KR19980050938A - How to Send Encrypted Documents on the Internet - Google Patents

Abstract

1. TECHNICAL FIELD OF THE INVENTION

How to send encrypted documents over the Internet.

2. The technical problem to be solved by the invention

To prevent illegal information leakage or data tampering that may occur when transmitting data on the Internet.

3. Summary of Solution to Invention

By using the IDEA (Encryption Data Encryption) encryption algorithm and MD using message authentication method to ensure the confidentiality of documents and to prevent document tampering during transmission, the session key is shared between the server and client, and the user data is read and encrypted. Generates the session key and hash value and sends it to the server, and the server decrypts the received session key and inspects the hash value, generates a response message and sends it to the client. If the hash value is normal, the client reads the file and encrypts it. The server transmits the control data to the server. The server decrypts the encrypted data, inspects the hash value, and sends a response message to the client.

4. Important uses of the invention

Used to transmit documents for confidentiality on the Internet.

Description

How to send encrypted documents over the Internet

The present invention relates to a method for transmitting an encrypted document when transmitting a document requiring security in a specific user group using the World Wide Web (WWW) interface, which is currently the focus of attention around the world. WWW is a unified interface that can handle and display all the data formats (pictures, movies, and sounds) handled on the Internet. However, since there is no method to prevent illegal information leakage or data tampering that can occur during the transmission of data, there is a fatal problem in the security of the transmission of documents or data in principle of confidentiality.

Currently, there are products made using technologies such as SSL (Secure Socket Layer) or S-HTTP (Secured Hypertext Transfer Protoco1) related to this encryption, but all are expensive and require separate authentication for each server. There was a problem that its use is inconvenient.

Accordingly, the present invention for solving the above problems is a function of performing transmission and reception of encrypted documents based on WWW, which is currently used the most in the world, and encryption method using IDEA (International Data Encryption Standad) encryption algorithm and message using MD5. It is an object of the present invention to provide an encrypted document transmission method over the Internet that can guarantee document confidentiality and prevent document tampering during transmission using an authentication technique.

1 is a structural diagram of an encrypted document transmission system to which the present invention is applied;

2 is an explanatory diagram of a session key sharing procedure according to the present invention;

3 is an encrypted document transmission flowchart according to the present invention;

4 is a flowchart for receiving an encrypted document according to the present invention;

5 is a configuration diagram of a key management module according to the present invention;

6 is a flowchart of key management according to the present invention;

In accordance with another aspect of the present invention, there is provided a method for transmitting an encrypted document, which is applied to a communication system via the Internet, in which a client and a server exchange a session key to be used for encryption and share the first step. In the second step of reading the data and generating an encrypted session key and hash value and transmitting it to the server, the server decrypts the received session key, inspects the hash value, generates a response message, and sends it to the client, and stores the session key. In the third step, the client analyzes the response message, the fourth step to check whether the hash value is normal, if the hash value is an error, the fifth step is finished, if the file is read and encrypted, and the fifth with the control data sent to the server Step 6, the server decrypts the encrypted data to check the hash value and sends a response message to the client, and The client is made to analyze the response message including the seventh step of the hash value it is normal if the data transfer ends, characterized.

The present invention provides a technique for preventing illegal tampering as well as protecting its contents from unauthorized users by encrypting document transmissions within a specific group through the WWW, which is currently the most widely used worldwide. It is a function to perform the transmission and reception of encrypted documents. The encryption method using the International Data Encryption Standard (IDEA) encryption algorithm and the message authentication method using the MD5 function ensure the confidentiality of the document and prevent the document from being tampered with. In this way, the individual can manage his own key, thereby reducing the burden of managing the key centrally, and it is almost impossible to decrypt it because the document itself is completely encrypted and transmitted. In the case of data transmission on a general WWW, the transmitted data may not only be exposed to unauthorized users, but may also be changed during transmission.

The present invention has a structure of encrypting data using an IDEA algorithm, encrypting and transmitting data using an MD5 hash function, and decrypting the data again. To this end, it is required to define, manage and change various keys to be used for transmission. The transmission of a document made in the present invention is largely divided into two cases in which a document is transmitted from a server to each user and each user registers a document in the server.

Hereinafter, with reference to the accompanying drawings will be described an embodiment of the present invention;

1 is a structural diagram of an encrypted document transmission system to which the present invention is applied.

As shown in FIG. 1, the user side is largely composed of a browser, an encryption / authentication module, and a key management module, and is intended for a user who uses a PC. To exchange data between browser and encryption / authentication module, use NCAPI function provided by Nescap. Here, the role of the key management module is used to decrypt a user's key stored in an encrypted form on a diskette and provide it to the encryption program or to manage the user key.

It is the WWW browser that performs the actual document transmission and reception, and the encryption program only performs encryption / decryption of data through data exchange with the browser. Therefore, the document transmission and reception provided in the present invention is performed based on HTTP. The server side consists of HTTPD process, encryption / authentication module and key management program, and targets UNIX system. HTTPD is a commonly used WWW server and performs encryption / authentication module using CGI program. The server-side key management program finds the key of the user who requested the transmission and delivers it to the CGI program, or performs the key change or authentication according to the request of the user-side key management program. Data transfer between the user-side and server-side key management programs is based on the UNIX socket interface. On the other hand, in order to enhance the security function of the system and to prevent key exposure, various complex keys are used. The following is a description of the keys proposed in the present invention.

First, the primary key (Kb) is the most basic 64-bit key for encrypted communication and must be shared between the user and the server.The key is not directly used for encryption to maintain the confidentiality and efficient management of the key, but for the actual encryption. It is used to create and transfer session key, a kind of temporary key that is shared between server and server. Every user who registers with this encryption transmission system receives one basic key from system administrator. At this time, the basic key is recorded and transferred to 3.5-inch floppy disk to increase security confidentiality. Since the server must respond to the user's request for sending and receiving documents, it must have all the primary keys for each user. The primary key's storage on the server is ID: Encryptedkey: and the ID must be unique. The primary key must be stored encrypted. At this time, the server key is used for encryption. The primary key delivered to the user is stored encrypted with the user key. The algorithm used to encrypt the primary key is IDEA.

Second, the server key (Kv) is 128 bits in size and used to encrypt the user's primary key. The server key should only be known to system administrators and is not stored in unencrypted form. The subkey is stored with the primary keys in the form of ID: EncryptedKey: like other primary keys, but with the ID root '' and encrypted using the UNIX password mechanism. The UNIX password mechanism is a one-way hash function that is virtually impossible to decrypt.

Third, the message key (km) is a temporary key used to generate a session key used for encrypted communication and has a size of 64 bits. Because it is a kind of Randy key, it is not stored separately. It is synthesized with the primary key to generate the session key.

Fourth, the session key (ks) is a kind of temporary key that is directly used for encrypted communication between the user and the server and disappears when the document is transmitted. For proper encryption / decryption, it must be shared by the user and the server, and in principle, it must be created by the user requesting the transmission or reception of the document. At this time, because the server knows the basic keys of all users, the user can authenticate the session key that the user wants to use. If the user requests the authenticated user, the server keeps them in a file and deletes them when the document transfer ends. The session key is generated from a combination of a 64-bit primary key and a 64-bit message key.

Fifth, since the user key (kc) is the most basic of encryption transmission and reception, protecting the primary key from unauthorized users is the principle that the system administrator stores and transmits the primary key distributed to the user on a floppy disk. . However, the general system user may lack security awareness, and in order to prevent the loss of the disk, it is necessary to encrypt with a key known only to the user key. Sending and receiving documents between user and server is divided into two parts. The first is the exchange and sharing of session keys to be used for encryption, and the second is the transmission and reception of encrypted documents using a shared session key. Both session keys and document transfers are based on encryption and message authentication.

First, a process of exchanging a session key will be described with reference to FIG. 2. When a client wants to send or receive a document to the server, it first sends a request message. The server then returns a special content format depending on the type of request. The browser will run the helper application according to the content format sent from the server, which must be registered in advance by the user. Once the helper application is running, the helper application uses NCAPI to exchange data with the browser. When the client sends the session key encrypted with its identifier (ID) and primary key to the server with the hash value, the server looks at the identifier (ID) of the user, finds the corresponding primary key, decrypts the session key, and then returns the primary key. Combine with and encrypt and return. The client decrypts the message sent by the server with its primary key, and then confirms that the key has been successfully shared with the server if the result of the combination with the primary key matches the previously created and transmitted session key.

When the session key is shared, data to be actually transmitted is transmitted. FIG. 3 illustrates a process of transmitting an encrypted document according to the present invention. First of all, there are two cases where a user sends a document to a server and receives a document from a server. Each process is performed in a similar manner to a session key sharing process. In this case, the control information (Control info.) Is a part indicating the data information being transmitted to control the transmission through this. First, open a program to send and receive files through the help program. The program reads various information about the user (101) and generates an encrypted session key and hash value (102). These values decrypt the session key via Netscape (103), examine the hash value (104), respond to this check, and store the session key (105). As a result of the check, if the hash value is incorrect (106), the program terminates. If the hash value is correct (106), the file is read (107) and the encrypted data and the control data are transmitted (108). The transmitted data is decrypted (109), the hash value is checked (110), the response message is transmitted (111), if it is correct, the transmission is terminated, and if the hash value is wrong, the program exits. .

4 shows an encrypted document receiving processing flow chart according to the present invention. First, open a program to send and receive files through the help program. The program reads various information about the user (201) and generates an encrypted session key and hash value (202). These values decrypt the session key via Netscape (203), check the hash value (204), respond to this check, and store the session key (205). If the hash value is incorrect (206), the program terminates. If the hash value is correct, the server transmits control data and transmits a file (207). After the client has received all the files (208, 209) and sends control data to the server (211), the server decrypts these data (212), checks the hash value (213) and terminates the file transfer if there is nothing wrong. do.

5 is a description of programs for managing various keys used in an encryption system. The user can not only authenticate his or her primary key from the server using the primary key manager, but also change it if he suspects it has been compromised. Of course, the verification and change of the primary key is performed based on encryption and message authentication, so that it can be protected from illegal user's access. The user's manager provides the function to change the user key used to encrypt and store its own primary key, and is used to change the server key manager server key. In the case of a server key change, the primary key of all currently stored users must be re-encrypted, and it must be taken into account that the service cannot be provided to the user's request during the change. The session key generator generates a session key using the primary key and the message key. The message key generator and the nonce generator generate a random key that cannot be easily guessed. The primary key created using the server-side primary key generator is stored on diskette through the primary key distributor and then distributed to users. The system administrator can remotely connect to the server system using the default key distributor and verify the server key before creating a diskette.

6 shows a flowchart of a key management method according to the present invention. After the key management window is executed, the user data is read (301), and an encrypted message and hash value are generated and transmitted (302). The encrypted key is decrypted via the socket interface (303), the hash value is checked (304), and the key is generated (305), which is sent back through the socket interface, and checked (306) by the response message. The result is output (307). This process is repeated every time a key value is created.

The present invention described above is capable of various substitutions, modifications, and changes within the scope without departing from the technical spirit of the present invention for those skilled in the art to which the present invention pertains, and thus is limited to the above-described embodiments and drawings. It is not.

The present invention made as described above can protect the contents of the document from an unauthorized user by performing an encryption and message authentication process when transmitting the document on the Web (Web), through which the user securely transmits the data he has It can work.

Claims (2)

In a method for transmitting an encrypted document applied to a communication system via the Internet, a first step of exchanging and sharing a session key to be used for encryption by a client and a server, The client reads the user data to be transmitted and generates an encrypted session key and hash value and transmits it to the server; The server decrypts the received session key, inspects the hash value, generates and sends a response message to the client, and stores the received session key; In step 4, the client analyzes the response message to check whether the hash value is normal. A fifth step if the hash value is an error, and if the hash value is normal, the file is read and encrypted and transmitted to the server together with the control data; A sixth step of the server decrypting the encrypted data, checking the hash value, and sending a response message to the client, and And a seventh step of analyzing the response message and terminating the data transmission if the hash value is normal. The method of claim 1, In the first step, the client transmits the session key encrypted with its identifier and the primary key to the server together with the hash value. The server looks up the identifier of the user, finds the corresponding primary key, decrypts the session key, and combines it with the primary key to encrypt it and send it to the client, and The client decrypts the message sent by the server with its primary key, and then confirms that the key has been successfully shared with the server if the result of the combination with the primary key matches the session key previously created and sent. Method for transmitting an encrypted document on the Internet, characterized in that made.