KR101688811B1 - Method of encrypting and decrypting data - Google Patents

Method of encrypting and decrypting data Download PDF

Info

Publication number
KR101688811B1
KR101688811B1 KR1020150064462A KR20150064462A KR101688811B1 KR 101688811 B1 KR101688811 B1 KR 101688811B1 KR 1020150064462 A KR1020150064462 A KR 1020150064462A KR 20150064462 A KR20150064462 A KR 20150064462A KR 101688811 B1 KR101688811 B1 KR 101688811B1
Authority
KR
South Korea
Prior art keywords
key
encryption
text data
token
data
Prior art date
Application number
KR1020150064462A
Other languages
Korean (ko)
Other versions
KR20160131620A (en
Inventor
박성은
Original Assignee
(주)케이사인
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)케이사인 filed Critical (주)케이사인
Priority to KR1020150064462A priority Critical patent/KR101688811B1/en
Publication of KR20160131620A publication Critical patent/KR20160131620A/en
Application granted granted Critical
Publication of KR101688811B1 publication Critical patent/KR101688811B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

In the data encryption / decryption method, the encryption / decryption requesting apparatus requests encryption of original data. The token server encrypts the original text data based on the first cryptographic key to generate the first text cipher text data, and provides a token value corresponding to the original text data. When the encryption decryption request apparatus requests decryption of the token value after the first encryption key is updated to the second encryption key, the token server decrypts the first original text cipher text data based on the first encryption key, And encrypts the original text data based on the second cryptographic key to provide the second original text ciphertext data. In the data encryption / decryption method according to the present invention, when the encryption decryption requesting apparatus requests decryption of the token value after the first encryption key is updated with the second encryption key, the token server encrypts the first original key The ciphertext data is decrypted to provide the original text data, and the original text data is encrypted based on the second ciphertext to provide the second text ciphertext data, thereby protecting the personal information in the ciphering key leakage.

Description

[0001] METHOD OF ENCRYPTING AND DECRYPTING DATA [0002]

The present invention relates to data processing, and more particularly, to a data encryption / decryption method.

Personal information may be encrypted in order to maintain the security of personal information. Even if the personal information is encrypted, the personal information may be illegally used if the encryption key is leaked. Various studies have been conducted to protect personal information when a cryptographic key is leaked.

In order to solve the above problems, an object of the present invention is to provide a token server, in which when a first encryption key is updated with a second encryption key, and the encryption / decryption request apparatus requests decryption of a token value, Decrypting the first original text cipher text data to provide original text data and encrypting the original text data based on the second cryptographic key to provide the second original text cipher text data, Method.

According to an aspect of the present invention, there is provided a method of encrypting data according to embodiments of the present invention, the method comprising: requesting encryption of an original data by an encryption / decryption requesting apparatus; Encrypting the first ciphertext data to generate first ciphertext data and providing a token value corresponding to the original text data; and after the first ciphering key is updated with the second ciphering key, The token server decrypts the first cipher text data based on the first cipher key to provide the original text data, encrypts the original text data based on the second cipher key, And providing the original text ciphertext data.

In an exemplary embodiment, after the first cryptographic key is updated with the second cryptographic key, if the encryption decryption request apparatus requests encryption, the token server performs encryption based on the second cryptographic key .

In an exemplary embodiment, the version of the token value, the first text cipher text data, and the first cryptographic key corresponding to the original text data may be stored in a database.

In an exemplary embodiment, the database may be located outside the token server.

In an exemplary embodiment, when the first cryptographic key is updated with the second cryptographic key, the version of the token value, the second original cipher text data, and the second cryptographic key corresponding to the original text data, Lt; / RTI >

In an exemplary embodiment, the database may be located within the token server.

In an exemplary embodiment, the token server may provide a latest update key request signal requesting the key server for information about the most recently updated latest update cipher key at predetermined time intervals.

In an exemplary embodiment, the key server may include a key request processing module that provides a version of the latest update cipher key and the latest update cipher key based on the latest update key request signal.

In an exemplary embodiment, the key request processing module may receive a version of the latest update encryption key from a key pointer included in the key server.

In the exemplary embodiment, the token server may further include a token server for storing the version of the token value, the first original text ciphertext data, and the first cryptographic key corresponding to the original text data stored in the database, The token value corresponding to the original text data, the second original text cipher text data, and the second cryptographic key.

In the data encryption / decryption method according to embodiments of the present invention, after the first encryption key is updated with the second encryption key, when the encryption / decryption requesting apparatus requests decryption of the token value, And provides the original text data by decrypting the first text cipher text data, and encrypts the original text data based on the second cryptographic key to provide the second text cipher text data, thereby protecting the personal information when the encryption key is leaked.

1 is a flowchart illustrating a data encryption / decryption method according to embodiments of the present invention.
2 is a block diagram illustrating a data encryption and decryption system according to embodiments of the present invention.
FIG. 3 is a diagram for explaining an example of the data encryption / decryption method of FIG.
FIG. 4 is a view for explaining an example of operation of the data encryption / decryption system of FIG.
5 is a block diagram illustrating an example of a token server included in the data encryption / decryption system of FIG.
FIG. 6 is a diagram for explaining another operation example of the data encryption / decryption system of FIG. 2. FIG.
FIG. 7 is a diagram for explaining another operation example of the data encryption / decryption system of FIG.
8 is a view for explaining a batch key update operation of the data encryption / decryption system of FIG.

For the embodiments of the invention disclosed herein, specific structural and functional descriptions are set forth for the purpose of describing an embodiment of the invention only, and it is to be understood that the embodiments of the invention may be practiced in various forms, And is not to be construed as limited to the embodiments described in Figs.

The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It is to be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms may be used for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprise", "having", and the like are intended to specify the presence of stated features, integers, steps, operations, elements, components, or combinations thereof, , Steps, operations, components, parts, or combinations thereof, as a matter of principle.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries should be construed as meaning consistent with meaning in the context of the relevant art and are not to be construed as ideal or overly formal in meaning unless expressly defined in the present application .

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

FIG. 1 is a flowchart illustrating a data encryption / decryption method according to an embodiment of the present invention. FIG. 2 is a block diagram illustrating a data encryption / decryption system according to an embodiment of the present invention. Fig. 8 is a diagram for explaining an example of a method.

1 to 3, the data encryption / decryption system 10 may include an encryption / decryption request apparatus 100, a token server 200, a key server 300, and a database 400. When the encryption / decryption request apparatus 100 requests encryption to the token server 200, the encryption / decryption request apparatus 100 may provide the original data O_D to the token server 200. When the encryption decryption request apparatus 100 provides the original document data O_D to the token server 200, the token server 200 transmits the token value T_V corresponding to the original document data O_D to the encryption decryption request apparatus 100 ). In addition, when the encryption / decryption request apparatus 100 requests decryption from the token server 200, the encryption / decryption request apparatus 100 may provide the token server 200 with the token value T_V. When the encryption / decryption request apparatus 100 provides the token value T_V to the token server 200, the token server 200 transmits the original data O_D corresponding to the token value T_V to the encryption / decryption request apparatus 100 ).

When the token server 200 provides the latest update key request signal LKR_S requesting the key server 300 to provide information on the latest update cipher key KEY2 that has been most recently updated, The update encryption key (KEY2) and the version (KEY_V2) of the latest update encryption key to the token server (200). The token server 200 may store the version (KEY_V2) of the latest update encryption key in the database 400. [

When the encryption / decryption request apparatus 100 provides the original text data O_D to the token server 200, the token server 200 may generate the original text ciphertext data OE_D based on the encryption key KEY. The token server 200 may store the original text cipher text data OE_D in the database 400. [ In addition, when the encryption / decryption request apparatus 100 provides the original document data O_D to the token server 200, the token server 200 may generate the token value T_V corresponding to the original document data O_D . The token server 200 may store the token value T_V in the database 400.

In the data encryption / decryption method, the encryption / decryption request apparatus 100 requests encryption of the original document data O_D (S100). For example, the cipher key KEY is the first cipher key KEY1, and the original text data O_D requested by the encryption decryption request apparatus 100 to encrypt is "1234561234567 ".

The token server 200 encrypts the original text data O_D based on the first encryption key KEY1 to generate the first text cipher text data OE_D1 and outputs the token value T_V corresponding to the original text data O_D (S110). For example, when the original text data O_D requested by the encryption / decryption request apparatus 100 is "1234561234567", the token server 200 uses the first encryption key KEY1 to generate the original text data O_D " Quot; 1234561234567 ". When the token server 200 encrypts the original text data O_D "1234561234567" using the first cryptographic key KEY1, the first original text cipher text data OE_D1 may be E (1234561234567). The token server 200 may store E (1234561234567) corresponding to the first original text cipher text data (OE_D1) in the database 400 together with the version (KEY_V) of the encryption key. In this case, the version (KEY_V) of the encryption key may be one. If the original text data O_D requested by the encryption / decryption request apparatus 100 is "1234561234567", the token value T_V of "1234561234567" corresponding to the original text data O_D may be "VUZPOLOIUYTRN" . The token server 200 may store "VUZPOLOIUYTRN" in the database 400 corresponding to the token value T_V. Further, the token server 200 may provide "VUZPOLOIUYTRN" corresponding to the token value T_V to the encryption decryption request apparatus 100. [

When the encryption decryption request apparatus 100 requests decryption for the token value T_V after the first encryption key KEY1 is updated to the second encryption key KEY2, Decrypts the first original text cipher text data OE_D1 based on the key KEY1 to provide the original text data O_D and encrypts the original text data O_D based on the second cryptographic key KEY2, (OE_D2) (S120). For example, the first cryptographic key KEY1 may be updated with the second cryptographic key KEY2 at the first time T1. After the first cipher key KEY1 is updated with the second cipher key KEY2, the encryption decryption request apparatus 100 may request decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V. When the encryption / decryption request apparatus 100 requests decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V, the token server 200 generates the first original-text cipher text data OE_D1 (OE_D1) based on the first encryption key KEY1 (1234561234567) corresponding to E (1234561234567) can be decoded to provide the original text data O_D. When the token server 200 decrypts E (1234561234567) corresponding to the first original text cipher text data OE_D1 based on the first encryption key KEY1, the original text data O_D may be "1234561234567". In this case, the token server 200 may provide "1234561234567" corresponding to the original text data O_D to the encryption decryption request apparatus 100. [ Also, the token server 200 can encrypt the original text data O_D "1234561234567" by using the second cipher key KEY2. When the token server 200 encrypts the original text data O_D "1234561234567" using the second cipher key KEY2, the second original text cipher text data OE_D2 may be E (1234561234567). The token server 200 may store E (1234561234567) corresponding to the second original text cipher text data (OE_D2) in the database 400 together with the version (KEY_V) of the encryption key. In this case, the version (KEY_V) of the encryption key may be 2.

The data encryption / decryption method according to embodiments of the present invention is a method in which the encryption / decryption request apparatus 100 decrypts the token value T_V after the first encryption key KEY1 is updated with the second encryption key KEY2 When requested, the token server 200 decrypts the first text cipher text data OE_D1 based on the first cryptographic key KEY1 to provide the original text data O_D, and based on the second cryptographic key KEY2, The original text data O_D is encrypted to provide the second original text cipher text data OE_D2 to protect the personal information when the encryption key KEY is leaked.

FIG. 4 is a view for explaining an example of operation of the data encryption / decryption system of FIG.

Referring to FIGS. 1, 2 and 4, the data encryption / decryption system 10 may include an encryption / decryption request apparatus 100, a token server 200, a key server 300, and a database 400. When the encryption decryption request apparatus 100 requests encryption after the first encryption key KEY1 is updated to the second encryption key KEY2, the token server 200 generates the second encryption key KEY2 based on the second encryption key KEY2 Encryption can be performed. For example, if the original text data O_D requesting encryption by the encryption / decryption request apparatus 100 is "1234561234567", the token server 200 provides E (1234561234567) with the first original text cipher text data OE_D1 , And can provide "VUZPOLOIUYTRN" as the token value T_V. Thereafter, the first cryptographic key KEY1 may be updated with the second cryptographic key KEY2 at the first time T1.

After the first cryptographic key KEY1 is updated to the second cryptographic key KEY2, the cryptographic key KEY is the second cryptographic key KEY2, and the original decryption data O_D) may be "0987654321123 ". If the original text data O_D requested by the encryption / decryption request apparatus 100 is "0987654321123", the token server 200 encrypts the original text data O_D "0987654321123" using the second encryption key KEY2 can do. When the token server 200 encrypts the original text data O_D "0987654321123" using the second cipher key KEY2, the original text cipher text data OE_D may be E (0987654321123). The token server 200 may store E (0987654321123) corresponding to the original text ciphertext data (OE_D) in the database 400 together with the version (KEY_V) of the encryption key. In this case, the version (KEY_V) of the encryption key may be 2. If the original text data O_D requested by the encryption / decryption request apparatus 100 is "0987654321123", the token value T_V of "0987654321123" corresponding to the original text data O_D may be "ZXCVBNMLKJHGF" . The token server 200 may store "ZXCVBNMLKJHGF" corresponding to the token value T_V in the database 400 together with the source text cipher text data OE_D and the version KEY_V of the encryption key. Further, the token server 200 may provide "ZXCVBNMLKJHGF" corresponding to the token value T_V to the encryption decryption request apparatus 100. [ In the exemplary embodiment, when the encryption decryption request apparatus 100 requests encryption after the first encryption key KEY1 is updated with the second encryption key KEY2, the token server 200 transmits the second encryption key KEY2, Encryption can be performed based on the key KEY2.

In an exemplary embodiment, the token value T_V, the first original cipher text data OE_D1, and the version (KEY_V1) of the first cryptographic key corresponding to the original text data O_D may be stored in the database 400 . For example, the cipher key KEY is the first cipher key KEY1, and the original text data O_D requested by the encryption decryption request apparatus 100 to encrypt is "1234561234567 ". The token value T_V may be "VUZPOLOIUYYTRN ", and the first original text cipher text data OE_D1 may be E (1234561234567) if the original text data O_D requesting encryption / decryption request apparatus 100 is" 1234561234567 " , And the version (KEY_V) of the encryption key may be one. In this case, 1 corresponding to "VUZPOLOIUYTRN" corresponding to the token value T_V, E (1234561234567) corresponding to the first source text ciphertext data OE_D1, and version (KEY_V) Can be stored in a column. In an exemplary embodiment, the database 400 may be located outside the token server 200.

5 is a block diagram illustrating an example of a token server included in the data encryption / decryption system of FIG.

1 to 5, the data encryption / decryption system 10 may include an encryption / decryption request apparatus 100, a token server 200, a key server 300, and a database 400. When the encryption / decryption request apparatus 100 requests encryption to the token server 200, the encryption / decryption request apparatus 100 may provide the original data O_D to the token server 200. When the encryption decryption request apparatus 100 provides the original document data O_D to the token server 200, the token server 200 transmits the token value T_V corresponding to the original document data O_D to the encryption decryption request apparatus 100 ). In addition, when the encryption / decryption request apparatus 100 requests decryption from the token server 200, the encryption / decryption request apparatus 100 may provide the token server 200 with the token value T_V. When the encryption / decryption request apparatus 100 provides the token value T_V to the token server 200, the token server 200 transmits the original data O_D corresponding to the token value T_V to the encryption / decryption request apparatus 100 ). In an exemplary embodiment, the database 400 may be located within the token server 200.

In the exemplary embodiment, when the first cryptographic key KEY1 is updated with the second cryptographic key KEY2, the token value T_V corresponding to the original text data O_D, the second original text cipher text data OE_D2, The version (KEY_V2) of the second cryptographic key may be updated in the database (400). For example, the first cryptographic key KEY1 may be updated with the second cryptographic key KEY2 at the first time T1. After the first cipher key KEY1 is updated with the second cipher key KEY2, the encryption decryption request apparatus 100 may request decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V. When the encryption / decryption request apparatus 100 requests decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V, the second original text cipher text data OE_D2 may be E (1234561234567) and the version of the encryption key (KEY_V ) May be two. In this case, 2 corresponding to "VUZPOLOIUYTRN" corresponding to the token value T_V, E (1234561234567) corresponding to the second original text ciphertext data OE_D2, and version (KEY_V) Can be stored in a column.

The data encryption / decryption method according to embodiments of the present invention is a method in which the encryption / decryption request apparatus 100 decrypts the token value T_V after the first encryption key KEY1 is updated with the second encryption key KEY2 When requested, the token server 200 decrypts the first text cipher text data OE_D1 based on the first cryptographic key KEY1 to provide the original text data O_D, and based on the second cryptographic key KEY2, The original text data O_D is encrypted to provide the second original text cipher text data OE_D2 to protect the personal information when the encryption key KEY is leaked.

FIG. 6 is a diagram for explaining another operation example of the data encryption / decryption system of FIG. 2. FIG.

6, the token server 200 transmits a latest update key request signal (LKR_S) requesting the key server 300 for information on the latest update encryption key (KEY2) most recently updated at a predetermined time interval . For example, the predetermined time interval may include a first time interval PTI1, a second time interval PTI2, and a third time interval PTI3. The first time interval PTI1 may be the difference time between the first time T1 and the second time T2 and the second time interval PTI2 may be the difference time between the second time T2 and the third time T3 And the third time interval PTI3 may be the difference time between the third time T3 and the fourth time T4. The token server 200 may provide the latest update key request signal LKR_S to the key server 300 at the first time T1. When the first encryption key KEY1 is updated with the second encryption key KEY2, the key server 300 transmits the version KEY_V2 of the second encryption key and the second encryption key KEY2 to the token server 200 . If the second cryptographic key KEY2 is not updated after the first time interval PTI1 elapses from the first time T1, the key server 300 transmits the cryptographic key KEY and the version of the cryptographic key The key server 300 may not provide the key KEY_V to the token server 200. If the second cryptographic key KEY2 is updated with the third cryptographic key KEY, KEY_V) and the third encryption key (KEY) to the token server 200.

The data encryption / decryption method according to embodiments of the present invention is a method in which the encryption / decryption request apparatus 100 decrypts the token value T_V after the first encryption key KEY1 is updated with the second encryption key KEY2 When requested, the token server 200 decrypts the first text cipher text data OE_D1 based on the first cryptographic key KEY1 to provide the original text data O_D, and based on the second cryptographic key KEY2, The original text data O_D is encrypted to provide the second original text cipher text data OE_D2 to protect the personal information when the encryption key KEY is leaked.

FIG. 7 is a diagram for explaining another operation example of the data encryption / decryption system of FIG.

Referring to FIGS. 2 and 7, the data encryption / decryption system 10 may include an encryption / decryption request apparatus 100, a token server 200, a key server 300, and a database 400. When the encryption / decryption request apparatus 100 requests encryption to the token server 200, the encryption / decryption request apparatus 100 may provide the original data O_D to the token server 200. When the encryption decryption request apparatus 100 provides the original document data O_D to the token server 200, the token server 200 transmits the token value T_V corresponding to the original document data O_D to the encryption decryption request apparatus 100 ). In addition, when the encryption / decryption request apparatus 100 requests decryption from the token server 200, the encryption / decryption request apparatus 100 may provide the token server 200 with the token value T_V. When the encryption / decryption request apparatus 100 provides the token value T_V to the token server 200, the token server 200 transmits the original data O_D corresponding to the token value T_V to the encryption / decryption request apparatus 100 ).

In an exemplary embodiment, the key server 300 includes a key request processing module 310 (KEY2) that provides a latest update cryptographic key KEY2 and a version KEY_V2 of the latest update cryptographic key based on the latest update key request signal LKR_S ). For example, the token server 200 may periodically provide the latest update key request signal LKR_S. When the token server 200 periodically provides the latest update key request signal LKR_S, the key request processing module 310 receives the key update request signal LKR_S from the key pointer 320, the first key block 330 and the second key block 340, The latest update encryption key (KEY2) and the latest update encryption key version (KEY_V2).

For example, the version (KEY_V2) of the latest update cryptographic key stored in the key pointer 320 may be the same as the version (KEY_V1) of the first cryptographic key. If the version KEY_V2 of the latest update cipher key stored in the key pointer 320 is equal to the version KEY_V1 of the first cipher key, the key request processing module 310 receives the first cipher key from the first key block 330, It is possible to receive the key KEY1. In this case, the key request processing module 310 may provide the first cryptographic key KEY1 as the latest update cryptographic key KEY2 to the token server 200, 1 as the version (KEY_V2) of the token server 200. [ Also, the version (KEY_V2) of the latest update cipher key stored in the key pointer 320 may be the same as the version (KEY_V2) of the second cipher key. When the version KEY_V2 of the latest update cipher key stored in the key pointer 320 is equal to the version KEY_V2 of the second cipher key, the key request processing module 310 receives the second cipher key from the second key block 340 Key KEY2. In this case, the key request processing module 310 may provide the second cryptographic key KEY2 as the latest update cryptographic key KEY2 to the token server 200, 2 as a version (KEY_V2) of the token server 200. [

In an exemplary embodiment, the key request processing module 310 may receive a version (KEY_V2) of the latest update cryptographic key from a key pointer 320 included in the key server 300.

8 is a view for explaining a batch key update operation of the data encryption / decryption system of FIG.

Referring to FIG. 8, in the data encryption / decryption method, the encryption / decryption request apparatus 100 requests encryption of the original text data O_D. For example, the cipher key KEY is the first cipher key KEY1, and the original text data O_D requested by the encryption decryption request apparatus 100 to encrypt is "1234561234567 ".

The token server 200 encrypts the original text data O_D based on the first encryption key KEY1 to generate the first text cipher text data OE_D1 and outputs the token value T_V corresponding to the original text data O_D to provide. For example, when the original text data O_D requested by the encryption / decryption request apparatus 100 is "1234561234567", the token server 200 uses the first encryption key KEY1 to generate the original text data O_D " Quot; 1234561234567 ". When the token server 200 encrypts the original text data O_D "1234561234567" using the first cryptographic key KEY1, the first original text cipher text data OE_D1 may be E (1234561234567). The token server 200 may store E (1234561234567) corresponding to the first original text cipher text data (OE_D1) in the database 400 together with the version (KEY_V) of the encryption key. In this case, the version (KEY_V) of the encryption key may be one. If the original text data O_D requested by the encryption / decryption request apparatus 100 is "1234561234567", the token value T_V of "1234561234567" corresponding to the original text data O_D may be "VUZPOLOIUYTRN" . The token server 200 may store "VUZPOLOIUYTRN" in the database 400 corresponding to the token value T_V. Further, the token server 200 may provide "VUZPOLOIUYTRN" corresponding to the token value T_V to the encryption decryption request apparatus 100. [

When the encryption decryption request apparatus 100 requests decryption for the token value T_V after the first encryption key KEY1 is updated to the second encryption key KEY2, Decrypts the first original text cipher text data OE_D1 based on the key KEY1 to provide the original text data O_D and encrypts the original text data O_D based on the second cryptographic key KEY2, (OE_D2). For example, the first cryptographic key KEY1 may be updated with the second cryptographic key KEY2 at the first time T1. After the first cipher key KEY1 is updated with the second cipher key KEY2, the encryption decryption request apparatus 100 may request decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V. When the encryption / decryption request apparatus 100 requests decryption for "VUZPOLOIUYTRN" corresponding to the token value T_V, the token server 200 generates the first original-text cipher text data OE_D1 (OE_D1) based on the first encryption key KEY1 (1234561234567) corresponding to E (1234561234567) can be decoded to provide the original text data O_D. When the token server 200 decrypts E (1234561234567) corresponding to the first original text cipher text data OE_D1 based on the first encryption key KEY1, the original text data O_D may be "1234561234567". In this case, the token server 200 may provide "1234561234567" corresponding to the original text data O_D to the encryption decryption request apparatus 100. [ Also, the token server 200 can encrypt the original text data O_D "1234561234567" by using the second cipher key KEY2. When the token server 200 encrypts the original text data O_D "1234561234567" using the second cipher key KEY2, the second original text cipher text data OE_D2 may be E (1234561234567). The token server 200 may store E (1234561234567) corresponding to the second original text cipher text data (OE_D2) in the database 400 together with the version (KEY_V) of the encryption key. In this case, the version (KEY_V) of the encryption key may be 2.

In the exemplary embodiment, the token server 200 includes a token value T_V corresponding to the original text data O_D stored in the database 400 based on the batch key update signal TKU_S, (OE_D1) and the version (KEY_V1) of the first cryptographic key to the token value (T_V) corresponding to the original text data (O_D), the second original cipher text data (OE_D2) have. For example, the token value T_V corresponding to the original text data O_D stored in the database 400 is "QAZXSWEDCVFRT", and the first original text corresponding to the original text data O_D stored in the database 400 The ciphertext data OE_D1 is E (3019283746578), and the version (KEY_V1) of the first cryptographic key may be 1. [ At this time, when the batch key update signal TKU_S is enabled, the token value T_V corresponding to the original text data O_D is "QAZXSWEDCVFRT" and the second original text cipher text data OE_D2 (O_D2) corresponding to the original text data O_D ) Is E (3019283746578), and the version (KEY_V2) of the second cryptographic key may be two.

The token value T_V corresponding to the original text data O_D stored in the database 400 is "PLMKOIJNHUYUI", and the first original text ciphertext data corresponding to the original text data O_D stored in the database 400 (OE_D1) is E (5432178935423), and the version (KEY_V1) of the first cryptographic key may be one. At this time, when the batch key update signal TKU_S is enabled, the token value T_V corresponding to the original text data O_D is "PLMKOIJNHUYUI" and the second original text ciphertext data OE_D2 (corresponding to the original text data O_D) ) May be E (5432178935423), and the version (KEY_V2) of the second cryptographic key may be two. When the batch key update signal TKU_S is enabled, the token server 200 generates a token value T_V corresponding to the original text data O_D stored in the database 400, first original text cipher text data OE_D1, The version KEY_V1 of the first cryptographic key can be updated to the token value T_V corresponding to the original text data O_D, the second original cipher text data OE_D2 and the version KEY_V2 of the second cryptographic key. All the token values T_V stored in the database 400 based on the first cryptographic key KEY1, the first cryptogram data OE_D1 and the version KEY_V1 of the first cryptographic key are stored in the second cryptographic key KEY1, (T_V) based on the first key ciphertext (KEY2) and the version (KEY_V2) of the second ciphertext data (OE_D2) and the second cipher key.

The data encryption / decryption method according to embodiments of the present invention is a method in which the encryption / decryption request apparatus 100 decrypts the token value T_V after the first encryption key KEY1 is updated with the second encryption key KEY2 When requested, the token server 200 decrypts the first text cipher text data OE_D1 based on the first cryptographic key KEY1 to provide the original text data O_D, and based on the second cryptographic key KEY2, The original text data O_D is encrypted to provide the second original text cipher text data OE_D2 to protect the personal information when the encryption key KEY is leaked.

In the data encryption / decryption method according to embodiments of the present invention, after the first encryption key is updated with the second encryption key, when the encryption / decryption requesting apparatus requests decryption of the token value, Decrypting the first text ciphertext data to provide the original text data and encrypting the original text data based on the second cryptographic key to provide the second text ciphertext data, Lt; / RTI >

While the present invention has been described with reference to the preferred embodiments thereof, it will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit and scope of the invention as defined in the appended claims. It will be understood.

Claims (10)

Requesting the encryption / decryption request apparatus to encrypt the original text data;
The token server encrypts the original text data based on the first cryptographic key to generate first original text cipher text data and generates a token value corresponding to the original text data;
Associating the token value, the first text cipher text data, and the version of the first cryptographic key, which correspond to the original text data, in a database;
Providing the token value to the encryption decryption request apparatus;
When the encryption decryption request apparatus requests decryption of the token value after the first encryption key is updated to the second encryption key, the token server extracts, from the database, the first original text cipher text Reading the data;
Decrypting the first cipher text data based on the first cipher key to generate the original text data and providing the original text data to the encryption decryption request apparatus;
The token server encrypting the original text data based on the second cryptographic key to generate second text ciphertext data; And
Wherein the token server updates the version of the first original cipher text data and the first cipher key stored in the database with the version of the second original cipher text data and the second cipher key respectively associated with the token value The method comprising the steps of: The method according to claim 1,
Wherein the token server performs encryption based on the second cryptographic key if the encryption decryption request apparatus requests encryption after the first cryptographic key is updated with the second cryptographic key. Way. delete The method according to claim 1,
Wherein the database is located outside the token server. delete The method according to claim 1,
Wherein the database is located within the token server. The method according to claim 1,
Wherein the token server provides a latest update key request signal requesting the key server for information on the latest update cipher key most recently updated at a predetermined time interval. 8. The method of claim 7,
And a key request processing module for providing a version of the latest update cipher key and the latest update cipher key based on the latest update key request signal. 9. The method of claim 8,
Wherein the key request processing module receives a version of the latest update encryption key from a key pointer included in the key server. The method according to claim 1,
The token server transmits a version of the token value, the first original-text cipher text data and the first cryptographic key corresponding to the original text data stored in the database based on the batch key update signal to the token corresponding to the original text data Value, the second original-text ciphertext data, and the second cipher key.
KR1020150064462A 2015-05-08 2015-05-08 Method of encrypting and decrypting data KR101688811B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150064462A KR101688811B1 (en) 2015-05-08 2015-05-08 Method of encrypting and decrypting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150064462A KR101688811B1 (en) 2015-05-08 2015-05-08 Method of encrypting and decrypting data

Publications (2)

Publication Number Publication Date
KR20160131620A KR20160131620A (en) 2016-11-16
KR101688811B1 true KR101688811B1 (en) 2016-12-22

Family

ID=57541126

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150064462A KR101688811B1 (en) 2015-05-08 2015-05-08 Method of encrypting and decrypting data

Country Status (1)

Country Link
KR (1) KR101688811B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200047992A (en) 2018-10-29 2020-05-08 주식회사 스파이스웨어 Method for simultaneously processing encryption and de-identification of privacy information, server and cloud computing service server for the same
KR102276189B1 (en) 2020-11-13 2021-07-12 주식회사 스파이스웨어 Method and Apparatus for Personal Information Encryption Using an Encryption Network
KR102318981B1 (en) 2020-11-13 2021-10-29 주식회사 스파이스웨어 Method and Apparatus for Personal Information Encryption Using Image Composing
KR102338191B1 (en) 2020-10-28 2021-12-13 주식회사 스파이스웨어 Data encryption apparatus and method using supervised learning

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101929355B1 (en) 2016-12-14 2019-03-12 (주)네오와인 Encryption and decryption system using unique serial number and symmetric cryptography
KR102617447B1 (en) * 2023-01-30 2023-12-27 박성곤 File management system providing file encryption function and method of the same

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002217896A (en) 2001-01-23 2002-08-02 Matsushita Electric Ind Co Ltd Method for cipher communication and gateway device
JP2002300151A (en) 2001-03-29 2002-10-11 Fujitsu Fip Corp Encryption key management method, encryption key management program, and recording medium
KR101428648B1 (en) 2014-01-29 2014-08-13 (주)케이사인 Method of block token-based encryption and method of block token-based decryption

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002217896A (en) 2001-01-23 2002-08-02 Matsushita Electric Ind Co Ltd Method for cipher communication and gateway device
JP2002300151A (en) 2001-03-29 2002-10-11 Fujitsu Fip Corp Encryption key management method, encryption key management program, and recording medium
KR101428648B1 (en) 2014-01-29 2014-08-13 (주)케이사인 Method of block token-based encryption and method of block token-based decryption

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200047992A (en) 2018-10-29 2020-05-08 주식회사 스파이스웨어 Method for simultaneously processing encryption and de-identification of privacy information, server and cloud computing service server for the same
KR102338191B1 (en) 2020-10-28 2021-12-13 주식회사 스파이스웨어 Data encryption apparatus and method using supervised learning
KR102276189B1 (en) 2020-11-13 2021-07-12 주식회사 스파이스웨어 Method and Apparatus for Personal Information Encryption Using an Encryption Network
KR102318981B1 (en) 2020-11-13 2021-10-29 주식회사 스파이스웨어 Method and Apparatus for Personal Information Encryption Using Image Composing

Also Published As

Publication number Publication date
KR20160131620A (en) 2016-11-16

Similar Documents

Publication Publication Date Title
KR101688811B1 (en) Method of encrypting and decrypting data
US10778427B2 (en) Method and apparatus for encrypting and decrypting product information
KR100753932B1 (en) contents encryption method, system and method for providing contents through network using the encryption method
CN101271501B (en) Encryption and decryption method and device of digital media file
KR101371608B1 (en) Database Management System and Encrypting Method thereof
US9798893B2 (en) Secure format-preserving encryption of data fields
US20080247540A1 (en) Method and apparatus for protecting digital contents stored in usb mass storage device
CN108432178B (en) Method for securing recording of multimedia content in a storage medium
US10630474B2 (en) Method and system for encrypted data synchronization for secure data management
EP2797254A1 (en) Encrypted data administration device, encrypted data administration method, and encrypted data administration program
CN103237010B (en) The server end of digital content is cryptographically provided
CN103488915A (en) Double-secret-key-encryption resource encryption and decryption method with combination of software and hardware
KR20140109321A (en) Device for generating an encrypted key and method for providing an encrypted key to a receiver
KR102160523B1 (en) Method and apparatus for encrypting and decrypting a multimedia content
US20170351871A1 (en) Data Owner Controlled Data Storage Privacy Protection Technique
JP6930053B2 (en) Data encryption method and system using device authentication key
CN102103668B (en) Method for operating a security device
CN103237011B (en) Digital content encryption transmission method and server end
US9559840B2 (en) Low-bandwidth time-embargoed content disclosure
US8391497B2 (en) Method for importing rights object and rights issuer
US10380353B2 (en) Document security in enterprise content management systems
KR101473656B1 (en) Method and apparatus for security of mobile data
US9038194B2 (en) Client-side encryption in a distributed environment
CN103745170A (en) Processing method and device for disk data
KR101428648B1 (en) Method of block token-based encryption and method of block token-based decryption

Legal Events

Date Code Title Description
E90F Notification of reason for final refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant