WO2017036251A1 - Advanced Encryption Standard encryption and decryption method, device, and storage medium - Google Patents

Publication number
WO2017036251A1
Authority
WO
WIPO (PCT)
Prior art keywords
decryption
encryption
data
round
data packet
Application number
PCT/CN2016/089940
Other languages
English (en)
Chinese (zh)
Inventor
盛雪飞
Original Assignee
深圳市中兴微电子技术有限公司
Application filed by 深圳市中兴微电子技术有限公司
Publication of WO2017036251A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Definitions

  • The present invention relates to Advanced Encryption Standard (AES) encryption and decryption technology, and more particularly to an AES encryption and decryption method and apparatus.
  • AES: Advanced Encryption Standard
  • As a symmetric-key encryption algorithm, AES has attracted more and more attention. However, AES encryption and decryption usually use a fixed key, which can easily put data security at risk. The technical solution for replacing the key during the AES encryption and decryption process.
  • An embodiment of the present invention provides an AES encryption and decryption method and apparatus, and a storage medium, which can replace a key without interrupting the encryption and decryption process, thereby improving the security of data usage.
  • An embodiment of the present invention provides an AES encryption and decryption method, including:
  • AES decryption is performed sequentially on each group of data to be decrypted by using the original key until the new key is obtained; AES decryption is then performed, by using the new key, on each group of data to be decrypted that has not been decrypted.
  • Each group of data to be encrypted includes a plurality of data packets, and adding the new key to the next group of data to be encrypted includes: adding the new key to each data packet of the next group of data to be encrypted.
  • Each group of data to be decrypted includes a plurality of data packets, and sequentially performing AES decryption on each group of data to be decrypted by using the original key until the new key is obtained includes: performing AES decryption on each data packet of each group of data to be decrypted by using the original key, and inspecting each data packet of each group of data to be decrypted to determine whether it includes a new key.
  • the AES decryption is performed on each group of the data to be decrypted by using the original key until the new key is obtained, including: the data including the new key detected for each group of data to be decrypted.
  • the new key is obtained, and the new key is used for AES decryption of the remaining groups of data to be decrypted that are not decrypted.
  • each group of data to be encrypted includes multiple data packets
  • Performing AES encryption on each group of data to be encrypted includes: performing electronic codebook (ECB) mode pipeline encryption or counter (CTR) mode pipeline encryption on each data packet of each group of data to be encrypted;
  • Performing ECB mode pipeline encryption on each data packet includes: sequentially performing the first round through the Nth round of encryption logic operations on the data packet to obtain the AES encryption result of the data packet in ECB mode, where N is greater than 1; the hardware implementing each round of encryption logic operations exists at the same time and is not reused;
  • Performing CTR mode pipeline encryption on each data packet includes: acquiring the count value before the data packet is acquired, and sequentially performing the first round through the Kth round of encryption logic operations on the count value to obtain the count encryption result, where K is greater than 1; after the data packet is acquired, XORing the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode; the hardware implementing each round of encryption logic operations exists at the same time and is not reused.
  • each set of data to be decrypted includes multiple data packets
  • Performing AES decryption on each group of data to be decrypted includes: performing ECB mode pipeline decryption or CTR mode pipeline decryption on each data packet of each group of data to be decrypted;
  • Performing ECB mode pipeline decryption on each data packet includes: sequentially performing the first round through the Nth round of decryption logic operations on the data packet to obtain the AES decryption result of the data packet in ECB mode, where N is greater than 1; the hardware implementing each round of decryption logic operations exists at the same time and is not reused;
  • Performing CTR mode pipeline decryption on each data packet includes: acquiring the count value before the data packet is acquired, and sequentially performing the first round through the Kth round of decryption logic operations on the count value to obtain the count decryption result, where K is greater than 1; after the data packet is acquired, XORing the data in the data packet with the count decryption result to obtain the AES decryption result of the data packet in CTR mode; the hardware implementing each round of decryption logic operations exists at the same time and is not reused.
  • the decryption order of each group of data to be decrypted is consistent with the encryption order of each group of data to be encrypted.
  • An embodiment of the present invention further provides an AES encryption and decryption apparatus, including an encryption end and a decryption end;
  • The encryption end is configured to acquire a new key, add the new key to the next group of data to be encrypted, perform AES encryption with the original key on the next group of data to be encrypted to which the new key has been added, and perform AES encryption with the new key on each group of data to be encrypted that has not been AES encrypted;
  • the decryption end is configured to sequentially perform AES decryption on each group of data to be decrypted by using the original key until the new key is obtained; and use the new key to perform AES decryption on each group of data to be decrypted that has not been decrypted.
  • each group of data to be encrypted includes multiple data packets
  • the encryption end is further configured to add a new key to each data packet of the corresponding next group of data to be encrypted
  • Each set of data to be decrypted includes a plurality of data packets
  • The decryption end is further configured to perform AES decryption on each data packet of each group of data to be decrypted by using the original key, and to inspect each data packet of each group of data to be decrypted to determine whether it includes the new key.
  • The decryption end is configured to, when, for a group of data to be decrypted, the number of detected data packet headers containing the new key is greater than or equal to a set threshold, obtain the new key from the corresponding group of data to be decrypted; the new key is used for AES decryption of the remaining groups of data to be decrypted that have not been decrypted.
  • each group of data to be encrypted includes multiple data packets
  • the encryption end is further configured to perform ECB mode pipeline encryption or CTR mode pipeline encryption for each data packet of each group of data to be encrypted;
  • the encryption end is further configured to sequentially perform the first round of encryption logic operation to the Nth round encryption logic operation for each data packet, and obtain an AES encryption result of the corresponding data packet in the ECB mode, where N is greater than 1;
  • the hardware of each round of encryption logic operations exists at the same time, and the hardware that implements each round of encryption logic operations is not reused;
  • The encryption end is further configured to acquire the count value before the data packet is acquired, and to sequentially perform the first round through the Kth round of encryption logic operations to obtain a count encryption result, where K is greater than 1; and, after the data packet is acquired, to XOR the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode; the hardware implementing each round of encryption logic operations exists at the same time and is not reused.
  • each set of data to be decrypted includes multiple data packets
  • the decryption end is further configured to perform ECB mode pipeline decryption or CTR mode pipeline decryption for each data packet of each group of data to be decrypted;
  • the decryption end is further configured to sequentially perform the first round of decryption logic operation to the Nth round of decryption logic operation for each data packet, and obtain an AES decryption result of the corresponding data packet in the ECB mode, where N is greater than 1;
  • the hardware of each round of decryption logic operations exists at the same time, and the hardware that realizes each round of decryption logic operations is not reused;
  • The decryption end is further configured to acquire the count value before the data packet is acquired, and to sequentially perform the first round through the Kth round of decryption logic operations to obtain a count decryption result, where K is greater than 1; and, after the data packet is acquired, to XOR the data in the data packet with the count decryption result to obtain the AES decryption result of the data packet in CTR mode; the hardware implementing each round of decryption logic operations exists at the same time and is not reused.
  • An embodiment of the present invention provides a storage medium storing executable instructions, the executable instructions being used to execute the AES encryption and decryption method provided by the embodiment of the present invention.
  • With the AES encryption and decryption method and apparatus and the storage medium provided by the embodiments of the present invention, a new key is acquired while the current group of data to be encrypted is being encrypted, and the new key is added to the next group of data to be encrypted; AES encryption is performed with the original key on the next group of data to be encrypted to which the new key has been added, and with the new key on each group of data to be encrypted that has not been AES encrypted; AES decryption is performed sequentially with the original key on each group of data to be decrypted until the new key is acquired, and with the new key on each group of data to be decrypted that has not been decrypted.
  • The encryption end thus carries the new key to the decryption end inside data encrypted with the old key, so that the decryption end, while decrypting data with the old key, obtains the new key for decrypting the remaining data; the key can therefore be changed without interrupting the encryption and decryption process, improving the security of data usage.
  • FIG. 1 is a flow chart of a first embodiment of an AES encryption and decryption method of the present invention
  • FIG. 2 is a flow chart showing a multi-round encryption logic operation in the first embodiment of the AES encryption and decryption method of the present invention
  • FIG. 3 is a flow chart showing a multi-round decryption logic operation in the first embodiment of the AES encryption and decryption method of the present invention
  • FIG. 4 is a flow chart of a second embodiment of the AES encryption and decryption method of the present invention.
  • FIG. 5 is a schematic structural diagram of a structure of an AES encryption and decryption apparatus according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a first embodiment of an AES encryption and decryption method according to the present invention. As shown in FIG. 1, the method includes:
  • Step 100 Acquire a new key and add the new key to the next group of data to be encrypted; use the original key to perform AES encryption on the next group of data to be encrypted to which the new key has been added, and use the new key to perform AES encryption on each group of data to be encrypted that has not been AES encrypted.
  • the AES encryption can be implemented by using the encryption end; here, the encryption end can perform AES encryption by a combination of hardware, software, or software and hardware.
  • acquiring a new key includes generating a new key or receiving a new key from an external device.
  • the encryption end acquires a new key in the process of encrypting the current group to be encrypted data, and adds the new key to the next group of data to be encrypted.
  • the data to be encrypted includes M group data, and M is greater than 1; here, the encryption order of each group of data may be preset.
  • each set of data to be encrypted includes a plurality of data packets.
  • Adding the new key to the next group of data to be encrypted includes: adding the new key to each data packet of the next group of data to be encrypted; here, the new key can be added to the header of each data packet of the next group of data to be encrypted.
  • the packet header of each data packet carries indication information for indicating that the data packet is the first data packet corresponding to a group of data to be encrypted.
  • AES encryption can be implemented in Electronic Codebook (ECB) mode or Counter (CTR) mode.
  • ECB: Electronic Codebook
  • CTR: Counter
  • performing AES encryption on each set of data to be encrypted includes: performing ECB mode pipeline encryption or CTR mode pipeline encryption for each data packet of each group of data to be encrypted.
  • Performing ECB mode pipeline encryption on each data packet includes: sequentially performing a key XOR operation and the first round through the Nth round of encryption logic operations on the data packet to obtain the AES encryption result of the data packet in ECB mode, where N is greater than 1. The hardware implementing each round of encryption logic operations is distinct, that is, the hardware for all rounds exists at the same time and is not reused; the multiple rounds of encryption logic operations can therefore run as a pipeline, which speeds up AES encryption in ECB mode.
  • The i-th round of encryption logic operation includes the following steps executed in order: S-box transformation (SubBytes), row shift transformation (ShiftRows), column mixing transformation (MixColumns), and round key addition (AddRoundKey), where i takes values from 1 to N-1; the Nth round of encryption logic operation includes only the S-box transformation, row shift transformation, and round key addition steps, executed in order.
  • When performing ECB mode pipeline encryption on each data packet, the initial key must first be acquired and expanded into N+1 extended keys; the key XOR operation on each data packet includes: XORing the data of the data packet with the first of the N+1 extended keys.
  • The i'-th round of encryption logic operation on each data packet uses the (i'+1)-th of the N+1 extended keys, where i' takes values from 1 to N.
  • Performing CTR mode pipeline encryption on each data packet includes: acquiring the count (COUNTER) value before the data packet is acquired, and sequentially performing a key XOR operation and the first round through the Kth round of encryption logic operations on the count value to obtain the count encryption result, where K is greater than 1; after the data packet is acquired, XORing the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode.
  • The hardware implementing each round of encryption logic operations is distinct, that is, the hardware for all rounds exists at the same time and is not reused; the multiple rounds of encryption logic operations can therefore run as a pipeline, which speeds up AES encryption in CTR mode.
  • The j-th round of encryption logic operation includes the S-box transformation, row shift transformation, column mixing transformation, and round key addition steps executed in order, where j takes values from 1 to K-1; the Kth round of encryption logic operation includes only the S-box transformation, row shift transformation, and round key addition steps, executed in order.
  • If the count encryption result were not obtained before the data packet is acquired, the XOR of the count encryption result with the data in the data packet could only be performed once the count encryption result became available after the packet had been acquired, so the data packet would have to be cached. In the embodiment of the present invention, obtaining the count encryption result in advance therefore effectively saves cache resources.
  • When performing CTR mode pipeline encryption on each data packet, the initial key must first be acquired and expanded into K+1 extended keys; the key XOR operation on the count value includes: XORing the count value with the first of the K+1 extended keys.
  • The j'-th round of encryption logic operation on the count value uses the (j'+1)-th of the K+1 extended keys, where j' takes values from 1 to K.
  • Input represents the input data of a data packet to be encrypted when performing AES encryption in ECB mode, or the count value to be encrypted when performing AES encryption in CTR mode; the bit width of Input is 128 bits; round represents each round of encryption logic operation: every round except the last includes the S-box transformation, row shift transformation, column mixing transformation, and round key addition steps executed in order; the last round includes only the S-box transformation, row shift transformation, and round key addition steps.
  • Output represents the output data finally obtained when performing AES encryption in ECB mode, or the count encryption result when performing AES encryption in CTR mode;
  • The first key expansion module is configured to expand the initial key into a plurality of extended keys. Of the extended keys produced by the first key expansion module, one is used for the XOR operation on Input, and the remaining ones are used for the corresponding rounds of encryption logic operations.
  • the bit width of the initial key may be 128 bits, 192 bits, or 256 bits.
  • When the bit width of the initial key is 128 bits, the number of rounds of the multi-round encryption logic operation is 10; when the bit width of the initial key is 192 bits, the number of rounds is 12; when the bit width of the initial key is 256 bits, the number of rounds is 14.
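The round structure described above, written out in Go as an added example (not code from the patent or its applicant): a key XOR with the first extended key, then N rounds of which only the last omits MixColumns. It generalizes the description to all three key widths; the function names and the cross-check against Go's crypto/aes are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/bits"
)

var sbox [256]byte // filled by init: inverse in GF(2^8), then the affine transform

func xtime(b byte) byte { return b<<1 ^ (b>>7)*0x1B } // multiply by x in GF(2^8)

func init() {
	p, q := byte(1), byte(1)
	for {
		p ^= xtime(p) // p = p*3
		q ^= q << 1   // q = q/3, so p*q stays 1
		q ^= q << 2
		q ^= q << 4
		q ^= (q >> 7) * 0x09
		sbox[p] = q ^ bits.RotateLeft8(q, 1) ^ bits.RotateLeft8(q, 2) ^
			bits.RotateLeft8(q, 3) ^ bits.RotateLeft8(q, 4) ^ 0x63
		if p == 1 {
			break
		}
	}
	sbox[0] = 0x63
}

// expandKey expands a 16/24/32-byte key into N+1 extended keys, back to back (N = 10/12/14).
func expandKey(key []byte) []byte {
	nk := len(key) / 4
	w := make([]byte, 16*(nk+7))
	copy(w, key)
	rcon := byte(1)
	for i := nk; i < 4*(nk+7); i++ {
		t := [4]byte{w[4*i-4], w[4*i-3], w[4*i-2], w[4*i-1]}
		if i%nk == 0 {
			t = [4]byte{sbox[t[1]] ^ rcon, sbox[t[2]], sbox[t[3]], sbox[t[0]]}
			rcon = xtime(rcon)
		} else if nk > 6 && i%nk == 4 {
			t = [4]byte{sbox[t[0]], sbox[t[1]], sbox[t[2]], sbox[t[3]]}
		}
		for j := 0; j < 4; j++ {
			w[4*i+j] = w[4*(i-nk)+j] ^ t[j]
		}
	}
	return w
}

func mixColumns(s []byte) { // column mixing on each 4-byte column
	for c := 0; c < 16; c += 4 {
		a := [4]byte{s[c], s[c+1], s[c+2], s[c+3]}
		all := a[0] ^ a[1] ^ a[2] ^ a[3]
		for r := 0; r < 4; r++ {
			s[c+r] = a[r] ^ all ^ xtime(a[r]^a[(r+1)%4])
		}
	}
}

// encryptBlock runs the key XOR and then rounds 1..N on one 128-bit input.
func encryptBlock(key, in []byte) []byte {
	rk := expandKey(key)
	n := len(rk)/16 - 1
	s := make([]byte, 16)
	for i := range s {
		s[i] = in[i] ^ rk[i] // key XOR with the first extended key
	}
	for round := 1; round <= n; round++ {
		t := make([]byte, 16)
		for i := range t { // SubBytes + ShiftRows: row i%4 rotates left by i%4
			t[i] = sbox[s[i%4+4*((i/4+i%4)%4)]]
		}
		if round < n {
			mixColumns(t) // the last round has no MixColumns step
		}
		for i := range t {
			s[i] = t[i] ^ rk[16*round+i] // AddRoundKey, extended key round+1
		}
	}
	return s
}

// matchesStdlib cross-checks encryptBlock against Go's crypto/aes.
func matchesStdlib(key, in []byte) bool {
	want := make([]byte, 16)
	if ref, err := aes.NewCipher(key); err == nil {
		ref.Encrypt(want, in)
	}
	return bytes.Equal(want, encryptBlock(key, in))
}

func main() {
	for _, n := range []int{16, 24, 32} {
		key := bytes.Repeat([]byte{0x2a}, n) // constructed key and input
		fmt.Println(8*n, n/4+6, matchesStdlib(key, []byte("constructed-data")))
	}
}
```

The software loop reuses the same code for every round; in the pipelined hardware described above each iteration of that loop would be its own stage.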
  • Step 101 Perform AES decryption on each group of data to be decrypted by using the original key until the new key is obtained; and use the new key to perform AES decryption on each group of data to be decrypted that has not been decrypted.
  • the AES decryption can be implemented by using the decryption end; here, the decryption end can perform AES decryption by means of hardware, software or a combination of hardware and software.
  • The decryption order of the groups of data to be decrypted is consistent with the encryption order of the groups of data to be encrypted. That is, in step 100, AES encryption is performed sequentially on the first through the Mth groups of data to be encrypted, yielding the corresponding first through Mth groups of data to be decrypted; in this step, AES decryption is performed sequentially on the first through the Mth groups of data to be decrypted.
  • the new key can be obtained by means of AES decryption.
  • each set of data to be decrypted includes a plurality of data packets.
  • Sequentially performing AES decryption on each group of data to be decrypted by using the original key until the new key is obtained includes: performing AES decryption on each data packet of each group of data to be decrypted by using the original key, and inspecting the header of each data packet of each group of data to be decrypted to determine whether the header includes a new key; if, for a group of data to be decrypted, the number of detected data packet headers that include the new key is greater than or equal to a set threshold, the new key is acquired; otherwise, the new key is not acquired.
  • AES decryption can be implemented in the ECB mode or the CTR mode.
  • performing AES decryption on each set of data to be decrypted includes performing ECB mode pipeline decryption or CTR mode pipeline decryption for each group of data to be decrypted.
  • Performing ECB mode pipeline decryption on each data packet includes: sequentially performing a key XOR operation and the first round through the Nth round of decryption logic operations on the data packet to obtain the AES decryption result of the data packet in ECB mode, where N is greater than 1. The hardware implementing each round of decryption logic operations is distinct, that is, the hardware for all rounds exists at the same time and is not reused; the multiple rounds of decryption logic operations can therefore run as a pipeline, which speeds up AES decryption in ECB mode.
  • The i-th round of decryption logic operation includes the following steps executed in order: inverse row shift transformation (InvShiftRows), inverse S-box transformation (InvSubBytes), round key addition (AddRoundKey), and inverse column mixing transformation (InvMixColumns), where i takes values from 1 to N-1; the Nth round of decryption logic operation includes only the inverse row shift transformation, inverse S-box transformation, and round key addition steps, executed in order.
  • When performing ECB mode pipeline decryption on each data packet, the initial key must first be acquired and expanded into N+1 extended keys; the key XOR operation on each data packet includes: XORing the data of the data packet with the first of the N+1 extended keys.
  • The i'-th round of decryption logic operation on each data packet uses the (i'+1)-th of the N+1 extended keys, where i' takes values from 1 to N.
  • The N+1 extended keys used in ECB mode pipeline decryption of each data packet are the same as the N+1 extended keys used in ECB mode pipeline encryption of each data packet.
  • The N+1 extended keys are used in ECB mode pipeline decryption of each data packet in the reverse of the order in which they are used in ECB mode pipeline encryption of each data packet.
  • performing CTR mode pipeline decryption for each data packet includes: pre-acquiring the count value before acquiring the corresponding data packet, performing key exclusive OR operation on the count value, and performing the first round of decryption logic operation to the Kth round decryption logic.
  • The j-th round of decryption logic operation includes the inverse row shift transformation, inverse S-box transformation, round key addition, and inverse column mixing transformation steps executed in order, where j takes values from 1 to K-1;
  • The Kth round of decryption logic operation includes only the inverse row shift transformation, inverse S-box transformation, and round key addition steps, executed in order.
  • the cache resource can be effectively saved.
  • When performing CTR mode pipeline decryption on each data packet, the initial key must first be acquired and expanded into K+1 extended keys; the key XOR operation on the count value includes: XORing the count value with the first of the K+1 extended keys.
  • The j'-th round of decryption logic operation on the count value uses the (j'+1)-th of the K+1 extended keys, where j' takes values from 1 to K.
  • The K+1 extended keys used in CTR mode pipeline decryption of each data packet are the same as the K+1 extended keys used in CTR mode pipeline encryption of each data packet.
  • The K+1 extended keys are used in CTR mode pipeline decryption of each data packet in the reverse of the order in which they are used in CTR mode pipeline encryption of each data packet.
  • FIG. 3 is a flow chart of a multi-round decryption logic operation in the first embodiment of the AES encryption and decryption method of the present invention.
  • In represents the data of a data packet to be encrypted when performing AES encryption in ECB mode, or the count value to be encrypted when performing AES encryption in CTR mode; the bit width of In is 128 bits; Round represents each round of decryption logic operation: every round except the last includes the inverse row shift transformation, inverse S-box transformation, round key addition, and inverse column mixing transformation steps executed in order; the last round includes only the inverse row shift transformation, inverse S-box transformation, and round key addition steps.
  • Out represents the encryption result obtained when performing AES encryption in ECB mode, or the count encryption result when performing AES encryption in CTR mode;
  • The second key expansion module is configured to expand the initial key into a plurality of extended keys. Of the extended keys produced by the second key expansion module, one is used for the XOR operation on In, and the remaining ones are used for the corresponding rounds of decryption logic operations.
  • the bit width of the initial key may be 128 bits, 192 bits, or 256 bits.
  • When the bit width of the initial key is 128 bits, the number of rounds of the multi-round decryption logic operation is 10; when the bit width of the initial key is 192 bits, the number of rounds is 12; when the bit width of the initial key is 256 bits, the number of rounds is 14.
  • the process of adding a new key is set in the process of AES encryption, so that the key can be replaced without interrupting the data flow.
  • FIG. 4 is a flowchart of a second embodiment of an AES encryption and decryption method according to the present invention. As shown in FIG. 4, the method includes:
  • Step 400 The control unit sends a key replacement notification carrying the new key to the encryption end.
  • Step 401 After receiving the key replacement notification, the encryption end adds the new key to the header of each data packet of the next group of data to be encrypted; after adding the new key, it encrypts each data packet of a group of data to be encrypted by using the new key, and sends encryption-end key replacement information to the control unit.
  • Step 402 The decryption end decrypts the m-th group of data to be decrypted by using the original key, inspects the header of each data packet of the m-th group of data to be decrypted, and obtains the number of data packet headers containing the new key for the m-th group of data to be decrypted; the initial value of m is 1.
  • Step 403 When m is less than M, skip to step 404, where M represents the number of groups of data to be decrypted; when m is equal to M, the process ends.
  • Step 404 When the number of data packet headers containing the new key for the m-th group of data to be decrypted is greater than zero, step 405 is performed; otherwise, when that number is zero, the value of m is incremented by one and the process returns to step 402.
  • Step 405 Determine whether the number of data packet headers containing the new key for the m-th group of data to be decrypted is greater than or equal to the set threshold Y. If it is, proceed to step 406; otherwise, go to step 407.
  • Step 406 The decryption end uses the new key to perform AES decryption on the m+1th group data to the Mth group data in sequence, and sends the key replacement information to the control unit; the process ends.
  • control unit knows that both the encryption end and the decryption end have performed the key replacement process.
  • Step 407 The decryption end sends a key replacement failure message to the control unit. After receiving the key replacement failure message, the control unit re-adds a new key to the packet header of each data packet for the data to be encrypted to be added with the new key. And replacing the original data packet with each data packet after re-adding the new key, using the new key to encrypt each data packet of the next group of data to be encrypted, and sending the encryption terminal key to the control unit. Replace the information and return to step 402.
  • An embodiment of the present invention further provides an AES encryption and decryption apparatus.
  • FIG. 5 is a schematic structural diagram of an AES encryption and decryption apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes an encryption end 500 and a decryption end 501.
  • The encryption end 500 is configured to: acquire a new key while encrypting the current group of data to be encrypted; add the new key to the next group of data to be encrypted; perform AES encryption, using the original key, on the next group of data to be encrypted to which the new key has been added; and perform AES encryption, using the new key, on each group of data to be encrypted that has not yet been AES encrypted.
  • The decryption end 501 is configured to perform AES decryption on each group of data to be decrypted using the original key until the new key is obtained, and to use the new key to perform AES decryption on each group of data to be decrypted that has not yet been decrypted.
  • Each group of data to be encrypted includes a plurality of data packets; each group of data to be decrypted includes a plurality of data packets.
  • The encryption end 500 is further configured to add the new key to each data packet of the next group of data to be encrypted.
  • The decryption end 501 is further configured to perform AES decryption on each data packet of each group of data to be decrypted using the original key, inspect each data packet of each group of data to be decrypted, and determine whether each inspected data packet contains the new key.
  • The decryption end 501 is configured to, for each group of data to be decrypted, acquire the new key when the number of detected packet headers containing the new key is greater than or equal to a set threshold.
  • The encryption end 500 is further configured to perform ECB-mode pipeline encryption or CTR-mode pipeline encryption on each data packet of each group of data to be encrypted.
  • The encryption end 500 is configured to perform the first through N-th rounds of the encryption logic operation on the corresponding data packet in sequence, obtaining the AES encryption result of the corresponding data packet in ECB mode, where N is greater than 1.
  • The hardware implementing each round of the encryption logic operation is distinct; that is, the hardware for all rounds exists at the same time, and the hardware implementing any one round is not reused.
  • The encryption end 500 is configured to acquire a count value in advance, before acquiring the corresponding data packet, and to perform the first through K-th rounds of the encryption logic operation on the count value in sequence to obtain a count encryption result, where K is greater than 1; after obtaining the corresponding data packet, it performs an exclusive-OR operation on the data in the corresponding data packet and the count encryption result, obtaining the AES encryption result of the corresponding data packet in CTR mode. The hardware implementing each round of the encryption logic operation is distinct; that is, the hardware for all rounds exists at the same time, and the hardware implementing any one round is not reused.
  • The decryption end 501 is further configured to perform ECB-mode pipeline decryption or CTR-mode pipeline decryption on each data packet of each group of data to be decrypted.
  • The decryption end 501 is configured to perform the first through N-th rounds of the decryption logic operation on the corresponding data packet in sequence, obtaining the AES decryption result of the corresponding data packet in ECB mode, where N is greater than 1.
  • The hardware implementing each round of the decryption logic operation is distinct; that is, the hardware for all rounds exists at the same time, and the hardware implementing any one round is not reused.
  • The decryption end 501 is configured to acquire a count value in advance, before acquiring the corresponding data packet, and to perform the first through K-th rounds of the decryption logic operation on the count value in sequence to obtain a count decryption result, where K is greater than 1; after obtaining the corresponding data packet, it performs an exclusive-OR operation on the data in the corresponding data packet and the count decryption result, obtaining the AES decryption result of the corresponding data packet in CTR mode. The hardware implementing each round of the decryption logic operation is distinct; that is, the hardware for all rounds exists at the same time, and the hardware implementing any one round is not reused.
  • The encryption end 500 and the decryption end 501 can each be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), or a field-programmable gate array (FPGA) located in the terminal.
  • An embodiment of the present invention provides a storage medium storing executable instructions, the executable instructions being used to execute the AES encryption and decryption method provided by the embodiments of the present invention.
  • Embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
  • The computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction apparatus; the instruction apparatus implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
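
The receive-side key switch of steps 402 to 407, combined with the CTR-mode precomputation described for the encryption end 500 and the decryption end 501, as an added example that is not code from the patent. Assumptions: SHA-256 stands in for the AES round pipeline because the Python standard library has no AES, and the `NEWKEY:` header tag, the per-packet counter layout and the majority choice among received keys are hypothetical.

```python
import hashlib

KEY_LEN = 16       # 128-bit key (the 10-round case)
MARK = b"NEWKEY:"  # hypothetical header tag; the page defines no header layout

def keystream(key, counter, n):
    """Stand-in for AES-CTR (SHA-256, not AES): needs only key and counter, so it is precomputable."""
    out, block = b"", 0
    while len(out) < n:
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out, block = out + hashlib.sha256(seed).digest(), block + 1
    return out[:n]

def xor_packet(key, counter, data):
    """CTR mode: the same XOR with the keystream encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, counter, len(data))))

def encrypt_group(key, m, payloads, new_key=None):
    """Encryption end: optionally carry the new key in every packet header."""
    header = MARK + new_key if new_key else b""
    return [xor_packet(key, m * 1000 + i, header + p) for i, p in enumerate(payloads)]

def decrypt_groups(groups, original_key, threshold_y):
    """Decryption end, steps 402-407. Returns (payloads, status)."""
    key, switched, payloads = original_key, False, []
    for m, group in enumerate(groups):
        found = []
        for i, packet in enumerate(group):
            plain = xor_packet(key, m * 1000 + i, packet)
            if not switched and plain.startswith(MARK):
                found.append(plain[len(MARK):len(MARK) + KEY_LEN])
                plain = plain[len(MARK) + KEY_LEN:]
            payloads.append(plain)
        if switched or not found:
            continue                      # step 404: no key header in this group
        if len(found) < threshold_y:      # step 405 not met, so step 407
            return payloads, "key replacement failure"
        # step 406: later groups use the new key (assumption: majority value wins)
        key, switched = max(set(found), key=found.count), True
    return payloads, "key replaced" if switched else "original key kept"

def demo(damaged=0):
    """Constructed data: 3 groups of 4 packets; group 1 carries the new key."""
    old, new = b"O" * KEY_LEN, b"N" * KEY_LEN
    data = [[b"g%dp%d" % (m, i) for i in range(4)] for m in range(3)]
    groups = [encrypt_group(old, 0, data[0]), encrypt_group(old, 1, data[1], new),
              encrypt_group(new, 2, data[2])]
    for i in range(damaged):              # constructed fault: flip one header bit
        groups[1][i] = bytes([groups[1][i][0] ^ 1]) + groups[1][i][1:]
    return decrypt_groups(groups, old, threshold_y=3)
```

With two damaged headers only two key-bearing packets remain against Y = 3, so the receiver reports failure instead of switching. Because the new key travels encrypted under the original key, anyone who recovers the original key also recovers the new one.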

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method, a device and a storage medium for Advanced Encryption Standard (AES) encryption and decryption. The method comprises: acquiring a new key and adding the new key to the next group of data to be encrypted; using the original key to perform AES encryption on said next group of data to be encrypted to which the new key has been added, and using the new key to perform AES encryption on each group of data to be encrypted that has not yet undergone AES encryption; using the original key to perform AES decryption on each group of data to be decrypted in sequence until the new key is acquired; and using the new key to perform AES decryption on each group of data to be decrypted that has not yet been decrypted.
PCT/CN2016/089940 2015-09-06 2016-07-13 Advanced Encryption Standard encryption and decryption method, device, and storage medium WO2017036251A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510559903.8A CN106506140A (zh) 2015-09-06 2015-09-06 AES encryption and decryption method and apparatus
CN201510559903.8 2015-09-06

Publications (1)

Publication Number Publication Date
WO2017036251A1 true WO2017036251A1 (fr) 2017-03-09

Family

ID=58186628

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/089940 WO2017036251A1 (fr) 2015-09-06 2016-07-13 Advanced Encryption Standard encryption and decryption method, device, and storage medium

Country Status (2)

Country Link
CN (1) CN106506140A (fr)
WO (1) WO2017036251A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109299614A (zh) * 2018-10-30 2019-02-01 天津津航计算技术研究所 System and method for implementing the SM4 cipher algorithm in a pipelined manner

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120173865A1 (en) * 2010-12-29 2012-07-05 Viswanathan Swaminathan System And Method For Generating Multiple Protected Content Formats Without Redundant Encryption Of Content
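CN104038337A (zh) * 2014-06-20 2014-09-10 上海动联信息技术股份有限公司 AES128-based data encryption method
CN104579645A (zh) * 2015-01-26 2015-04-29 中国科学院半导体研究所 Key update method based on an AES encryption system
CN104639314A (zh) * 2014-12-31 2015-05-20 深圳先进技术研究院 Device and pipeline control method based on the AES encryption/decryption algorithm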

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8045714B2 (en) * 2005-02-07 2011-10-25 Microsoft Corporation Systems and methods for managing multiple keys for file encryption and decryption
CN103166758A (zh) * 2011-12-19 2013-06-19 中兴通讯股份有限公司 Key update method and system for GPON upstream AES encryption
US9602280B2 (en) * 2013-03-13 2017-03-21 Futurewei Technologies, Inc. System and method for content encryption in a key/value store
US10403173B2 (en) * 2013-08-13 2019-09-03 Fiske Software, Llc NADO cryptography using one-way functions

Also Published As

Publication number Publication date
CN106506140A (zh) 2017-03-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16840680

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16840680

Country of ref document: EP

Kind code of ref document: A1