CN201656997U - Device for generating transmission key - Google Patents

Device for generating transmission key Download PDF

Info

Publication number
CN201656997U
CN201656997U CN2010201771189U CN201020177118U CN201656997U CN 201656997 U CN201656997 U CN 201656997U CN 2010201771189 U CN2010201771189 U CN 2010201771189U CN 201020177118 U CN201020177118 U CN 201020177118U CN 201656997 U CN201656997 U CN 201656997U
Authority
CN
China
Prior art keywords
key
unit
control
information
mutual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2010201771189U
Other languages
Chinese (zh)
Inventor
赵晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN2010201771189U priority Critical patent/CN201656997U/en
Application granted granted Critical
Publication of CN201656997U publication Critical patent/CN201656997U/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The utility model discloses a device for generating transmission key. The transmission key is commonly generated by a transmission key generation algorithm distributed by a third party according to an interaction key transmitted by opposite party and a private key generated by the party; the transmission key is not generated independently when the interaction key transmitted by the opposite party is captured in a network, the transmission key generation algorithm distributed by the third party enables the algorithms of the double parties to be the same, and locally-generated transmission keys of the double party are equal so as to reach the effect of the symmetrical encryption algorithm. The local private key of the double parties are generated randomly, and are invalid after used at once so as to ensure no influence to the next transmission even the transmission key is stolen or broken. The transmission key generation algorithm is distributed by the third party and is transparent and the same for double parties of communication, can be redistributed at each time, or distributed regularly or irregularly, and further can be distributed randomly, thereby furthering increasing the security of the interaction key and the transmission key.

Description

A kind of device that generates transmission security key
Technical field
The utility model relates to the network security technology field, relates in particular to a kind of device that generates transmission security key, and the transmission security key of generation cooperates symmetric encipherment algorithm, can realize safe encrypted data transmission.
Background technology
High concerning security matters level industry often relates to a large amount of private information transmitting scenes, needs host-host protocol safe in utilization and secure network environment.In host-host protocol safe in utilization and secure network environment, extensive use at present be that the symmetric cryptography encryption method is transmitted private information, such as 3DES etc.
When using symmetric encryption method, the algorithm that generates transmission security key is the core that realizes; How generating and preserve transmission security key then is encryption method security intensity and the basic assurance that realizes performance.A good key implementation should possess following characteristics: guarantee that key maintains complete secrecy in the transmission course, the key that can upgrade in time easily can be resisted common attack method etc.
Present most cipher key transmission system, various safe transmission algorithms and communication channel and negotiation mechanism have been adopted, but all based on a common ground: need to produce in advance a key, the time that this key of while need be kept at both sides' server one fixed length is used for subsequent applications.In case during this period of time victim gets access to key, the subsequent communications content has just exposed fully, so for fear of this risk, most of cipher key transmission system all require the cycle to change key to reduce the loss that brings after the exposure as much as possible.But this way can not be avoided risk fully, and change that a secondary key need regenerate, negotiation and transmission course, too frequently can improve the realization cost significantly.
The utility model content
(1) technical problem that will solve
In view of this, main purpose of the present utility model is to provide a kind of device that generates transmission security key, to improve the fail safe of transmission security key, reduces the risk that the key based on the symmetric encipherment algorithm transmission system is cracked or steals.
(2) technical scheme
For achieving the above object, the utility model provides a kind of device that generates transmission security key, and this device comprises by the network key control that connects that intercouples distributes device 1, information transmitting apparatus 2 and information receiver 3, wherein:
The key control is distributed device 1, be third party as the information transmitting apparatus 2 and the information receiver 3 of communication two party, produce key control and key control information, this key control includes mutual key schedule and transmission security key generating algorithm, add this key control information to this key control, and send to information transmitting apparatus 2 and information receiver 3;
Information transmitting apparatus 2 and information receiver 3, all are web servers, reception is distributed the key control that device 1 sends by the key control, according to the control information that is added in the key control key control that is received is authenticated respectively, and utilize the mutual key schedule in the key control to generate control generation mutual key separately respectively, re-use check code, timestamp and authentication information are formed mutual key information bag, then described mutual key information bag is transferred to the other side, after receiving the other side's mutual key information bag respectively, the other side's who utilizes local private key and receive mutual key, by calling the transmission security key generating algorithm generation transmission security key separately in the transmission security key generation control, these two transmission security keys equate; At last, utilize the transmission security key that generates that the needs information transmitted is carried out encryption and decryption separately.
In the such scheme, described key control is distributed device 1 and is comprised interconnective control information generating unit 11 and key control generation unit 12, wherein:
Control information generating unit 11 produces key control information, and this key control information comprises security control ID, version number and control useful life at least.
Key control generation unit 12 is taken out with various algorithms and is generated the key control, and this key control comprises mutual key schedule control and transmission security key generating algorithm control.
In the such scheme, described information transmitting apparatus 2 or information receiver 3 include private key generation unit 201, mutual key generation unit 202, transmission security key generation unit 203, signing messages authentication ' unit 204, check code authentication ' unit 205, timestamp verification unit 206, data are preserved cleaning unit 207, information transmitting unit 208 and main control unit 209, and private key generation unit 201, mutual key generation unit 202, transmission security key generation unit 203, signing messages authentication ' unit 204, check code authentication ' unit 205, timestamp verification unit 206, data are preserved cleaning unit 207 and information transmitting unit 208 all is connected in main control unit 209.
In the such scheme, described main control unit 209 receives distributes the data of device 1 from the key control, and coordinates inner private key generation unit 201, mutual key generation unit 202, transmission security key generation unit 203, signing messages authentication ' unit 204, check code authentication ' unit 205, timestamp verification unit 206, data preservation cleaning unit 207 and information transmitting unit 208 and finish key generation, mutual and certification work.
In the such scheme, described private key generation unit 201 generates local private key, and offers main control unit 209, as the input of mutual key generation unit.
In the such scheme, described mutual key generation unit 202 receives the key controls from main control unit 209 and distributes the mutual key that device 1 sends and generate control F (X), and the local private key that described private key generation unit 201 is generated generates mutual key as input.
In the such scheme, described transmission security key generation unit 203 receives the key control from main control unit 209 and distributes the mutual key generation control G (X that device 1 sends, Y), mutual key of the other side who has generated and the local private key information of utilizing the other side's device to send generate transmission security key.
In the such scheme, signed data in the described signing messages authentication ' unit 204 checking interactive information, cipher controlled is distributed device 1 control information all has been provided when providing two kinds of keys to generate control, key after signing messages authentication ' unit 204 uses public signature key that known key control distributes device to two kinds of encryptions generates control and is decrypted, only control the control of distributing device and just can solve correct plaintext from legitimate secret, at first whether identity verification ID is correct after solving expressly, judge that then current date whether in the control effective range, obtains version information at last as follow-up mutual affirmation control consistency.
In the such scheme, described signing messages authentication ' unit 204 is further before the other side's device sends mutual key, use the signature private key of self that mutual key information bag is encrypted earlier, after receiving the other side's mutual key information bag, could use known the other side's public signature key deciphering interactive information bag, transfer to main control unit 209 distribution processor then.
In the such scheme, described check code authentication ' unit 205 is called self-contained certain check code algorithm increases check code information to the mutual key information bag that has generated, to guarantee to form safer mutual key information bag, wherein check code authentication ' unit 205 includes multiple check code algorithm, and this check code algorithm is CRC check algorithm or parity arithmetic at least.
In the such scheme, described check code authentication ' unit 205 further receives the mutual key information bag that the other side's device sends from main control unit 209, and its check code is verified.
In the such scheme, whether the mutual transmission package of described timestamp authentication ' unit 206 authenticate keys lost efficacy, and compared with the local zone time of system separately according to timestamp information in the bag, judged whether overtime to prevent simple Replay Attack.
In the such scheme, ephemeral data during the described data preservation cleaning unit 207 preservation cipher key interactions and the data scrubbing work behind mutual the end.
In the such scheme, described data are preserved cleaning unit 207 and are also comprised a symmetric cryptography module, described main control unit 209 deposits ephemeral data in before this unit, at first temporary information is encrypted by the signature key of this symmetric cryptography module invokes main control unit 209, put into data preservation cleaning unit with the ciphertext pattern and carry out safe storage, when need calling temporary information, other unit, pay other unit uses thereby obtain cleartext information earlier by this symmetric cryptography module decrypts ciphertext.
In the such scheme, described information transmitting unit 208 is obtained mutual key information bag to be sent from main control unit 209.
(3) beneficial effect
From technique scheme as can be seen, the device of this generation transmission security key that the utility model provides can be widely used in the application scenarios that uses the mutual fine and closely woven information of symmetric key encryption algorithm, realizes the cipher key interaction of safety, and its advantage applies is aspect following:
1, anti-intercepting is attacked: at interactive channel, even the assailant has intercepted and captured mutual key K aAnd K b, still, because random key a separately, b is no longer communication in the network, the assailant can't obtain.Guarantee further that simultaneously F (X)=Y algorithm is irreversible, then a and b also can't obtain by calculating, and can guarantee the safety of transmission security key K.
2, key is changed: because both sides' random key a and b generate before mutual at random at every turn, just make that also actual mutual key or transmission security key all are change at random also at every turn, thereby avoided the long-time risk of leakage of bringing of using of key.
3, anti-replay, anti-blocking:, add the effect that check code and timestamp can play the anti-replay anti-blocking by mutual key is formed packets of information.
Description of drawings
Fig. 1 is the structural representation of the generation transmission security key device that provides of the utility model;
Fig. 2 is the structural representation that the key control is distributed device;
Fig. 3 is the structural representation of information transmitting apparatus and information receiver;
Fig. 4 is the method flow diagram that generates transmission security key according to first embodiment of the utility model;
Fig. 5 is the method flow diagram that generates transmission security key according to second embodiment of the utility model;
Fig. 6 is the structural representation of mutual key information bag.
Embodiment
For making the purpose of this utility model, technical scheme and advantage clearer,, and, the utility model is further described with reference to accompanying drawing below in conjunction with specific embodiment.
Technological core of the present utility model is, transmission security key is the mutual key that the private key that produced according to we by communication two party and the other side transmit, the transmission security key generating algorithm of distributing by the third party generates jointly, even being intercepted also, the mutual key that the other side transmits to generate transmission security key separately in network, the transmission security key generating algorithm that described third party distributes makes the algorithm unanimity that both sides use, and the transmission security key in the local generation of both sides is equal, thereby reaches the effect of symmetric encipherment algorithm.Both sides' local private key uses once and just lost efficacy by generating at random, can not impact transmission next time even guaranteed that transmission security key is stolen or cracks also.The transmission security key generating algorithm is distributed by the third party, and is transparent and consistent for communication two party, can be to distribute again at every turn, or regularly, irregularly distribute, can also be to distribute at random, further promotes the safety of mutual key and transmission security key.
Fig. 1 is the structural representation of the generation transmission security key device that provides of the utility model, this device comprises the key control and distributes device 1, information transmitting apparatus 2 and information receiver 3, and the key control is distributed device 1, information transmitting apparatus 2 and information receiver 3 and intercoupled by network and be connected.
It is the third party that communication two party is generally acknowledged that described key control is distributed device 1, can be a PC server or main frame, (the key control comprises mutual key schedule control and transmission security key generating algorithm control to be used to produce key control and key control information, key control information comprises security control ID, version number and control useful life etc.), add this key control information to this key control, formation includes the key control of mutual key schedule and transmission security key generating algorithm, sends to information transmitting apparatus 2 and information receiver 3 then.
As shown in Figure 2, Fig. 2 is the structural representation that the key control is distributed device.The key control is distributed device 1 and is comprised control information generating unit 11 and key control generation unit 12.Described control information generating unit 11 is used to produce key control information, and this key control information comprises security control ID, version number and control useful life etc.Described key control generation unit 12 is used to take out with various algorithms generation key controls, and this key control comprises mutual key schedule control and transmission security key generating algorithm control.
Described information transmitting apparatus 2 and information receiver 3, it all can be a web server, be used to receive and distribute the key control that device 1 sends by the key control, according to the control information that is added in the key control key control that is received is authenticated respectively, and utilize mutual key schedule in the key control to generate separately mutual key respectively, re-use check code, timestamp and authentication information and form mutual key information bag, with guarantee the integrality and the accuracy of mutual key information, then described mutual key information bag is transferred to the other side.Described mutual key information package prejudice Fig. 6.
Information transmitting apparatus 2 and information receiver 3 are after receiving the other side's mutual key information bag respectively, the packet data legitimacy is authenticated, authentication by after utilize local private key and the other side's of receiving mutual key, by calling the transmission security key generating algorithm generation transmission security key separately in the transmission security key generation control, these two transmission security keys equate.At last, information transmitting apparatus 2 and information transmitting apparatus 3 utilize the transmission security key that generates that the needs information transmitted is carried out encryption and decryption.
Fig. 3 is the structural representation of information transmitting apparatus and information receiver, and information transmitting apparatus 2 and information receiver 3 all comprise private key generation unit 201, mutual key generation unit 202, transmission security key generation unit 203, signing messages authentication ' unit 204, check code authentication ' unit 205, timestamp verification unit 206, data preservation cleaning unit 207, information transmitting unit 208 and main control unit 209.
Described main control unit 209 is used to receive the data of distributing device 1 from the key control, and coordinates inner each functional unit and finish work such as key generates, mutual and authentication.
Described private key generation unit 201 is used to generate local private key, and offers main control unit 209, as the input of mutual key generation unit.For example, this inside, unit can produce a cipher key values at random in meeting the numerical value interval of key strength, i.e. private key, and offer main control unit 209 adds the tabulation of cancelling with this private key simultaneously, follow-uply do not re-use, and the tabulation of cancelling regularly empties.
Described mutual key generation unit 202: be responsible for receiving the key controls from main control unit 209 and distribute the mutual key that device 1 sends and generate control F (X), the local private key that above-mentioned private key generation unit 201 is generated generates mutual key as input.
Described transmission security key generation unit 203: be responsible for receiving the key control and distribute the mutual key generation control G (X that device 1 sends from main control unit 209, Y), mutual key of the other side who has generated and the local private key information of utilizing the other side's device to send, thus transmission security key generated.
Described signing messages authentication ' unit 204: the signed data that is used for verifying interactive information, cipher controlled is distributed device 1 when providing two kinds of keys to generate control, all added control information, key after signing messages authentication ' unit 204 uses public signature key that known key control distributes device to two kinds of encryptions generates control and is decrypted, only control the control of distributing device and just can solve correct plaintext from legitimate secret, at first whether identity verification ID is correct after solving expressly, judge that then current date whether in the control effective range, obtains version information at last as follow-up mutual affirmation control consistency.
Simultaneously, described signing messages authentication ' unit 204 also is responsible for before the other side's device sends mutual key, use the signature private key of self that mutual key information bag is encrypted earlier, thereby after receiving the other side's mutual key information bag, could use known the other side's public signature key deciphering interactive information bag, transfer to main control unit 209 distribution processor then.
Described check code authentication ' unit 205: include multiple check code algorithm, described check code algorithm can be the CRC check algorithm, parity arithmetic etc.Certain check code algorithm is responsible for calling in this unit increases check code information to guarantee to form safer mutual key information bag to the mutual key information bag that has generated; Further, described check code authentication ' unit 205 also is responsible for receiving the mutual key information bag that the other side's device sends from main control unit 209, and its check code is verified.
Described timestamp authentication ' unit 206: be used for the mutual transmission package of authenticate key and whether lost efficacy, and compare with the local zone time of system separately, judge whether overtime to prevent Replay Attack according to timestamp information in the bag.
Described data are preserved cleaning unit 207: be used to preserve the ephemeral data during the cipher key interaction and finish alternately after data scrubbing work; Further, data are preserved cleaning unit 207 can also increase a simple symmetric cryptography module, main control unit 209 deposits ephemeral data in before this unit, at first temporary information is encrypted by the signature key of described symmetric cryptography module invokes main control unit, put into data preservation cleaning unit with the ciphertext pattern and carry out safe storage, when need calling temporary information, other unit need earlier by this symmetric cryptography module decrypts ciphertext, thereby obtain cleartext information, could pay other unit and use.This device can guarantee the fail safe of each private key that uses, mutual key and transmission security key, prevents to be stolen in application process.
Described information transmitting unit 208: be used for obtaining mutual key information bag to be sent from main control unit 209.
Based on the device of Fig. 1 to generation transmission security key shown in Figure 3, the utility model also provides a kind of method that generates transmission security key, and this method may further comprise the steps:
Step 1: the key control is distributed device 1 and is produced key control and key control information, adds this key control information to this key control, and the key control that forms is sent to information transmitting apparatus 2 and information receiver 3;
Step 2: information transmitting apparatus 2 and information receiver 3 receive this key control, according to the control information that is added in the key control key control that is received are authenticated respectively;
Step 3: information transmitting apparatus 2 and information receiver 3 generate mutual key separately respectively, re-use check code, timestamp and authentication information and form mutual key information bag, should be transferred to the other side by mutual key information bag then;
Step 4: after information transmitting apparatus 2 and information receiver 3 are received the other side's mutual key information bag respectively, the other side's who utilizes local private key and receive mutual key, by calling the transmission security key generating algorithm generation transmission security key separately in the transmission security key generation control, these two transmission security keys equate.
Wherein, the control of key described in the step 1 is distributed device 1 and is produced key control and key control information, and the key control that produces encrypted, comprise: the key control is distributed device 1 and is produced key control and key control information, this key control includes mutual key schedule and transmission security key generating algorithm, add this key control information to this key control, and use signature private key that the mutual key schedule and the transmission security key generating algorithm of having added key control information are encrypted.
Information transmitting apparatus described in the step 32 and information receiver 3 generate mutual key separately respectively, re-use check code, timestamp and authentication information and form mutual key information bag, comprise: information transmitting apparatus 2 and information receiver 3 generate private key respectively in this locality, and utilize mutual key schedule in the key control to generate separately mutual key respectively, re-use check code, timestamp and authentication information and form mutual key information bag.
In addition, this method also comprises behind step 4 generation transmission security key separately: information transmitting apparatus 2 and information receiver 3 utilize the transmission security key that generates that the needs information transmitted is carried out encryption and decryption separately.
The method of the generation transmission security key that the utility model is provided below in conjunction with Fig. 4 and Fig. 5 is described in further detail.
Fig. 4 is the method flow diagram that generates transmission security key according to first embodiment of the utility model, and both sides refer to information transmitting apparatus 2 and information receiver 3 to present embodiment simply alternately as an example with one, and its concrete steps are as follows:
Step 401: propose operation requests;
Step 402: the key control is distributed device 1 and is called control information generating unit 11, generation comprises security control ID, the control information of version number and control useful life, and call key control generation unit 12, choose two kinds of keys and generate the control algorithm, for example F (X)=64X and G (X, Y)=X*Y, generate mutual key respectively and generate control and transmission security key generation control, again control information is added to and generate above-mentioned two kinds of keys generation control, add that then the key control distributes the private key of device 1 and sign, the final key that forms generates the control packets of information, distributes to information transmitting apparatus 2 and information receiver 3; Described control information comprises security control ID, for example " NCAA.Ltd.co. Ministry of State Security ", version number, for example " 2.0.3 ", control useful life, for example " 2009-12-01to2010-02-01 ";
Step 403: both sides' main control unit 209 calls signing messages authentication ' unit 204 separately, distributing the PKI that key control packets of information that device 1 distributes distributes device 1 according to known key control according to the key control respectively is decrypted in this locality, obtain the control authentication information, the described control authentication information that obtained comprises security control ID " NCAA.Ltd.co. Ministry of State Security ", version number " 2.0.3 ", control useful life " 2009-12-01to2010-02-01 ";
Step 404: 209 pairs of described control authentication informations of both sides' main control unit carry out the legitimacy verification, confirm that by authenticating security control ID whether the information that receives be the third party ID content of having arranged, confirm that by checking control useful life the local system time of device separately is whether within the control useful life that receives; If checking is passed through, then enter step 406, if checking is not passed through, transaction is interrupted, and enters step 405;
Step 405: transaction is interrupted, and verification is not distributed device by a side main control unit 209 recalls information transmitting elements 208 to the key control and sent the notice that resends, and finishes;
Step 406: checking is passed through, and the main control unit 209 recalls information transmitting elements 208 of information transmitting apparatus 2 are initiated the cipher key interaction request to information receiver 3; Step 406 checking by after also comprise: both sides' main control unit 209 calls data and preserves cleaning unit 204, is used for preserving the key control algorithm information of the control packets of information that receives, with the fail safe of guarantee information;
Step 407: information receiver 3 is confirmed the request that receives, and sets up SSL with information transmitting apparatus 2 and be connected;
Step 408: both sides SSL carries out alternately the control version information after connecting foundation;
Step 409: both sides verify whether mutual version information is consistent, if consistent, then checking is passed through, and carries out next step; If inconsistent, then transaction is interrupted, and both sides notify separately main control unit 209 contact key controls to distribute device 1 and retransmit, and finish;
Step 410: after consistency checking passes through, both sides' main control unit 209 calls separately respectively, and private key generation unit 201 generates local private key, get private key numerical value in this example and be respectively a=923 and b=672, preserve cleaning unit 207 and be saved in the fail safe that guarantees private key in the safety zone of this unit to guarantee random key a and b thereby main control unit 209 calls data more respectively;
Step 411: both sides' main control unit 209 calls data respectively and preserves mutual key algorithm control in the cleaning unit 204, uses algorithm F (the X)=64*X in the control, generates separately mutual cipher key number K respectively according to the local private key that has generated a=64*a=59072 and K b=64*b=43008 calls mutual key generation unit 202 again, and timestamp is added into mutual key K aAnd K b, call check code authentication ' unit 205 then, use wherein " parity arithmetic " to generate check code, be example with a side: with K a=59072 and the every additions summation of timestamp 200912122048,5+9+0+7+2+2+0+0+9+1+2+1+2+2+0+4+8=54, so be that its parity check code of even number is 0, in like manner can calculate the opposing party's parity check code is 1, last control version information composition cipher key interaction packets of information A=59027|200912122048|0|2.0.3 and the B=43008|200912122048|1|2.0.3 separately that replenish again signs to packets of information separately at last;
Step 412: both sides' main control unit 209 calls information transmitting unit 208 separately, and by the SSL traffic connection of having set up cipher key interaction packets of information clear data is exchanged;
Step 413: both sides' main control unit 209 calls data and preserves the cleaning unit the other side's interactive information bag clear data that receives is stored fail safe with guarantee information, obtains encrypt data in the interactive information bag thereby in this locality cipher key interaction information is decrypted again;
Step 414: both sides' main control unit 209 calls each self-checking code authentication ' unit 205 and 206 pairs of timestamp verification unit respectively and is kept at data and preserves the encrypt data of cleaning unit 207 and carry out the verification of parity check sum timestamp, verification is by then carrying out next step transaction, if verification is not passed through, then recalls information transmitting element 208 contact key controls are distributed device 1 and are retransmitted end;
Further, parity check concrete steps in the described step 414 are carried out parity check according to the described parity check method of step 411 to the data that receive for both sides' main control unit 209 calls check code authentication ' unit 205, the timestamp 200912122048 and the current system time of 206 pairs of cipher key interaction packets of information of allocating time stamp verification unit compare again by back main control unit 209, if it is overtime that the time shown in the timestamp then is judged as more than 1 minute greater than current system time, refusal is transaction further;
Step 415: both sides' main control unit 209 calls data and preserves cleaning unit 207, therefrom take out separately private key a=923 and b=672, and the mutual key that transmits of the other side, call transmission security key and generate control 203, G (X for example, Y)=X*Y calculates final transmission security key K, K=a*K among this embodiment b=923*43008=39696384 and K=b*K a=672*59072=39696384;
Step 416: both sides' main control unit 209 calls data transmission unit 208 respectively, sends to information receiving device 3 after the data that will need to transmit with the transmission security key that generates in the described step 415 are encrypted;
Step 417: finish.
Fig. 5 is the method flow diagram that generates transmission security key according to second embodiment of the utility model.Present embodiment further specifies the method that the utility model generates transmission security key with another kind of algorithm Diffie-Hellman (abbreviation DH algorithm---a kind of disclosed rivest, shamir, adelman belongs to public-key cryptosystem).With above-mentioned first embodiment, both sides refer to information transmitting apparatus 2 and information receiver 3, and it specifically may further comprise the steps:
Step 501: propose operation requests;
Step 502: the key control is distributed device 1 and is called control information generating unit 11, generation comprises the control information of security control ID, version number and control useful life, and call key control generation unit 12, choose two kinds of keys and generate control algorithm, for example F (X)=g xMod n (1<g<n, and g and n are required to be bigger prime number) and G (X, Y)=Y xMod n, generate mutual key respectively and generate control and transmission security key generation control, again control information is added to and generate above-mentioned two kinds of keys generation control, add that then the key control distributes the private key of device 1 and sign, the final key that forms generates the control packets of information, distributes to information transmitting apparatus 2 and information receiver 3; Described control information comprises security control ID, for example " FIFA.ACCA.COM.hk. ", version number, for example " V+2.7.0 ", control useful life, for example " 2010-01-28to2010-02-10 ".
Step 503: both sides' main control unit 209 calls signing messages authentication ' unit 204 separately, distributing the PKI that key control packets of information that device 1 distributes distributes device 1 according to known key control according to the key control respectively is decrypted in this locality, obtain the control authentication information, the described control authentication information that obtained comprises security control ID " FIFA.ACCA.COM.hk ", version number " V+2.7.0 ", control useful life " 2010-01-28to2010-02-10 ";
Step 504: 209 pairs of described control authentication informations of both sides' main control unit carry out the legitimacy verification, confirm that by authenticating security control ID whether the information that receives be the third party ID content of having arranged, confirm that by checking control useful life the local system time of device separately is whether within the control useful life that receives; If checking is passed through, then enter step 506, if checking is not passed through, transaction is interrupted, and enters step 505;
Step 505: transaction is interrupted, and verification is not distributed device by a side main control unit 209 recalls information transmitting elements 208 to the key control and sent the notice that resends, and finishes;
Step 506: checking is passed through, and the main control unit 209 recalls information transmitting elements 208 of information transmitting apparatus 2 are initiated the cipher key interaction request to information receiver 3; Step 506 checking by after also comprise: both sides' main control unit 209 calls data and preserves cleaning unit 204, is used for preserving the key control algorithm information of the control packets of information that receives, with the fail safe of guarantee information;
Step 507: information receiver 3 is confirmed the request that receives, and sets up SSL with information transmitting apparatus 2 and be connected;
Step 508: both sides SSL carries out alternately the control version information after connecting foundation;
Step 509: both sides verify whether mutual version information is consistent, if consistent, then checking is passed through, and carries out next step; If inconsistent, then transaction is interrupted, and both sides notify separately main control unit 209 contact key controls to distribute device 1 and retransmit, and finish;
Step 510: after consistency checking passes through, both sides' main control unit 209 calls separately respectively, and private key generation unit 201 generates local private key, get private key numerical value in this example and be respectively a=e and b=f, preserve cleaning unit 207 and be saved in the fail safe that guarantees private key in the safety zone of this unit to guarantee random key a and b thereby main control unit 209 calls data more respectively;
Step 511: both sides' main control unit 209 calls data respectively and preserves the mutual key algorithm control of clearing up in the unit 204, uses algorithm F (the X)=g in the control xMod n (1<g<n, and g and n are required to be bigger prime number) generates separately mutual cipher key number K respectively according to the local private key that has generated a=g eMod n and K b=g fMod n calls mutual key generation unit 202 again, and timestamp is added into mutual key K aAnd K b, call check code authentication ' unit 205 then, use any one check code generating algorithm wherein to generate check code, the last control version information composition cipher key interaction packets of information A=g separately that replenishes again eMod n|201001051357|1 and B=g fMod n|201001051357|0 signs to packets of information separately at last;
Step 512: both sides' main control unit 209 calls information transmitting unit 208 separately, and by the SSL traffic connection of having set up cipher key interaction packets of information clear data is exchanged;
Step 513: both sides' main control unit 209 calls data and preserves the cleaning unit the other side's interactive information bag clear data that receives is stored fail safe with guarantee information, obtains encrypt data in the interactive information bag thereby in this locality cipher key interaction information is decrypted again;
Step 514: both sides' main control unit 209 calls each self-checking code authentication ' unit 205 and 206 pairs of timestamp verification unit respectively and is kept at data and preserves the encrypt data of cleaning unit 207 and carry out the verification of parity check sum timestamp, verification is by then carrying out next step transaction, if verification is not passed through, then recalls information transmitting element 208 contact key controls are distributed device 1 and are retransmitted end;
Further, the described parity check concrete steps of described step 514 are carried out parity check according to the described parity check method of step 511 to the data that receive for both sides' main control unit 209 calls check code authentication ' unit 205, the timestamp 201001051357 and the current system time of 206 pairs of cipher key interaction packets of information of allocating time stamp verification unit compare again by back main control unit 209, if it is overtime that the time shown in the timestamp then is judged as more than 1 minute greater than current system time, refusal is transaction further;
Step 515: both sides' main control unit 209 calls data and preserves cleaning unit 207, therefrom takes out separately private key a=e and b=f, and the mutual key that transmits of the other side, call transmission security key and generate control 203, for example G (X, Y)=Y xMod n calculates final transmission security key K, K=[Kb among this embodiment] aMod n=[g fMod n] eMod n=(g f) eMod n ,=g F* eMod n and K=[K a] bModn=[g eMod n] fMod n=(g e) fMod n ,=g E*fMod n;
Step 516: both sides' main control unit 209 calls data transmission unit 208 respectively, sends to information receiving device 3 after the data that will need to transmit with the transmission security key that generates in the described step 417 are encrypted;
Step 517: finish.
Above-described specific embodiment; the purpose of this utility model, technical scheme and beneficial effect are further described; institute is understood that; the above only is a specific embodiment of the utility model; be not limited to the utility model; all within spirit of the present utility model and principle, any modification of being made, be equal to replacement, improvement etc., all should be included within the protection range of the present utility model.

Claims (15)

1. a device that generates transmission security key is characterized in that, this device comprises by the network key control that connects that intercouples distributes device (1), information transmitting apparatus (2) and information receiver (3), wherein:
The key control is distributed device (1), be the information transmitting apparatus (2) as communication two party and the third party of information receiver (3), produce key control and key control information, this key control includes mutual key schedule and transmission security key generating algorithm, add this key control information to this key control, and send to information transmitting apparatus (2) and information receiver (3);
Information transmitting apparatus (2) and information receiver (3), all are web servers, reception is distributed the key control that device (1) sends by the key control, according to the control information that is added in the key control key control that is received is authenticated respectively, and utilize mutual key schedule in the key control to generate separately mutual key respectively, re-use check code, timestamp and authentication information are formed mutual key information bag, then described mutual key information bag is transferred to the other side, after receiving the other side's mutual key information bag respectively, the other side's who utilizes local private key and receive mutual key, by calling the transmission security key generating algorithm generation transmission security key separately in the transmission security key generation control, these two transmission security keys equate; At last, utilize the transmission security key that generates that the needs information transmitted is carried out encryption and decryption separately.
2. the device of generation transmission security key according to claim 1 is characterized in that, described key control is distributed device (1) and comprised interconnective control information generating unit (11) and key control generation unit (12), wherein:
Control information generating unit (11) produces key control information, and this key control information comprises security control ID, version number and control useful life at least,
Key control generation unit (12) is taken out with various algorithms and is generated the key control, and this key control comprises mutual key schedule control and transmission security key generating algorithm control.
3. the device of generation transmission security key according to claim 1, it is characterized in that, described information transmitting apparatus (2) or information receiver (3) include private key generation unit (201), mutual key generation unit (202), transmission security key generation unit (203), signing messages authentication ' unit (204), check code authentication ' unit (205), timestamp verification unit (206), data are preserved cleaning unit (207), information transmitting unit (208) and main control unit (209), and private key generation unit (201), mutual key generation unit (202), transmission security key generation unit (203), signing messages authentication ' unit (204), check code authentication ' unit (205), timestamp verification unit (206), data are preserved cleaning unit (207) and information transmitting unit (208) all is connected in main control unit (209).
4. the device of generation transmission security key according to claim 3, it is characterized in that, described main control unit (209) receives and distributes the data of device (1) from the key control, and coordinates inner private key generation unit (201), mutual key generation unit (202), transmission security key generation unit (203), signing messages authentication ' unit (204), check code authentication ' unit (205), timestamp verification unit (206), data preservation cleaning unit (207) and information transmitting unit (208) and finish key generation, mutual and certification work.
5. the device of generation transmission security key according to claim 3 is characterized in that, described private key generation unit (201) generates local private key, and offers main control unit (209), as the input of mutual key generation unit.
6. the device of generation transmission security key according to claim 3, it is characterized in that, described mutual key generation unit (202) receives the key control from main control unit (209) and distributes the mutual key generation control F (X) that device (1) sends, the local private key that described private key generation unit (201) is generated generates mutual key as input.
7. the device of generation transmission security key according to claim 3, it is characterized in that, described transmission security key generation unit (203) receives the key control from main control unit (209) and distributes the mutual key generation control G (X that device (1) sends, Y), mutual key of the other side who has generated and the local private key information of utilizing the other side's device to send generate transmission security key.
8. the device of generation transmission security key according to claim 3, it is characterized in that, signed data in described signing messages authentication ' unit (204) the checking interactive information, cipher controlled is distributed device (1) control information all has been provided when providing two kinds of keys to generate control, key after signing messages authentication ' unit (204) uses public signature key that known key control distributes device to two kinds of encryptions generates control and is decrypted, only control the control of distributing device and just can solve correct plaintext from legitimate secret, at first whether identity verification ID is correct after solving expressly, judge that then current date whether in the control effective range, obtains version information at last as follow-up mutual affirmation control consistency.
9. the device of generation transmission security key according to claim 8, it is characterized in that, described signing messages authentication ' unit (204) is further before the other side's device sends mutual key, use the signature private key of self that mutual key information bag is encrypted earlier, after receiving the other side's mutual key information bag, could use known the other side's public signature key deciphering interactive information bag, transfer to main control unit (209) distribution processor then.
10. the device of generation transmission security key according to claim 3, it is characterized in that, described check code authentication ' unit (205) is called self-contained certain check code algorithm increases check code information to the mutual key information bag that has generated, to guarantee to form safer mutual key information bag, wherein check code authentication ' unit (205) includes multiple check code algorithm, and this check code algorithm is CRC check algorithm or parity arithmetic at least.
11. the device of generation transmission security key according to claim 10 is characterized in that, described check code authentication ' unit (205) further receives the mutual key information bag that the other side's device sends from main control unit (209), and its check code is verified.
12. the device of generation transmission security key according to claim 3, it is characterized in that, whether the mutual transmission package of described timestamp authentication ' unit (206) authenticate key lost efficacy, and compare with the local zone time of system separately according to timestamp information in the bag, judge whether overtime to prevent simple Replay Attack.
13. the device of generation transmission security key according to claim 3 is characterized in that, ephemeral data during described data preservation cleaning unit (207) the preservation cipher key interaction and the data scrubbing work behind mutual the end.
14. the device of generation transmission security key according to claim 13, it is characterized in that, described data are preserved cleaning unit (207) and are also comprised a symmetric cryptography module, described main control unit (209) deposits ephemeral data in before this unit, at first temporary information is encrypted by the signature key of this symmetric cryptography module invokes main control unit (209), put into data preservation cleaning unit with the ciphertext pattern and carry out safe storage, when need calling temporary information, other unit, pay other unit uses thereby obtain cleartext information earlier by this symmetric cryptography module decrypts ciphertext.
15. the device of generation transmission security key according to claim 3 is characterized in that, described information transmitting unit (208) is obtained mutual key information bag to be sent from main control unit (209).
CN2010201771189U 2010-04-28 2010-04-28 Device for generating transmission key Expired - Lifetime CN201656997U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010201771189U CN201656997U (en) 2010-04-28 2010-04-28 Device for generating transmission key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010201771189U CN201656997U (en) 2010-04-28 2010-04-28 Device for generating transmission key

Publications (1)

Publication Number Publication Date
CN201656997U true CN201656997U (en) 2010-11-24

Family

ID=43122225

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010201771189U Expired - Lifetime CN201656997U (en) 2010-04-28 2010-04-28 Device for generating transmission key

Country Status (1)

Country Link
CN (1) CN201656997U (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101807997A (en) * 2010-04-28 2010-08-18 中国工商银行股份有限公司 Device and method for generating transmission key
CN102394749A (en) * 2011-09-26 2012-03-28 深圳市文鼎创数据科技有限公司 Line protection method, system, information safety equipment and application equipment for data transmission
CN103714633A (en) * 2013-03-15 2014-04-09 福建联迪商用设备有限公司 Method and POS terminal for safely generating transmission key
CN104661215A (en) * 2015-01-15 2015-05-27 天地融科技股份有限公司 Communication method of wireless equipment and wireless equipment
CN106549768A (en) * 2016-12-08 2017-03-29 上海众人网络安全技术有限公司 A kind of method and system of time type plug-in authentication

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101807997A (en) * 2010-04-28 2010-08-18 中国工商银行股份有限公司 Device and method for generating transmission key
CN101807997B (en) * 2010-04-28 2012-08-22 中国工商银行股份有限公司 Device and method for generating transmission key
CN102394749A (en) * 2011-09-26 2012-03-28 深圳市文鼎创数据科技有限公司 Line protection method, system, information safety equipment and application equipment for data transmission
CN103714633A (en) * 2013-03-15 2014-04-09 福建联迪商用设备有限公司 Method and POS terminal for safely generating transmission key
CN104661215A (en) * 2015-01-15 2015-05-27 天地融科技股份有限公司 Communication method of wireless equipment and wireless equipment
CN106549768A (en) * 2016-12-08 2017-03-29 上海众人网络安全技术有限公司 A kind of method and system of time type plug-in authentication

Similar Documents

Publication Publication Date Title
CN101807997B (en) Device and method for generating transmission key
CN105959269B (en) A kind of identifiable dynamic group key agreement method of identity-based
Burmester On the risk of opening distributed keys
CN101052033B (en) Certifying and key consulting method and its device based on TTP
CN110535868A (en) Data transmission method and system based on Hybrid Encryption algorithm
CN101741555B (en) Method and system for identity authentication and key agreement
CN102547688B (en) Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel
CN102394749B (en) Line protection method, system, information safety equipment and application equipment for data transmission
CN101978650B (en) A system and method of secure network authentication
US20030210789A1 (en) Data transmission links
CN113612605A (en) Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
EP2182672A1 (en) Method, system and equipment for key distribution
CN108768930A (en) A kind of encrypted transmission method of data
JP2005515701A6 (en) Data transmission link
GB2404126A (en) Secure communications using a secret key valid for a certain period and verified using a time stamp
CN104506534A (en) Safety communication secret key negotiation interaction scheme
CN105376213A (en) Identity-based broadcast encryption scheme
CN111277412B (en) Data security sharing system and method based on block chain key distribution
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN102111273B (en) Pre-sharing-based secure data transmission method for electric load management system
CN101286849A (en) Authentication system and method of a third party based on engagement arithmetic
CN201656997U (en) Device for generating transmission key
CN110278088A (en) A kind of SM2 collaboration endorsement method
US8117447B2 (en) Authentication method employing elliptic curve cryptography
CN103118363A (en) Method, system, terminal device and platform device of secret information transmission

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
AV01 Patent right actively abandoned

Granted publication date: 20101124

Effective date of abandoning: 20120822