomes symmetric key with the key schedule random groups to adopt " key seed ", one time one change does not repeat, realization symmetric key more new management is finished automatically by algorithm, the manpower-free safeguards, between the vpn gateway or and client computer between data encryption transmission and authentication contain: set up the authentication between the Origin And Destination before the encryption tunnel, all adopt dynamic symmetric encipherment algorithm and combination key to carry out, authentication mode adopts two-way authentication, and choosing jointly of " encryption element seed " and " key seed " after being encrypted to ciphertext, parameter transmitted, preventing to choose parameter leaks, thereby, it is safe and reliable to set up a cover, simple in structure, efficient vpn system quick and easy to maintenance, vpn system uses soft, the mode that hardware combines realizes that the specific implementation step is as follows:
1, " encryption element " in the selection symmetric encipherment algorithm, with a kind of " encryption element " in the selected symmetric encipherment algorithm, as: preset parameter, replacement, displacement, displacement, entanglement and mixing etc., with China located to announce in 2006 grouping algorithm---SMS4 is an example, " encryption element " that can select is: S box substitution list, preset parameter CK or system parameters FK etc.
2, timestamp is a Z position decimal number, comprise: year, month, day, hour, min clock and second, Z=5~12, when timestamp is 5, example: 61103, expression: on November 3rd, 06, when timestamp is 12, example: 101103221518, expression: 22: 15: 18 on the 3rd November in 2010, random number is a N position N system number, and when N=10, random number is 10 decimal numbers, as: " 0213295648 " etc., when N=16, random number is 16 hexadecimal numbers, as: " 0F295A64B17E83D " etc.
3, set up " encryption element seed " matrix, a kind of " encryption element " in the selected symmetric encipherment algorithm, it is extended to the M group and is divided into N group, if " encryption element " is preset parameter, replace or displacement, then extended method adopts randomizer in the VPN chip, generate M group binary system random number or hexadecimal random number and write in the chip, if selected " encryption element " is displacement, displacement, entanglement or mixing etc., then extended method adopts artificial design according to the feature of different " encryption element ", if: " encryption element " is displacement, then move the variation of how many positions by expansion, set up M group shift parameters, if: " encryption element " is entanglement, then by what the variation of expansion entanglement sequence number, set up M group entanglement order parameter, if: " encryption element " is for mixing, then by choosing the variation of information bit in the extended register, set up M group hybrid parameter, simultaneously, also to carry out again its parameter being write in the chip after invertibity and the security test to parameter, wherein: the invertibity test is the element in " the encryption element seed " that guarantees to set up, made up at random and choose the N group and generate symmetric encipherment algorithm, can correctly decipher with its data encrypted, security test is the element in " the encryption element seed " that guarantees to set up, distributed more widely and have randomness, can not be guessed, in a word, the method of most convenient is that " encryption element " selected is preset parameter or replacement, as: select preset parameter CK or substitution list---S box, " encryption element " as the SMS4 algorithm, with this N group altogether M group " encryption element seed " be divided into the capable N row of L as the element of matrix, form L * N " encryption element seed " matrix.
4, set up the algorithm of choosing of element in " encryption element seed " matrix:
(1) sets up the corresponding relation of choosing parameter and " encryption element seed " matrix element, with timestamp and random number as choosing parameter, 1~N group is defined as: year group, moon group, the day group, Shi Qun, minute group, second group, the 7th group, N group, every group " encryption element seed " is a sub-matrix, be total to N sub-matrix, with timestamp each group " encryption element seed " is divided into several rows, wherein: " year ", the group was that W is promptly capable: the sub-matrix of W * N, " moon " group be 12 the row promptly: the sub-matrix of 12 * N, " day " group be 31 the row promptly: the sub-matrix of 31 * N, " time " group be 24 the row: the sub-matrix of 24 * N, " minute " group be 60 the row promptly: the sub-matrix of 60 * N, " second " group be 60 the row promptly: the sub-matrix of 60 * N, the 7th~N group is respectively 1 row promptly: the sub-matrix of 1 * N, L is capable altogether, wherein: W=10~100, L=60~297, every row has the N column element promptly: N organizes " encryption element seed ", every group 1~12 byte, N=10 or 16, M=600~4752, every group " encryption element seed " promptly: each sub-matrix is all distinguished the random number of a corresponding N system, altogether corresponding N position N system random number;
(2) selection rule of parameter to " encryption element seed " matrix element chosen in foundation, with in the timestamp " year; month; day; the time; minute and second " be made as respectively: y, m, d, h, mi, s, N N system random number is made as respectively: S1, S2, S3, S4, S5, S6, S7, SN, choose " year " group promptly with y and S1 combination: the element of the capable S1 row of the sub-matrix of W * N y, choose " moon " group promptly with m and S2 combination: the element of the capable S2 row of the sub-matrix of 12 * N m, choose " day " group promptly with d and S3 combination: the element of the capable S3 row of the sub-matrix of 31 * N d, with h and S4 in conjunction with choose " time " group: the element of the capable S4 row of the sub-matrix of 24 * N h, with mi and S5 in conjunction with choose " minute " group promptly: the element of the capable S5 row of the sub-matrix of 60 * N mi, choose " second " group promptly with s and S6 combination: the element of the capable S6 row of the sub-matrix of 60 * N s, choose 7 groups promptly with S7: the element of the sub-matrix of 1 * N S7 row,, choose N group promptly with SN: the element of the sub-matrix of 1 * N SN row.
5, set up the establishment generating algorithm of dynamic symmetric encipherment algorithm, choose parameter by what the random number of the decimal numeral timestamp in Z position and one group of N position N system was formed jointly, element to L * N " encryption element seed " matrix is chosen, select N matrix element is N group " encryption element seed " at every turn, with the N group of selecting " encryption element seed ", with other constant " encryption element " and circuits thereof in the symmetric encipherment algorithm, form the establishment of a cover symmetric encipherment algorithm together, thereby, the establishment of symmetric encipherment algorithm is transformed into the establishment of dynamic symmetric encipherment algorithm.
6, set up " key seed " matrix, randomizer is produced the binary system random number as " key seed " in the employing VPN chip, and leave in the chip, " key seed " is divided into N group's M group altogether, with this N group altogether M group " key seed " be divided into the capable N row of L as the element of matrix, form L * N " key seed " matrix.
7, set up the algorithm of choosing of element in " key seed " matrix:
(1) sets up the corresponding relation of choosing parameter and " key seed " matrix element, with timestamp and random number as choosing parameter, 1~N group is defined as: year group, moon group, the day group, Shi Qun, minute group, second group, the 7th group, N group, every group " key seed " is a sub-matrix, be total to N sub-matrix, with timestamp each group " key seed " is divided into several rows, wherein: " year ", the group was that W is promptly capable: the sub-matrix of W * N, " moon " group be 12 the row promptly: the sub-matrix of 12 * N, " day " group be 31 the row promptly: the sub-matrix of 31 * N, " time " group be 24 the row: the sub-matrix of 24 * N, " minute " group be 60 the row promptly: the sub-matrix of 60 * N, " second " group be 60 the row promptly: the sub-matrix of 60 * N, the 7th~N group is respectively 1 row promptly: the sub-matrix of 1 * N, L is capable altogether, wherein: W=10~100, L=60~297, every row has the N column element promptly: N organizes " key seed ", every group 1~3 byte, N=10 or 16, M=600~4752, every group " key seed " promptly: each sub-matrix is all distinguished the random number of a corresponding N system, altogether corresponding N position N system random number;
(2) selection rule of parameter to " key seed " matrix element chosen in foundation, choose " year " group promptly with y and S1 combination: the element of the capable S1 row of the sub-matrix of W * N y, choose " moon " group promptly with m and S2 combination: the element of the capable S2 row of the sub-matrix of 12 * N m, choose " day " group promptly with d and S3 combination: the element of the capable S3 row of the sub-matrix of 31 * N d, with h and S4 in conjunction with choose " time " group: the element of the capable S4 row of the sub-matrix of 24 * N h, with mi and S5 in conjunction with choose " minute " group promptly: the element of the capable S5 row of the sub-matrix of 60 * N mi, choose " second " group promptly with s and S6 combination: the element of the capable S6 row of the sub-matrix of 60 * N s, choose 7 groups promptly with S7: the element of the sub-matrix of 1 * N S7 row,, choose N group promptly with SN: the element of the sub-matrix of 1 * N SN row.
8, set up the symmetric key generating algorithm, by choosing parameter the element of L * N " key seed " matrix is chosen, with N matrix element selecting promptly: the synthetic one group of symmetric key of N group " key seed ", thereby, combination generates symmetric key, and wherein: if synthetic key is oversize, folding and making its length is more than 128 bits or 128, in a word, the length of key is as the criterion with the requirement of encryption system.
9, " the encryption element seed " of symmetric encipherment algorithm and choosing of " key seed ", adopt and identical choose algorithm promptly: adopt identical matrix element selection rule, choose parameter with same group---the decimal numeral timestamp of N position N system random number and Z position, come L * N matrix element to choose to same architecture, wherein: the content difference of element representation in two kinds of matrixs, the former represents that " encryption element seed " latter represents " key seed ".
10, transmit leg is chosen parameter promptly by transmitting same group: the decimal numeral timestamp of N position N system random number and Z position is given the recipient, realizes the exchange of symmetric key, simultaneously, realizes the choosing of " encryption element seed " of recipient's symmetric encipherment algorithm.
11, with symmetric encipherment algorithm, L * N " encryption element seed " matrix, L * N " key seed " matrix, digest algorithm, rivest, shamir, adelman, private key, and the establishment generating algorithm of dynamic symmetric encipherment algorithm and symmetric key generating algorithm etc. leave in the chip of VPN hardware, in the chip of VPN hardware, generate the establishment and the symmetric key of interim symmetric encipherment algorithm, and in chip with dynamic symmetry algorithm and combination key encryption and decryption data, choose the parameter ciphertext with the private key deciphering, in chip, also the data of IP packet are made a summary etc. with digest algorithm, thereby, strengthen the ability that vpn gateway is resisted its encryption system of assault.
12, each N position N system random number that produces is to be generated by the randomizer in the VPN chip, each Z position decimal number timestamp that produces is that the function of time by computer system generates, the year, month, day in the timestamp, hour, minute and second all change with the variation of computer system time.
13, according to timestamp and random number, N the element of from L * N " encryption element seed " matrix, selecting promptly: N organizes " encryption element seed ", be the combination of the capable N of L row " encryption element seed ", and its variable quantity is greater than N
N
14, according to timestamp and random number, other constant " encryption element " and circuits thereof in N group of from L * N " encryption element seed " matrix, selecting " encryption element seed " and the symmetric encipherment algorithm, the establishment of forming symmetric encipherment algorithm together produces at random, one time one change does not repeat, the establishment of this symmetric encipherment algorithm that produces at random is interim, do not keep after the use, removed at once by system.
15, according to timestamp and random number, N the element of from L * N " key seed " matrix, selecting promptly: N organizes " key seed ", be the combination of the capable N of L row " key seed ", and its variable quantity is greater than N
N
16, according to timestamp and random number, N group " key seed " synthetic symmetric key of selecting from L * N " key seed " matrix is to generate at random, and one time one change does not repeat, simultaneously, this symmetric key that generates at random is interim, does not keep after the use, is removed at once by system.
17, the authentication between authentication between the vpn gateway and client computer and the gateway also comprises the authentication of setting up between preceding starting point of encryption tunnel and the terminal point, all adopts dynamic symmetric encipherment algorithm and combination key to realize, authentication mode adopts two-way authentication, and its process is:
(1) stabs and random number by the authenticating party rise time, generate the establishment and the symmetric key of interim symmetric encipherment algorithm according to timestamp and random number, encrypted random number generates authenticate password 1, again parameters for authentication such as timestamp, random number and authenticate password 1 are sent to certified side, simultaneously, authenticating party produces authentication life cycle T;
(2) after certified side receives the parameters for authentication that authenticating party sends, generate the establishment and the symmetric key of interim symmetric encipherment algorithm according to timestamp and random number, encrypted random number generates authenticate password 2, whether identical through contrast authenticate password 1 with 2, whether the identity of determining authenticating party is legal, if it is legal, then certified side produces parameters for authentication and sends to authenticating party with identical method again, determine certified side's identity, simultaneously, whether authenticating party calculates the authenticated time period T finishes, and controls the time of two-way authentication, in order to avoid intercepted and captured parameters for authentication by other people encryption system is attacked.
18, when setting up the VPN of IPSes agreement, the IPSes agreement is: on basis, Origin And Destination IP address, set up IPSec Standard Encryption tunnel, its process is as follows:
(1) sets up the tunnel stage: adopt dynamic symmetric encipherment algorithm and combination key to carry out two-way authentication between the Origin And Destination IP address;
(2) the tunnel communication stage: each IP packet all uses the establishment of one a group of symmetric key and a cover symmetric encipherment algorithm to encrypt, different IP packet adopts the establishment of different one a group of symmetric key and a cover symmetric encipherment algorithm to encrypt, for guaranteeing the integrality of IP data packet transmission, use digest algorithm that the data of sending out the IP packet that send are made a summary, and integrity information is sent to the recipient after the IP packet is encrypted to ciphertext.
19, when setting up the VPN of ssl protocol, ssl protocol is: set up the encryption tunnel of ssl protocol standard at Origin And Destination, ssl protocol is made up of Handshake Protocol and record protocol, and its process is as follows:
(1) Handshake Protocol in the ssl protocol: adopt dynamic symmetric encipherment algorithm and combination key to carry out two-way authentication between the Origin And Destination, in carrying out mutual authentication process, the authentication both sides keep establishment and one group of symmetric key of a cover symmetric encipherment algorithm of interim generation, if two-way authentication is not passed through, then encryption system is removed the establishment and the symmetric key of the interim symmetric encipherment algorithm of authentication both sides reservation at once;
(2) record protocol in the ssl protocol: after finishing Handshake Protocol, and obtained interim generation one the cover symmetric encipherment algorithm establishment and one group of symmetric key, finish record protocol in the ssl protocol with the establishment of this interim symmetric encipherment algorithm and symmetric key, after one time the tunnel connects, use the encryption and decryption data of working out of one a group of symmetric key and a cover symmetric encipherment algorithm, all use establishment and one group of symmetric key of different cover symmetric encipherment algorithms to come encryption and decryption data after each tunnel connects.
20, in the VPN encryption system, adopt " key seed " and symmetric key generating algorithm to make up the generation key, the exchange of symmetric key is to realize by the parameter of choosing of transmitting " key seed ", and improve the intensity of encryption system by the establishment of the dynamic symmetric encipherment algorithm that becomes for one time one, the efficient height, safe, do not resemble other most VPN is to adopt multiple key code system as netkey, tunnel keys and packet key etc., and carry out the encryption that is layering between the multiple key, improve the intensity of encryption system, the VPN of the multiple key cryptosystem of this employing, efficient is low.
21, by all long-range vpn gateways of tunnel management, the keeper sets up encryption tunnel by client computer and each long-range vpn gateway, and by tunnel maintenance and the long-range vpn gateway of management, as: the keeper passes through each long-range vpn gateway daily record data of client browses etc., this vpn gateway in the network is carried out managed concentratedly, reduce management cost, improved the efficiency of management, guaranteed the safety of vpn gateway.
22, the VPN encryption system adopts dynamic symmetric encipherment algorithm enciphered data, if with block encryption algorithm during as the framework of dynamic symmetric encipherment algorithm, the block length of algorithm is 64 or 128 bits, and key length is 128 bits or above 128 bits.
23, the establishment of VPN encryption system symmetric encipherment algorithm and key become promptly for one time one: one group of The data of every encryption, one a cover cryptography and a group key, all decoding conditions have been shielded, this data encryption mode to the code breaker is, the known symmetric encryption algorithm framework, I do not know that single part of newspaper under the condition of the establishment of symmetric encipherment algorithm and key decodes, the hyundai electronics password all is based on large scale integrated circuit design, and the hyundai electronics password of establishment of Gonna breakthrough unknown password and key is impossible.
24, in the VPN encryption system, use rivest, shamir, adelman to come encrypted transmission to choose parameter---random number and timestamp, that is: transmit leg is chosen parameter with recipient's public key encryption, send to the recipient in the lump with encrypt data, after the recipient receives that this chooses the parameter ciphertext, decipher this with recipient's private key and choose the parameter ciphertext, according to the parameter of choosing after the deciphering element of recipient's " encryption element seed " matrix is chosen, with the N group of selecting " encryption element seed ", generate the interim symmetric encipherment algorithm of a cover with other constant " encryption elements " and circuit thereof, again according to the deciphering after choose parameter to the element of recipient's " key seed " matrix is chosen, with the synthetic one group of interim symmetric key of the N group of selecting " key seed ", thereby, prevent to choose parameter and leak, improve the safe class of vpn system.
Embodiment:
Below in conjunction with the vpn system performing step of description of drawings based on dynamic encryption algorithm:
Fig. 1: what random number and timestamp composition was described chooses algorithm structure figure to L * N matrix element, wherein: L=89, N=16,
1, sets up " encryption element seed " matrix of symmetric encipherment algorithm and to the selection rule of this matrix element
(1) getting timestamp is 7 decimal numbers, establishes: timestamp: ymdh wherein: y representative " year " is 1 figure place, and m representative " moon " is 2 figure places, and it is 2 figure places that d represents " day ", and h represents " time " be 2 figure places,
(2) getting random number is 16 hexadecimal numbers, establishes: random number: S1, and S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15, S16,
(3) be example with disclosed grouping algorithm SMS4 at the beginning of the country 2006, set up " encryption element seed " matrix in the SMS4 algorithm,
(4) the preset parameter CK table of getting in the SMS4 algorithm is " encryption element ", it is expanded to 1424 groups " encryption element seeds ", and be divided into 16 groups, " year " group is 10 row, " moon " group is 12 row, " day " group is 31 row, " time " group be 24 the row, the 5th group~the 16th group is respectively 1 row, totally 89 goes 16 groups of every row, every group 8 byte (64 bit) is each element 8 byte (64 bit), totally 1424 elements constitute (89 * 16) matrixs, that is: " encryption element seed " matrix by 89 row, 16 row totally 1424 elements form
(5) set up " encryption element seed " matrix
Because: 16 system numerical tables are shown in 32 preset parameter CK tables in the SMS4 block encryption algorithm:
00070e15,1c232a31,383f464d,545b6269,
70777e85,8c939aa1,a8afb6bd,c4cbd2d9,
e0e7eef5,fc030a11,181f262d,343b4249,
50575e65,6c737a81,888f969d,a4abb2b9,
c0c7ced5,dce3eaf1,f8ff060d,141b2229,
30373e45,4c535a61,686f767d,848b9299,
a0a7aeb5,bcc3cad1,d8dfe6ed,f4fb0209,
10171e25,2c333a41,484f565d,646b7279,
If: the element in " encryption element seed " matrix is: A
00, A
01..., A
0 15..., A
90, A
91..., A
9 15, B
01 0, B
01 1..., B
01 15..., B
12 0, B
12 1..., B
12 15, C
01 0, C
01 1..., C
01 15..., C
31 0, C
31 1..., C
31 15, D
01 0, D
01 1..., D
01 15..., D
24 0, D
24 1..., D
24 15, E
0, E
1..., E
15, F
0, F
1..., F
15, G
0, G
1..., G
15, H
0, H
1..., H
15, I
0, I
1..., I
15, J
0, J
1..., J
15, K
1..., K
15, L
0, L
1..., L
15, M
0, M
1..., M
15, N
0, N
1..., N
15, O
0, O
1..., O
15, P
0, P
1..., P
15Produce the hexadecimal random number with the randomizer in the VPN chip, producing the hexadecimal random number altogether is 1424 groups, every group has 16 hexadecimal numbers to account for 8 bytes, totally 11382 bytes, with the content of these 1424 groups of hexadecimal random numbers, and leave in the chip as element in above " encryption element seed " matrix;
(6) corresponding relation and the selection rule between the element in settling time stamp and random number and " encryption element seed " matrix
Corresponding relation: y and S1 corresponding A
00, A
01..., A
0 15..., A
90, A
91..., A
9 15, the sub-matrix of these (10 * 16); The corresponding B of m and S2
01 0, B
01 1..., B
01 15..., B
12 0, B
12 1..., B
12 15, the sub-matrix of these (12 * 16); The corresponding C of d and S3
01 0, C
01 1..., C
01 15..., C
31 0, C
31 1..., C
31 15, the sub-matrix of these (31 * 16); The corresponding D of h and S4
01 0, D
01 1..., D
01 15..., D
24 0, D
24 1..., D
24 15, the sub-matrix of these (24 * 16); The corresponding E of S5
0, E
1..., E
15, the sub-matrix of this (1 * 16); The corresponding F of S6
0, F
1..., F
15, the sub-matrix of this (1 * 16); The corresponding G of S7
0, G
1..., G
15, the sub-matrix of this (1 * 16); The corresponding H of S8
0, H
1..., H
15, the sub-matrix of this (1 * 16); The corresponding I of S9
0, I
1..., I
15, the sub-matrix of this (1 * 16); The corresponding J of S10
0, J
1..., J
15, the sub-matrix of this (1 * 16); The corresponding K of S11
0, K
1..., K
15, the sub-matrix of this (1 * 16); The corresponding L of S12
0, L
1..., L
15, the sub-matrix of this (1 * 16); The corresponding M of S13
0, M
1..., M
15, the sub-matrix of this (1 * 16); The corresponding N of S14
0, N
1..., N
15, the sub-matrix of this (1 * 16); The corresponding O of S15
0, O
1..., O
15, the sub-matrix of this (1 * 16); The corresponding P of S16
0, P
1..., P
15, the sub-matrix of this (1 * 16),
Selection rule: y and S1 choose A
Y S1, m and S2 choose B
M S2, d and S3 choose C
D S3, h and S4 choose D
H S4, S5 chooses E
S5, S6 chooses F
S6, S7 chooses G
S7, S8 chooses S
S8, S9 chooses I
S9, S10 chooses J
S10, S11 chooses K
S11, S12 chooses L
S12, S13 chooses M
S13, S14 chooses N
S14, S15 chooses 0
S15, S16 chooses P
S16
(7) for example: when the time was 6 days 21 October in 2006, then timestamp was got: " 6100621 " totally 7, wherein: y=6, m=10, d=06, h=21,
If: random number is: " B130F8A765D90245 ",
According to the algorithm of choosing of " encryption element seed " matrix element, the element that is selected matrix among Fig. 1 is: A
6 11, B
10 1, C
63, D
21 0, E
15, F
8, G
10, H
7, I
6, J
5, K
13, L
9, M
0, N
2, O
4, P
5
It is as follows that the structure of showing according to preset parameter CK generates interim CK table again:
With 16 groups " encryption element seeds " selecting temporarily promptly: the interim CK table of generation, with other constant " encryption element " and the circuits thereof in the cryptographic algorithm in the SMS4 algorithm, form the establishment of the interim symmetric encipherment algorithm of a cover together.
2, set up the combination key create-rule
(1) getting timestamp is 7 decimal numbers,
If: timestamp: ymdh wherein: y representative " year " is 1 figure place, and m representative " moon " is 2 figure places, and it is 2 figure places that d represents " day ", and h represents " time " be 2 figure places;
(2) getting random number is 16 hexadecimal numbers,
If: random number: S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15, S16;
(3) getting key length is 128 bits,
If: each element in the key seed table be 1 byte promptly: 8 bits;
(4) set up " key seed " matrix
If: the element in " key seed " matrix is: A
00, A
01..., A
0 15..., A
90, A
91..., A
9 15, B
01 0, B
01 1..., B
01 15..., B
12 0, B
12 1..., B
12 15, C
01 0, C
01 1..., C
01 15..., C
31 0, C
31 1..., C
31 15, D
01 0, D
01 1..., D
01 15..., D
24 0, D
24 1..., D
24 15, E
0, E
1..., E
15, F
0, F
1..., F
15, G
0, G
1..., G
15, H
0, H
1..., H
15, I
0, I
1..., I
15, J
0, J
1..., J
15, K
1..., K
15, L
0, L
1..., L
15, M
0, M
1..., M
15, N
0, N
1..., N
15, O
0, O
1..., O
15, P
0, P
1..., P
15Produce the binary system random number with the randomizer in the VPN chip, producing the binary system random number altogether is 1424 groups, every group has 8 bits to account for 1 byte, totally 1424 bytes, with the content of these 1424 groups of binary random numbers, and leave in the chip as element in above " key seed " matrix;
(5) corresponding relation and the selection rule between the element in settling time stamp and random number and " key seed " matrix,
Corresponding relation: y and S1 corresponding A
00, A
01..., A
0 15..., A
90, A
91..., A
9 15, the sub-matrix of these (10 * 16); The corresponding B of m and S2
01 0, B
01 1..., B
01 15..., B
12 0, B
12 1..., B
12 15, the sub-matrix of these (12 * 16); The corresponding C of d and S3
01 0, C
01 1..., C
01 15..., C
31 0, C
31 1..., C
31 15, the sub-matrix of these (31 * 16); The corresponding D of h and S4
01 0, D
01 1..., D
01 15..., D
24 0, D
24 1..., D
24 15, the sub-matrix of these (24 * 16); The corresponding E of S5
0, E
1..., E
15, the sub-matrix of this (1 * 16); The corresponding F of S6
0, F
1..., F
15, the sub-matrix of this (1 * 16); The corresponding G of S7
0, G
1..., G
15, the sub-matrix of this (1 * 16); The corresponding H of S8
0, H
1..., H
15, the sub-matrix of this (1 * 16); The corresponding I of S9
0, I
1..., I
15, the sub-matrix of this (1 * 16); The corresponding J of S10
0, J
1..., J
15, the sub-matrix of this (1 * 16); The corresponding K of S11
0, K
1..., K
15, the sub-matrix of this (1 * 16); The corresponding L of S12
0, L
1..., L
15, the sub-matrix of this (1 * 16); The corresponding M of S13
0, M
1..., M
15, the sub-matrix of this (1 * 16); The corresponding N of S14
0, N
1..., N
15, the sub-matrix of this (1 * 16); The corresponding O of S15
0, O
1..., O
15, the sub-matrix of this (1 * 16); The corresponding P of S16
0, P
1..., P
15, the sub-matrix of this (1 * 16);
Selection rule: y and S1 choose A
Y S1, m and S2 choose B
M S2, d and S3 choose C
D S3, h and S4 choose D
H S4, S5 chooses E
S5, S6 chooses F
S6, S7 chooses G
S7, S8 chooses H
S8, S9 chooses I
S9, S10 chooses J
S10, S11 chooses K
S11, S12 chooses L
S12, S13 chooses M
S13, S14 chooses N
S14, S15 chooses O
S15, S16 chooses P
S16
(6) for example: when the time was 6 days 21 October in 2006, then timestamp was got: " 6100621 " totally 7, wherein: y=6, m=10, d=06, h=21,
If: random number is: " B130F8A765D90245 ",
According to the algorithm of choosing of " key seed " matrix element, the element that is selected matrix among Fig. 1 is: A
6 11, B
10 1, C
63, D
21 0, E
15, F
8, G
10, H
7, I
6, J
5, K
13, L
9, M
0, N
2, O
4, P
5, then: synthetic symmetric key=(A
6 11B
10 1C
63D
21 0E
15F
8G
10H
7I
6J
5K
13L
9M
0N
2O
4P
5).
Fig. 2: the authentication process between the Origin And Destination in the vpn system is described:
(1) at first, produce N system random number 1 and one group of decimal numeral timestamp 1 in Z position of one group of N position by authenticating party;
(2) authenticating party is chosen algorithm according to random number 1 and timestamp 1 to the control of " encryption element seed " matrix, from the encryption chip of authenticating party, obtain element---" the encryption element seed " of N " encryption element seed " matrix, with other constant " encryption element " and the circuits thereof in the cryptographic algorithm, generate the establishment of the interim symmetric encipherment algorithm of a cover together, according to this group random number and timestamp algorithm is chosen in the control of " key seed " matrix again, from the encryption chip of authenticating party, obtain element---" key seed " of N " key seed " matrix, and synthetic one group of interim symmetric key;
(3) establishment and one group of symmetric key of the interim symmetric encipherment algorithm of a cover that generates with authenticating party, the random number 1 that authenticating party is produced is encrypted to ciphertext promptly: authenticate password 1;
(4) authenticating party sends to certified side in the lump with parameters for authentication such as authenticate password 1 and random number 1 and timestamps 1, simultaneously, generate authentication life cycle T, establishment and one group of symmetric key of the cover symmetric encipherment algorithm that encryption system will generate are at once temporarily removed;
(5) after certified side receives these parameters for authentication, according to random number 1 and timestamp 1 algorithm is chosen in the control of " encryption element seed " matrix, from certified side's encryption chip, obtain element---" the encryption element seed " of N " encryption element seed " matrix, with other constant " encryption element " and the circuits thereof in the symmetry algorithm, generate the establishment of the interim symmetric encipherment algorithm of a cover together, according to random number 1 and timestamp 1 algorithm is chosen in the control of " key seed " matrix again, from certified side's encryption chip, obtain element---" key seed " of N " key seed " matrix, and synthetic one group of interim symmetric key;
(6) establishment and one group of symmetric key of an interim cover symmetric encipherment algorithm that generates with certified side, random number 1 is encrypted to ciphertext promptly: authenticate password 2, whether contrast authenticate password 1 more identical with authenticate password 2? if it is inequality, authentification failure then, otherwise authentication is by promptly: unilateral authentication finishes, afterwards, establishment and one group of symmetric key of the encryption system one cover symmetric encipherment algorithm that will temporarily generate are at once removed;
(7) when the identity of authenticating party is certified pass through after, produce N system random number 2 and one group of decimal numeral timestamp 2 in Z position of one group of N position by certified side;
(8) according to random number 2 and timestamp 2 algorithm is chosen in the control of " encryption element seed " matrix, from certified side's encryption chip, obtain element---" the encryption element seed " of N " encryption element seed " matrix, with other constant " encryption element " and the circuits thereof in the cryptographic algorithm, generate the establishment of the interim symmetric encipherment algorithm of a cover together, according to random number 2 and timestamp 2 algorithm is chosen in the control of " key seed " matrix again, from certified side's encryption chip, obtain element---" key seed " of N " key seed " matrix, and synthetic one group of interim symmetric key;
(9) establishment and one group of symmetric key of an interim cover symmetric encipherment algorithm that generates with certified side are encrypted to ciphertext authentication authorization and accounting password 3 with random number 2;
(10) certified side sends to authenticating party in the lump with parameters for authentication such as authenticate password 3, random number 2 and timestamps 2, afterwards, encryption system is removed establishment and one group of symmetric key of the interim cover symmetric encipherment algorithm that generates of certified side at once, if need set up the SSL encryption tunnel, establishment and one group of symmetric key of then keeping this interim cover symmetric encipherment algorithm that generates are for use in the record protocol in the ssl protocol;
(11) after authenticating party is received these parameters for authentication, according to random number 2 and timestamp 2 algorithm is chosen in the control of " encryption element seed " matrix, from the encryption chip of authenticating party, obtain element---" the encryption element seed " of N " encryption element seed " matrix, with other constant " encryption element " and the circuits thereof in the cryptographic algorithm, generate the establishment of the interim symmetric encipherment algorithm of a cover together, according to random number 2 and timestamp 2 algorithm is chosen in the control of " key seed " matrix again, from the encryption chip of authenticating party, obtain element---" key seed " of N " key seed " matrix, and synthetic one group of interim symmetric key;
(12) establishment and one group of symmetric key of the interim symmetric encipherment algorithm of a cover that generates with authenticating party, the random code of receiving 2 is encrypted to ciphertext promptly: authenticate password 4, afterwards, whether calculate authentication life cycle T finishes, if finishing then authentication, do not pass through T, again authentication, if T does not finish, whether identical by contrast authenticate password 3 again with authenticate password 4? if it is inequality, authentification failure then, otherwise authentication is by promptly: two-way authentication finishes, be validated user mutually, afterwards, establishment and one group of symmetric key of the cover symmetric encipherment algorithm that encryption system will generate are at once temporarily removed, if need set up the SSL encryption tunnel, establishment and one group of symmetric key of then keeping this interim cover symmetric encipherment algorithm that generates are for use in the record protocol in the ssl protocol.
Fig. 3: the vpn gateway based on the IPsec agreement is described, the process that the data of Intranet IP packet are added, decipher:
(1) produces one group of decimal numeral timestamp of N position N system random number and Z position by the transmit leg system, according to this group random number and timestamp, select N group " key element seed " in L * N from transmit leg VPN chip " encryption element seed " matrix promptly: the element of N matrix, again with cryptographic algorithm in other constant " encryption elements ", form together one the cover interim symmetric encipherment algorithm establishment;
(2) this group random number and timestamp that produces according to system, from transmit leg VPN chip, select N group " key seed " in L * N " key seed " matrix promptly: the element of N matrix, synthesize one group of symmetric key;
(3) generate the integrity information 1 of Intranet IP packet with digest algorithm summary Intranet IP packet, transmit leg is encrypted to ciphertext with establishment and one group of symmetric key of an interim cover symmetric encipherment algorithm that generates with the data of Intranet IP packet and the integrity information 1 of Intranet IP bag;
(4) should organize random number and timestamp, integrity information 1 with Intranet IP packet that is encrypted to ciphertext and Intranet IP bag sends to the recipient, afterwards, establishment and one group of symmetric key of the encryption system one cover symmetric encipherment algorithm that will temporarily generate are at once removed:
(5) random number and the timestamp sent according to transmit leg of recipient, select N group " encryption element seed " in L * N from recipient VPN chip " encryption element seed " matrix promptly: the element of N matrix, again with symmetric encipherment algorithm in other constant " encryption element " and circuits thereof, form together one the cover interim symmetric encipherment algorithm establishment;
(6) according to this group random number and timestamp, select N group " key seed " in L * N " key seed " matrix from reciever VPN chip promptly: the element of N matrix, synthesize one group of symmetric key;
(7) recipient is with the establishment and the symmetric key of the interim interim symmetric encipherment algorithm of a cover that generates, and the ciphertext Intranet IP packet that transmit leg is sent and the integrity information 1 of Intranet IP bag are decrypted into expressly;
(8) recipient has been decrypted into the data of Intranet IP packet expressly with the digest algorithm summary, generate the integrity information 2 of Intranet IP bag, pass through integrity information 1 whether identical again with integrity information 2, whether the data of determining Intranet IP packet are complete, if the two is identical, the data integrity of Intranet IP packet then, otherwise the data of Intranet IP packet are wrong.