KR102481024B1 - Processing method for encrypting data, system and computer program - Google Patents

Abstract

According to the present invention, a method for data encryption and decryption to increase security comprises the following steps of: determining whether data for transmission is a multiple of n bits; and setting a plurality of encryption blocks for the data for transmission in units of n bits and setting an arbitrary location block as a remnant block according to a specific criterion if the data for transmission is not a multiple of n bits.

Description

Data processing method, device, system and computer program performed for data encryption

The present invention relates to a method and computer program for encrypting and decrypting data to improve security by using a remnant block.

In the process of transmitting data using a computer network, various encryption methods are used to prevent data hacking, and a block cipher algorithm is used as one method that considers stability and processing speed.

A block cipher algorithm is an algorithm that divides given data into blocks (eg, 64 bits, 128 bits, etc.) of a predetermined length and performs encryption in block units.

64-bit block ciphers include DES, DES3, DESX, RC5, BLOWFISH, CAST128, IDEA, SAFER, and RC2, and 128-bit block ciphers include SEED, CRYPTON, RIJNDAEL, CAST256, RC6, TWOFISH, MARS, and SERPENT.

Block cipher algorithms are implemented in various 'modes of operation' and require 'padding'.

More specifically, among the ciphers, DES, which is a 64-bit block cipher, and SEED, which is a 128-bit block cipher, DES divides the length of input data by a multiple of 8, and SEED by a multiple of 16. If the length of the input data is 8 or 16 If it is not a multiple, data is appended to make it a multiple of 8 or 16, which is called 'padding' (Korean Patent Registration No. 10-1663274).

When the length of the input data is not a multiple of 8 or 16, the remaining last block may be referred to as a remnant block, and 'padding' is performed to append data to the remnant block for normal encryption.

An object of the present invention is to provide a data processing method and apparatus for data encryption and decryption in order to improve security by utilizing remnant blocks.

A method for data encryption and decryption for improving security according to an embodiment of the present invention includes determining whether data for transmission is a multiple of n; And setting a plurality of encryption blocks for data for transmission in units of n bits, but setting an arbitrary location block as a remnant block according to a specific criterion if the data for transmission is not a multiple of n. . ( At this time, n means the unit block data length in block encryption and is a natural number)

In addition, after setting the remnant block to the remnant block, changing the remnant block to an operation mode (eg, CTR) of a block cipher algorithm or processing it with an encryption algorithm other than a block cipher algorithm; improving security further comprising: can make it The method may further include padding with n bits by inserting arbitrary y bits into the remnant block after setting the remnant block.

Also, the remnant block may mean a block having the number of bits corresponding to the remainder when the data for transmission is divided into n-bit units.

In addition, the setting of the remnant block may correspond to a step of selecting an arbitrary location block as the remnant block by using a One Time Password (OTP) as the specific criterion and using OTP code generation information.

In addition, the step of selecting as the remnant block is the step of determining and setting an arbitrary location block as a remnant block using the OTP code generation information, using the counter value of HOTP corresponding to the reference value of OTP code generation and the timestamp of TOTP may apply.

The OTP code generation information is an arbitrary code value and can be used after being converted into a natural number of a specific length (eg, a 4-digit natural number). A natural number of a specific length can be calculated as a natural number in a specific range of 0 or more using the remainder calculation method. (e.g. 3218 % 3 = 2)

An encryption apparatus for improving security according to an embodiment of the present invention includes a first determination unit for determining whether data for transmission is a multiple of n; and a first processing unit configured to set a plurality of encryption blocks for data for transmission in units of n bits, and to set an arbitrary location block as a remnant block according to a specific criterion if the data for transmission is not a multiple of n. can (At this time, n means the unit block data length in block encryption and is a natural number)

In addition, the first determination unit uses OTP (One Time Password) including HOTP (HMAC-based One-Time Password) and TOPT (Time-Based One Time Password) as the specific criterion, and according to the reference value of OTP code generation An arbitrary location block may be determined and set as a remnant block through a reference value for generating the OTP code by using a corresponding HOTP counter value and a TOTP timestamp and an ID (Identification) value of an IP header.

In addition, the first processing unit encrypts the remnant block in another operation mode (eg, CTR), encrypts the remnant block with an encryption algorithm other than a block cipher algorithm, or inserts arbitrary y bits into the remnant block to obtain n By padding with bits, the padding block can be encrypted with a block cipher algorithm.

A system for encrypting and decrypting data to improve security according to an embodiment of the present invention includes the encryption device; and a decoding device that decodes a remnant block or padding block located in an arbitrary location block using a reference value for generating the OTP code generated by using it as an ID (Identification) value of an IP header.

The method for encrypting and decrypting data to improve security may be implemented as a computer program recorded on a computer readable recording medium to execute the method.

According to the present invention, the position of the remnant block randomly By selecting and utilizing it, it has the effect of improving security compared to block cipher algorithms using padding that is currently used in a fixed manner (eg, the last remaining block).

1 is a block diagram illustrating an encryption/decryption system that performs a method for encrypting and decrypting data to improve security according to an example of the present invention.
2 shows a CCTV system as a comparison example for explaining the encryption/decryption system of the present invention.
3 illustrates a CCTV system as an example for explaining the encryption/decryption system of the present invention.
4A is an exemplary diagram for explaining an IP header.
4B is an exemplary diagram for explaining BLOCK in PAYLOAD.
5 is a flowchart illustrating a method for data encryption and decryption for improving security according to an example of the present invention.
6 is a diagram for explaining a method for data encryption and decryption for improving security according to an example of the present invention.
7 is a flowchart for explaining a method for data encryption and decryption to improve security according to a more specific embodiment of the present invention.

Embodiments according to the concept of the present invention can apply various changes and can have various forms, so the embodiments are illustrated in the drawings and described in detail in this specification. However, this is not intended to limit the embodiments according to the concept of the present invention to specific disclosures, and includes all modifications, equivalents, or substitutes included in the spirit and scope of the present invention.

Terms such as first and/or second may be used to describe various components, but the components should not be limited by the terms. The above terms are only for the purpose of distinguishing one component from another component, e.g., without departing from the scope of rights according to the concept of the present invention, a first component may be termed a second component, and similarly The second component may also be referred to as the first component.

Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the accompanying drawings. Embodiments of the present invention may be modified in various forms, and the scope of the present invention should not be construed as being limited to the embodiments described below. These embodiments are provided to explain the present invention in more detail to those skilled in the art to which the present invention pertains.

1 is a block diagram illustrating an encryption/decryption system that performs a method for encrypting and decrypting data to improve security according to an example of the present invention.

Referring to FIG. 1 , an encryption/decryption system 10 may include an encryption device 100 and a decryption device 200 . The encryption device 100 includes a first communication unit 110, a first processing unit 120, and a first determination unit 130.

The first communication unit 110 has a function of transmitting and receiving data to and from the decoding device 200 and may be a wired or wireless device. For example, the first communication unit 110 may include a communication capable module such as a wired Internet module, a mobile communication module, a wireless Internet module, and a short-distance communication module.

The first determination unit 130 may determine whether the data for transmission is a multiple of n, which is the size of one block (n is a natural number). For example, when the block size is 16 bits, the first determination unit 130 may determine whether the length of the input data is a multiple of 16.

The first processing unit 120 may perform encryption using a block cipher algorithm if the data for transmission is a multiple of n, the size of one block, and if the data for transmission is not a multiple of n, the size of one block, a specific criterion According to , a random location block is set as a remnant block, the remnant block is encrypted in another operation mode (eg CTR), the remnant block is encrypted with an encryption algorithm other than the block cipher algorithm, or the remnant block is It can be encrypted with a block cipher algorithm by inserting y bits and padding with n bits.

Here, OTP (One Time Password) can be used as the specific criterion.

At this time, when the OTP is used as the specific criterion, the OTP of the first determination unit 130 and the OTP of the second determination unit 230 match the operation mode (HOTP or TOTP) to the same, and the secret key (SECRET) of the OTP ) are set the same.

At this time, the first determination unit 130 selects an arbitrary location block using the OTP value generated by using the OTP code generation reference value (HOTP: counter value, TOTP: timestamp) as the identification (ID). judged and set as

The first processing unit 120 encrypts the remnant block in another operation mode (eg, CTR), encrypts the remnant block with an encryption algorithm other than a block cipher algorithm, or inserts random y bits into the remnant block to By padding with n bits, the padding block can be encrypted with a block cipher algorithm.

The second communication unit 210 has a function of transmitting and receiving data to and from the encryption device 100 and may be a wired or wireless device. For example, the second communication unit 210 may include a communicable module such as a wired Internet module, a mobile communication module, a wireless Internet module, and a short-distance communication module.

The second determination unit 230 may determine a remnant block or a padding block located in an arbitrary location block using an OTP value generated using the identification (ID), and the second processing unit 220 Remnant blocks or padding blocks and blocks other than these may be decoded.

That is, by including the OTP function in the first determination unit 130 of the encryption device 100 and the second determination unit 230 of the decryption apparatus 200 on a specific basis, the encryption apparatus 100 and the decryption apparatus 200 ), it is possible to improve security by making the position of a remnant block or padding block unpredictable through OTP.

A more detailed description will be made in detail with reference to FIGS. 2 to 7 below.

2 shows a CCTV system as a comparative example for explaining the encryption/decryption system 10 of the present invention, and the PAYLOAD plain text of video and audio data of the camera 20 is monitored by the monitoring client 30 without encryption and decryption. indicates that it is being sent to

3 shows a CCTV system as an example for explaining the encryption/decryption system of the present invention, and the PAYLOAD plain text of video and audio data of the camera 20 is encrypted through the encryption device 100 and transmitted as PAYLOAD cipher text It indicates that decryption is performed through the decryption device 200 and transmitted to the monitoring client 30 .

A packet switching method is generally used as a network communication method, which is a method of using network resources only during transmission while transmitting data in small block packets.

In the case of an IP packet, an IP header and actual information, PAYLOAD, are included. The IP header will be described in more detail in FIG. 4A.

4A is an exemplary diagram for explaining an IP header.

Referring to FIG. 4A, Version indicates the IP type supported by the corresponding packet.

IHL indicates the header length, and since several option fields can be attached to the end of the IP header, the header length can be variable.

Type of Service (TOS) is used for various purposes such as congestion control or service identifier, and higher values are given priority. Total Length indicates the length of the entire packet, and the length is the sum of the header and payload.

Identification (ID) may refer to an identification number or identifier given when an IP packet is created, and may be used for packet fragmentation to indicate which packet the fragment was originally in, and all fragments from the same packet fields have the same value.

IP Flags are used for packet fragmentation to determine the status or creation of fragmented packets.

Fragment Offset is used for packet fragmentation, and since the order of packets can be reversed, the order can be established through this value.

Time To Live (TTL) represents a limit on the number of times a packet can be delivered. For example, each time a packet passes through a router, the count is decreased by one, and packets that have not been transmitted until the TTL becomes 0 are regarded as untransmittable and discarded.

Protocol indicates which protocol should be used to interpret the contents of PAYLOAD.

Header Checksum checks the bits in the IP header whenever it is created or modified. If the check result values are different, it can be seen that part of the IP packet has been corrupted or manipulated during transmission.

Source Address and Destination Address refer to the IP address of the source and destination of the IP packet.

The present invention may use OTP (One Time Password) as the specific criterion described in FIG. 1 . The encryption device 100 and the decryption device 200 may include an OTP function unit (not shown), and a reference value (HOTP: counter for OTP code generation during packet communication between the encryption device 100 and the decryption device 200). value, TOTP: timestamp) as the identification (ID), and by using the generated OTP value, the location of the leftover block can be randomly selected, thereby improving security.

The OTP function unit (not shown) must match the operation mode (HOTP or TOTP), the mutual secret key (SECRET) value, and the OTP code generation reference value (HOTP: counter value, TOTP: timestamp) to match the same OTP. value can be generated.

If the OTP value is not hacked, the location of the remnant block or the padding block cannot be known, so security can be improved.

4B is an exemplary diagram for explaining BLOCK in PAYLOAD.

Referring to FIG. 4B, 1 block (Block #1) to N-1 blocks (Block #N-1) are made through the block encryption algorithm in units of n bits of PAYLOAD, and N blocks smaller than n bits (Block #N) indicates that it is formed of scrap blocks.

5 is a flowchart illustrating a method for data encryption and decryption for improving security according to an example of the present invention. The method for data encryption and decryption to improve security may be performed through the encryption device 100 of the encryption/decryption system 10 shown in FIG. 1 .

Referring to FIG. 5 , the encryption device 100 determines whether data for transmission is a multiple of n bits (S110). Here, determining whether the data for transmission is a multiple of n bits is to set a plurality of encryption blocks in units of n bits using a block cipher algorithm.

Next, the encryption device 100 sets a plurality of encryption blocks for data for transmission in units of n bits, but if the data for transmission is not a multiple of n bits, a block at an arbitrary position is converted into a remnant block according to a specific criterion. Set (S120).

In the case of the block encryption algorithm, if the length of data for transmission is not a multiple of n bits, a random number or the like is inserted into the last remaining block, not in units of n bits, to make a block in units of n bits.

Here, a block that is not in units of n bits may be referred to as a remnant block.

Normally, the last remaining block is used as a remnant block, but according to the present invention, a randomly located block other than the last block is set as a remnant block according to a specific criterion.

Accordingly, according to the present invention, the position of the remnant block is arbitrarily changed according to a specific criterion to improve security through unpredictability.

The specific criterion can be achieved through OTP (One Time Password), and a detailed description thereof will be given in FIG. 7 below.

6 is a diagram for explaining a method for data encryption and decryption for improving security according to an example of the present invention.

(a) of FIG. 6 shows N blocks (Block#1 to Block#N) corresponding to the case where data to be transmitted is a multiple of n bits.

(b) corresponds to the case where the data to be transmitted is not a multiple of n bits, indicating that a remnant block (R) remains at the end, and when the block cipher algorithm is applied, padding to be a multiple of n bits indicates that

(c) corresponds to a case where the data to be transmitted is not a multiple of n bits, as shown in (b), and indicates that the padding is performed by applying a remnant block to an arbitrary position according to a specific criterion. In (c), unlike (b), it can be seen that a padding block is formed in Block #2, which corresponds to the case where the present invention is applied.

7 is a flowchart for explaining a method for data encryption and decryption to improve security according to a more specific embodiment of the present invention. The method for data encryption and decryption to improve security may be performed through the encryption device 100 of the encryption/decryption system 10 shown in FIG. 1 .

7 shows that OTP (One Time Password) is used as the specific criterion described in S120 of FIG. 5 .

Referring to FIG. 7 , the encryption device 100 generates OTP information including HOTP and TOPT (S210).

Next, an arbitrary location block of data to be transmitted can be generated as a remnant block using the generated OTP information (S220). At this time, the reference value of the OTP code information may be set to the identification (ID) of the IP header, and an arbitrary location block may be selected as a remnant block using the generated OTP information (S220).

Next, the remnant block may be encrypted in another operation mode (eg, CTR) or by a method other than the block cipher algorithm, or the remnant block may be encrypted using a block cipher algorithm after padding (S230).

On the other hand, even if all components constituting the embodiments of the present invention described above are described as being combined or operated as one, the present invention is not necessarily limited to these embodiments.

That is, within the scope of the object of the present invention, all of the components may be selectively combined with one or more to operate. In addition, although all of the components may be implemented as a single independent piece of hardware, some or all of the components are selectively combined to perform some or all of the combined functions in one or a plurality of hardware. It may be implemented as a computer program having.

In addition, such a computer program can implement an embodiment of the present invention by being stored in a computer readable storage medium such as a USB memory, a CD disk, a flash memory, etc. and read and executed by a computer. A storage medium of a computer program may include a magnetic recording medium, an optical recording medium, and the like.

The embodiments described above are examples, and various modifications and variations may be made to those skilled in the art without departing from the essential characteristics of the present invention.

Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain, and the scope of the technical idea of the present invention is not limited by these embodiments.

The protection scope of the present invention should be construed according to the claims below, and all technical ideas within the equivalent range should be construed as being included in the scope of the present invention.

Claims (11)

In the data processing method performed for data encryption,
determining whether the length of data for transmission is a multiple of n; and
Setting a plurality of encryption blocks for data for transmission in units of n bits, but if the length of the data for transmission is not a multiple of n, randomly setting random location blocks as remnant blocks according to a specific criterion; How to process data. (where n is a natural number) According to claim 1,
After the step of setting the remnant block,
The data processing method further comprising processing the remnant block with an encryption algorithm other than a block encryption algorithm. According to claim 1,
After the step of setting the leftover block,
The data processing method further comprising processing the remnant block with an encryption algorithm of another operation mode. According to claim 1,
After the step of setting the leftover block,
and inserting random y bits into the remnant block to pad with n bits. According to claim 1,
The remnant block,
When the data for transmission is divided by n bits, it means a block having the number of bits corresponding to the remainder. According to claim 1,
The step of setting the remnant block,
A data processing method characterized in that it corresponds to the step of selecting an arbitrary location block as a remnant block using OTP (One Time Password) as the specific criterion and using OTP code generation information. According to claim 6,
The step of selecting as the remnant block,
characterized in that it corresponds to the step of determining and setting an arbitrary location block as a remnant block by using a counter value of HOTP corresponding to a reference value of OTP code generation and a timestamp of TOTP as the OTP code generation information. a first determination unit that determines whether the length of data for transmission is a multiple of n; and
A first processing unit that sets a plurality of encryption blocks for data for transmission in units of n bits, and sets random location blocks as remnant blocks according to a specific criterion if the length of the data for transmission is not a multiple of n; Encryption device comprising a. (where n is a natural number) According to claim 8,
The first judgment unit,
As the specific criterion, OTP (One Time Password) including HOTP (HMAC-based One-Time Password) and TOTP (Time-Based One Time Password) is used, and the counter value of HOTP corresponding to the reference value of OTP code generation and Using the timestamp of TOTP as a header ID, determining and setting an arbitrary location block as a remnant block through a reference value for generating the OTP code,
The first processing unit,
Encrypting the remnant block in another operation mode, encrypting the remnant block with an encryption algorithm other than a block cipher algorithm, or inserting random y bits into the remnant block and padding with n bits to encrypt the padding block with a block cipher algorithm. Encryption device with. the encryption device of claim 9; and
A system for data encryption and decryption for improving security, comprising: a decryption device for decrypting a remnant block or a padding block located in an arbitrary position block using a reference value for generating the OTP code generated using the ID as the ID. A computer program recorded on a computer readable recording medium to execute the method according to any one of claims 1 to 7.

Images