WO2019242645A1 - Key generation apparatus, encryption and decryption apparatus, key generation and distribution system and information secure transmission system - Google Patents

Key generation apparatus, encryption and decryption apparatus, key generation and distribution system and information secure transmission system Download PDF

Info

Publication number
WO2019242645A1
WO2019242645A1 PCT/CN2019/091899 CN2019091899W WO2019242645A1 WO 2019242645 A1 WO2019242645 A1 WO 2019242645A1 CN 2019091899 W CN2019091899 W CN 2019091899W WO 2019242645 A1 WO2019242645 A1 WO 2019242645A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
key
database
module
sequence
Prior art date
Application number
PCT/CN2019/091899
Other languages
French (fr)
Chinese (zh)
Inventor
蔡利锋
蔡嘉禾
王艳
Original Assignee
蔡利锋
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 蔡利锋 filed Critical 蔡利锋
Publication of WO2019242645A1 publication Critical patent/WO2019242645A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • the present invention relates to the field of information security, and more particularly, the present invention relates to a key generation device, an encryption and decryption device, a key generation and distribution system, and an information security delivery system.
  • OTP is currently the only realistic and absolutely secure encryption scheme in theory. Quantum encryption schemes are theoretically unbreakable, but technical breakthroughs are still needed before widespread application. Limited by the key cannot be reused, the amount of information that OTP can safely transmit cannot be greater than the amount of information contained in the key book, which limits its use. Therefore, a method that can generate a large number of security keys and distribute them conveniently and securely will overcome the inherent limitations and solve the fundamental problems of information security on the basis of making full use of the theoretically absolute security of the OTP scheme.
  • the present invention will focus on solving the problem of generating and distributing unpredictable information as a security key, and based on this, establish an information security delivery scheme and an information security system.
  • Information is a certain kind of symbol or signal, which can be detected, perceived, and identified by specific subjects, and used for interaction and communication between subjects. For information used for communication, its symbols or signals should also satisfy the purpose of being able to be communicated by the subject. Generate, send, receive, identify, and reproduce. At the material level, information is some kind of signal, including sound waves, light waves, electromagnetic, electronic, radiation signals, etc., which can be generated, sent, detected, sensed, and identified by specific subjects in a suitable way. At the technical level, identifiable signals can be decomposed into different signal primitives determined and distinguished by intensity, spatiotemporal distribution, and other distinguishable finite attributes. Signals can be expressed as an ordered combination of signal primitives and can be identified as information .
  • Signal primitives can be used to abstract information.
  • Signal primitives are abstracted into symbols. They are carried and represented by signals in a uniform format that can be easily perceived and distinguished, such as graphics and interval pulse waves.
  • the sequence of symbols can be further accurately represented by a sequence of non-negative integers.
  • the range of the number of elements in the sequence corresponds to the number N of independent orthogonal symbols.
  • the number of elements in the sequence is an integer between 0 and N-1.
  • the sequence can be represented by a binary sequence and received by the computer. , Identify, store, process, and send to become digital information.
  • Unpredictable information In cryptography, any published information, or information generated by known rules based on known information or easily inferred limited information, may be used for prediction purposes no matter how limited the scope of public and corresponding laws is; Therefore, unpredictable information can be defined as information that is not disclosed and that is not generated by known rules. Methodologically, no purely random information is disclosed, that is, no purely random symbol sequence is disclosed, or a random sequence of signal primitives that has not been detected, identified, or used by a communicable subject, which meets the unpredictable requirements and is also the only information that meets the unpredictable requirements. .
  • a key with an information volume of N bytes has a different key space of 256 N ; similarly, an information space is defined, and the information space with an information volume of N bytes is 256 N.
  • the unpredictable information includes the unpredictable information defined in accordance with the actual application of cryptography, and the pseudo-random information that meets the unpredictable requirements is much larger than the corresponding key information space is regarded as unpredictable information , So as to achieve the initial unpredictable information relying on a limited capacity, and generate an amount of unpredictable information that can be expanded as needed as a key.
  • any used key may be disclosed in the future because of the information it carries, which can effectively predict the information by intercepting the ciphertext. Therefore, the unpredictability implies that the key can only be used once. Therefore, in the present invention, undisclosed pure random information and unpredictable information are used as synonyms and are replaced with each other according to different contexts.
  • sequence In modern informatics, identifiable information can be represented by a sequence of non-negative integers.
  • the elements of the sequence can be integers between 0 and n-1, and n is defined as the value range of the sequence elements.
  • the sequence is limited to a non-negative integer sequence. Since any sequence can correspond one-to-one with a non-negative integer sequence, the above limitation does not affect the representativeness of the description of the invention.
  • a sequence consists of the same element sequence with the same value range.
  • the number of elements and the range of element values are defined as the format of the sequence. Sequences of the same format carry the same amount of information and have the same sequence space.
  • the undisclosed pure random number sequence and the unpredictable number sequence are used as synonyms and can be replaced with each other according to different contexts. Information in the form of numbers can be converted into binary information to facilitate computer processing.
  • the present invention first solves the problems of generating and distributing unpredictable information that can be used as a security key.
  • a key generation and sending device including:
  • a system information module configured to store system information of the key generation device
  • a key generation module configured to controllably and orderly generate unpredictable information as a key and use the generated serial number as a corresponding key serial number according to the system information
  • the transmission module is configured to send the key serial number to a paired key generation device, wherein the paired key generation device stores second system information corresponding to the system information.
  • the present invention proposes the concept of controllable and orderly generation of unpredictable information.
  • a controllable and orderly generation device for information is designed to enable the orderly generation of serial numbers through the serial number control based on system information. Forecast information.
  • the unpredictable information is used as a key to form a controllable and orderly key generation device.
  • Use the device to sequentially generate keys according to requirements and use them to generate serial number tags, and generate or reproduce corresponding keys synchronously between the same or corresponding key generation devices that are separated in space and time by serial numbers, so that keys can be used in Exclusively share the same or corresponding key generation devices with secure distribution among the subjects, and build a key generation and secure distribution system.
  • the system information module further includes a database module configured to store unpredictable information, a control module configured to control key generation and other system processes through fixed programs and parameters, and the key generation module is in the control module Orderly extract the stored unpredictable information from the database module as the key under the control, and use its generated serial number as the key serial number, and feed it back to the control module to update the serial number control parameters, and can be based on the same or corresponding key paired
  • the key serial number generated by the generating device depends on the database information to generate a key corresponding to the serial number.
  • the paired key generation device and its system information are completely the same as the key generation device and its system information.
  • system information stored in the database of the paired key generation device may be in a mirror relationship with the information system stored in the database of the key generation device.
  • system information stored in the database of the paired key generation device may be offset from the information system stored in the database of the key generation device in a predetermined manner.
  • system information module further includes:
  • a control module configured to control the generation of unpredictable information through a fixed program or parameter
  • Dynamic information module configured to provide pending input information
  • the information processing module is configured to convert the input information provided by the dynamic information module into generated information through a predetermined algorithm according to the control of the control module, and extract part of the information from the generated information as unpredictable information for generating a key, and other information
  • the feedback information is provided to the dynamic information module to keep it updated steadily.
  • the irreversible one-way evolution of dynamic information can be achieved through the above feedback mechanism, that is, by selecting an appropriate information processing method, all subsequent dynamic information can be evolved from the initial dynamic information.
  • Dynamic information and all public key information cannot be determined and derived from previous dynamic information in a reasonable number of steps.
  • the irreversible one-way evolution characteristics of the unpredictable dynamic information lay the foundation for the continuous generation of security keys.
  • the dynamic information module includes an input information sub-module configured to receive unpredictable information as initial input information,
  • the information processing module converts the input information into generated information that can be expanded by an amount of information determined by the input information through an iterative information processing method, and extracts a first portion of the non-overlapping portion from the generated information in an equal amount as the input information in a predetermined manner.
  • the information is fed back to the input information sub-module as iterative information as input information for the next step, and the second part that does not overlap with each other is extracted as unpredictable information for generating a key.
  • the dynamic information module includes a database sub-module configured to store a predetermined amount of unpredictable information
  • the information processing module is controlled by the control module and relies on the information in the database sub-module to controllably and orderly generate the advance information. Determine a certain amount of unpredictable information as a key, and use its generated serial number as the corresponding key serial number, and then generate additional unpredictable information as database regeneration information and feed it back to the database submodule to update the information in the database submodule.
  • the information processing module relies on the update The information in the subsequent database submodules continues to generate keys.
  • the embodiment of the present application introduces the concept of proliferative encoding information: the encoding information is generated through a database; the specific form and content of the encoding information is determined by the information stored in the database, and all data structure relationships corresponding to the encoding determination information generation process can be obtained through encoding. Rely on the same database to completely restore the corresponding information; the specific form and content of the coding and information are independent of each other, and the information can be generated and controlled in an orderly manner through the limited information amount of coding tracking and manipulation of unrestricted form and content information;
  • proliferative information and generate an expanded number of progeny information through a random combination of database information, so that the information can be proliferated through the database to become proliferable information, and the value space of the progeny information can be expanded through continuous random passage of proliferation.
  • make the value space reach the information space of the corresponding format information, so that the child information selected in a random manner is unpredictable, and the proliferated child information is randomly selected to replace the original database information to achieve unpredictable information in the database Effective regeneration
  • the coding information concept design database includes a main database and a coding database.
  • the main database provides information in a specific format to be processed. Through coding tracking and manipulation of information generation and generation, the controllable and orderly generation of unpredictable information and the unpredictable database are realized. Spontaneous controlled regeneration.
  • the dynamic information module includes a database submodule
  • the database submodule includes a main database storing a predetermined number of unpredictable information units, and a coding database formed by coding a predetermined number of unpredictable information, wherein the number of codes is Greater than the number of unpredictable information units stored in the database submodule,
  • the control module sequentially extracts codes from the coding database, extracts a plurality of unpredictable information units from the main database according to the coding information, and passes them as a set of input information to the information processing module.
  • the codes are not repeatedly used and the sequence number control information is sequentially updated.
  • the information processing module combines a group of input information to generate a secondary information.
  • the information processing module can control the orderly generation of a predetermined number of secondary information as unpredictable information for generating a key, and use the generation sequence number of each unpredictable information as the key sequence number.
  • the information processing module After the predetermined number of keys are generated, the information processing module generates the secondary information in the same amount as the unpredictable information stored in the database sub-module in an orderly and controllable manner as database regeneration information and feeds it back to the database sub-module to update the information in the database sub-module.
  • Another embodiment of the present application preliminarily and theoretically proved the correct use of the concept of the proliferative coding information.
  • each secondary information generated is for the non-initial information owner. It is unpredictable and cannot detect the information in the database submodule effectively based on all the published secondary information.
  • the transmission module is further configured to receive a key sequence number sent from the paired key generation device,
  • the key generation module is further configured to generate a decryption key corresponding to the serial number through the system information according to the received serial number of the key.
  • an encryption and decryption device including:
  • the key generation device is configured to generate a one-time key, wherein the control module adds functions and simultaneously functions as a control module of the entire encryption device;
  • Input port configured to read or enter data to be encrypted
  • a formatting unit configured to convert the data to be encrypted input from the input port into a formatted plain text that matches the key format
  • the encryption module is configured to convert the formatted plain text generated by the formatting unit into a main cipher text using the generated one-time key, use the serial number of the one-time key as the cipher text title, and merge the main cipher text and the cipher text title to Generate ciphertext;
  • the sending port is configured to send the generated ciphertext to a paired decryption device.
  • the encryption and decryption device further includes:
  • a receiving port configured to receive a ciphertext sent from a paired encryption device
  • a decryption module configured to parse the received ciphertext to extract the key sequence number in the ciphertext header
  • the key generation device generates a decryption key corresponding to the serial number by using the received key serial number according to the system information
  • the decryption module uses the decryption key to decrypt the ciphertext to generate a decrypted plaintext
  • the formatting unit converts the plaintext after decryption into recovered data
  • An output port configured to output the restored data.
  • a key generation and distribution system including a paired first key generation device and a second key generation device, where
  • the first key generation device includes:
  • a first system information module configured to store first system information of the first key generation device
  • a first key generation module configured to controllably and orderly generate unpredictable information as the first key, and use a generation number thereof as a corresponding first key number according to the first system information;
  • a first sending module configured to send the first key serial number to a second key generating device
  • the second key generation device includes:
  • a second receiving module configured to receive a first key sequence number sent from the first sending module
  • a second system information module configured to store second system information of the second key generation device, the second system information being the same as or corresponding to the first system information;
  • the second key generation module is configured to generate a second decryption key corresponding to the first key number according to the received first key number according to the second system information.
  • the second key generation module generates the unpredictable information as the second key in a controlled and orderly manner according to the second system information, and uses the generated serial number as the corresponding second key serial number,
  • the second key generating device further includes a second sending module configured to send the second key serial number to the first key generating device,
  • the first key generating device further includes a first receiving module configured to receive a second key sequence number sent from the second sending module,
  • the first key generation module generates a first decryption key corresponding to the second key number according to the accepted second key number according to the system information.
  • an information security transfer system including a first communication device and a second communication device, wherein
  • the first communication device includes:
  • the first key generating device is configured to generate a one-time first key
  • a first input port configured to read or input data to be encrypted
  • a first formatting unit configured to convert the data to be encrypted input from the input port into a first formatted plain text that matches a key format
  • a first encryption module configured to use a generated one-time key to convert a first formatted plain text generated by a first formatting unit into a first main cipher text, and use a first key sequence number of the first key as a first A ciphertext title, combining the main ciphertext and the ciphertext title to generate the first ciphertext;
  • a first sending port configured to send the generated first ciphertext to a second communication device
  • the second communication device includes:
  • a second receiving port configured to receive a first ciphertext sent by the first sending port
  • a second decryption module configured to parse the received first ciphertext to extract a first key sequence number in the first ciphertext header
  • the second key generation device is configured to generate a second decryption key corresponding to the serial number according to the first system serial number according to the second system information;
  • the second decryption module uses the second decryption key to decrypt the received first ciphertext to generate a second decrypted plaintext
  • a second formatting unit configured to convert the second decrypted plaintext into second restored data
  • the second output port is configured to output second restoration data.
  • the second communication device includes:
  • a second input port configured to read or input a second data to be encrypted
  • the second key generating device may controllably and orderly generate unpredictable information as the second key, and use the generated serial number as the second key serial number according to the second system information;
  • the second formatting unit converts the data to be encrypted input from the second input port into a second formatted plain text that matches the key format
  • a second encryption module configured to use the generated second key to convert the second formatted plain text generated by the second formatting unit into a second main cipher text, and use the second key sequence number of the second key as the first Second ciphertext title, combining the second main ciphertext and the second ciphertext title to generate a second ciphertext;
  • a second sending port configured to send the generated second ciphertext to the first communication device
  • the first communication device includes:
  • a first receiving port configured to receive a second ciphertext sent by the second sending port
  • a first decryption module configured to parse the received second ciphertext to extract a second key sequence number in a second ciphertext header
  • the first key generation device generates a first decryption key corresponding to the second sequence number according to the second key sequence number according to the system information;
  • the first decryption module uses the first decryption key to decrypt the second ciphertext to generate a first decrypted plaintext
  • the first formatting unit converts the first decrypted plain text into first restored data
  • the first output port is configured to output the first restoration data.
  • the key generation device, encryption and decryption device, key generation and distribution system, and information security delivery system can generate a large number of security keys by relying on limited and unpredictable shared unpredictable information and can conveniently generate the generated keys And secure distribution, thereby solving the fundamental problem of information security.
  • FIG. 1 is a schematic diagram illustrating a key generation device and a key distribution system according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram illustrating a correspondence relationship between unpredictable information and a serial number stored in a database.
  • FIG. 3 is a schematic diagram illustrating an embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram illustrating an encryption and decryption apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram illustrating an information security transfer system according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram illustrating a key generation device and a key distribution system according to an embodiment of the present invention.
  • a key distribution system 1 according to an embodiment of the present invention includes a paired key generation device 100 and a key generation device 200.
  • the key generation apparatus 100 may include:
  • a system information module 101 configured to store system information of the key generation device
  • the key generation module 102 is configured to controllably and orderly generate unpredictable information as a key based on the system information, and use a generation number of the unpredictable information as a corresponding key number;
  • the transmission module 103 is configured to send the key serial number to a paired key generation device, wherein the paired key generation device stores second system information corresponding to the system information, where the corresponding system
  • the information can be completely identical, one-to-one correspondence, or a limited number of one-to-one correspondences or one-to-one correspondences.
  • the key generation device 200 has the same structure as the key generation device 100.
  • the key generation device may also include a system information module 201, a key generation module 202, and a transmission module 203.
  • Configurations and functions of the system information module 201, the key generation module 202, and the transmission module 203 are the same as those of the system information module 101, the key generation module 102, and the transmission module 103, and detailed descriptions thereof are omitted here.
  • the system information module 101 stores system information of the key generation device, and the system information may include, for example, a database, information about a method of generating a database, system settings and control information, and the like.
  • the key generation module 102 can controllably and orderly generate unpredictable information as a key based on the system information, and use its generated serial number as the corresponding key serial number, and can generate the key sent by the paired key generation device according to the received The serial number generates a key corresponding to the serial number.
  • the system information module 101 includes a database that stores unpredictable information.
  • the key generation module 102 sequentially extracts unpredictable information from the database as a key, and uses its generated serial number as the corresponding key serial number, and can rely on the key serial number of the key generated by the received paired key generation module, depending on the The database generates a key corresponding to the serial number.
  • FIG. 2 is a schematic diagram illustrating a correspondence relationship between unpredictable information and a serial number stored in a database.
  • the unpredictable information corresponding to sequence number 1 in the database is “1234abcd”
  • the unpredictable information corresponding to sequence number 2 is “bcde2345”
  • the unpredictable information corresponding to sequence number 3 is “ef34gh56”
  • the unpredictable information corresponding to sequence number 4 The message is "78ab12cd” and so on.
  • the database in Figure 2 only shows the serial number and unpredictable information, but additional information can be added as needed.
  • the unpredictable information shown in the database in FIG. 2 is merely an example. Actually, the unpredictable information may be unpredictable information generated in any manner.
  • the key generation module 102 may select any existing serial number and extract unpredictable information corresponding to the serial number from the database as a key.
  • the key generation module 102 randomly selects a serial number 1, extracts unpredictable information “1234abcd” corresponding to the serial number 1 as a key, and uses 1 as a corresponding key serial number.
  • the unpredictable information is not generated by a specific algorithm, but by the information stored in the system information database in advance. Generating in an orderly manner in a general manner, and then extracting some or all of the information from the generated information as a secret key.
  • the simplest form of the generated information is to retrieve the unpredictable information directly from the database information and orderly extract the information from it as a key; This embodiment does not exclude that the corresponding unpredictable information retrieved through a non-degenerate transformation is used as a key through a specific algorithm.
  • the transmission module 103 may send the key sequence number 1 to the paired key generation device 200, where the paired key generation device 200 stores second system information corresponding to the system information.
  • the second system information of the paired key generation device 200 and the system information of the key generation device 100 are completely the same.
  • the unpredictable information corresponding to sequence number 1 in the database is "1234abcd”
  • the unpredictable information corresponding to sequence number 2 is "bcde2345”
  • the unpredictable information corresponding to sequence number 3 is "ef34gh56”.
  • the unpredictable information corresponding to the serial number 4 is "78ab12cd” and so on.
  • the second system information of the paired key generation device 200 and the system information of the key generation device 100 may correspond according to a predetermined correspondence relationship.
  • the unpredictable information corresponding to each serial number in the database may be offset by a predetermined number from the serial number in the key generation device 100.
  • the unpredictable information corresponding to sequence number 1 in the database is "bcde2345”
  • the unpredictable information corresponding to sequence number 2 is "ef34gh56”
  • the unpredictable information corresponding to sequence number 3 is "78ab12cd”
  • the unpredictable information corresponding to sequence number 4 is "1234abcd" and so on.
  • the second system information of the key generation apparatus 200 and the system information of the key generation apparatus 100 may correspond in a corresponding relationship in the reverse order, and so on.
  • the transmission module 103 may be further configured to receive a key sequence number sent from the paired key generation device 200.
  • the key generation module 102 is further configured to generate a decryption key corresponding to the serial number through the system information according to the received serial number of the key.
  • the transmission module 103 may send the serial number 1 used to generate the key to the paired key generation device 200. Then, when the paired key generation device 200 receives the serial number 1 sent by the key generation device 100 through the transmission module 203, the key generation module 202 searches the database corresponding to the serial number 1 from the database of the system information module 201 according to the serial number 1 Prediction information, thereby obtaining the same key information as the key generation device 100 intends to transmit, that is, "1234abcd”.
  • the information sent by the key generation device 100 to the key generation device 200 includes only the serial number 1, there is no specific key information other than this, so even if the information is intercepted during the transmission process, the information is intercepted. The information person cannot obtain the key information from the serial number 1.
  • the key generating device 200 is used as the key information sender, and the key generating device 100 is used as the key information receiver.
  • the system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 300 shown in FIG. 3.
  • controllable and ordered generation module 300 includes:
  • a control module 301 configured to control generation of unpredictable information
  • a database module 302 configured to store unpredictable information
  • the key generation module 102 in the first embodiment extracts the unpredictable information from the database module 302 in a controlled and orderly manner as a key, and uses its generated serial number as the corresponding key serial number.
  • the key generation device extracts the corresponding unpredictable information from the database as the corresponding key by receiving the key serial number sent from the paired key generation device.
  • the database may be designed as a large-capacity database, in which unpredictable information is stored in an orderly manner.
  • the key generation module 102 extracts non-overlapping pieces of information from the database in a controlled and orderly manner through sequence control according to the received serial number as mutually independent and unpredictable one-time keys to form an unconditional security key in a controlled and orderly manner Generate device.
  • the system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 400 shown in FIG. 4.
  • controllable and ordered generation module 400 includes:
  • a control module 401 configured to control generation of unpredictable information
  • a dynamic information module 402 configured to provide input information to be processed
  • the information processing module 403 is configured to convert the input information provided by the dynamic information module into generated information through a predetermined algorithm according to the control of the control module, and extract part of the information from the generated information as output information for generating a key through information distribution. Another part of the information is provided as feedback information to the dynamic information module to keep it stable and updated.
  • control module 401 sequentially retrieves input information from the dynamic information module 402 and passes it to the information processing module 403 according to requirements, and sequentially updates serial number control information.
  • the dynamic information module 402 may provide input information to be processed.
  • the information processing module 403 converts the input information provided by the dynamic information module 402 into generated information that can be expanded by the amount of information determined by the input information, and then allocates the generated information in a predetermined manner, such as orderly selecting feedback from the generated information that has the same capacity as the input information
  • the information is passed to the dynamic information module 402 to compensate the used information in order to keep it stable and updated.
  • the output information that does not overlap with the feedback information is sequentially selected as a key and a serial number is generated for it as the key serial number.
  • the feedback information forms an irreversible one-way evolution system of unpredictable dynamic information. It can pass through the cycle of information input, information processing, information output, and information feedback, and rely on limited initial unpredictable dynamic information to form a sustainable key that can be controlled and ordered. Generate device.
  • the system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 500 shown in FIG. 5.
  • controllable and ordered generation module 500 includes:
  • a control module 501 configured to control generation of unpredictable information
  • An input information sub-module 502 configured to provide input information to be processed
  • the information processing module 503 is configured to convert the input information into generated information whose information amount can be determined by the input information through an iterative information processing method, and extract a first part and a non-overlapping part of the generated information from the generated information according to a predetermined information distribution method.
  • the input information is fed back to the input information sub-module as iterative information as input information for the next step, and the second part that does not overlap with each other is extracted as unpredictable information for generating a key.
  • the input information sub-module 502 may be a part of the dynamic information module 402 shown in FIG. 4 and configured to receive unpredictable information as initial input information.
  • the information processing module 503 converts the input information input from the input information submodule 502 into generated information with an expanded amount of information that can be determined by the input information through an iterative information processing method.
  • the allocation method extracts from the generated information the first part of the non-overlapping part and the same amount of input information as iterative information and feeds it back to the input information sub-module as the next input information, and extracts the second part of the non-overlapping part as Outputs information for generating keys.
  • other base numbers can be used and selected. Suitable number of significant digits.
  • the iterative method of key generation with encoding information "... 1A2379D4 " is achieved.
  • the key information is ... 15254815870289282110919868440514 ..., where the serial number parameter is "23758715", and the feedback information from the previous step is used as the next Enter the information.
  • the serial number parameter value remains the same during the same key generation process. After an orderly generation of a key, the sequence is increased by 1 to avoid premature data cycles.
  • the information processing module 503 can convert the input information into the determined key information and feedback information, and there is no analyzable mathematical relationship and limited corresponding logic between the output information and between the output information and the input information and other information of the device. Relationship; so that the above information is transformed into an irreversible one-way process, and sustainable key generation can be controlled and ordered through information input, information generation, key output, and iterative cycles.
  • the above example provides a basic iterative process.
  • the iterative algorithm in the following embodiments can be used as a reference. More complex iterative processes can be set up on this basis. For example, different algorithms, allocation parameters, and serial number parameters can be encoded and processed. Encoding information, and performing different conversions on the distributed information, etc., improve the diversity and security of the system.
  • the system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 600 shown in FIG. 6.
  • controllable and ordered generation module 600 includes:
  • a control module 601 configured to control generation of unpredictable information
  • the database module 602 is configured to include a main database storing a predetermined number of unpredictable information units, and an encoding database formed by encoding a predetermined number of unpredictable information units, where the number of codes is greater than the number of unpredictable information units stored in the database submodule.
  • the control module 601 sequentially extracts codes from the coding database, extracts a plurality of unpredictable information units from the main database according to the coding information, and passes them as a set of input information to the information processing module 603.
  • the codes are not reused and the sequence numbers are sequentially updated. Control information,
  • the information processing module 603 generates a secondary information by combining a set of input information
  • the information processing module 603 generates secondary information in an orderly manner under the control of the control module 601, and selects a predetermined number of output information as a key according to a set information distribution scheme, and uses a generation number of the output information as a corresponding key number.
  • the information processing module 603 After generating a predetermined number of keys, the information processing module 603 generates secondary information with the same amount of unpredictable information stored in the database submodule 602 according to the instruction sequence of the control module 601 and feeds it back to the database submodule 602 as database regeneration information to update Information in the database submodule.
  • the information processing module continues to produce keys based on the information in the updated database submodule,
  • the database 602 may be, for example, a part of the dynamic information module 402 shown in FIG. 4 and configured to store a predetermined number of unpredictable information units and store a predetermined number of unpredictable information codes.
  • the database 602 includes two sub-databases, that is, a main database storing a predetermined number of unpredictable information units and an encoding database formed by encoding a predetermined number of unpredictable information.
  • the length of the unpredictable information unit stored in the main database in this example is an arbitrary length and the number is 16.
  • Table 1 below shows examples of unpredictable information units stored in the main database. It should be noted that only 8-bit unpredictable information is shown in Table 1 below. Actually, the length of the unpredictable information can be any length.
  • the length of the encoding stored in the encoding database in this example is 2 bytes, and the number is 32.
  • the value of the encoding information is expressed in binary.
  • the control module sequentially extracts the code from the coding database. For example, when the key is generated for the first time, the serial number is 1. Therefore, the control module extracts the code corresponding to the serial number 1 from the coding database, that is, (0000 0111 1010 1111), and the corresponding hexadecimal value is 07AF.
  • the control module extracts a plurality of unpredictable information units corresponding to the coding information from the main database according to the coding information 07AF, and passes the information to the information processing module as a set of input information.
  • the control module extracts from the main database corresponding to the encoded information 07AF, the 0th unpredictable information unit (13, 8, 2, 1 %) and the 7th unpredictable information unit (15, 3, 14, 0 7), the Ath (ie, 10th) unpredictable information unit (8, 15, 3, 7 %), and the 15th unpredictable information unit (12, 10, 6, 15 ).
  • the encoding is not repeatedly used.
  • the information processing module combines the set of input information to generate a secondary information. For example, the information processing module sums the four sets of input information and then uses the hexadecimal to take the remainder to generate secondary information.
  • the secondary information generated is as follows:
  • a piece of secondary information generated by the set of input information including four pieces of unpredictable information is (0, 4, 9, 7 ).
  • the generation number 1 of the piece of secondary information is its corresponding key number.
  • the serial number control information in the control module is sequentially updated.
  • the information processing module After using the information in the current database submodule to generate the predetermined number of keys, the information processing module generates the same amount of secondary information as the database regeneration information feedback as the number of unpredictable information stored in the database submodule. Give the database submodule to update the information in the database submodule.
  • the information processing module then continues to produce keys based on the information in the updated database submodule, and iterates through the database submodule update and key generation process.
  • the above example provides a basic process for generating a secondary sequence with the encoding information of 07AF by a combination method.
  • the combination algorithm in the following embodiments can be used as a reference, and a more complex secondary sequence generation process can be set on this basis, such as taking a different
  • the combination algorithm, encoding format and sequence extraction mode, database update mode, etc. of the series can improve the diversity and security of the system.
  • the modulo operation adopted above is an irreversible one-way algorithm, that is, the secondary sequence generated by the original sequence can be determined, but the original sequence cannot be effectively inferred from the secondary sequence. Since the possible values of the corresponding elements of the original sequence inferred from the elements in each of the secondary sequence are distributed without preference in the range of the sequence elements, the algorithm is a mathematically strict irreversible one-way algorithm.
  • This embodiment uses the basic mathematical principle that the type of the arrangement and combination between elements can be much larger than the number of elements, uses the combination method to generate information with an expanded amount of information, and realizes the controllable and orderly generation of sustainable unpredictable information through information generation and feedback loops.
  • the database 602 is designed to store a limited number of unpredictable information units in an orderly manner.
  • the method of generating a secondary information by combining the information units makes the amount of secondary information that can be generated greater than that of the database.
  • the dynamic information module is in the form of a database, and the control module sequentially extracts a number of information units from the database as a set of input information to pass to the information processing module, and at the same time sequentially updates the serial number control information; the information processing module sends a set of inputs
  • the information unit combines to generate a secondary information that can be determined by the input information.
  • the number of secondary information generated by the method is greater than the number of information units in the database.
  • the system sequentially generates a set of agreed number of secondary sequence numbers as keys and uses them to generate serial numbers. Mark them in turn, and then spontaneously and controllably generate secondary information equal to the database capacity to update the database in an orderly manner as the database regeneration information.
  • the next round of key generation is performed; the output information is between the output information and the output information and the database through appropriate settings
  • a universally applicable sustainable and unpredictable information controllable and orderly generation device design scheme can be constructed through the concept of multiplyable encoding information.
  • the database is determined by the identified structural units and the information stored in the units.
  • the storage unit and the structural relationship between them form the fixed frame of the database and can be adjusted by parameters.
  • the information stored in the unit The variable part of the database, the information in the database is related through the structural relationship between the structural units to which it belongs; the specific form and content of the encoded information is determined by the information stored in the database structural unit, and the encoding determines all data structures corresponding to the information generation process
  • the relationship can be completely restored through the same database through coding; the specific form and content of the coding and information are independent of each other, and the information can be tracked and manipulated with limited information and the form and content are not restricted to achieve the controlled and orderly generation of information .
  • the concept of multiplication information is introduced, and the number of progeny information is generated by random combination of database information, so that the information can be multiplied through the database to become multiplication information, and the value space of the progeny information is expanded by continuous random passage and multiplication.
  • the value space is made to the information space of the corresponding format information, so that the child information selected by a random method is unpredictable, and the proliferated child information is randomly selected to replace the database information, thereby achieving effective regeneration of unpredictable information in the database.
  • Enrichable information is encoded according to the combination of database information and all related data structure relationships at the time of its generation, and becomes an expandable coded information.
  • the database is designed according to the concept of the augmentable coded information, and organized to store unpredictable information of limited capacity, including the main database and A coding database composed of random codes; the information units in the main database are stored in an orderly manner for the information generating device to retrieve the corresponding information units according to the coded order in the coding database to generate secondary information, and to track and manipulate the information through the random coding in the coding database Generation and generation, to achieve spontaneous and controllable regeneration of unpredictable databases.
  • the present invention can rely on an unpredictable database with limited capacity to form a secondary information generation and database regeneration cycle. Sustainable and unpredictable information controllable and orderly generating device.
  • the universality of the information definition makes the design of the above-mentioned sustainable and unpredictable information controllable and ordered generation device based on the concept of multiply-encoding information universally applicable.
  • Various forms of unpredictable information and signal units can be put into the main database.
  • the concept of multiplyable coding information and appropriate information processing technologies can be used to achieve sustainable and unpredictable information controllability. Ordered generation.
  • the encryption and decryption apparatus 700 includes:
  • the key generation device 100 described in the first embodiment is configured to controllably and orderly generate a one-time key.
  • the control module 701 in the encryption and decryption device 700 adds parameters and functions as a control module of the encryption device.
  • Input port 702 is configured to read or input data to be encrypted
  • a formatting unit 703 configured to convert the data to be encrypted input from the input port into a formatted plain text that matches the key format
  • the encryption module 704 is configured to convert the formatted plain text generated by the formatting unit 703 into a main cipher text using the one-time key that is controlledly and orderly generated by the key generation device 100, and use the serial number of the one-time key as Ciphertext title, combining main ciphertext and ciphertext title to generate ciphertext;
  • the sending port 705 is configured to send the generated ciphertext to the paired decryption device.
  • the encryption and decryption apparatus 700 further includes:
  • a receiving port 706 configured to receive a ciphertext sent from a paired encryption device
  • the decryption module 707 is configured to parse the received ciphertext to extract the key sequence number in the ciphertext header, and use the key generation device 100 to generate a decryption key corresponding to the key sequence number according to the key sequence number, and use the The decryption key decrypts the ciphertext to generate the decrypted plaintext;
  • the formatting unit 703 is further configured to convert the decrypted plain text into recovered data
  • An output port 708 is configured to output the restored data.
  • the sender inputs file information through the input port, and becomes formatted plain text that can be processed by the encryption module through the formatting unit, and the key generation device extracts the required information from the database in order to generate one-time
  • the key is combined with the formatted plain text to form the main cipher text, and the key generation sequence number is used as the cipher text title to generate a cipher text to complete the encryption;
  • the cipher text enters the regular channel through the sending port; Extract the key generation sequence number from the ciphertext title, generate the corresponding decryption key, decrypt the main ciphertext to generate the formatted plaintext, and complete the decryption;
  • the formatted plaintext is restored to the original file by the formatting unit and output through the output port.
  • the decryption clue accompanying the ciphertext is a universal serial number and does not contain any key information, which completely avoids the risk of key information leakage during the ciphertext transfer process. Therefore, the encryption and decryption device according to this embodiment can Achieve secure file transfer.
  • exogenous random information can be used as a sending file, and random information from different sources can be securely shared between the paired encryption and decryption devices separated in time and space by cipher text, and the exclusive shared database can be updated synchronously.
  • the information security transfer system includes a paired first communication device 800 and a second communication device 900, where the first communication device 800 and the second communication device 900 may have the same configuration. Both the first communication device 800 and the second communication device 900 may include encryption and decryption means as in the above embodiment.
  • the first communication device 800 is held by the correspondent A, for example, and the second communication device 900 is held by the correspondent B, for example.
  • the first communication device 800 includes:
  • the first key generation device 100 is configured to controllably and orderly generate a one-time key as the first key; the control module 801 in the key generation device 100 adds parameters and functions as the encryption Control module of the device.
  • a first input port 802 configured to read or input first data to be encrypted
  • a first formatting unit 803 configured to convert the first to-be-encrypted data input from the input port into a first formatted plaintext having the same key format;
  • the first encryption module 804 is configured to convert the first formatted plain text into a first main cipher text by using a first key generated by a first key generation device, and use a generation number of the first key as a first Ciphertext title, combining the first main ciphertext and the first ciphertext title to generate the first ciphertext;
  • a first sending port 805 configured to send the generated first ciphertext to a second communication device
  • the second communication device 900 includes:
  • the second key generation device 100 is configured to controllably and orderly generate a one-time key as the second key; the control module 901 in the key generation device 100 adds parameters and functions as the encryption Control module of the device.
  • a second receiving port 906 configured to receive a first ciphertext sent by a first sending port
  • a second decryption module 907 is configured to parse the received first ciphertext to extract a first key sequence number in a first ciphertext header, and pass the second key generation device according to the first key sequence number. Generating a corresponding second decryption key text, and using the second key to decrypt the first cipher text to generate a second decrypted plain text;
  • a second formatting unit 903 configured to convert the second decrypted plain text into second restored data
  • the second output port 908 is configured to output the second restoration data.
  • the second communication device 900 includes:
  • the second input port 902 is configured to read or input the second data to be encrypted
  • the second formatting unit is also configured to convert the second to-be-encrypted data input from the second input port into a second formatted plain text that matches the key format;
  • a second encryption module 904 configured to convert the second formatted plain text into a second main cipher text through a second key that is controllably and orderly generated by the second key generation device, and convert the second key
  • the second key sequence number of the key is used as the second ciphertext title, and the second main ciphertext and the second ciphertext title are combined to generate a second ciphertext;
  • a second sending port 905, configured to send the generated second ciphertext to the first communication device
  • a first receiving port 806 of the first communication device configured to receive a second ciphertext sent by the second sending port
  • a first decryption module 807 configured to parse the received second ciphertext to extract a second key sequence number in a header of the second ciphertext, generate a sequence number according to the second key, and generate the sequence by using the first key
  • the device generates a first decryption key corresponding to the second key serial number, and uses the first key to decrypt the second ciphertext to generate a first decrypted plaintext;
  • the first formatting unit simultaneously converts the first decrypted plaintext into the first restored data
  • the first output port 808 is configured to output the first restoration data.
  • the target correspondent uses the encryption device to sequentially generate a one-time key to encrypt the file to generate a ciphertext with the corresponding key serial number as the title, through the regular channel Pass; the ciphertext receiver obtains the corresponding key generation sequence number according to the ciphertext title, generates the corresponding key to decrypt the ciphertext, and realizes the secure transmission of the file; the correspondent can securely share random information from different sources through the ciphertext and update the exclusive shared database And related system information to form an evolvable open key generation and secure distribution system.
  • the decryption clue accompanying the ciphertext is a universal serial number and does not contain any key information, which completely avoids the risk of key information leakage during the ciphertext transmission process. Therefore, the information security transmission system according to this embodiment Enables secure transmission of information.
  • the formatting unit of the encryptor according to the present invention is coupled to a modem; the key uses a sequence of the same format, and the value range of the sequence element is a value that is easily processed by a computer binary system. For example, 2, 16 (compatible with hexadecimal numbers commonly used by computers), 256 (one byte of information), etc., and when necessary, treat the sequence as a multi-digit number with its element value range as the base value, and define The multi-digit number is a sequence value.
  • the formatting unit converts all forms of input information into analogue key sequences through analog-to-digital conversion, that is, formatting plaintext; digitizing information processed by the encryptor, including ciphertext and decrypted formatted plaintext, by Digital-to-analog conversion generates the appropriate form of output information.
  • All information processed in the digital encryptor is a sequence of the same format; when encrypted, the formatted plaintext and key are generated by modulo operation; when decrypted, the ciphertext and corresponding key are recovered by the inverse process of modulo operation To format plain text; the encryption-decryption and the entire information processing process can be implemented intuitively by computer.
  • the key problem to be solved by the present invention will be the controlled and orderly generation of an unpredictable sequence as a key.
  • the inventor adopts a combination strategy and develops a universal design strategy for a sustainable and unpredictable information controllable and ordered generation device through the concept of multiply-encoded information.
  • Combining the concept of coded information and the concept of multiplyable information an updatable database is constructed through the concept of multiplyable coded information, and the secondary sequence output and database update are circulated to achieve the controllable, orderly and infinite generation of unpredictable information.
  • the database structure and the form of information in it can be unlimited, and the combined strategy provides a universal sustainable unpredictable sequence controlled and orderly generation strategy.
  • the key of the combination strategy is the secondary sequence generation algorithm.
  • the inventor first solved the problem of the sequence generation algorithm.
  • the common modulo operation of information encryption is to add the values of the corresponding sequence elements in the same format sequence, divide the sum by the value range of the element, and then take the remainder.
  • Secondary sequence The algorithm for generating the secondary sequence by modulo operation is an irreversible one-way algorithm, that is, the secondary sequence generated by the original sequence can be determined based on the combination of the original sequence, but the original sequence cannot be effectively inferred from the secondary sequence. Since the possible values of the corresponding elements of the original sequence inferred from the elements in each of the secondary sequence are distributed without preference in the range of the sequence elements, the algorithm is a mathematically strict irreversible one-way algorithm.
  • the inventor introduced a carry on the basis of the modulo operation, taking the quotient appearing in the calculation of the sequence element value as a carry, adding it to the calculation of the next sequence element, deleting the carry of the last digit, and keeping the length of the secondary sequence unchanged.
  • the carry modulo operation is equivalent to the modulo operation that takes the sequence sequence space value of the sequence between the sequence values and is defined as the sequence addition.
  • the process of generating a secondary sequence by the algorithm determined by the defined sequence addition also has the mathematically irreversible algorithm characteristics. Based on the addition between the same sequence, the inventor defines the multiplication of the sequence and the natural number.
  • sequence addition and sequence multiplication defined above are used for the generation operation of the secondary sequence in the present invention. If there is no common number greater than 1 between the seed sequence values in the database, that is, coprime, and there is no premature cycle in the process of continuous passage and proliferation, theoretically the possible sequence value of the secondary sequence can be extended to its entire sequence space. Mathematically, it can be considered to ensure that the secondary sequence selected from the random method is unpredictable.
  • control template operation here: one sequence is used as the template sequence, the other is used as the control sequence, the value m of the element with the sequence number n in the control sequence is used as the sequence number, and the element with the sequence number m is extracted from the template sequence. As an element of the new sequence number n, a secondary sequence is obtained.
  • the inventor constructed an unpredictable secondary sequence generation system through the following schemes, but not limited to the following schemes.
  • each secondary sequence generated by the method is unpredictable to outside observers when the primary database remains unpredictable, and database information cannot be effectively predicted based on any single secondary sequence.
  • the encoding contains the combination information of the seed sequence used in the generation of the secondary sequence, so that the secondary sequence is related to each other through the encoding and the seed sequence; the unused secondary sequence of the specific encoding can be derived based on the encoding combination of the published secondary sequence, or
  • the entire database is solved by solving the system of equations to determine all secondary sequences of a given encoding. Therefore, the secondary sequence encoding information needs to be hidden from the outside world during distribution.
  • the inventor constructed a coding database that stores a certain number of random codes and distinguishes them by numbers.
  • the secondary sequence generated by the corresponding code is identified by the number, and the correlation between the secondary sequence displayed in the coding information is masked. . Since the amount of encoded information can be much smaller than that of the secondary sequence, the required number of encodings can be stored in a small amount of storage space.
  • the difficulty of predicting the unused secondary sequence based on the used secondary sequence will be greatly increased.
  • N secondary sequences that determine both encoding and content are required to ensure that a complete set of secondary sequences is constructed through derivation, thereby turning the predicted unused secondary sequence into one and encoding, etc. Long traditional password brute force problem.
  • the possible number of secondary sequences is 256 M.
  • the theoretical combination type of randomly selected N secondary sequences is 256 N * M , and the required information amount is N * M bytes.
  • the inventor made the information of the seed sequence and the corresponding secondary sequence equal to the product of the number of seed sequences and the amount of encoded information N * M, and used it as a database design standard.
  • the above design standards unify the encoding database and the main database format.
  • An element of an undisclosed random number sequence in the same format as the seed sequence can be sequentially divided into random codes with the same number of seed sequences in the main database, numbered sequentially; the encoding database of the format contains an integer multiple of the number of seed sequences in the main database. Random encoding, carried by an undisclosed random sequence of the same format, to increase the standardization of the database design.
  • the database is generated using the secondary sequence that contains the main database and the coding database.
  • the system sequentially extracts codes composed of random information from the coding database. Based on the coding information, a set of seed sequences with corresponding numbers is selected from the main database and a secondary is generated by a suitable algorithm. The sequence number is used to realize the controlled and orderly generation of the secondary sequence number through its generation serial number identification.
  • the above secondary sequence cannot be effectively predicted by the outside world on the premise that the database remains unpredictable, but due to the limitation of the encoding length, the diversity cannot meet the randomness requirement.
  • the inventor can use the proliferative characteristics of the database to randomly select the secondary sequence as the next-generation seed sequence, and gradually expand the value range of the secondary sequence through the generational update of the main database, and finally reach its sequence space, thereby enabling random coding The resulting secondary sequence is unpredictable.
  • the inventor only needs to pass the database randomly once, and then can expand the value range of the secondary sequence to the entire sequence space of the corresponding format sequence, so that the secondary sequence generated by the random coding in order conforms to the methodology Absolute randomness.
  • the inventor expanded the coding database to add the coding used for database update on the basis of retaining the original coding used to generate the key.
  • the increased number of random codes is sufficient to generate the entire database. Updated secondary sequence.
  • the system sequentially extracts the encoding from the encoding database, relies on the current primary database to generate the secondary sequence, replaces the primary database information in an orderly manner, and encodes the database information to achieve an orderly and controllable entire database. regeneration.
  • the inventor can use fragments of the agreed position and encoding in the seed sequence, such as the front-end fragment, as the working encoding for key generation; the end and encoding are of equal length.
  • the fragment is used as the encoding for updating and is used for database update; the encoding number is the same as the seed sequence number in which it is located.
  • the encoding database is cancelled and the database design is simplified and standardized.
  • the inventors built a sustainable and unpredictable sequence controllable ordered generation system. This is achieved through, but not limited to:
  • a working code is sequentially extracted, a set of seed sequences is selected according to the corresponding information, and a suitable secondary sequence corresponding to the code is generated through a suitable operation, and a serial number identifier is generated using it, and the working code is not reused;
  • the system sequentially extracts the update code, generates a secondary sequence through the current main database, and sequentially replaces the current main database information to achieve the spontaneous regeneration of the database;
  • the probability of the same encoding appearing in the encoding database is greater than the probability of the same secondary sequence occurring randomly; to avoid this, the program can detect the generated encoding database each time to ensure that the same encoding does not appear. It only needs to be agreed upon by both programs to add a certain value, such as 1, to the code that appears later in the same code, to maintain the randomness of the code and effectively avoid the occurrence of the same secondary sequence above the random probability.
  • the above method provides a universal design framework of a sustainable and unpredictable sequence controllable and ordered generation device through a database design with a definite structure, compatible with different data formats and corresponding secondary sequence generation algorithms.
  • the amount of secondary sequence information output during each round of database update is not greater than the capacity of the main database.
  • the secondary sequence output from each round is unpredictable to outside observers, and
  • the spontaneously controllable and updated database is also unpredictable to outside observers, thereby achieving a controlled and orderly generation of sustainable unpredictable information.
  • the unpredictability of the information generated by the above methods can be proved strictly in theory, or the system can be improved by improving or adopting a specific method, a standard design scheme of the key generation device will be provided. Under this scheme, the theoretical security strength of the key generation system will be determined by the randomness of the database information and the database capacity, and ultimately depends on the database capacity.
  • the above-mentioned secondary sequence generation algorithm for generating keys and feedback information selects a modulo operation with irreversible unidirectional characteristics, uses random encoding, and makes the encoding length, sequence length, main database capacity, and secondary output during each update The number of sequences meets the requirements.
  • the above database evolves into an irreversible one-way evolution process, that is, the initial database can accurately evolve all descendant databases of a given algebra, but the previous generation database cannot be effectively detected based on the descendant database.
  • the irreversible one-way evolution characteristics of the above database allow us to rely on unpredictable information of limited capacity and to controllably and orderly generate more keys than the database capacity.
  • the above-mentioned standard key generation device can determine the basic type of the encryptor by the three basic parameters of sequence format, database capacity, and encoding length to meet different application requirements; at the same time, the algorithm, encoding form, database update method, cipher text organization format, and key distribution Diversity parameters such as form determine the diversity of the design of the cipher.
  • the invention also provides a method for generating high-quality random data.
  • a random number generator can be constructed by using the initialized undisclosed random database, running the database update randomly, and clearing the previous generation database in time. Run the database updates at random times during the program idle period or when the database is updated to improve the randomness of the system. Under long-term random operation of the system, even if the randomness of the initial sequence is not high, the generated sequence can gradually be completely random in the continuous operation.
  • the total amount of information of the unconditional security key generated by the basic mode is the same as the database capacity. It is used as a one-time key to encrypt the file information of the same amount of information to generate an unconditional secure ciphertext.
  • An exclusive shared encrypted database is used to establish a secure connection to establish an unconditional Safe information exchange system. Under the current technical conditions, the exclusive shared encrypted database with Tb capacity can meet the long-term security information exchange between the two parties in communication; using the 64Gb exclusive shared encrypted database that can be built in ordinary communication terminals, using high-quality audio or video communication with 1Mb information per minute, It can meet the 64000 minutes of secure communication. Combined with mobile storage technology, it can build an unconditionally secure communication network between certain "acquaintances" who exclusively share one-time encrypted databases in person. The application scope of the above-mentioned unconditional secure information exchange mode will be expanded with the rapid development of storage technology.
  • Basic mode key can control the basic parameters of the orderly generating device: key format, database capacity.
  • the amount of information that can be safely transmitted in the basic mode is not greater than the capacity of the encrypted database, and is a non-persistent mode.
  • the inventors used the unconditional security key generated by the basic mode as a one-time password, encrypting the required length of information larger than the amount of password information, increasing the amount of information that can be safely transmitted, and maintaining the one-time password generated by the system.
  • a surplus appears on the basis of the exclusive shared database update, so that correspondents can pass information through the surplus password to achieve sustainable secure information exchange.
  • the method is equivalent to reducing the information density of the unconditional key, increasing the amount of information that can be transmitted, and achieving sustainable information exchange.
  • the inventor divided the undisclosed random number sequence in the basic pattern database into equal-length fragments as the dilution sequence, so that the dilution sequence The number of expansions corresponds to multiples.
  • the system sequentially extracts the dilution sequence according to the requirements, and expands it in a certain way to determine the secondary sequence with the same format as the initial sequence from the extracted dilution sequence as a key, and generates a key with a larger amount of apparent information than the database capacity (dilution mode) ).
  • the information generated by the orderly generated keys in the dilution mode is independent of each other. You can achieve any level of security by setting a dilution sequence of any length.
  • the security of the encryption system is easy to control; its disadvantage is that it must be sacrificed. Key information density in exchange for sustainable communication.
  • the dilution mode key can control the basic parameters of the orderly generation device: key format, database capacity, dilution multiple; diversity parameters: sequence division method, expansion method or algorithm, etc.
  • the iterative method also provides a class of independent sustainable key controllable ordered generation schemes.
  • the significant numbers are extracted from the generated information without overlap, and a part of the iteration is generated.
  • Multi-digit numbers are used as the next input information, and part of them are used as the output sequence.
  • the unpredictability of the generated information is determined by the initial multi-bit value and various operation control parameters. These parameters are expressed in a formatted unpredictable sequence to form encrypted database information as the determining part of the key's unpredictability, and the rest as the public part of the encryptor.
  • the following methods are used, but not limited to the following methods. System-compatible and orderly generating device for sustainable unpredictable information.
  • the parameter database is composed of undisclosed random number sequences of the same format.
  • the sequence of elements in the number sequence constitutes parameter information that determines the number of groups.
  • Each group of parameter information includes input values, algorithm numbers, information allocation parameters, and dynamic iteration parameters.
  • the amount of information is N times the amount of input numerical information; set the amount of output information to be the same as the amount of input numerical information, and generate a secondary sequence from the parameter information in the N undisclosed random sequence;
  • step 3) Repeat step 3) to achieve unlimited and controlled and orderly generation of keys
  • Basic parameters of the iterative mode key controllable and ordered generation device key format, database capacity; diversity parameters: number of input values, length of output sequence, number of parameter information groups, etc .; when the number of parameter groups is 1, it is simple Iterative system.
  • a comprehensive sustainable key controllable and ordered generation system is constructed by, but not limited to, the following methods.
  • the keys can be generated in a controlled and orderly manner.
  • the keys generated by the above system have independent contents, and the quasi-keys generated by the combination method and the iterative method do not reduce the information density, so that the ones that are larger than the database information amount can be generated in an orderly manner and have independence from each other.
  • a securely distributable key for the content In addition to transmitting information, the system can safely share unpredictable information through cipher text, and regularly update the exclusive shared database, especially the dilution series database, to achieve sustainable security information exchange.
  • the above-mentioned key-controllable and orderly generating device securely shares new sources of unpredictable information through ciphertext into an open system, increasing the diversity of the database's controllable evolution, and can continuously introduce new information to correct possible systems caused by the initial database defect. Therefore, in the application, even if the method adopted can be proved to be absolutely reliable in methodology, the inventor still recommends constantly introducing new sources of unpredictable information to update the database, while effectively eliminating possible system defects, and avoiding long-term closed systems. Operation makes the initial shared database information of limited capacity a valuable target for brute force cracking.
  • Basic parameters of the integrated mode key controllable and orderly generating device key format, main database capacity, key generation mode, diluted database capacity; diversity parameters: algorithm, dilution sequence division method, dilution sequence expansion algorithm, database update method Wait.
  • Standard mode only the main database is selected; combined algorithm modules, sequence addition and multiplication are used;
  • Basic mode (unconditional security mode): only the main database is selected, and the algorithm is to directly extract the sequence;
  • Dilution mode only the dilution database is selected, and the dilution algorithm module is used;
  • Security mode a combination of standard mode and dilution mode, on which an algorithm and other modes are added.
  • the above-mentioned digitized and suitable type of key controllable and orderly generating device is written into a computer program, and information is sequentially retrieved from an encrypted database to generate a key.
  • the formatted unit coupled to the modem is used to convert the received information into a secret key.
  • the keyed format matches the formatted plaintext.
  • the key is used to encrypt the plaintext to generate a ciphertext that can be sent.
  • the ciphertext is decrypted and the decrypted plaintext is converted into outputtable decryption information through a formatting unit coupled to the modem to form an encryptor.
  • a dedicated encryptor is generated by initializing the encrypted database with unpredictable information to realize the information encryption-decryption; through the information security software constituted by public settings, the target correspondent can establish a secure connection only by exclusively sharing the encrypted database information, with the help of ordinary channels Passing cipher text that can only be identified between target correspondents, thereby establishing a universal information security system that meets different needs.
  • the amount of information carried in cipher text is close to the amount of file information.
  • Encryption-decryption is only performed at the communication terminal, and the formatting unit and the modem are coupled to realize the transmission and reception of information without delay, which is completely compatible with the current communication system.
  • the software can automatically complete the system maintenance and daily encryption, including the spontaneous update of the main database, the update of the diluted database by periodically exchanging unpredictable information (requires the system to connect a random information generator according to the present invention), and routine encryption.
  • Decryption work, at the same time convenient for users to update exclusive shared information at any time as needed.
  • Each of the above algorithms can convert ordinary input multiple digits into an operation result that can be determined by the input multiple digits and doubles the number of significant digits.
  • the effective number is extracted from the operation result according to the agreed rules; first, it is agreed that the extraction interval is 2 times the number of input digits. If the number of effective digits in the operation result is limited, the middle part is extracted. Continuous significant digits in the interval; for example, you can use 8-digit hexadecimal input values, select 4-19 digits of the 3rd power operation result, and 1 to 16 significant digits after the decimal point of the irrational operation result are used to extract the interval.
  • the odd sequence position element sequence generates an iterative value, and the even sequence position element sequence generates an output sequence.
  • the above-mentioned extracted sequence and template sequence together form an information distribution parameter, and the amount of information is the output sequence information. 4 times the amount;
  • the database uses a 4Kb information key and consists of 8192 elements with a value range of 16.
  • the parameter database contains 1024 sets of parameter information arranged in sequence; each set of parameter information includes an initial 8-digit hexadecimal input Value (4 bytes of information), an algorithm number (0.5 bytes), a group of information allocation parameters (16 bytes) consisting of 2 sequences of length and element value range 16 Dynamic iteration parameters of hexadecimal value (3.5 bytes of information); each group of parameters has 24 bytes of information and the parameter database capacity is 24Kb, which is composed of 6 undisclosed random number sequences with the same key format;
  • Key generation sequentially extract a set of parameter information from the parameter database, add the corresponding dynamic iteration parameters to the input value, generate an operation value through the corresponding numbered algorithm, and extract the parameter from the operation value according to the corresponding information distribution parameter Output sequence and iteration value, replace the input value in this group of parameter information with iteration value, and increase the dynamic iteration parameter value by 1 at the same time; complete the extraction, operation and update of 1024 groups of parameter information in sequence, and combine the output sequence order into one Key, used to generate serial number identification;
  • step 4) to achieve unlimited and controlled and orderly generation of keys
  • Basic parameters key format, database capacity; diversity parameters: number of input values, length of output sequence, algorithm library, number of parameter groups, etc .; when the number of parameter groups is 1, it is a simple iterative system.
  • the database consists of 256 undisclosed random number sequences with a length of 4096 (4K) and an element value range of 256.
  • the number of elements in the sequence is represented by 1 byte of information.
  • the amount of information in each sequence is 4Kb, which is called the seed sequence. Numbering up to 255, the numbering occupies 1 byte of information; using 16-byte encoding, the first 16 elements of the seed sequence constitute the working code, and the last 16 elements constitute the updating code.
  • the element values in the encoding correspond to the seed sequence number, and the encoding uses the seed to which it belongs. Consistent serial numbers; database capacity is 1Mb;
  • Algorithm according to the encoding information, extract a set of 16 seed sequences in sequence from the main database and number them from 0 to 15; multiply the selected seed sequence by the value 2n + 1, where n is the corresponding number of the seed sequence in this group , And then generate a secondary sequence by sequence addition;
  • the system sequentially extracts the update code, relies on the current database to generate 256 secondary sequence numbers, replaces the database in an orderly manner, automatically completes the orderly regeneration of the database, and then returns to step 3), generating less than the seed during each update.
  • the number of keys in the sequence makes it impossible for an illegal detector to construct a whole combination of possible equations through brute force cracking to crack the main database information (256 4096 in this example).
  • the number of attempts is 256 (4096x256) ;
  • Loops 3) and 4) continue to generate keys.
  • the above system becomes a random number sequence generator under random operation.
  • the database update is run randomly during the system output interval, so that the system sharing the initial database becomes unsynchronized after running for a period of time.
  • the system can adjust the parameters to generate a random sequence of the required length.
  • the system does not have high requirements for the randomness of the initial data. Under the correct design and standardized use, the system will gradually output randomness to a sequence that is absolutely random.
  • Basic parameters sequence format, database size, encoding length; diversity parameters: algorithm, database regeneration mode, etc.
  • Database including: the main database, composed of 65,536 undisclosed random numbers with a length of 4096 (4K) and an element value range of 256.
  • the number of elements in the sequence is represented by 1 byte of information, and the amount of information in each sequence is 4Kb.
  • the seed sequence number is numbered from 0 to 65535, and the number occupies 2 bytes of information; using 4Kb encoding, a secondary sequence is generated from 2048 seed sequences;
  • the encoding database has the same format as the main database, and contains 65536 codes, numbered from 0 to 65535; Another buffer database of the same format; the database capacity is 768Mb;
  • the algorithm extracts a set of 2048 seed sequences in sequence from the main database based on the encoded information and numbers them from 0 to 2047; multiplies the selected seed sequence by the value 2n + 1, where n is the corresponding number of the seed sequence in this group , And then generate a secondary sequence by sequence addition;
  • step 4 After the 65535 code in the coding database is used, the information in the coding database is emptied as a buffer database, the main database is changed to the coding database, the buffer database is changed to the main database, and the orderly regeneration of the database is automatically completed, and then returns to step 3);
  • Loops 3) and 4) continue to generate keys.
  • Basic parameters sequence format, database size, encoding length; diversity parameters: algorithm, database regeneration mode, etc.
  • the database consists of 1048576 (1M) undisclosed random number sequences with a length of 65536 (64K) and an element value range of 256.
  • the sequence elements are represented by 1 byte of information, and the amount of information in each sequence is 64Kb, which is defined as an information unit. Numbering from 0 to 1048575, each number occupies 2.5 bytes of information, and the database capacity is 64Gb;
  • the generated key information is independent of each other. It is an unconditional security key.
  • One-time use of encrypted equivalent file information can generate unconditional secure ciphertext.
  • the total amount of unconditionally secure file information that the system can transmit is equal to the database capacity.
  • the database consists of 1048576 (1M) undisclosed random number sequences with a length of 65536 (64K) and an element value range of 256.
  • the number of elements in the sequence is represented by 1 byte of information, and the amount of information in each sequence is 64Kb. It is defined as a seed. Number sequence; each seed sequence is sequentially divided into 16 dilution series with a length of 4096, the total number of dilution series is 16M, and the numbers are sequentially numbered, each number occupies 3 bytes of information; the database capacity is 64Gb;
  • the algorithm repeatedly arranges the dilution sequence 16 times to generate a 64Kb secondary sequence. It uses modular operation with an undisclosed random number sequence of the same format fixed in a system to cover the repeatability and generate a key;
  • the generated key information is independent of each other and the information density is reduced.
  • the same amount of encrypted file information is used at one time.
  • the ciphertext of the required key strength can be generated by adjusting the length of the diluted sequence.
  • the system can safely transfer files larger than the database capacity. Information, so that the way of exclusive shared database information can be updated in cipher text to achieve sustainable and secure communication.
  • Basic parameters sequence format, database size, dilution factor; diversity parameters: division method of dilution sequence, dispersion algorithm, etc.
  • database the format of the sequence is 65536 (64K), the element value range is 4096, and the amount of information is 96Kb; including: a) the main database, which contains 4096 seed sequences, numbered from 0 to 4095, and the number of information is 1.5 bytes; 24-byte combination coding, corresponding to 16 seed sequence numbers, the first 16 elements of each seed sequence form the working code, and the last 16 elements form the database update code, the number is consistent with the seed sequence; each group of 24 byte iteration parameters is used 6 elements are composed of 16 to 111 elements of each seed sequence, a total of 24,576 sets of iteration parameters; b) a dilution database containing 65536 sequences, each sequence is sequentially divided into 16 6Kb information-rich dilution sequences, the total number of which is 1048576 (1M), numbered from 0 to 1048575. Database capacity is about 6.4Gb;
  • each group of parameters includes an 8-digit hexadecimal initial input value (4 bytes of information), an algorithm number (0.5 bytes), and a group of 2 length and element values.
  • Iterative quasi-key generation extract a set of iteration parameters, add the corresponding dynamic iteration parameters to the input value, and generate an operation value through the corresponding numbering algorithm; select 4-19 digits of the third power operation, the 1 to 16 significant digits after the decimal point are the extraction interval to form a sequence; according to the extraction sequence in the information distribution parameter, the significant sequence corresponding to the element value is sequentially extracted from the extraction interval to form a sequence, and then a modular operation is performed with the template sequence to generate a sequence.
  • the first half of the elements generates an iterative value to replace the input value in the parameter information of the group, and the dynamic iteration parameter value is increased by 1, and the second half is used as the output sequence; 24576 groups of iteration parameter extraction and calculation are completed in order. And update, the output sequence is combined into an iterative quasi-key;
  • the system sequentially extracts the working code to generate a combined quasi-key, and the code is not reused; the diluted sequence is sequentially extracted, and it is repeatedly arranged 16 times to expand into a diluted quasi-key of 65536 in length and the diluted sequence Do not reuse; orderly generate iterative quasi-keys; use the modulo operation on the above 3 quasi-keys to generate a key, and use it to generate a serial number identifier;
  • the dilution database in the above system is a one-time database, and the number of one-time keys that can be generated is 1M, which can securely exchange 96Gb ciphertext information, which is greater than the amount of about 6.4Gb information in the database.
  • the communicating parties securely exchange the shared database updates through the undisclosed random sequence of 6.4Gb new sources in cipher text, and the remaining part is used to securely exchange file information to achieve sustainable and secure information exchange.
  • the system can automatically exchange database update information according to settings to achieve system self-maintenance.
  • Basic parameters sequence format, main database size, diluted database size; diversified parameters: key generation method, dilution factor, algorithm, database update method, etc.
  • the generated key is used as a one-time key to encrypt the file to generate the ciphertext, and the reverse process is used to decrypt the ciphertext to organize various elements
  • a computer program is generated to complete key generation, information encryption-decryption, transfer, and system maintenance spontaneously under the control of the computer, to achieve continuous and automated information security transfer, and to become an information security software; Personalize the design and initialize the database based on the input of unpredictable information, similar to the structure shown in Figure 7 above, and design an exclusive encryptor; it includes the following key units:
  • Algorithm library including various secondary sequence generation algorithms, key generation methods, encryption algorithms, etc., arrange the algorithms in order to form an algorithm library for the program to retrieve; as an option, a random number sequence generation program, using Generate random information from new sources for initialization or update of the encrypted database;
  • the control unit plans the structure of the encrypted database, connects the algorithm database and the database, and generates a one-time key in a controlled and orderly manner through the sequence control module. It automatically completes encryption-decryption and system maintenance updates to form a black box system. Users rely on only a few instructions and buttons to complete program initialization and automatic safety information transmission;
  • the user interface which prompts the user to select the key generation device type through the selection module.
  • the optional types include the above-mentioned standard mode, iterative mode, unconditional security mode, dilution mode, security mode, etc., and new device types can be developed;
  • Type of key generation device prompting the user to set basic parameters such as key format and main database size, as well as other diversity parameters; according to the selected parameters, the computer plans the database, prompts for input information, builds a database of corresponding structure and size, and completes data initialization Or update
  • the above software system combines the formatting unit and the input and output unit to form the public part of the encryptor.
  • the software parameters are set through the user interface, and the computer prompts the user to enter exclusive unpredictable information to complete the database initialization or update according to the parameter settings. Describe the exclusive encryptor of the structure shown in Figure 7;
  • Basic parameters key generation device type, sequence format, main database size, diluted database size; diversified parameters: key generation method, dilution multiple, algorithm, cipher text organization method, control process, database update method, key distribution method Wait.
  • the key to a secure data storage system is the long-term traceability of the key.
  • the system retains the initial encrypted database or the foremost updated database involved as the starting point for system synchronization and deduction; divides the key generation number by the number of key generations during each database update, and determines the number of database updates by the quotient.
  • the computer derives the corresponding database, determines the corresponding work code number from the remainder, and extracts the random code of the corresponding number to generate the corresponding serial key.
  • the maximum number of times that the computer can update the database can be set to 256 times.
  • the current conventional personal computer's memory and computing power can complete the above calculations within a reasonable time.
  • 5Gb encrypted files can be saved during the database backup; the interval is 256.
  • the encrypted file information that can be saved at the same time is 256 times the information of the encryptor database.
  • the encryption method is simple and straightforward. Generate the key sequentially, encrypt the formatted information to generate the main ciphertext, use the key generation serial number as the title and the main ciphertext to form the ciphertext, and store it securely through the public storage device; use the same encryption database according to the ciphertext title Generate the same key and decrypt the file.
  • the key to the safe transmission of intelligence is that the key information is not leaked.
  • the most secure way is that after the ciphertext is sent, the key is not traceable except for the target receiver, including the ciphertext sender himself.
  • the file owner generates a key in order, encrypts the file, organizes the ciphertext, deletes the encoding used, and sends the ciphertext; the target ciphertext receiver securely obtains the file information, deletes the corresponding encoding, and notifies the sender; if the database is synchronized, the two parties in the communication Update database information and erase irrelevant information in time to ensure that the history of the encryption process cannot be traced.
  • the 80-byte long encoding can ensure that even after the entire encryption system is hijacked, unauthorized persons cannot recover the key by brute-force cracking (the number of attempts is 256 80 ) within a reasonable time based on the existing information.
  • the key to real-time communication is the fast encryption-decryption process, which ensures that the exclusive shared database can be synchronized without requiring special traceability of the key. Shorter keys and codes are used, and smaller-scale databases are used.
  • a database of the above-mentioned size can be easily inserted into commonly used communication equipment.
  • Correspondents can share encrypted databases face-to-face exclusively, as additional information of contacts in the address book, to achieve secure communication through encrypted software.
  • Real-time communication requires application software to quickly and continuously encrypt and decrypt digital multimedia information such as text, audio and video. For example, processing 32 2Kb ciphertext per second can ensure high-quality multimedia real-time communication.
  • a modem coupled with a formatting unit is integrated with a multimedia digital signal conversion module of a communication terminal device, as a standard configuration of the communication terminal device, and realizes technically instantaneous and secure communication without delay.
  • Address book members use secure communication as the default communication mode.
  • the communication device automatically connects to the corresponding encrypted database to achieve real-time encrypted communication.
  • Correspondents can regularly and securely update the exclusive shared database when they meet to enhance their sense of security. According to the current portable communication device storage configuration, there can be thousands of secure communication partners on each communication device, and the number of secure communication partners can be considered unlimited.
  • the communication principals who establish a secure connection through an exclusive shared encrypted database also establish an undeniable direct authentication relationship. If the communication subject has different exclusive and secure communication partners, a network will be formed. The communication subject relies on network nodes, that is, "acquaintances" who know each other as a guarantee, to establish an indirect identity verification relationship.
  • a public "acquaintance” recognized by the public and having legal or administrative authority, that is, a certification center, can act as a guarantee intermediary to establish a legally valid digital identity verification system.
  • An individual becomes a registered user by exclusively sharing a digital signature database with a digital identity verification agency to obtain an identity identification number.
  • a total of 8 billion registered users worldwide need 2048Tb of storage;
  • the sender of the file uses his registration database information to generate a signature key, and multiply the corresponding sequence value by 2 and 1 to add the two ends of the binary number.
  • A as a divisor, divided by the file sequence value, and then taking the remainder to generate a sequence as a signature;
  • the signature information can be displayed in the corresponding physical document in the form of a multimedia signature such as two-dimensional code, audio and video noise, and the signature Information such as the serial number of the signing key, the name of the sender, the name of the certification center, the personal identification number, and the date are also marked for query confirmation; the marked information can be displayed using standard entities such as printed text and machine sounds, and the sender's Writing, recording or video signature, etc., together with the multimedia signature, form a physical signature;
  • the verifier sends the marked information to the certification center.
  • the certification center connects to the signer database to generate the corresponding signature key and sends it to the verifier.
  • the verifier uses the same rules to generate digital signature information, compares it with the corresponding signature information, and determines The legitimacy and data integrity of the information source;
  • the file owner provides both signature information and label information (signing key generation sequence number), and the recipient of the file decides whether to verify the legal source of the information, forming an asymmetric digital signature system dominated by the recipient of the file;
  • the owner can choose to use the signing key as a password to encrypt the file information.
  • the recipient of the file obtains the signing key from the certification center to decrypt the corresponding file according to the marked information, and then verifies the digital signature to form a symmetrical digital signature system that can be traced by both sending and receiving parties. .
  • the registrant can share the encrypted database information exclusively and securely with the certification center as a medium, establish a secure communication connection, and realize secure communication between non- "acquaintance" registered members;
  • the communication subject completes registration through a unique identification number, similar to a mobile phone number, and exclusively shares an encrypted database with the communication control center, becoming a registered user. 4096Tb storage can meet the needs of 8 billion users worldwide.
  • the communication control center generates the required shared encrypted database information, which is encrypted with the encrypted database shared by the applicant and the control center, and then transmitted to the applicant in cipher text to realize the encrypted database in the applicant. Exclusive sharing between them, establishing a secure communication connection.
  • the communication control center is only responsible for the transfer task, and the information transfer load carried by each transfer is only 512Kb, which is equivalent to a few seconds of call volume, which greatly reduces the workload of the communication control center.
  • all parties to the communication do not contact the encrypted database of the other party; the encrypted database of the parties to the communication remains secure in the absence of information leakage during the communication control center and transfer process.
  • the two parties of one-to-one communication can agree to retain the shared information and become "acquaintances". After that, they can directly conduct secure communication without transferring.
  • Changing the central control structure of the digital identity verification system or global network communication system into a branched structure can effectively decentralize the information transfer workload of the control agency in order to establish a secure communication directly between the branch control agency and registered users
  • a full-coverage network identity verification system that effectively traces all incoming information.
  • the communication subject shares the encrypted database with the nearest network management organization (network management), obtains the identification number, and becomes a registered user; the current network management backs up the shared information to the branch network management to which the registered user belongs, until Global Network Management Center.
  • network management network management organization
  • the above-mentioned encryptor including the registered encrypted database will become an Internet pass for registered users, which can be built into the network card as a standard plug-in for the modem.
  • the sender uses the network card to sequentially generate the key to encrypt the information in a set of 1Kb.
  • the key generation sequence number is used as the subtitle.
  • the 3-byte subtitle can hold 16M keys at the same time and cache 16Gb information.
  • the end network administrator connects the sender's encrypted database according to the packet header and subtitle, retrieves the corresponding key, and directly decrypts the ordinary information (the decrypted information can be cipher text).
  • the subtitle is replaced with the end network management identification number and converted into legal information. Release.
  • the header line of legal information contains the sender's and end network management identification numbers, so that the source of the information can be traced back; illegal information becomes garbled through the above conversion.
  • the end network administrator re-encrypts the information with its own encryptor after verifying the information, adds the sender and each level of network management identification number, and verifies, re-encrypts, and releases the information step by step until the receiver's end network management uses the accept
  • the network card key of the user is encrypted to complete the information transmission, ensuring that the information transmission chain is complete and traceable.
  • each branch network administrator allocates appropriate buffer storage space to store the encrypted database of users in different places; after the buffer storage is exhausted, free up space for new users in accordance with the first-in, first-out principle to avoid frequent data handling and reduce the cost of remote communication ;
  • the end network management of hot tourist areas can appropriately increase storage space and reasonably increase communication prices.
  • the above-mentioned entire information transfer process is automatically completed by the network card, and the user cannot feel it. Because the information processing is mainly completed by the end network management, and the effective information content in the information packet is close to 100%, under normal circumstances, it has little effect on the transmission speed of ordinary information, and the registered information may be congested when the upper-level network management is overloaded.
  • the above network identity verification system has both network communication and digital identity verification functions.
  • Security mode keys are generated by combining quasi-keys, iterative quasi-keys and diluted quasi-keys; 96Kb keys with element values ranging from 4096; 384Mb main database with 4096 seed sequences; 6Gb dilution database with dilution multiples 16; Encrypted database capacity is 6.4Gb.
  • the above-mentioned software and the encrypted database determined by the encrypted database are made into a USB military identification card.
  • a copy of the encrypted database is stored centrally in the headquarters, and one copy is stored in the headquarters of the military at all levels.
  • the identification tag is carried by soldiers as the final proof of their active status.
  • the headquarters regularly updates relevant information according to personnel changes to ensure information security and smooth communication. 2.56 million soldiers need 16Pb of headquarters storage capacity.
  • the identification card of the person in charge of the army's telecommunications When communicating, the identification card of the person in charge of the army's telecommunications will become the default encryptor for orders given by the higher-level organization to the army. Set different levels of security according to the confidentiality of the command.
  • Secret files marked AA, are encrypted and decrypted using the encrypted database of the person in charge of the telecommunications department.
  • the title of the cipher text includes the troop number and key generation serial number.
  • Top-secret documents defined as AAAA.
  • the combined quasi-key is generated using the encrypted database of the person in charge of the army telecommunications, and the iterator quasi-key is generated by the encryptor of the army leader.
  • the two soldiers of the affiliated army are randomly selected and ordered, and eight consecutive dilution series are selected from their dilution database.
  • a high-information-density sequence that is combined with a combination and iterative quasi-key to generate an unconditional security key.
  • the title of the cipher text is based on the AAA grade, adding the military identification number and the corresponding serial number of the first dilution.
  • High-class documents can ensure that even in extreme cases where military personnel's USB identification plate information is leaked in key locations and a small number of personnel in the army are held hostage or counter-insured, the command is still transmitted to the greatest extent possible.
  • the program also provides an irregular confirmation method under the witness of the core members of the army to ensure that in the army that is isolated from the headquarters to perform top-secret tasks, the military USB tag is held by a legal person.
  • the above scheme can also be used to build police and diplomatic security communication systems. After adjustment to ensure that the required security standards are met, banks, governments, and commercial security communication systems will be built by simplifying relevant procedures and improving efficiency.
  • the unconditional security key that is generated in a controlled and orderly manner is used to encrypt the file information with the same amount of information to generate an unconditional security ciphertext.
  • An exclusive shared encrypted database is used to establish a secure connection to achieve unconditional secure communication.
  • the shared encrypted database can meet the unconditional secure information exchange of a certain information exchange density for a long period of time between the communicating parties. For example, using high-quality audio or ordinary quality video communication with 1Mb of information per minute, 256Gb shared information can meet 250,000 minutes and about 4,000 hours of communication, which is equivalent to 2 years of uninterrupted working communication.
  • the above system is used for military security communication. It uses 10Pb central storage device to serve 40,000 end users, and promotes the unconditional and secure information security system to even the first-level grass-roots telecommunications institutions.
  • the one-time security keys with the same information volume are dispersed It is stored in the USB identification card of each soldier, for example, a 4Gb one-time security key is stored in each soldier's USB identification card, which can realize unconditional and secure command transmission and confidential information reporting in high-density communication.
  • the foregoing outlines different aspects of a method of providing information required by a key generation device, an encryption device, a key generation and distribution system, an information security delivery system, and / or a method of implementing other steps through a program.
  • the program part in the technology may be considered as a "product” or “article” in the form of executable code and / or related data, which is participated or realized through a computer-readable medium.
  • the tangible, permanent storage medium may include memory or storage used by any computer, processor, or similar device or related module. For example, various semiconductor memories, magnetic tape drives, magnetic disk drives or similar devices capable of providing storage functions for software.
  • All software or parts of it may sometimes communicate over a network, such as the Internet or other communication networks.
  • This type of communication can load software from one computer device or processor to another.
  • a hardware platform loaded from a server or host computer of an IoT system to a computer environment, or other computer environment that implements the system, or a system with similar functions related to providing information required by the IoT. Therefore, another medium capable of transmitting software elements can also be used as a physical connection between local devices, such as light waves, radio waves, electromagnetic waves, etc., and is transmitted through cables, optical cables, or air.
  • the physical medium used for carrier waves, such as electrical cables, wireless connections, or fiber optic cables, can also be considered as the medium that carries the software.
  • tangible “storage” media is restricted, other terms referring to computer or machine "readable media” refer to media that participates in the execution of any instruction by a processor.
  • a computer-readable medium may take many forms, including tangible storage media, carrier wave media, or physical transmission media.
  • Stable storage media may include: optical disks or disks, and storage systems used in other computers or similar devices that can implement the system components described in the figures.
  • the unstable storage medium may include dynamic memory, such as the main memory of a computer platform.
  • Tangible transmission media may include coaxial cables, copper cables, and optical fibers, such as the lines that form a bus inside a computer system.
  • the carrier wave transmission medium can transmit electrical signals, electromagnetic signals, acoustic signals or light signals. These signals can be generated by radio frequency or infrared, visible light, and acoustic data communication methods.
  • Common computer-readable media include hard disks, floppy disks, magnetic tapes, any other magnetic media; CD-ROM, DVD, DVD-ROM, any other optical media; punch cards, any other physical storage media containing a small hole pattern; RAM, PROM , EPROM, FLASH-EPROM, any other memory chip or tape; carrier wave for transmitting data or instructions, cable or connection device for transmitting carrier wave, any other program code and / or data that can be read by computer.
  • a processor executes instructions and passes one or more results.
  • Module in this application refers to logic or a set of software instructions stored in hardware, firmware.
  • the “module” referred to herein can be executed by software and / or hardware modules, or stored in any kind of computer-readable non-transitory medium or other storage device. Modules can be implemented by sub-circuits.
  • a software module can be compiled and linked into an executable program. Obviously, the software module here can respond to the information passed by itself or other modules, and / or can respond when certain events or interruptions are detected.
  • a software module may be provided on a computer-readable medium, and the software module may be configured to perform operations on a computing device (e.g., the processor 220).
  • the computer-readable medium herein may be an optical disk, a digital optical disk, a flash disk, a magnetic disk, or any other kind of tangible medium.
  • Software modules can also be obtained through the digital download mode (the digital download here also includes the data stored in the compressed package or installation package, which needs to be decompressed or decoded before execution).
  • the code of the software module herein may be partially or wholly stored in a storage device of a computing device that performs an operation, and applied to the operation of the computing device.
  • Software instructions can be embedded in firmware, such as erasable programmable read-only memory (EPROM).
  • a hardware module may contain logic units connected together, such as gates, flip-flops, and / or programmable units, such as a programmable gate array or processor.
  • modules or computing devices described herein are preferably implemented as software modules, but may also be represented in hardware or firmware.
  • the modules mentioned here are logical modules and are not limited by their specific physical form or memory.
  • a module can be combined with other modules or separated into a series of sub-modules.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in the present invention are a key generation apparatus (100), an encryption and decryption apparatus (700), a key generation and distribution system, and an information secure transmission system. The key generation apparatus (100) comprises: a system information module (101) configured to store system information of the key generation apparatus; a key generation module (102) configured to orderly and controllably generate, according to the system information, unpredictable information as a key, and use same to generate a serial number as the corresponding key serial number; and a transmission module (103) configured to send the key serial number to a paired key generation apparatus (200), wherein the paired key generation apparatus (200) stores second system information corresponding to the system information.

Description

密钥生成装置、加密解密装置、密钥生成和分发系统以及信息安全传递系统Key generation device, encryption and decryption device, key generation and distribution system, and information security delivery system
本公开要求于2018年6月21日递交的中国专利申请第201810643471.2号的优先权,在此全文引用上述中国专利申请公开的内容以作为本申请的一部分。This disclosure claims priority from Chinese Patent Application No. 201810643471.2, filed on June 21, 2018, and the contents of the above-mentioned Chinese patent application disclosure are incorporated herein by reference in its entirety as part of this application.
技术领域Technical field
本发明涉及信息安全领域,更具体地,本发明涉及密钥生成装置、加密解密装置、密钥生成和分发系统以及信息安全传递系统。The present invention relates to the field of information security, and more particularly, the present invention relates to a key generation device, an encryption and decryption device, a key generation and distribution system, and an information security delivery system.
背景技术Background technique
信息安全的重要性毋庸置疑。在计算机和全球互联通讯技术高度发达的今天,信息的安全传递和存储至关重要。信息加密是实现信息安全的重要手段。通过信息加密技术将文件转化为密文,如果密文只能被授权方破解,确保其对于非法截获者没有意义,信息就可以通过密文形式,充分利用现有通讯技术便利,在目标通讯主体之间安全传递。因此,具有密文理论上不可破解的加密方法是信息安全的核心。满足安全性前提下,加密-解密和信息传递过程的便捷性以及方法的通用性也影响着具体信息安全系统的应用范围。The importance of information security is beyond doubt. Today, with the highly developed computer and global interconnected communication technology, the secure transmission and storage of information is of vital importance. Information encryption is an important means to achieve information security. Documents are converted into cipher text using information encryption technology. If the cipher text can only be cracked by the authorized party to ensure that it has no meaning to the illegal interceptor, the information can be in cipher text form, making full use of the existing communication technology to facilitate the targeted communication subject. Safely passed between. Therefore, having a ciphertext theoretically unbreakable encryption method is the core of information security. Under the premise of meeting security, the convenience of the encryption-decryption and information transfer process and the universality of the methods also affect the application scope of specific information security systems.
现代密码学的重要奠基者香农证明,采用不小于文件信息量的密钥加密文件,通过合适方法生成的密文可忠实承载文件信息,在确保密钥信息不泄露且同一密钥不重复使用的前提下,上述密文理论上不可破解。以上方式香农称之为One-time Pad方式(OTP),即,一次性乱码本方式。Shannon, an important founder of modern cryptography, proves that a file is encrypted with a key that is not less than the amount of file information, and the ciphertext generated by a suitable method can faithfully carry the file information, ensuring that key information is not leaked and the same key is not reused. Under the premise, the above ciphertext is theoretically unbreakable. The above method is called the One-time Pad method (OTP), that is, the one-time garbled book method.
OTP是目前唯一现实可行的理论上绝对安全的加密方案。量子加密方案理论上不可破解,但广泛应用前尚需技术突破。受限于密钥不能重复使用,OTP所能安全传递的信息量不能大于密钥本所含信息量,限制了其使用。因此,一种能产生大量安全密钥且能将其便捷、安全分发的方法将可在充分利用OTP方案理论上绝对安全的基础上,克服其固有局限性,解决信息安全的根本问题。OTP is currently the only realistic and absolutely secure encryption scheme in theory. Quantum encryption schemes are theoretically unbreakable, but technical breakthroughs are still needed before widespread application. Limited by the key cannot be reused, the amount of information that OTP can safely transmit cannot be greater than the amount of information contained in the key book, which limits its use. Therefore, a method that can generate a large number of security keys and distribute them conveniently and securely will overcome the inherent limitations and solve the fundamental problems of information security on the basis of making full use of the theoretically absolute security of the OTP scheme.
发明内容Summary of the Invention
本发明将着重解决作为安全密钥的不可预测信息的生成和安全分发问题,在此基础上建立信息安全传递方案和信息安全系统。The present invention will focus on solving the problem of generating and distributing unpredictable information as a security key, and based on this, establish an information security delivery scheme and an information security system.
在描述本发明的实施例之前,首先定义下列概念:Before describing the embodiments of the present invention, the following concepts are first defined:
信息:信息为某种符号或信号,可被特定主体探测、感知、识别,用于主体之间的相互作用和交流;用于交流的信息,其符号或信号还应该满足能被交流主体有目的的生成、发送、接收、识别、重现。物质层面上,信息是某种信号,包括声波、光波、电磁、电子、放射信号等,可通过合适方式被特定主体生成、发送、探测、感知、识别。技术层面上,可识别信号能被分解为由强度、时空分布以及其它可分辨的有限属性确定和区分的不同信号基元,信号可表示为信号基元的有序组合从而可被识别而成为信息。通过信号基元概念可实现信息的抽象化,将信号基元抽象化为符号,由统一格式的容易被感知和区分的信号,例如图形、间隔脉冲波等承载和表示,形成一个由相互独立的正交符号组成的集合,每种符号代表一种信息基元,最终将物理形式的信号转化为一一对应的抽象符号序列。符号序列可进一步由非负整数数列精确表示,数列元素的取值范围对应独立正交符号的数量N,数列元素取0到N-1之间的整数;数列最终可用二进制数列表示,由计算机接收、识别、存储、加工和发送,从而成为数字化信息。Information: Information is a certain kind of symbol or signal, which can be detected, perceived, and identified by specific subjects, and used for interaction and communication between subjects. For information used for communication, its symbols or signals should also satisfy the purpose of being able to be communicated by the subject. Generate, send, receive, identify, and reproduce. At the material level, information is some kind of signal, including sound waves, light waves, electromagnetic, electronic, radiation signals, etc., which can be generated, sent, detected, sensed, and identified by specific subjects in a suitable way. At the technical level, identifiable signals can be decomposed into different signal primitives determined and distinguished by intensity, spatiotemporal distribution, and other distinguishable finite attributes. Signals can be expressed as an ordered combination of signal primitives and can be identified as information . The concept of signal primitives can be used to abstract information. Signal primitives are abstracted into symbols. They are carried and represented by signals in a uniform format that can be easily perceived and distinguished, such as graphics and interval pulse waves. A set of orthogonal symbols, each symbol representing a kind of information primitive, and finally transforming the signal in physical form into a one-to-one corresponding sequence of abstract symbols. The sequence of symbols can be further accurately represented by a sequence of non-negative integers. The range of the number of elements in the sequence corresponds to the number N of independent orthogonal symbols. The number of elements in the sequence is an integer between 0 and N-1. The sequence can be represented by a binary sequence and received by the computer. , Identify, store, process, and send to become digital information.
不可预测信息:密码学上,任何已公开信息,或根据已知信息或易推测有限信息通过已知规律生成的信息,无论公开和对应规律所知范围多么有限,都可能被用于预测目的;因此,不可预测信息可定义为未公开且不通过已知规律生成的信息。方法学上,未公开纯随机信息,即未公开纯随机符号序列,或未被可沟通主体探测、识别、使用过的信号基元随机序列,符合不可预测要求,也是唯一符合不可预测要求的信息。密码学中,信息量为N字节的密钥,其密钥空间即不同可取值个数为256 N;类似地,定义信息空间,信息量为N字节信息的信息空间为256 N。方法学上,如果一个信息的随机性,即可能取值,无偏好地投射于其整个信息空间,则技术上认为该信息不可预测。本发明中,所述不可预测信息包括由上述所定义的符合密码学应用实际的不可预测信息,将满足上述不可预测要求的循环周期远大于对应密钥信息空间的伪随机信息看作不可预测信息,从而实现依靠有限容量的初始不可预测信息,生成数量可按需求扩大的不可预测信息作为密钥。密码学上,任何用过 的密钥都可能因其所承载信息日后被公开从而可通过被截获密文有效预测其中信息,因此,不可预测性隐含着密钥只能使用一次。因此,在本发明中,将未公开纯随机信息和不可预测信息作为同义词并根据不同语境相互替换。 Unpredictable information: In cryptography, any published information, or information generated by known rules based on known information or easily inferred limited information, may be used for prediction purposes no matter how limited the scope of public and corresponding laws is; Therefore, unpredictable information can be defined as information that is not disclosed and that is not generated by known rules. Methodologically, no purely random information is disclosed, that is, no purely random symbol sequence is disclosed, or a random sequence of signal primitives that has not been detected, identified, or used by a communicable subject, which meets the unpredictable requirements and is also the only information that meets the unpredictable requirements. . In cryptography, a key with an information volume of N bytes has a different key space of 256 N ; similarly, an information space is defined, and the information space with an information volume of N bytes is 256 N. Methodologically, if the randomness of an information, that is, its possible value, is projected onto its entire information space without preference, then the information is technically considered unpredictable. In the present invention, the unpredictable information includes the unpredictable information defined in accordance with the actual application of cryptography, and the pseudo-random information that meets the unpredictable requirements is much larger than the corresponding key information space is regarded as unpredictable information , So as to achieve the initial unpredictable information relying on a limited capacity, and generate an amount of unpredictable information that can be expanded as needed as a key. In cryptography, any used key may be disclosed in the future because of the information it carries, which can effectively predict the information by intercepting the ciphertext. Therefore, the unpredictability implies that the key can only be used once. Therefore, in the present invention, undisclosed pure random information and unpredictable information are used as synonyms and are replaced with each other according to different contexts.
数列:现代信息学中,可识别信息可通过非负整数数列表示,数列元素可取0到n-1之间的整数,将n定义为数列元素取值范围。由m个取值范围为n的元素组成的不同数列个数为n m,包含N字节信息量,N由n m=256 N确定;仿照信息空间定义,将n m定义为对应数列的序列空间。本发明描述中将数列限定为非负整数数列,由于任何数列均可与一个非负整数数列一一对应,上述限定不影响本发明叙述的代表性。数列由取值范围相同的元素顺序组成,将元素个数及元素取值范围定义为数列的格式,相同格式的数列承载相同的信息量,具有相同的序列空间。对应的,本发明论述中,将未公开纯随机数列和不可预测数列作为同义词并可根据不同语境相互替换。数列形式的信息可与二进制信息相互转化从而方便计算机处理。 Sequence: In modern informatics, identifiable information can be represented by a sequence of non-negative integers. The elements of the sequence can be integers between 0 and n-1, and n is defined as the value range of the sequence elements. The number of different sequences consisting of m elements with a value range of n is n m , containing N bytes of information, N is determined by n m = 256 N ; following the definition of the information space, n m is defined as the sequence of the corresponding sequence space. In the description of the present invention, the sequence is limited to a non-negative integer sequence. Since any sequence can correspond one-to-one with a non-negative integer sequence, the above limitation does not affect the representativeness of the description of the invention. A sequence consists of the same element sequence with the same value range. The number of elements and the range of element values are defined as the format of the sequence. Sequences of the same format carry the same amount of information and have the same sequence space. Correspondingly, in the discussion of the present invention, the undisclosed pure random number sequence and the unpredictable number sequence are used as synonyms and can be replaced with each other according to different contexts. Information in the form of numbers can be converted into binary information to facilitate computer processing.
在上述定义的基础上,本发明首先解决可用作安全密钥的不可预测信息的生成和安全分发问题。Based on the above definitions, the present invention first solves the problems of generating and distributing unpredictable information that can be used as a security key.
根据本发明的实施例,提供了一种密钥生成和发送装置,包括:According to an embodiment of the present invention, a key generation and sending device is provided, including:
系统信息模块,配置为存储所述密钥生成装置的系统信息;A system information module configured to store system information of the key generation device;
密钥生成模块,配置为根据所述系统信息,可控有序生成不可预测信息作为密钥,并用其生成序号作为对应密钥序号;以及A key generation module configured to controllably and orderly generate unpredictable information as a key and use the generated serial number as a corresponding key serial number according to the system information; and
传输模块,配置为将所述密钥序号发送给配对的密钥生成装置,其中所述配对的密钥生成装置存储有与所述系统信息相对应的第二系统信息。The transmission module is configured to send the key serial number to a paired key generation device, wherein the paired key generation device stores second system information corresponding to the system information.
具体地,本发明提出一个不可预测信息可控有序生成概念,在此基础上设计一个信息可控有序生成装置,使之可依靠系统信息通过序号控制有序生成可凭借生成序号追溯的不可预测信息。然后,将所述不可预测信息作为密钥,形成密钥可控有序生成装置。根据需求利用所述装置有序生成密钥并用其生成序号标记,通过生成序号在空间和时间上分离的相同或相对应的密钥生成装置之间同步生成或再现对应密钥,实现密钥在排他性共享相同或相对应的密钥生成装置的主体之间安全分发,构建一个密钥生成和安全分发系统。Specifically, the present invention proposes the concept of controllable and orderly generation of unpredictable information. Based on this, a controllable and orderly generation device for information is designed to enable the orderly generation of serial numbers through the serial number control based on system information. Forecast information. Then, the unpredictable information is used as a key to form a controllable and orderly key generation device. Use the device to sequentially generate keys according to requirements and use them to generate serial number tags, and generate or reproduce corresponding keys synchronously between the same or corresponding key generation devices that are separated in space and time by serial numbers, so that keys can be used in Exclusively share the same or corresponding key generation devices with secure distribution among the subjects, and build a key generation and secure distribution system.
可选地,所述系统信息模块进一步包括数据库模块,配置为存储不可预测信息,控制模块,配置为通过固定程序和参数控制密钥生成以及其他系统过程,并且所述密钥生成模块在控制模块控制下从数据库模块中有序提取存 储的不可预测信息作为密钥,并用其生成序号作为密钥序号,并反馈给控制模块更新其中的序号控制参数,且能根据配对的相同或相对应密钥生成装置生成的密钥序号,依靠所述数据库信息生成与所述序号对应的密钥。Optionally, the system information module further includes a database module configured to store unpredictable information, a control module configured to control key generation and other system processes through fixed programs and parameters, and the key generation module is in the control module Orderly extract the stored unpredictable information from the database module as the key under the control, and use its generated serial number as the key serial number, and feed it back to the control module to update the serial number control parameters, and can be based on the same or corresponding key paired The key serial number generated by the generating device depends on the database information to generate a key corresponding to the serial number.
可选地,配对的密钥生成装置及其系统信息与所述密钥生成装置及其系统信息完全相同。Optionally, the paired key generation device and its system information are completely the same as the key generation device and its system information.
在另一个实施例中,配对的密钥生成装置的数据库中存储的系统信息可以与所述密钥生成装置的数据库中存储的信息系统是镜像关系。In another embodiment, the system information stored in the database of the paired key generation device may be in a mirror relationship with the information system stored in the database of the key generation device.
另一个实施例中,配对的密钥生成装置的数据库中存储的系统信息可以与所述密钥生成装置的数据库中存储的信息系统是按照预定方式偏移的偏移关系。In another embodiment, the system information stored in the database of the paired key generation device may be offset from the information system stored in the database of the key generation device in a predetermined manner.
可选地,所述系统信息模块进一步包括:Optionally, the system information module further includes:
控制模块,配置为通过固定程序或参数控制不可预测信息的生成;A control module configured to control the generation of unpredictable information through a fixed program or parameter;
动态信息模块,配置为提供待处理的输入信息;Dynamic information module configured to provide pending input information;
信息处理模块,配置为根据控制模块的控制,通过预定算法将动态信息模块提供的输入信息转化为生成信息,并且从生成信息中提取部分信息作为不可预测信息以用于生成密钥,另外部分信息作为反馈信息提供给所述动态信息模块以保持其稳定更新。The information processing module is configured to convert the input information provided by the dynamic information module into generated information through a predetermined algorithm according to the control of the control module, and extract part of the information from the generated information as unpredictable information for generating a key, and other information The feedback information is provided to the dynamic information module to keep it updated steadily.
本申请另一实施例中初步证明了通过上述反馈机制可实现动态信息的不可逆单向演化,即通过选择合适信息处理方法,从初始动态信息出发可演化出后面的所有动态信息,但根据后面的动态信息以及所有的已公开密钥信息无法通过合理数量的步骤确定和推演出前面的动态信息。所述不可预测动态信息的不可逆单向演化特点为安全密钥的持续生成奠定了基础。In another embodiment of the present application, it has been initially proved that the irreversible one-way evolution of dynamic information can be achieved through the above feedback mechanism, that is, by selecting an appropriate information processing method, all subsequent dynamic information can be evolved from the initial dynamic information. Dynamic information and all public key information cannot be determined and derived from previous dynamic information in a reasonable number of steps. The irreversible one-way evolution characteristics of the unpredictable dynamic information lay the foundation for the continuous generation of security keys.
可选地,所述动态信息模块包括输入信息子模块,配置为接收不可预测信息作为初始的输入信息,Optionally, the dynamic information module includes an input information sub-module configured to receive unpredictable information as initial input information,
所述信息处理模块通过迭代信息处理方式,将输入信息转换为可由输入信息确定的信息量扩大的生成信息,按照预定方式从所述生成信息中提取相互不重叠部分的第一部分与输入信息等量的信息作为迭代信息反馈到输入信息子模块作为下一步的输入信息,并且提取相互不重叠部分的第二部分作为不可预测信息以用于生成密钥。The information processing module converts the input information into generated information that can be expanded by an amount of information determined by the input information through an iterative information processing method, and extracts a first portion of the non-overlapping portion from the generated information in an equal amount as the input information in a predetermined manner. The information is fed back to the input information sub-module as iterative information as input information for the next step, and the second part that does not overlap with each other is extracted as unpredictable information for generating a key.
可选的,所述动态信息模块包括数据库子模块,设置为存储预定数量的不可预测信息,所述信息处理模块根据控制模块的控制,依靠所述数据库子 模块中的信息可控有序生成预先确定数量的不可预测信息作为密钥,并用其生成序号作为对应密钥序号,然后生成另外的不可预测信息作为数据库再生信息反馈给数据库子模块用以更新数据库子模块中信息,信息处理模块依靠更新后的数据库子模块中信息继续生成密钥。Optionally, the dynamic information module includes a database sub-module configured to store a predetermined amount of unpredictable information, and the information processing module is controlled by the control module and relies on the information in the database sub-module to controllably and orderly generate the advance information. Determine a certain amount of unpredictable information as a key, and use its generated serial number as the corresponding key serial number, and then generate additional unpredictable information as database regeneration information and feed it back to the database submodule to update the information in the database submodule. The information processing module relies on the update The information in the subsequent database submodules continues to generate keys.
本申请的实施例中引入可增殖编码信息概念:通过数据库生成编码信息;编码信息的具体形式和内容由数据库中存储的信息决定,编码决定信息生成过程所对应的全部数据结构关系,通过编码可依靠相同数据库完全复原对应信息;编码与信息的具体形式和内容相互独立,可通过有限信息量的编码跟踪和操控形式和内容不受限制的信息,实现信息可控有序生成;The embodiment of the present application introduces the concept of proliferative encoding information: the encoding information is generated through a database; the specific form and content of the encoding information is determined by the information stored in the database, and all data structure relationships corresponding to the encoding determination information generation process can be obtained through encoding. Rely on the same database to completely restore the corresponding information; the specific form and content of the coding and information are independent of each other, and the information can be generated and controlled in an orderly manner through the limited information amount of coding tracking and manipulation of unrestricted form and content information;
进一步引入可增殖信息概念,通过数据库信息间的随机组合生成数量扩大的子代信息,使信息可通过数据库传代实现增殖成为可增殖信息,通过不断随机传代增殖扩大子代信息的取值空间,最终使所述取值空间达到对应格式信息的信息空间,从而使通过随机方式选出的子代信息不可预测,随机选取所述增殖后的子代信息替代原有数据库信息,实现数据库中不可预测信息的有效再生;Further introduce the concept of proliferative information, and generate an expanded number of progeny information through a random combination of database information, so that the information can be proliferated through the database to become proliferable information, and the value space of the progeny information can be expanded through continuous random passage of proliferation. Make the value space reach the information space of the corresponding format information, so that the child information selected in a random manner is unpredictable, and the proliferated child information is randomly selected to replace the original database information to achieve unpredictable information in the database Effective regeneration
在所述编码信息和可增殖信息概念基础上,引入可增殖编码信息概念,可增殖信息根据其生成时的数据库信息间组合及全部相关数据结构关系进行编码,成为可增殖编码信息;根据可增殖编码信息概念设计数据库,包括主数据库和编码数据库,主数据库提供待加工的具体格式的信息,通过编码跟踪和操控信息的生成和传代,实现不可预测信息的可控有序生成和不可预测数据库的自发可控再生。On the basis of the encoding information and the concept of breedable information, the concept of breedable coding information is introduced, and the breedable information is encoded according to the combination of database information and all related data structure relationships when it is generated, and becomes the breedable encoded information; The coding information concept design database includes a main database and a coding database. The main database provides information in a specific format to be processed. Through coding tracking and manipulation of information generation and generation, the controllable and orderly generation of unpredictable information and the unpredictable database are realized. Spontaneous controlled regeneration.
可选地,所述动态信息模块包括数据库子模块,所述数据库子模块包括存储预定数量的不可预测信息单元的主数据库,以及存储预定数量的不可预测信息编码形成的编码数据库,其中编码的数量大于数据库子模块中存储的不可预测信息单元的数量,Optionally, the dynamic information module includes a database submodule, the database submodule includes a main database storing a predetermined number of unpredictable information units, and a coding database formed by coding a predetermined number of unpredictable information, wherein the number of codes is Greater than the number of unpredictable information units stored in the database submodule,
所述控制模块从编码数据库中有序提取编码,根据编码信息从主数据库中提取多个不可预测信息单元作为一组输入信息传递给所述信息处理模块,编码不重复使用同时顺序更新序号控制信息,The control module sequentially extracts codes from the coding database, extracts a plurality of unpredictable information units from the main database according to the coding information, and passes them as a set of input information to the information processing module. The codes are not repeatedly used and the sequence number control information is sequentially updated. ,
信息处理模块将一组输入信息通过组合生成一个次生信息,The information processing module combines a group of input information to generate a secondary information.
信息处理模块可控有序生成预定数量的次生信息作为不可预测信息用于生成密钥,并且用每个不可预测信息的生成序号作为密钥序号,The information processing module can control the orderly generation of a predetermined number of secondary information as unpredictable information for generating a key, and use the generation sequence number of each unpredictable information as the key sequence number.
生成预定数量的密钥后,信息处理模块有序可控生成与数据库子模块中存储的不可预测信息数量相同的次生信息作为数据库再生信息反馈给数据库子模块以更新数据库子模块中信息。After the predetermined number of keys are generated, the information processing module generates the secondary information in the same amount as the unpredictable information stored in the database sub-module in an orderly and controllable manner as database regeneration information and feeds it back to the database sub-module to update the information in the database sub-module.
本申请另一实施例从理论上初步证明了正确利用所述可增殖编码信息概念,在保持数据库子模块中初始信息不可预测的情况下,所生成的每个次生信息对非初始信息拥有者而言不可预测,并且根据已公开的所有次生信息无法有效探测数据库子模块中的信息。Another embodiment of the present application preliminarily and theoretically proved the correct use of the concept of the proliferative coding information. When the initial information in the database submodule is kept unpredictable, each secondary information generated is for the non-initial information owner. It is unpredictable and cannot detect the information in the database submodule effectively based on all the published secondary information.
可选地,所述传输模块还配置为接收从所述配对的密钥生成装置发送的密钥序号,Optionally, the transmission module is further configured to receive a key sequence number sent from the paired key generation device,
所述密钥生成模块进一步配置为根据接收的密钥序号,通过所述系统信息,生成与所述序号对应的解密密钥。The key generation module is further configured to generate a decryption key corresponding to the serial number through the system information according to the received serial number of the key.
根据本申请另一实施例,提供了一种加密解密装置,包括:According to another embodiment of the present application, an encryption and decryption device is provided, including:
如前面实施例所述的密钥生成装置,配置为生成一次性密钥,其中所述控制模块增加功能同时作为整个加密装置的控制模块;The key generation device according to the previous embodiment is configured to generate a one-time key, wherein the control module adds functions and simultaneously functions as a control module of the entire encryption device;
输入端口,配置为读取或输入待加密数据;Input port, configured to read or enter data to be encrypted;
格式化单元,配置为将输入端口输入的待加密数据转换为与密钥格式匹配的格式化明文;A formatting unit configured to convert the data to be encrypted input from the input port into a formatted plain text that matches the key format;
加密模块,配置为用生成的一次性密钥将格式化单元生成的格式化明文转换为主密文,将所述一次性密钥的序号作为密文标题,合并主密文和密文标题以生成密文;The encryption module is configured to convert the formatted plain text generated by the formatting unit into a main cipher text using the generated one-time key, use the serial number of the one-time key as the cipher text title, and merge the main cipher text and the cipher text title to Generate ciphertext;
发送端口,配置为将生成的密文发送给配对的解密装置。The sending port is configured to send the generated ciphertext to a paired decryption device.
可选地,所述加密解密装置还包括:Optionally, the encryption and decryption device further includes:
接收端口,配置为接收从配对的加密装置发送的密文;A receiving port configured to receive a ciphertext sent from a paired encryption device;
解密模块,配置为解析接收的密文以提取密文标题中的密钥序号;A decryption module configured to parse the received ciphertext to extract the key sequence number in the ciphertext header;
其中,所述密钥生成装置根据所述系统信息,通过接收的密钥序号生成与所述序号对应解密密钥;Wherein, the key generation device generates a decryption key corresponding to the serial number by using the received key serial number according to the system information;
所述解密模块使用所述解密密钥解密密文以生成解密后明文;The decryption module uses the decryption key to decrypt the ciphertext to generate a decrypted plaintext;
所述格式化单元将解密后明文转换为复原数据;The formatting unit converts the plaintext after decryption into recovered data;
输出端口,配置为输出所述复原数据。An output port configured to output the restored data.
根据本申请另一实施例,提供了一种密钥生成和分发系统,包括配对的第一密钥生成装置和第二密钥生成装置,其中According to another embodiment of the present application, a key generation and distribution system is provided, including a paired first key generation device and a second key generation device, where
所述第一密钥生成装置,包括:The first key generation device includes:
第一系统信息模块,配置为存储所述第一密钥生成装置的第一系统信息;A first system information module configured to store first system information of the first key generation device;
第一密钥生成模块,配置为根据所述第一系统信息,可控有序生成不可预测信息作为第一密钥,并将其生成序号作为对应第一密钥序号;以及A first key generation module configured to controllably and orderly generate unpredictable information as the first key, and use a generation number thereof as a corresponding first key number according to the first system information; and
第一发送模块,配置为将所述第一密钥序号发送给第二密钥生成装置,A first sending module configured to send the first key serial number to a second key generating device,
所述第二密钥生成装置,包括:The second key generation device includes:
第二接收模块,配置为接收从所述第一发送模块发送的第一密钥序号,A second receiving module configured to receive a first key sequence number sent from the first sending module,
第二系统信息模块,配置为存储所述第二密钥生成装置的第二系统信息,所述第二系统信息与所述第一系统信息相同或相对应;A second system information module configured to store second system information of the second key generation device, the second system information being the same as or corresponding to the first system information;
第二密钥生成模块,配置为根据所述第二系统信息,根据接收到的所述第一密钥序号生成与所述第一密钥序号对应的第二解密密钥。The second key generation module is configured to generate a second decryption key corresponding to the first key number according to the received first key number according to the second system information.
可选地,Optionally,
所述第二密钥生成模块根据所述第二系统信息,可控有序生成不可预测信息作为第二密钥,并将其生成序号作为对应第二密钥序号,The second key generation module generates the unpredictable information as the second key in a controlled and orderly manner according to the second system information, and uses the generated serial number as the corresponding second key serial number,
所述第二密钥生成装置还包括第二发送模块,配置为将所述第二密钥序号发送给所述第一密钥生成装置,The second key generating device further includes a second sending module configured to send the second key serial number to the first key generating device,
所述第一密钥生成装置还包括第一接收模块,配置为接收从所述第二发送模块发送的第二密钥序号,The first key generating device further includes a first receiving module configured to receive a second key sequence number sent from the second sending module,
所述第一密钥生成模块根据所述系统信息,根据接受的所述第二密钥序号生成与所述第二密钥序号对应的第一解密密钥。The first key generation module generates a first decryption key corresponding to the second key number according to the accepted second key number according to the system information.
根据本申请另一实施例,提供了一种信息安全传递系统,包括第一通信设备和第二通信设备,其中According to another embodiment of the present application, an information security transfer system is provided, including a first communication device and a second communication device, wherein
所述第一通信设备包括:The first communication device includes:
如前面的实施例所述的第一密钥生成装置,配置为生成一次性第一密钥;The first key generating device according to the foregoing embodiment is configured to generate a one-time first key;
第一输入端口,配置为读取或输入待加密数据;A first input port configured to read or input data to be encrypted;
第一格式化单元,配置为将输入端口输入的待加密数据转换为与密钥格式匹配的第一格式化明文;A first formatting unit configured to convert the data to be encrypted input from the input port into a first formatted plain text that matches a key format;
第一加密模块,配置为用生成的一次性密钥将第一格式化单元生成的第一格式化明文转换为第一主密文,将所述第一密钥的第一密钥序号作为第一密文标题,合并主密文和密文标题以生成第一密文;A first encryption module configured to use a generated one-time key to convert a first formatted plain text generated by a first formatting unit into a first main cipher text, and use a first key sequence number of the first key as a first A ciphertext title, combining the main ciphertext and the ciphertext title to generate the first ciphertext;
第一发送端口,配置为将生成的第一密文发送给第二通信设备,A first sending port configured to send the generated first ciphertext to a second communication device,
所述第二通信设备包括:The second communication device includes:
第二接收端口,配置为接收所述第一发送端口发送的第一密文;A second receiving port configured to receive a first ciphertext sent by the first sending port;
第二解密模块,配置为解析接收的第一密文以提取第一密文标题中的第一密钥序号;A second decryption module configured to parse the received first ciphertext to extract a first key sequence number in the first ciphertext header;
如前面的实施例所述的第二密钥生成装置,配置为根据所述第二系统信息,根据第一密钥序号生成与所述序号对应的第二解密密钥;The second key generation device according to the foregoing embodiment is configured to generate a second decryption key corresponding to the serial number according to the first system serial number according to the second system information;
所述第二解密模块使用所述第二解密密钥解密接受到的所述第一密文以生成第二解密后明文;The second decryption module uses the second decryption key to decrypt the received first ciphertext to generate a second decrypted plaintext;
第二格式化单元,配置为将第二解密后明文转换为第二复原数据;A second formatting unit configured to convert the second decrypted plaintext into second restored data;
第二输出端口,配置为输出第二复原数据。The second output port is configured to output second restoration data.
可选地,所述第二通信设备包括:Optionally, the second communication device includes:
第二输入端口,配置为读取或输入第二待加密数据;A second input port configured to read or input a second data to be encrypted;
所述第二密钥生成装置根据所述第二系统信息,可控有序生成不可预测信息作为第二密钥,并将其生成序号作为第二密钥序号;The second key generating device may controllably and orderly generate unpredictable information as the second key, and use the generated serial number as the second key serial number according to the second system information;
所述第二格式化单元将第二输入端口输入的待加密数据转换为与密钥格式匹配的第二格式化明文;The second formatting unit converts the data to be encrypted input from the second input port into a second formatted plain text that matches the key format;
第二加密模块,配置为用生成的第二密钥将第二格式化单元生成的第二格式化明文转换为第二主密文,将所述第二密钥的第二密钥序号作为第二密文标题,合并第二主密文和第二密文标题以生成第二密文;A second encryption module configured to use the generated second key to convert the second formatted plain text generated by the second formatting unit into a second main cipher text, and use the second key sequence number of the second key as the first Second ciphertext title, combining the second main ciphertext and the second ciphertext title to generate a second ciphertext;
第二发送端口,配置为将生成的第二密文发送给第一通信设备,A second sending port configured to send the generated second ciphertext to the first communication device,
所述第一通信设备包括:The first communication device includes:
第一接收端口,配置为接收所述第二发送端口发送的第二密文;A first receiving port configured to receive a second ciphertext sent by the second sending port;
第一解密模块,配置为解析接收的第二密文以提取第二密文标题中的第二密钥序号;A first decryption module configured to parse the received second ciphertext to extract a second key sequence number in a second ciphertext header;
所述第一密钥生成装置根据所述系统信息,根据第二密钥序号生成与所述第二序号对应的第一解密密钥;The first key generation device generates a first decryption key corresponding to the second sequence number according to the second key sequence number according to the system information;
所述第一解密模块使用所述第一解密密钥解密所述第二密文以生成第一解密后明文;The first decryption module uses the first decryption key to decrypt the second ciphertext to generate a first decrypted plaintext;
所述第一格式化单元将第一解密后明文转换为第一复原数据;The first formatting unit converts the first decrypted plain text into first restored data;
第一输出端口,配置为输出所述第一复原数据。The first output port is configured to output the first restoration data.
根据本发明实施例的密钥生成装置、加密解密装置、密钥生成和分发系 统、信息安全传递系统,能够依靠有限的排他性共享的不可预测信息产生大量安全密钥并且能够将产生的密钥便捷、安全的分发,从而解决了信息安全的根本问题。The key generation device, encryption and decryption device, key generation and distribution system, and information security delivery system according to the embodiments of the present invention can generate a large number of security keys by relying on limited and unpredictable shared unpredictable information and can conveniently generate the generated keys And secure distribution, thereby solving the fundamental problem of information security.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是示出根据本发明实施例的密钥生成装置和密钥分发系统的示意图。FIG. 1 is a schematic diagram illustrating a key generation device and a key distribution system according to an embodiment of the present invention.
图2是示出数据库中存储的不可预测信息和序号的对应关系的示意图。FIG. 2 is a schematic diagram illustrating a correspondence relationship between unpredictable information and a serial number stored in a database.
图3是示出根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块的一个实施例的示意图。FIG. 3 is a schematic diagram illustrating an embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
图4是示出根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块的另一个实施例的示意图。4 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
图5是示出根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块的另一个实施例的示意图。5 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
图6是示出根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块的另一个实施例的示意图。6 is a schematic diagram illustrating another embodiment of an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention.
图7是示出根据本发明实施例的加密解密装置的示意图。FIG. 7 is a schematic diagram illustrating an encryption and decryption apparatus according to an embodiment of the present invention.
图8是示出根据本发明实施例的信息安全传递系统的示意图。FIG. 8 is a schematic diagram illustrating an information security transfer system according to an embodiment of the present invention.
具体实施方式detailed description
下面,将结合附图详细描述根据本发明实施例的密钥生成装置、加密解密装置、密钥生成和分发系统、信息安全传递系统。Hereinafter, a key generation device, an encryption and decryption device, a key generation and distribution system, and an information security delivery system according to embodiments of the present invention will be described in detail with reference to the accompanying drawings.
<第一实施例><First Embodiment>
首先,图1是示出根据本发明实施例的密钥生成装置和密钥分发系统的示意图。如图1所示,根据本发明实施例的密钥分发系统1包括配对的密钥生成装置100和密钥生成装置200。First, FIG. 1 is a schematic diagram illustrating a key generation device and a key distribution system according to an embodiment of the present invention. As shown in FIG. 1, a key distribution system 1 according to an embodiment of the present invention includes a paired key generation device 100 and a key generation device 200.
密钥生成装置100可以包括:The key generation apparatus 100 may include:
系统信息模块101,配置为存储所述密钥生成装置的系统信息;A system information module 101 configured to store system information of the key generation device;
密钥生成模块102,配置为根据所述系统信息,可控有序生成不可预测信息作为密钥,用所述不可预测信息的生成序号作为对应密钥序号;以及The key generation module 102 is configured to controllably and orderly generate unpredictable information as a key based on the system information, and use a generation number of the unpredictable information as a corresponding key number; and
传输模块103,配置为将所述密钥序号发送给配对的密钥生成装置,其 中所述配对的密钥生成装置存储有与所述系统信息相对应的第二系统信息,其中相对应的系统信息之间可以完全相同、一一对应、也可以有限数量的一多对应或多一对应。The transmission module 103 is configured to send the key serial number to a paired key generation device, wherein the paired key generation device stores second system information corresponding to the system information, where the corresponding system The information can be completely identical, one-to-one correspondence, or a limited number of one-to-one correspondences or one-to-one correspondences.
密钥生成装置200与密钥生成装置100具有相同的结构。密钥生成装置也可以包括系统信息模块201、密钥生成模块202和传输模块203。The key generation device 200 has the same structure as the key generation device 100. The key generation device may also include a system information module 201, a key generation module 202, and a transmission module 203.
系统信息模块201、密钥生成模块202和传输模块203的配置和功能与系统信息模块101、密钥生成模块102和传输模块103的配置和功能相同,在此省略其详细描述。Configurations and functions of the system information module 201, the key generation module 202, and the transmission module 203 are the same as those of the system information module 101, the key generation module 102, and the transmission module 103, and detailed descriptions thereof are omitted here.
具体地,系统信息模块101存储所述密钥生成装置的系统信息,所述系统信息例如可以包括数据库、关于生成数据库的方法的信息、系统设置和控制信息等等。Specifically, the system information module 101 stores system information of the key generation device, and the system information may include, for example, a database, information about a method of generating a database, system settings and control information, and the like.
密钥生成模块102可以根据所述系统信息,可控有序生成不可预测信息作为密钥,并用其生成序号作为对应密钥序号,并且可以根据接收到的配对的密钥生成装置发送的密钥序号生成与所述序号对应的密钥。The key generation module 102 can controllably and orderly generate unpredictable information as a key based on the system information, and use its generated serial number as the corresponding key serial number, and can generate the key sent by the paired key generation device according to the received The serial number generates a key corresponding to the serial number.
在一个实施例中,系统信息模块101包括数据库,所述数据库存储不可预测信息。In one embodiment, the system information module 101 includes a database that stores unpredictable information.
密钥生成模块102从数据库中有序提取不可预测信息作为密钥,并用其生成序号作为对应密钥序号,并且可以根据接受到的配对密钥生成模块所产生密钥的密钥序号,依靠所述数据库生成与所述序号对应的密钥。The key generation module 102 sequentially extracts unpredictable information from the database as a key, and uses its generated serial number as the corresponding key serial number, and can rely on the key serial number of the key generated by the received paired key generation module, depending on the The database generates a key corresponding to the serial number.
具体地,图2是示出数据库中存储的不可预测信息和序号的对应关系的示意图。Specifically, FIG. 2 is a schematic diagram illustrating a correspondence relationship between unpredictable information and a serial number stored in a database.
如图2所示,数据库中序号1对应的不可预测信息是“1234abcd”,序号2对应的不可预测信息是“bcde2345”,序号3对应的不可预测信息是“ef34gh56”,序号4对应的不可预测信息是“78ab12cd”等等。需要注意的是,图2中的数据库仅示出了序号和不可预测信息,但是可以根据需要增加额外的信息。此外,图2中的数据库示出的不可预测信息仅仅作为例子,实际上不可预测信息可以是通过任意方式生成的不可预测信息。As shown in Figure 2, the unpredictable information corresponding to sequence number 1 in the database is "1234abcd", the unpredictable information corresponding to sequence number 2 is "bcde2345", the unpredictable information corresponding to sequence number 3 is "ef34gh56", and the unpredictable information corresponding to sequence number 4 The message is "78ab12cd" and so on. It should be noted that the database in Figure 2 only shows the serial number and unpredictable information, but additional information can be added as needed. In addition, the unpredictable information shown in the database in FIG. 2 is merely an example. Actually, the unpredictable information may be unpredictable information generated in any manner.
然后,密钥生成模块102可以选取任意已有序号,从数据库中提取与该序号对应的不可预测信息作为密钥。在本实施例中,假设密钥生成模块102随机选取序号1,从数据库中提取与该序号1对应的不可预测信息“1234abcd” 作为密钥,并将1作为对应密钥序号。Then, the key generation module 102 may select any existing serial number and extract unpredictable information corresponding to the serial number from the database as a key. In this embodiment, it is assumed that the key generation module 102 randomly selects a serial number 1, extracts unpredictable information “1234abcd” corresponding to the serial number 1 as a key, and uses 1 as a corresponding key serial number.
也就是说,与现有技术中通过特定算法生成密钥的方式不同,在本实施例中,不可预测信息不是依靠特定算法生成的,而是依靠预先存储在系统信息数据库中的信息,可通过通用方式有序生成,然后从生成信息中提取部分或全部信息作为秘钥,所述生成信息的最简单形式为从数据库信息中直接检索获取的不可预测信息,从中有序提取信息作为密钥;本实施例不排除通过特定算法将检索到的对应不可预测信息通过非简并变换后作为密钥。That is to say, unlike the way of generating a key by a specific algorithm in the prior art, in this embodiment, the unpredictable information is not generated by a specific algorithm, but by the information stored in the system information database in advance. Generating in an orderly manner in a general manner, and then extracting some or all of the information from the generated information as a secret key. The simplest form of the generated information is to retrieve the unpredictable information directly from the database information and orderly extract the information from it as a key; This embodiment does not exclude that the corresponding unpredictable information retrieved through a non-degenerate transformation is used as a key through a specific algorithm.
通过这样的方式,可以避免现有技术中因为生成不可预测信息的算法被破解而导致不可预测信息可以被获取的风险。In this way, the risk that the unpredictable information can be obtained in the prior art because the algorithm that generates the unpredictable information is cracked can be avoided.
然后,传输模块103可以将所述密钥序号1发送给配对的密钥生成装置200,其中所述配对的密钥生成装置200存储有与所述系统信息相对应的第二系统信息。Then, the transmission module 103 may send the key sequence number 1 to the paired key generation device 200, where the paired key generation device 200 stores second system information corresponding to the system information.
在一个实施例中,配对的密钥生成装置200的第二系统信息与密钥生成装置100的系统信息完全相同。例如,在密钥生成装置200的数据库中,数据库中序号1对应的不可预测信息是“1234abcd”,序号2对应的不可预测信息是“bcde2345”,序号3对应的不可预测信息是“ef34gh56”,序号4对应的不可预测信息是“78ab12cd”等等。In one embodiment, the second system information of the paired key generation device 200 and the system information of the key generation device 100 are completely the same. For example, in the database of the key generation device 200, the unpredictable information corresponding to sequence number 1 in the database is "1234abcd", the unpredictable information corresponding to sequence number 2 is "bcde2345", and the unpredictable information corresponding to sequence number 3 is "ef34gh56". The unpredictable information corresponding to the serial number 4 is "78ab12cd" and so on.
在另一个实施例中,配对的密钥生成装置200的第二系统信息与密钥生成装置100的系统信息可以按照预定的对应关系对应。例如,在密钥生成装置200的数据库中,数据库中各序号对应的不可预测信息相对应密钥生成装置100中的序号可以偏移预定个数。具体地,在密钥生成装置200的数据库中,数据库中序号1对应的不可预测信息是“bcde2345”,序号2对应的不可预测信息是“ef34gh56”,序号3对应的不可预测信息是“78ab12cd”,序号4对应的不可预测信息是“1234abcd”等等。In another embodiment, the second system information of the paired key generation device 200 and the system information of the key generation device 100 may correspond according to a predetermined correspondence relationship. For example, in the database of the key generation device 200, the unpredictable information corresponding to each serial number in the database may be offset by a predetermined number from the serial number in the key generation device 100. Specifically, in the database of the key generation device 200, the unpredictable information corresponding to sequence number 1 in the database is "bcde2345", the unpredictable information corresponding to sequence number 2 is "ef34gh56", and the unpredictable information corresponding to sequence number 3 is "78ab12cd" The unpredictable information corresponding to sequence number 4 is "1234abcd" and so on.
当然,密钥生成装置200的第二系统信息与密钥生成装置100的系统信息可以按照相反顺序的对应关系对应等等。Of course, the second system information of the key generation apparatus 200 and the system information of the key generation apparatus 100 may correspond in a corresponding relationship in the reverse order, and so on.
类似地,所述传输模块103还可以配置为接收从所述配对的密钥生成装置200发送的密钥序号。所述密钥生成模块102进一步配置为根据接收的密钥序号,通过所述系统信息,生成与所述序号对应的解密密钥。Similarly, the transmission module 103 may be further configured to receive a key sequence number sent from the paired key generation device 200. The key generation module 102 is further configured to generate a decryption key corresponding to the serial number through the system information according to the received serial number of the key.
再来参考图1,在进行密钥的分发时,与现有技术中直接将生成的不可 预测信息(即,密钥“1234abcd”)发送给接收设备不同的是,在本申请的实施例中,例如传输模块103可以将用于生成密钥的序号1发送给配对的密钥生成装置200。然后,配对的密钥生成装置200通过传输模块203在接收到由密钥生成装置100发送的序号1时,密钥生成模块202根据序号1从系统信息模块201的数据库中检索序号1对应的不可预测信息,由此获取与密钥生成装置100意图发送的同样的密钥信息,即,“1234abcd”。Referring again to FIG. 1, when the key is distributed, the unpredictable information (that is, the key “1234abcd”) is directly sent to the receiving device in the prior art. In the embodiment of the present application, For example, the transmission module 103 may send the serial number 1 used to generate the key to the paired key generation device 200. Then, when the paired key generation device 200 receives the serial number 1 sent by the key generation device 100 through the transmission module 203, the key generation module 202 searches the database corresponding to the serial number 1 from the database of the system information module 201 according to the serial number 1 Prediction information, thereby obtaining the same key information as the key generation device 100 intends to transmit, that is, "1234abcd".
通过这样的方式,因为密钥生成装置100发送给密钥生成装置200的信息只包括序号1,除此之外没有任何具体密钥信息,所以即使该信息在发送的过程中被截取,截取该信息的人也无法从该序号1获取密钥信息。In this way, because the information sent by the key generation device 100 to the key generation device 200 includes only the serial number 1, there is no specific key information other than this, so even if the information is intercepted during the transmission process, the information is intercepted. The information person cannot obtain the key information from the serial number 1.
通过这样的方式,可以避免现有技术中因为密钥信息在分发的过程中被截取而导致密钥信息泄露的风险。In this way, the risk of key information leakage in the prior art because the key information is intercepted during distribution can be avoided.
显而易见,上述举例中密钥发送方和接收方的角色完全可以互换,密钥生成装置200作为密钥信息发送方,密钥生成装置100作为密钥信息接收方。Obviously, in the above example, the roles of the key sender and receiver are completely interchangeable. The key generating device 200 is used as the key information sender, and the key generating device 100 is used as the key information receiver.
<第二实施例><Second Embodiment>
下面,将参考图3描述根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块。Hereinafter, an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention will be described with reference to FIG. 3.
上面第一实施例中描述的密钥生成装置100中的系统信息模块101包括图3所示的不可预测信息可控有序生成模块300。The system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 300 shown in FIG. 3.
如图3所示,该可控有序生成模块300包括:As shown in FIG. 3, the controllable and ordered generation module 300 includes:
控制模块301,配置为控制不可预测信息的生成;A control module 301 configured to control generation of unpredictable information;
数据库模块302,配置为存储不可预测信息,A database module 302 configured to store unpredictable information,
第一实施例中所述密钥生成模块102根据控制模块301的控制,从所述数据库模块302中可控有序提取不可预测信息作为密钥,并用其生成序号作为对应密钥序号。所述密钥生成装置通过接收到的发自配对的密钥生成装置的密钥序号,从所述数据库中提取对应的不可预测信息作为对应密钥。According to the control of the control module 301, the key generation module 102 in the first embodiment extracts the unpredictable information from the database module 302 in a controlled and orderly manner as a key, and uses its generated serial number as the corresponding key serial number. The key generation device extracts the corresponding unpredictable information from the database as the corresponding key by receiving the key serial number sent from the paired key generation device.
根据本实施例,如图3所示,可以设计该数据库为一个大容量数据库,其中有序存放不可预测信息。然后密钥生成模块102根据接收的序号,通过序列控制从数据库中可控有序提取互不重叠的信息片段作为相互独立、不可预测的一次性密钥,形成一个无条件安全密钥可控有序生成装置。According to this embodiment, as shown in FIG. 3, the database may be designed as a large-capacity database, in which unpredictable information is stored in an orderly manner. Then the key generation module 102 extracts non-overlapping pieces of information from the database in a controlled and orderly manner through sequence control according to the received serial number as mutually independent and unpredictable one-time keys to form an unconditional security key in a controlled and orderly manner Generate device.
<第三实施例><Third Embodiment>
下面,将参考图4描述根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块。Hereinafter, an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention will be described with reference to FIG. 4.
上面第一实施例中描述的密钥生成装置100中的系统信息模块101包括图4所示的不可预测信息可控有序生成模块400。The system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 400 shown in FIG. 4.
如图4所示,该可控有序生成模块400包括:As shown in FIG. 4, the controllable and ordered generation module 400 includes:
控制模块401,配置为控制不可预测信息的生成;A control module 401 configured to control generation of unpredictable information;
动态信息模块402,配置为提供待处理的输入信息;A dynamic information module 402 configured to provide input information to be processed;
信息处理模块403,配置为根据控制模块的控制,通过预定算法将动态信息模块提供的输入信息转化为生成信息,并且通过信息分配从生成信息中提取部分信息作为输出信息以用于生成密钥,另外部分信息作为反馈信息提供给所述动态信息模块以保持其稳定更新。The information processing module 403 is configured to convert the input information provided by the dynamic information module into generated information through a predetermined algorithm according to the control of the control module, and extract part of the information from the generated information as output information for generating a key through information distribution. Another part of the information is provided as feedback information to the dynamic information module to keep it stable and updated.
具体地,如图4所示,控制模块401根据需求,从动态信息模块402中有序调取输入信息传递给信息处理模块403,同时顺序更新序号控制信息。Specifically, as shown in FIG. 4, the control module 401 sequentially retrieves input information from the dynamic information module 402 and passes it to the information processing module 403 according to requirements, and sequentially updates serial number control information.
动态信息模块402可以提供待处理的输入信息。The dynamic information module 402 may provide input information to be processed.
信息处理模块403将动态信息模块402提供的输入信息转化为可由输入信息确定的信息量扩大的生成信息,然后按预定方式分配生成信息,例如从生成信息中有序选取与输入信息容量相同的反馈信息传递给动态信息模块402补偿所用信息以便保持其稳定更新,同时,有序选取与反馈信息互不重叠的输出信息用作密钥并为其生成序号作为密钥序号。The information processing module 403 converts the input information provided by the dynamic information module 402 into generated information that can be expanded by the amount of information determined by the input information, and then allocates the generated information in a predetermined manner, such as orderly selecting feedback from the generated information that has the same capacity as the input information The information is passed to the dynamic information module 402 to compensate the used information in order to keep it stable and updated. At the same time, the output information that does not overlap with the feedback information is sequentially selected as a key and a serial number is generated for it as the key serial number.
这样,通过合理设置使输出信息之间,以及输出信息和装置相关信息尤其是动态信息之间没有可预测的逻辑或数学关系,从而实现将输入信息通过信息处理模块不可逆单向转化为输出信息和反馈信息,形成一个不可预测动态信息的不可逆单向演化体系,可经由信息输入、信息处理、信息输出、信息反馈循环,依靠有限的初始不可预测动态信息,形成一个可持续密钥可控有序生成装置。In this way, through reasonable settings, there is no predictable logical or mathematical relationship between the output information, and between the output information and the device-related information, especially the dynamic information, so that the input information is irreversibly and unidirectionally converted into output information through the information processing module. The feedback information forms an irreversible one-way evolution system of unpredictable dynamic information. It can pass through the cycle of information input, information processing, information output, and information feedback, and rely on limited initial unpredictable dynamic information to form a sustainable key that can be controlled and ordered. Generate device.
<第四实施例><Fourth Embodiment>
下面,将参考图5描述根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块。Hereinafter, an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention will be described with reference to FIG. 5.
上面第一实施例中描述的密钥生成装置100中的系统信息模块101包括图5所示的不可预测信息可控有序生成模块500。The system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 500 shown in FIG. 5.
如图5所示,该可控有序生成模块500包括:As shown in FIG. 5, the controllable and ordered generation module 500 includes:
控制模块501,配置为控制不可预测信息的生成;A control module 501 configured to control generation of unpredictable information;
输入信息子模块502,配置为提供待处理的输入信息;An input information sub-module 502 configured to provide input information to be processed;
信息处理模块503,配置为通过迭代信息处理方式,将输入信息转换为可由输入信息确定的信息量扩大的生成信息,按照预定信息分配方式从所述生成信息中提取相互不重叠部分的第一部分与输入信息等量的信息作为迭代信息反馈到输入信息子模块作为下一步的输入信息,并且提取相互不重叠部分的第二部分作为不可预测信息以用于生成密钥。The information processing module 503 is configured to convert the input information into generated information whose information amount can be determined by the input information through an iterative information processing method, and extract a first part and a non-overlapping part of the generated information from the generated information according to a predetermined information distribution method. The input information is fed back to the input information sub-module as iterative information as input information for the next step, and the second part that does not overlap with each other is extracted as unpredictable information for generating a key.
在本实施例中,输入信息子模块502可以是图4所示的动态信息模块402的一部分,配置为接收不可预测信息作为初始的输入信息。In this embodiment, the input information sub-module 502 may be a part of the dynamic information module 402 shown in FIG. 4 and configured to receive unpredictable information as initial input information.
然后,所述信息处理模块503在控制模块501的控制下,通过迭代信息处理方式,将从输入信息子模块502输入的输入信息转换为可由输入信息确定的信息量扩大的生成信息,按照预定信息分配方式从所述生成信息中提取相互不重叠部分的第一部分与输入信息等量的信息作为迭代信息反馈到输入信息子模块作为下一步的输入信息,并且提取相互不重叠部分的第二部分作为输出信息以用于生成密钥。Then, under the control of the control module 501, the information processing module 503 converts the input information input from the input information submodule 502 into generated information with an expanded amount of information that can be determined by the input information through an iterative information processing method. The allocation method extracts from the generated information the first part of the non-overlapping part and the same amount of input information as iterative information and feeds it back to the input information sub-module as the next input information, and extracts the second part of the non-overlapping part as Outputs information for generating keys.
这样,通过合适设置使输出信息之间,以及输出信息和装置中相关信息之间没有可预测的逻辑和数学关系,从而通过信息输入、信息生成、密钥输出、迭代循环形成一个可持续密钥可控有序生成装置。In this way, through proper settings, there is no predictable logical and mathematical relationship between the output information, and between the output information and the relevant information in the device, so as to form a sustainable key through information input, information generation, key output, and iteration cycles. Controllable and orderly generating device.
例如,我们可以采取不同算法和分配方法将输入信息转化为可由输入信息确定的密钥信息和反馈信息,本示例中我们采用8位十进制数值作为输入,实际应用中,可采取其它进制并选取合适有效数字位数。For example, we can use different algorithms and distribution methods to convert the input information into key information and feedback information that can be determined by the input information. In this example, we use 8-digit decimal values as input. In actual applications, other base numbers can be used and selected. Suitable number of significant digits.
Figure PCTCN2019091899-appb-000001
Figure PCTCN2019091899-appb-000001
Figure PCTCN2019091899-appb-000002
Figure PCTCN2019091899-appb-000002
通过上表中所述流程实现了编码信息为“…1A2379D4…”的迭代法密钥生成示意图,密钥信息为…15254815870289282110919868440514…,其中的序号参数为“23758715”,上一步反馈信息作为下一步的输入信息,序号参数值在同一密钥生成过程中保持不变,在有序生成一个密钥后顺序增加1以避免出现过早的数据循环。Through the process described in the table above, the iterative method of key generation with encoding information "... 1A2379D4 ..." is achieved. The key information is ... 15254815870289282110919868440514 ..., where the serial number parameter is "23758715", and the feedback information from the previous step is used as the next Enter the information. The serial number parameter value remains the same during the same key generation process. After an orderly generation of a key, the sequence is increased by 1 to avoid premature data cycles.
所述信息处理模块503可将输入信息转化为确定的密钥信息和反馈信息,并且输出信息之间以及输出信息和输入信息以及装置其它信息之间没有可解析的数学关系以及可有限对应的逻辑关系;从而使上述信息转化成为一个不可逆单向过程,可通过信息输入、信息生成、密钥输出、迭代循环实现可持续密钥可控有序生成。The information processing module 503 can convert the input information into the determined key information and feedback information, and there is no analyzable mathematical relationship and limited corresponding logic between the output information and between the output information and the input information and other information of the device. Relationship; so that the above information is transformed into an irreversible one-way process, and sustainable key generation can be controlled and ordered through information input, information generation, key output, and iterative cycles.
上述示例提供一个基本的迭代流程,后面实施例中的迭代算法可以此作为参考,可在此基础上设置更加复杂的迭代流程,例如可将不同算法、分配参数、序号参数进行编码处理,体现在编码信息中,并对分配后信息进行不同转换等,提高系统的多样性和安全性。The above example provides a basic iterative process. The iterative algorithm in the following embodiments can be used as a reference. More complex iterative processes can be set up on this basis. For example, different algorithms, allocation parameters, and serial number parameters can be encoded and processed. Encoding information, and performing different conversions on the distributed information, etc., improve the diversity and security of the system.
上述算法和信息分配方式的种类可不受限制,且相互之间可通过不同参数设定而完全独立。The types of the above algorithms and information distribution methods can be unlimited, and can be completely independent of each other through different parameter settings.
上述迭代过程实现手段多种多样,除采用数学迭代算法输出数字化信息外,还可通过由脉冲信号控制的震荡电路输出脉冲信号等物理方法。The above iterative process is implemented in various ways. In addition to using mathematical iterative algorithms to output digitized information, physical methods such as pulse signals can be output through oscillator circuits controlled by pulse signals.
<第五实施例><Fifth Embodiment>
下面,将参考图6描述根据本发明实施例的密钥生成装置中的不可预测信息可控有序生成模块。In the following, an unpredictable information controllable and ordered generation module in a key generation device according to an embodiment of the present invention will be described with reference to FIG. 6.
上面第一实施例中描述的密钥生成装置100中的系统信息模块101包括图6所示的不可预测信息可控有序生成模块600。The system information module 101 in the key generation device 100 described in the first embodiment above includes the unpredictable information controllable and ordered generation module 600 shown in FIG. 6.
如图6所示,该可控有序生成模块600包括:As shown in FIG. 6, the controllable and ordered generation module 600 includes:
控制模块601,配置为控制不可预测信息的生成;A control module 601 configured to control generation of unpredictable information;
数据库模块602,配置为包括存储预定数量的不可预测信息单元的主数据库,以及存储预定数量的不可预测信息编码形成的编码数据库,其中编码的数量大于数据库子模块中存储的不可预测信息单元的数量,The database module 602 is configured to include a main database storing a predetermined number of unpredictable information units, and an encoding database formed by encoding a predetermined number of unpredictable information units, where the number of codes is greater than the number of unpredictable information units stored in the database submodule. ,
所述控制模块601从编码数据库中有序提取编码,根据编码信息从主数据库中提取多个不可预测信息单元作为一组输入信息传递给所述信息处理模块603,编码不重复使用同时顺序更新序号控制信息,The control module 601 sequentially extracts codes from the coding database, extracts a plurality of unpredictable information units from the main database according to the coding information, and passes them as a set of input information to the information processing module 603. The codes are not reused and the sequence numbers are sequentially updated. Control information,
信息处理模块603将一组输入信息通过组合生成一个次生信息,The information processing module 603 generates a secondary information by combining a set of input information,
信息处理模块603在控制模块601的控制下有序生成次生信息,并根据设定的信息分配方案选取预定数量的输出信息作为密钥,并且将输出信息的生成序号作为对应密钥序号,The information processing module 603 generates secondary information in an orderly manner under the control of the control module 601, and selects a predetermined number of output information as a key according to a set information distribution scheme, and uses a generation number of the output information as a corresponding key number.
生成预定数量密钥后,信息处理模块603根据所述控制模块601的指令顺序生成与数据库子模块602中存储的不可预测信息相同数量的次生信息作为数据库再生信息反馈给数据库子模块602以更新数据库子模块中信息。After generating a predetermined number of keys, the information processing module 603 generates secondary information with the same amount of unpredictable information stored in the database submodule 602 according to the instruction sequence of the control module 601 and feeds it back to the database submodule 602 as database regeneration information to update Information in the database submodule.
信息处理模块根据更新后的数据库子模块中信息继续生产密钥,The information processing module continues to produce keys based on the information in the updated database submodule,
循环数据库子模块更新和密钥生成过程。Cyclic database submodule update and key generation process.
在本实施例中,数据库602例如可以是图4所示的动态信息模块402的一部分,配置为存储预定数量的不可预测信息单元以及存储预定数量的不可预测信息编码。In this embodiment, the database 602 may be, for example, a part of the dynamic information module 402 shown in FIG. 4 and configured to store a predetermined number of unpredictable information units and store a predetermined number of unpredictable information codes.
下面,将利用一个具体的示例性示例来说明根据本实施例的可控有序生成模块。需要注意的是,本示例中所示的不可预测信息、编码等等仅仅作为例子,而不是对本实施例的限制性说明。In the following, a specific exemplary example will be used to explain the controllable and ordered generation module according to this embodiment. It should be noted that the unpredictable information, encoding, and the like shown in this example are merely examples, and are not restrictive descriptions of this embodiment.
例如,如图6所示,根据本实施例的数据库602中包括两个子数据库,即,存储预定数量的不可预测信息单元的主数据库和存储预定数量的不可预测信息编码形成的编码数据库。For example, as shown in FIG. 6, the database 602 according to this embodiment includes two sub-databases, that is, a main database storing a predetermined number of unpredictable information units and an encoding database formed by encoding a predetermined number of unpredictable information.
为了说明的目的,本示例中主数据库中存储的不可预测信息单元的长度为任意长度,数量为16个。For the purpose of illustration, the length of the unpredictable information unit stored in the main database in this example is an arbitrary length and the number is 16.
例如,下面的表1示出了主数据库存储的不可预测信息单元的例子。需要注意的是,下面表1中只示出了8位长度的不可预测信息,实际上不可预测信息的长度可以是任意长度。For example, Table 1 below shows examples of unpredictable information units stored in the main database. It should be noted that only 8-bit unpredictable information is shown in Table 1 below. Actually, the length of the unpredictable information can be any length.
Figure PCTCN2019091899-appb-000003
Figure PCTCN2019091899-appb-000003
此外,本示例中编码数据库中的存储的编码的长度为2个字节,数量为32个,编码信息的值以2进制表示。In addition, the length of the encoding stored in the encoding database in this example is 2 bytes, and the number is 32. The value of the encoding information is expressed in binary.
Figure PCTCN2019091899-appb-000004
Figure PCTCN2019091899-appb-000004
在生成密钥时,控制模块从编码数据库中有序提取编码,例如,在第一次生成密钥时,此时序号为1。因此,控制模块从编码数据库中提取序号1对应的编码,即,(0000 0111 1010 1111),其对应的十六进制值为07AF。When the key is generated, the control module sequentially extracts the code from the coding database. For example, when the key is generated for the first time, the serial number is 1. Therefore, the control module extracts the code corresponding to the serial number 1 from the coding database, that is, (0000 0111 1010 1111), and the corresponding hexadecimal value is 07AF.
此时,控制模块根据编码信息07AF,从主数据库中提取编码信息所对应的多个不可预测信息单元作为一组输入信息传递给所述信息处理模块。例如,控制模块从主数据库中提取与编码信息07AF对应的,主数据库中的第0个不可预测信息单元(13,8,2,1…),第7个不可预测信息单元(15,3,14,0…),第A个(即,第10个)不可预测信息单元(8,15,3,7…),第15个不可预测信息单元(12,10,6,15…)。At this time, the control module extracts a plurality of unpredictable information units corresponding to the coding information from the main database according to the coding information 07AF, and passes the information to the information processing module as a set of input information. For example, the control module extracts from the main database corresponding to the encoded information 07AF, the 0th unpredictable information unit (13, 8, 2, 1 ...) and the 7th unpredictable information unit (15, 3, 14, 0 ...), the Ath (ie, 10th) unpredictable information unit (8, 15, 3, 7 ...), and the 15th unpredictable information unit (12, 10, 6, 15 ...).
需要注意的是,在本实施例中,编码不重复使用。It should be noted that, in this embodiment, the encoding is not repeatedly used.
信息处理模块将该组输入信息通过组合生成一个次生信息。例如,信息 处理模块将这四组输入信息求和,然后用16进制取余数来生成次生信息。The information processing module combines the set of input information to generate a secondary information. For example, the information processing module sums the four sets of input information and then uses the hexadecimal to take the remainder to generate secondary information.
例如,生成的次生信息如下:For example, the secondary information generated is as follows:
Figure PCTCN2019091899-appb-000005
Figure PCTCN2019091899-appb-000005
因此,通过包括四条不可预测信息的该组输入信息生成的一条次生信息就是(0,4,9,7…)。此时,该条次生信息的生成序号1就是其对应的密钥序号。同时顺序更新控制模块中的序号控制信息。Therefore, a piece of secondary information generated by the set of input information including four pieces of unpredictable information is (0, 4, 9, 7 ...). At this time, the generation number 1 of the piece of secondary information is its corresponding key number. At the same time, the serial number control information in the control module is sequentially updated.
通过这样的方式,利用当前数据库子模块中的信息生成所述预定数量的密钥后,信息处理模块生成与数据库子模块中存储的不可预测信息的数量相同数量的次生信息作为数据库再生信息反馈给数据库子模块以更新数据库子模块中信息。In this way, after using the information in the current database submodule to generate the predetermined number of keys, the information processing module generates the same amount of secondary information as the database regeneration information feedback as the number of unpredictable information stored in the database submodule. Give the database submodule to update the information in the database submodule.
然后,信息处理模块根据更新后的数据库子模块中信息继续生产密钥,并且循环数据库子模块更新和密钥生成过程。The information processing module then continues to produce keys based on the information in the updated database submodule, and iterates through the database submodule update and key generation process.
上述示例提供一个通过组合法生成编码信息为07AF的次生数列的基本流程,后面实施例中的组合算法可以此作为参考,可在此基础上设置更加复杂的次生数列生成流程,例如采取不同的数列间组合算法、编码格式和数列提取模式、数据库更新模式等,提高系统的多样性和安全性。The above example provides a basic process for generating a secondary sequence with the encoding information of 07AF by a combination method. The combination algorithm in the following embodiments can be used as a reference, and a more complex secondary sequence generation process can be set on this basis, such as taking a different The combination algorithm, encoding format and sequence extraction mode, database update mode, etc. of the series can improve the diversity and security of the system.
上述采用的模运算为不可逆单向算法,即根据原始数列组合可以确定由其生成的次生数列,但根据由所述次生数列无法有效推测原有数列。由于根据每一个所述次生数列中元素推测的原有数列对应元素的可能取值无偏好的分布在数列元素的取值范围内,所述算法是一个数学上严格的不可逆单向算法。The modulo operation adopted above is an irreversible one-way algorithm, that is, the secondary sequence generated by the original sequence can be determined, but the original sequence cannot be effectively inferred from the secondary sequence. Since the possible values of the corresponding elements of the original sequence inferred from the elements in each of the secondary sequence are distributed without preference in the range of the sequence elements, the algorithm is a mathematically strict irreversible one-way algorithm.
选取具有不可逆单向特征的组合算法,采用未公开随机编码,并使编码长度、数列长度、主数据库容量,以及每次更新期间输出的次生数列数量符合要求,可保证上述输出信息之间,输出信息和系统信息之间没有可探测的逻辑和数学关系。Select a combination algorithm with irreversible unidirectional characteristics, use undisclosed random encoding, and make the encoding length, sequence length, main database capacity, and the number of secondary sequences output during each update meet the requirements, which can guarantee the above output information, There is no detectable logical and mathematical relationship between output information and system information.
本实施例通过利用元素间排列组合种类可远大于元素个数的基本数学原 理,采用组合方法生成信息量扩大的信息,通过信息生成和反馈循环实现可持续不可预测信息可控有序生成。This embodiment uses the basic mathematical principle that the type of the arrangement and combination between elements can be much larger than the number of elements, uses the combination method to generate information with an expanded amount of information, and realizes the controllable and orderly generation of sustainable unpredictable information through information generation and feedback loops.
数据库602设计为有序存放有限数量的不可预测信息单元,通过信息单元间组合生成一个次生信息的办法,使可生成的次生信息的信息量大于数据库信息量。此设计框架下,动态信息模块形式为数据库,控制模块根据需求从数据库中有序提取若干信息单元作为一组输入信息传递给信息处理模块,同时顺序更新序号控制信息;信息处理模块将一组输入信息单元通过组合生成一个可由输入信息确定的次生信息;所述方式生成的次生信息数量大于数据库中信息单元数量;系统有序生成一组约定数量的次生数列作为密钥并用其生成序号依次标记,然后自发可控生成与数据库容量相等的次生信息作为数据库再生信息有序更新数据库,数据库更新后继续下一轮密钥生成;通过合适设置使输出信息之间,以及输出信息和数据库信息之间没有可预测的逻辑和数学关系,从而可通过密钥生成、数据库更新循环形成一个可持续密钥可控有序生成装置。The database 602 is designed to store a limited number of unpredictable information units in an orderly manner. The method of generating a secondary information by combining the information units makes the amount of secondary information that can be generated greater than that of the database. Under this design framework, the dynamic information module is in the form of a database, and the control module sequentially extracts a number of information units from the database as a set of input information to pass to the information processing module, and at the same time sequentially updates the serial number control information; the information processing module sends a set of inputs The information unit combines to generate a secondary information that can be determined by the input information. The number of secondary information generated by the method is greater than the number of information units in the database. The system sequentially generates a set of agreed number of secondary sequence numbers as keys and uses them to generate serial numbers. Mark them in turn, and then spontaneously and controllably generate secondary information equal to the database capacity to update the database in an orderly manner as the database regeneration information. After the database is updated, the next round of key generation is performed; the output information is between the output information and the output information and the database through appropriate settings There is no predictable logical and mathematical relationship between the information, so a sustainable key controllable and ordered generation device can be formed through key generation and database update cycles.
进一步地,利用上述信息组合策略,可以通过可增殖编码信息概念,构建一个可普遍适用的可持续不可预测信息可控有序生成装置设计方案。Further, by using the above-mentioned information combination strategy, a universally applicable sustainable and unpredictable information controllable and orderly generation device design scheme can be constructed through the concept of multiplyable encoding information.
首先引入编码信息概念,通过数据库生成编码信息;数据库由确定的结构单元及单元中存放的信息决定,存储单元及相互间的结构关系构成数据库的固定框架并可通过参数调整,单元中存储的信息构成数据库的可变部分,数据库中信息通过其所属结构单元间的结构关系发生关联;编码信息的具体形式和内容由数据库结构单元中存储的信息决定,编码决定信息生成过程所对应的全部数据结构关系,通过编码可依靠相同数据库完全复原对应信息;编码与信息的具体形式和内容相互独立,可通过有限信息量的编码跟踪和操控形式和内容不受限制的信息,实现信息可控有序生成。First introduce the concept of coding information, and generate coding information through the database. The database is determined by the identified structural units and the information stored in the units. The storage unit and the structural relationship between them form the fixed frame of the database and can be adjusted by parameters. The information stored in the unit The variable part of the database, the information in the database is related through the structural relationship between the structural units to which it belongs; the specific form and content of the encoded information is determined by the information stored in the database structural unit, and the encoding determines all data structures corresponding to the information generation process The relationship can be completely restored through the same database through coding; the specific form and content of the coding and information are independent of each other, and the information can be tracked and manipulated with limited information and the form and content are not restricted to achieve the controlled and orderly generation of information .
进一步地,引入可增殖信息概念,通过数据库信息间的随机组合生成数量扩大的子代信息,使信息可通过数据库传代实现增殖成为可增殖信息,通过不断随机传代增殖扩大子代信息的取值空间,最终使取值空间达到对应格式信息的信息空间,从而使通过随机方式选出的子代信息不可预测,随机选取增殖后的子代信息替换数据库信息,实现数据库中不可预测信息的有效再生。Further, the concept of multiplication information is introduced, and the number of progeny information is generated by random combination of database information, so that the information can be multiplied through the database to become multiplication information, and the value space of the progeny information is expanded by continuous random passage and multiplication. Finally, the value space is made to the information space of the corresponding format information, so that the child information selected by a random method is unpredictable, and the proliferated child information is randomly selected to replace the database information, thereby achieving effective regeneration of unpredictable information in the database.
可增殖信息根据其生成时的数据库信息间组合及全部相关数据结构关系进行编码,成为可增殖编码信息;根据可增殖编码信息概念设计数据库,有组织存放有限容量的不可预测信息,包含主数据库和由随机编码组成的编码数据库;主数据库中有序存储信息单元,供信息生成装置根据编码数据库中编码有序调取对应信息单元组合生成次生信息,通过编码数据库中的随机编码跟踪和操控信息的生成和传代,实现不可预测数据库的自发可控再生。Enrichable information is encoded according to the combination of database information and all related data structure relationships at the time of its generation, and becomes an expandable coded information. The database is designed according to the concept of the augmentable coded information, and organized to store unpredictable information of limited capacity, including the main database and A coding database composed of random codes; the information units in the main database are stored in an orderly manner for the information generating device to retrieve the corresponding information units according to the coded order in the coding database to generate secondary information, and to track and manipulate the information through the random coding in the coding database Generation and generation, to achieve spontaneous and controllable regeneration of unpredictable databases.
在所述通过可增殖编码信息实现的信息可控有序生成和不可预测数据库自发可控再生的基础上,本发明可依靠有限容量的不可预测数据库,通过次生信息生成、数据库再生循环形成一个可持续的不可预测信息可控有序生成装置。On the basis of the controllable and orderly generation of information and the spontaneous and controllable regeneration of the unpredictable database achieved through the proliferation of encoded information, the present invention can rely on an unpredictable database with limited capacity to form a secondary information generation and database regeneration cycle. Sustainable and unpredictable information controllable and orderly generating device.
信息定义的普遍性使上述基于可增殖编码信息概念的可持续不可预测信息可控有序生成装置的设计具有普遍适用性。可将各种形式的不可预测信息和信号单元放入主数据库,借助由未公开随机编码组成的编码数据库,通过可增殖编码信息概念,借助合适的信息处理技术,实现可持续不可预测信息可控有序生成。The universality of the information definition makes the design of the above-mentioned sustainable and unpredictable information controllable and ordered generation device based on the concept of multiply-encoding information universally applicable. Various forms of unpredictable information and signal units can be put into the main database. With the help of a coding database composed of undisclosed random codes, the concept of multiplyable coding information and appropriate information processing technologies can be used to achieve sustainable and unpredictable information controllability. Ordered generation.
<第六实施例><Sixth Embodiment>
下面,将参考图7描述根据本发明实施例的加密解密装置。Hereinafter, an encryption and decryption apparatus according to an embodiment of the present invention will be described with reference to FIG. 7.
如图7所示,根据本实施例的加密解密装置700包括:As shown in FIG. 7, the encryption and decryption apparatus 700 according to this embodiment includes:
如第一实施例中所述的密钥生成装置100,配置为可控有序生成一次性密钥。此外,加密解密装置700中的控制模块701增加参数和功能,作为所述加密装置的控制模块。The key generation device 100 described in the first embodiment is configured to controllably and orderly generate a one-time key. In addition, the control module 701 in the encryption and decryption device 700 adds parameters and functions as a control module of the encryption device.
输入端口702,配置为读取或输入待加密数据; Input port 702 is configured to read or input data to be encrypted;
格式化单元703,配置为将输入端口输入的待加密数据转换为与密钥格式相匹配的格式化明文;A formatting unit 703 configured to convert the data to be encrypted input from the input port into a formatted plain text that matches the key format;
加密模块704,配置为用所述密钥生成装置100可控有序生成的一次性密钥将格式化单元703生成的格式化明文转换为主密文,将所述一次性密钥的序号作为密文标题,合并主密文和密文标题以生成密文;The encryption module 704 is configured to convert the formatted plain text generated by the formatting unit 703 into a main cipher text using the one-time key that is controlledly and orderly generated by the key generation device 100, and use the serial number of the one-time key as Ciphertext title, combining main ciphertext and ciphertext title to generate ciphertext;
发送端口705,配置为将生成的密文发送给配对的解密装置。The sending port 705 is configured to send the generated ciphertext to the paired decryption device.
此外,根据本实施例的加密解密装置700还包括:In addition, the encryption and decryption apparatus 700 according to this embodiment further includes:
接收端口706,配置为接收从配对的加密装置发送的密文;A receiving port 706 configured to receive a ciphertext sent from a paired encryption device;
解密模块707,配置为解析接收的密文以提取密文标题中的密钥序号,根据密钥序号,用所述密钥生成装置100生成与所述密钥序号对应的解密密钥,使用所述解密密钥解密密文以生成解密后明文;The decryption module 707 is configured to parse the received ciphertext to extract the key sequence number in the ciphertext header, and use the key generation device 100 to generate a decryption key corresponding to the key sequence number according to the key sequence number, and use the The decryption key decrypts the ciphertext to generate the decrypted plaintext;
所述格式化单元703进一步配置为将解密后明文转换为复原数据;The formatting unit 703 is further configured to convert the decrypted plain text into recovered data;
输出端口708,配置为输出所述复原数据。An output port 708 is configured to output the restored data.
根据本实施例的加密解密装置,发送方通过输入端口输入文件信息,通过格式化单元变为可通过加密模块处理的格式化明文,密钥生成装置从数据库中提取所需信息有序生成一次性密钥,与格式化明文组合成主密文,将密钥生成序号作为密文标题,生成一条密文,完成加密;密文通过发送端口进入常规信道;接受方从接受端口获取对方密文,从密文标题中提取密钥生成序号,生成对应解密密钥,解密主密文生成格式化明文,完成解密;格式化明文经格式化单元还原为原始文件,通过输出端口输出。According to the encryption and decryption device of this embodiment, the sender inputs file information through the input port, and becomes formatted plain text that can be processed by the encryption module through the formatting unit, and the key generation device extracts the required information from the database in order to generate one-time The key is combined with the formatted plain text to form the main cipher text, and the key generation sequence number is used as the cipher text title to generate a cipher text to complete the encryption; the cipher text enters the regular channel through the sending port; Extract the key generation sequence number from the ciphertext title, generate the corresponding decryption key, decrypt the main ciphertext to generate the formatted plaintext, and complete the decryption; the formatted plaintext is restored to the original file by the formatting unit and output through the output port.
本实施例中,伴随密文的解密线索为通用的序号数字,不包含任何密钥信息,完全避免了密文传递过程中的密钥信息泄露风险,因此,根据本实施例的加密解密装置能够实现文件的安全传输。In this embodiment, the decryption clue accompanying the ciphertext is a universal serial number and does not contain any key information, which completely avoids the risk of key information leakage during the ciphertext transfer process. Therefore, the encryption and decryption device according to this embodiment can Achieve secure file transfer.
本实施例的虚线部分显示可将外源性随机信息作为发送文件,通过密文形式在时间和空间上相互分离的配对的加密解密器之间安全共享不同来源的随机信息,同步更新排他性共享数据库和其它共享系统信息,形成一个开放型可演化的密钥生成和安全分发系统,有效消除和纠正封闭系统长期运行下由于初始系统信息不完善引起的系统缺陷的积累。The dashed part of this embodiment shows that exogenous random information can be used as a sending file, and random information from different sources can be securely shared between the paired encryption and decryption devices separated in time and space by cipher text, and the exclusive shared database can be updated synchronously. Share system information with others to form an open and evolvable key generation and secure distribution system, which effectively eliminates and corrects the accumulation of system defects caused by imperfect initial system information under long-term operation of a closed system.
<第七实施例><Seventh Embodiment>
下面,将参考图8描述根据本发明实施例的信息安全传递系统。Hereinafter, an information security transfer system according to an embodiment of the present invention will be described with reference to FIG. 8.
如图8所示,根据本实施例的信息安全传递系统包括配对的第一通信设备800和第二通信设备900,其中第一通信设备800和第二通信设备900可以具有相同的配置。第一通信设备800和第二通信设备900都可以包括如上面实施例中的加密解密装置。As shown in FIG. 8, the information security transfer system according to the present embodiment includes a paired first communication device 800 and a second communication device 900, where the first communication device 800 and the second communication device 900 may have the same configuration. Both the first communication device 800 and the second communication device 900 may include encryption and decryption means as in the above embodiment.
第一通信设备800例如由通信者A持有,并且第二通信设备900例如由通信者B持有。The first communication device 800 is held by the correspondent A, for example, and the second communication device 900 is held by the correspondent B, for example.
具体地,例如所述第一通信设备800包括:Specifically, for example, the first communication device 800 includes:
根据第一实施例的第一密钥生成装置100,配置为可控有序生成一次性密钥作为第一密钥;密钥生成装置100中的控制模块801增加参数和功能,作为所述加密装置的控制模块。The first key generation device 100 according to the first embodiment is configured to controllably and orderly generate a one-time key as the first key; the control module 801 in the key generation device 100 adds parameters and functions as the encryption Control module of the device.
第一输入端口802,配置为读取或输入第一待加密数据;A first input port 802 configured to read or input first data to be encrypted;
第一格式化单元803,配置为将输入端口输入的第一待加密数据转换为与密钥格式相同的第一格式化明文;A first formatting unit 803 configured to convert the first to-be-encrypted data input from the input port into a first formatted plaintext having the same key format;
第一加密模块804,配置为通过第一密钥生成装置生成的第一密钥将所述第一格式化明文转换为第一主密文,将所述第一密钥的生成序号作为第一密文标题,合并第一主密文和第一密文标题以生成第一密文;The first encryption module 804 is configured to convert the first formatted plain text into a first main cipher text by using a first key generated by a first key generation device, and use a generation number of the first key as a first Ciphertext title, combining the first main ciphertext and the first ciphertext title to generate the first ciphertext;
第一发送端口805,配置为将生成的第一密文发送给第二通信设备,A first sending port 805 configured to send the generated first ciphertext to a second communication device,
所述第二通信设备900包括:The second communication device 900 includes:
根据第一实施例的第二密钥生成装置100,配置为可控有序生成一次性密钥作为第二密钥;密钥生成装置100中的控制模块901增加参数和功能,作为所述加密装置的控制模块。The second key generation device 100 according to the first embodiment is configured to controllably and orderly generate a one-time key as the second key; the control module 901 in the key generation device 100 adds parameters and functions as the encryption Control module of the device.
第二接收端口906,配置为接收第一发送端口发送的第一密文;A second receiving port 906 configured to receive a first ciphertext sent by a first sending port;
第二解密模块907,配置为解析接收的所述第一密文以提取第一密文标题中的第一密钥序号,根据所述第一密钥序号,通过所述第二密钥生成装置生成对应第二解密密钥文,使用所述第二密钥解密所述第一密文以生成第二解密后明文;A second decryption module 907 is configured to parse the received first ciphertext to extract a first key sequence number in a first ciphertext header, and pass the second key generation device according to the first key sequence number. Generating a corresponding second decryption key text, and using the second key to decrypt the first cipher text to generate a second decrypted plain text;
第二格式化单元903,配置为将所述第二解密后明文转换为第二复原数据;A second formatting unit 903 configured to convert the second decrypted plain text into second restored data;
第二输出端口908,配置为输出所述第二复原数据。The second output port 908 is configured to output the second restoration data.
类似地,所述第二通信设备900包括:Similarly, the second communication device 900 includes:
第二输入端口902,配置为读取或输入第二待加密数据;The second input port 902 is configured to read or input the second data to be encrypted;
所述第二格式化单元同时配置将第二输入端口输入的第二待加密数据转换为与密钥格式匹配的第二格式化明文;The second formatting unit is also configured to convert the second to-be-encrypted data input from the second input port into a second formatted plain text that matches the key format;
第二加密模块904,配置为通过所述第二密钥生成装置可控有序生成的第二密钥将所述第二格式化明文转换为第二主密文,将所述第二密钥的第二密钥序号作为第二密文标题,合并第二主密文和第二密文标题以生成第二密 文;A second encryption module 904 configured to convert the second formatted plain text into a second main cipher text through a second key that is controllably and orderly generated by the second key generation device, and convert the second key The second key sequence number of the key is used as the second ciphertext title, and the second main ciphertext and the second ciphertext title are combined to generate a second ciphertext;
第二发送端口905,配置为将生成的第二密文发送给第一通信设备,A second sending port 905, configured to send the generated second ciphertext to the first communication device,
第一通信设备的第一接收端口806,配置为接收所述第二发送端口发送的第二密文;A first receiving port 806 of the first communication device, configured to receive a second ciphertext sent by the second sending port;
第一解密模块807,配置为解析接收的所述第二密文以提取所述第二密文标题中的第二密钥序号,根据第二密钥生成序号,通过所述第一密钥生成装置生成与所述第二密钥序号对应的第一解密密钥,使用所述第一密钥解密所述第二密文以生成第一解密后明文;A first decryption module 807, configured to parse the received second ciphertext to extract a second key sequence number in a header of the second ciphertext, generate a sequence number according to the second key, and generate the sequence by using the first key The device generates a first decryption key corresponding to the second key serial number, and uses the first key to decrypt the second ciphertext to generate a first decrypted plaintext;
所述第一格式化单元同时将第一解密后明文转换为第一复原数据;The first formatting unit simultaneously converts the first decrypted plaintext into the first restored data;
第一输出端口808,配置为输出所述第一复原数据。The first output port 808 is configured to output the first restoration data.
利用同类型的加密解密装置,目标通讯者通过排他性共享加密数据库信息建立安全连接;发送方通过加密装置有序生成一次性密钥加密文件生成以对应密钥序号为标题的密文,通过常规信道传递;密文接受方根据密文标题获取对应密钥生成序号,生成对应密钥解密密文,实现文件安全传递;通讯者之间可通过密文安全共享不同来源的随机信息,更新排他性共享数据库和相关系统信息,形成一个可演化的开放型密钥生成和安全分发系统。Using the same type of encryption and decryption device, the target correspondent establishes a secure connection by exclusively sharing the encrypted database information; the sender uses the encryption device to sequentially generate a one-time key to encrypt the file to generate a ciphertext with the corresponding key serial number as the title, through the regular channel Pass; the ciphertext receiver obtains the corresponding key generation sequence number according to the ciphertext title, generates the corresponding key to decrypt the ciphertext, and realizes the secure transmission of the file; the correspondent can securely share random information from different sources through the ciphertext and update the exclusive shared database And related system information to form an evolvable open key generation and secure distribution system.
本实施例中,伴随密文的解密线索为通用的序号数字,不包含任何密钥信息,完全避免了密文传递过程中的密钥信息泄露风险,因此,根据本实施例的信息安全传递系统能够实现信息的安全传输。In this embodiment, the decryption clue accompanying the ciphertext is a universal serial number and does not contain any key information, which completely avoids the risk of key information leakage during the ciphertext transmission process. Therefore, the information security transmission system according to this embodiment Enables secure transmission of information.
下面,将描述一些具体应用示例。In the following, some specific application examples will be described.
为结合当前计算机和信息技术建立通用的信息安全系统,本发明所述加密器的格式化单元与调制解调器耦合;密钥采用相同格式的数列,数列元素取值范围采用计算机二进制系统容易处理的数值,例如2、16(兼容计算机常用的十六进制数)、256(一个字节信息)等,并在需要时将数列作为一个以其元素取值范围值为进制的多位数处理,定义所述多位数为数列值。例如我们可将数列127,3,192,8(取值范围0-255,取值范围值256)作为多位数处理后,所对应数列值为127*256 3+3*256 2+192*256+8;同样道理,数列2,13,11,7,9,5(取值范围0-15,取值范围值16)的数列值为2*16 5+13*16 4+11*16 3+7*16 2+9*16+5。实际操作中,仅按照多位数运算规则进行进位处理, 而不必转化为常用进制数值,当然,也不排除将进制转换作为数据非退化性转换的方式用于信息加密和相关应用。通过采用与调制解调器耦合的格式化单元,相同格式的数列作为密钥,实现加密器的数字化。所述格式化单元将所有形式的输入信息通过模数转换生成与密钥格式相同的数列,即格式化明文;将加密器处理过的数字化信息,包括密文和解密后的格式化明文,通过数模转换生成合适形式的输出信息。数字化加密器中所处理的所有信息均为相同格式的数列;加密时,将格式化明文与密钥通过模运算生成密文;解密时,将密文与对应密钥通过模运算的逆过程恢复为格式化明文;加密-解密和整个信息处理过程均可直观地通过计算机实现。 In order to establish a universal information security system in combination with current computers and information technology, the formatting unit of the encryptor according to the present invention is coupled to a modem; the key uses a sequence of the same format, and the value range of the sequence element is a value that is easily processed by a computer binary system. For example, 2, 16 (compatible with hexadecimal numbers commonly used by computers), 256 (one byte of information), etc., and when necessary, treat the sequence as a multi-digit number with its element value range as the base value, and define The multi-digit number is a sequence value. For example, we can treat the sequence 127, 3, 192, 8 (value range 0-255, value range 256) as a multi-digit number, and the corresponding sequence value is 127 * 256 3 + 3 * 256 2 + 192 * 256 + 8; the same reason, the sequence of the sequence of 2, 13, 11, 7, 9, 5 (range 0-15, range 16) is 2 * 16 5 + 13 * 16 4 + 11 * 16 3 + 7 * 16 2 + 9 * 16 + 5. In actual operation, the carry processing is performed only in accordance with the multi-digit arithmetic rules, without having to be converted into a commonly used decimal value. Of course, it is not excluded that the base conversion is used as a non-degenerate data conversion method for information encryption and related applications. By using a formatting unit coupled with a modem and a sequence of the same format as the key, the digitization of the encryptor is realized. The formatting unit converts all forms of input information into analogue key sequences through analog-to-digital conversion, that is, formatting plaintext; digitizing information processed by the encryptor, including ciphertext and decrypted formatted plaintext, by Digital-to-analog conversion generates the appropriate form of output information. All information processed in the digital encryptor is a sequence of the same format; when encrypted, the formatted plaintext and key are generated by modulo operation; when decrypted, the ciphertext and corresponding key are recovered by the inverse process of modulo operation To format plain text; the encryption-decryption and the entire information processing process can be implemented intuitively by computer.
采取加密器数字化后,本发明所要解决的关键问题将变成作为密钥的不可预测数列的可控有序生成。After the digitalization of the encryptor is adopted, the key problem to be solved by the present invention will be the controlled and orderly generation of an unpredictable sequence as a key.
发明人采用组合策略,通过可增殖编码信息概念,发展一个可持续不可预测信息可控有序生成装置的通用设计策略。通过数据库生成编码信息,通过编码跟踪控制信息的生成和转换,实现信息可控有序生成;进一步,通过数据库信息间组合生成次生信息的方式实现数据库信息的传代增殖和不可预测数据库的再生;结合编码信息概念和可增殖信息概念,通过可增殖编码信息概念构建可更新数据库,循环次生数列输出和数据库更新,实现不可预测信息的可控、有序、无限生成。数据库结构和其中的信息形式可不受限制,组合策略提供了一个普遍的可持续不可预测数列可控有序生成策略。组合策略的关键是次生数列生成算法。The inventor adopts a combination strategy and develops a universal design strategy for a sustainable and unpredictable information controllable and ordered generation device through the concept of multiply-encoded information. Generate coded information through the database, and realize the controllable and orderly generation of information through the coding and tracking control information generation and conversion; further, the generation of secondary information through the combination of database information to achieve the generation and proliferation of database information and the regeneration of unpredictable databases; Combining the concept of coded information and the concept of multiplyable information, an updatable database is constructed through the concept of multiplyable coded information, and the secondary sequence output and database update are circulated to achieve the controllable, orderly and infinite generation of unpredictable information. The database structure and the form of information in it can be unlimited, and the combined strategy provides a universal sustainable unpredictable sequence controlled and orderly generation strategy. The key of the combination strategy is the secondary sequence generation algorithm.
发明人首先解决数列生成算法问题。The inventor first solved the problem of the sequence generation algorithm.
信息加密常用的模运算,即将相同格式数列的对应序号元素的值相加、之和除以元素取值范围后取余数,作为新数列对应序号元素,可生成一个确定的与原有数列格式相同的次生数列。通过模运算生成次生数列的算法为不可逆单向算法,即根据原始数列组合可以确定由其生成的次生数列,但根据由所述次生数列无法有效推测原有数列。由于根据每一个所述次生数列中元素推测的原有数列对应元素的可能取值无偏好的分布在数列元素的取值范围内,所述算法是一个数学上严格的不可逆单向算法。发明人在模运算的基础上引入进位,将数列元素值计算中出现的商值作为进位,加入到下个序号元素的计算中,删除末位进位,保持次生数列长度不变。根据前述数列值定义, 进位模运算相当于数列值之间以数列序列空间值为模的模运算,定义为数列加法。由所定义数列加法确定的算法通过所述组合生成次生数列的过程同样具有数学上的严格不可逆算法特征。根据相同数列间的加法,发明人定义数列与自然数的乘法。The common modulo operation of information encryption is to add the values of the corresponding sequence elements in the same format sequence, divide the sum by the value range of the element, and then take the remainder. As the corresponding sequence element of the new sequence, it can generate a certain format that is the same as the original sequence. Secondary sequence. The algorithm for generating the secondary sequence by modulo operation is an irreversible one-way algorithm, that is, the secondary sequence generated by the original sequence can be determined based on the combination of the original sequence, but the original sequence cannot be effectively inferred from the secondary sequence. Since the possible values of the corresponding elements of the original sequence inferred from the elements in each of the secondary sequence are distributed without preference in the range of the sequence elements, the algorithm is a mathematically strict irreversible one-way algorithm. The inventor introduced a carry on the basis of the modulo operation, taking the quotient appearing in the calculation of the sequence element value as a carry, adding it to the calculation of the next sequence element, deleting the carry of the last digit, and keeping the length of the secondary sequence unchanged. According to the definition of the sequence value, the carry modulo operation is equivalent to the modulo operation that takes the sequence sequence space value of the sequence between the sequence values and is defined as the sequence addition. The process of generating a secondary sequence by the algorithm determined by the defined sequence addition also has the mathematically irreversible algorithm characteristics. Based on the addition between the same sequence, the inventor defines the multiplication of the sequence and the natural number.
将上述定义的数列加法和数列乘法用于本发明中次生数列的生成运算。如果数据库中种子数列值之间没有大于1的公约数即互质,且在不断传代增殖过程中不出现过早循环,则理论上可将次生数列的可能数列值扩展到其整个序列空间,数学上可认为能确保通过随机方式从中挑选的次生数列不可预测。The sequence addition and sequence multiplication defined above are used for the generation operation of the secondary sequence in the present invention. If there is no common number greater than 1 between the seed sequence values in the database, that is, coprime, and there is no premature cycle in the process of continuous passage and proliferation, theoretically the possible sequence value of the secondary sequence can be extended to its entire sequence space. Mathematically, it can be considered to ensure that the secondary sequence selected from the random method is unpredictable.
除数值运算,还可采用逻辑或数学上的广义算法。发明人在此定义一种控制模板运算:将一个数列作为模板数列,另一个作为控制数列,将控制数列中序号为n的元素的值m作为序号,从模板数列中提取序号为m的元素,作为新数列序号为n的元素,得到一个次生数列。In addition to numerical operations, logical or mathematical generalized algorithms can also be used. The inventor defines a control template operation here: one sequence is used as the template sequence, the other is used as the control sequence, the value m of the element with the sequence number n in the control sequence is used as the sequence number, and the element with the sequence number m is extracted from the template sequence. As an element of the new sequence number n, a secondary sequence is obtained.
广义算法种类不受限制,例如可将元素值相加后再加上一个确定正数,然后进行开方、对数等运算,得到一个无理数,选取其小数点后约定范围内有效数字组成的数值,通过模运算得到次生数列元素。这些算法的种类和参数将是无限的,且算法之间相互独立,次生数列值和原有数列之间没有可解析的数学和逻辑关系。There are no restrictions on the types of generalized algorithms. For example, you can add element values and then add a positive number, and then perform square root and logarithmic operations to obtain an irrational number. Select the value of a valid number within the agreed range after selecting the decimal point. Elementary sequence elements are obtained by modulo operation. The types and parameters of these algorithms will be infinite, and the algorithms are independent of each other. There is no analytic mathematical and logical relationship between the value of the secondary sequence and the original sequence.
在上述组合策略和次生数列生成算法基础上,发明人通过以下方案,但不限于以下方案构建一个不可预测次生数列生成系统。Based on the above-mentioned combination strategy and the secondary sequence generation algorithm, the inventor constructed an unpredictable secondary sequence generation system through the following schemes, but not limited to the following schemes.
1)构建一个主数据库,包含有限个数、格式相同的未公开随机种子数列,将其从0到N-1编号区分,N为主数据库中种子数列个数;1) Construct a main database that contains a limited number of undisclosed random seed sequences of the same format, and number them from 0 to N-1, where N is the number of seed sequences in the main database;
2)组合m个种子数列生成1个次生数列,采用合适算法,使次生数列和所用的种子数列编号序列一一对应,并将编号序列作为对应次生数列编码;2) Combine the m seed sequences to generate a secondary sequence, and use a suitable algorithm to make the secondary sequence correspond to the seed sequence number sequence used, and encode the number sequence as the corresponding secondary sequence;
3)上述编码方式可生成N m个次生数列,用M字节信息编码,M由256 M=N m确定。 3) The above encoding method can generate N m secondary sequence of numbers, which is encoded with M bytes of information, where M is determined by 256 M = N m .
所述方式生成的每一个次生数列在主数据库保持不可预测情况下对外界观察者不可预测,根据任何单个次生数列不能有效预测数据库信息。但编码包含次生数列生成时所用种子数列组合信息,使次生数列之间通过编码及种子数列相互关联;可根据已公开次生数列的编码组合推导出特定编码的未用 次生数列,或通过解方程组破解整个数据库,从而确定所有给定编码的次生数列。因此,分发时需对外界隐藏次生数列编码信息。Each secondary sequence generated by the method is unpredictable to outside observers when the primary database remains unpredictable, and database information cannot be effectively predicted based on any single secondary sequence. However, the encoding contains the combination information of the seed sequence used in the generation of the secondary sequence, so that the secondary sequence is related to each other through the encoding and the seed sequence; the unused secondary sequence of the specific encoding can be derived based on the encoding combination of the published secondary sequence, or The entire database is solved by solving the system of equations to determine all secondary sequences of a given encoding. Therefore, the secondary sequence encoding information needs to be hidden from the outside world during distribution.
为隐藏次生数列编码信息,发明人构建一个编码数据库,存储一定数量的随机编码并编号区分,通过编号标识对应编码生成的次生数列,掩盖编码信息中展示的次生数列之间的相关性。由于编码信息量可远小于次生数列信息量,可通过少量存储空间存储所需数量的编码。In order to hide the encoding information of the secondary sequence, the inventor constructed a coding database that stores a certain number of random codes and distinguishes them by numbers. The secondary sequence generated by the corresponding code is identified by the number, and the correlation between the secondary sequence displayed in the coding information is masked. . Since the amount of encoded information can be much smaller than that of the secondary sequence, the required number of encodings can be stored in a small amount of storage space.
掩盖编码信息下,根据已用次生数列预测未用次生数列的难度将大大增加。包含N个种子数列的数列生成系统中,需要至少N个同时确定编码和内容的次生数列才能确保通过推导构建完整的次生数列集合,从而将预测未用次生数列变成一个与编码等长的传统密码的暴力破解问题。上述M字节编码下,次生数列的可能数量为256 M,随机选取N个次生数列的理论组合种类为256 N*M,所需信息量为N*M字节。 Under the cover of the coding information, the difficulty of predicting the unused secondary sequence based on the used secondary sequence will be greatly increased. In a sequence generation system that includes N seed sequences, at least N secondary sequences that determine both encoding and content are required to ensure that a complete set of secondary sequences is constructed through derivation, thereby turning the predicted unused secondary sequence into one and encoding, etc. Long traditional password brute force problem. Under the above M-byte encoding, the possible number of secondary sequences is 256 M. The theoretical combination type of randomly selected N secondary sequences is 256 N * M , and the required information amount is N * M bytes.
当预测一个数列所需信息量与数列自身信息量相当时,预测将失去意义,方法学上可认为数列不可预测。因此,设计次生数列生成系统时,发明人使种子数列以及对应次生数列的信息量等于种子数列个数与编码信息量的乘积N*M,并将其作为数据库设计标准。When the amount of information required to predict a sequence is equivalent to the amount of information in the sequence itself, the prediction will be meaningless, and the methodology can be considered to be unpredictable. Therefore, when designing a secondary sequence generation system, the inventor made the information of the seed sequence and the corresponding secondary sequence equal to the product of the number of seed sequences and the amount of encoded information N * M, and used it as a database design standard.
上述设计标准将编码数据库和主数据库格式统一起来。一个与种子数列格式相同的未公开随机数列的元素可顺序分割成与主数据库中种子数列个数相同的随机编码,按顺序编号;所述格式的编码数据库包含主数据库中种子数列整数倍数量的随机编码,由同样格式的未公开随机数列承载,以增加数据库设计的规范性。The above design standards unify the encoding database and the main database format. An element of an undisclosed random number sequence in the same format as the seed sequence can be sequentially divided into random codes with the same number of seed sequences in the main database, numbered sequentially; the encoding database of the format contains an integer multiple of the number of seed sequences in the main database. Random encoding, carried by an undisclosed random sequence of the same format, to increase the standardization of the database design.
利用包含主数据库、编码数据库的次生数列生成数据库,系统从编码数据库中顺序提取随机信息组成的编码,根据编码信息从主数据库中选取对应编号的一组种子数列,通过合适算法生成一个次生数列,通过其生成序号标识,实现次生数列可控有序生成。The database is generated using the secondary sequence that contains the main database and the coding database. The system sequentially extracts codes composed of random information from the coding database. Based on the coding information, a set of seed sequences with corresponding numbers is selected from the main database and a secondary is generated by a suitable algorithm. The sequence number is used to realize the controlled and orderly generation of the secondary sequence number through its generation serial number identification.
上述次生数列在数据库保持不可预测前提下不能被外界有效预测,但由于受编码长度限制,多样性达不到随机性要求。发明人可利用所述数据库的可增殖特性,随机选取次生数列作为下一代种子数列,通过主数据库的传代更新逐步扩展次生数列的取值范围,最终达到其序列空间,从而使通过随机编码生成的次生数列不可预测。The above secondary sequence cannot be effectively predicted by the outside world on the premise that the database remains unpredictable, but due to the limitation of the encoding length, the diversity cannot meet the randomness requirement. The inventor can use the proliferative characteristics of the database to randomly select the secondary sequence as the next-generation seed sequence, and gradually expand the value range of the secondary sequence through the generational update of the main database, and finally reach its sequence space, thereby enabling random coding The resulting secondary sequence is unpredictable.
采取标准数据库设计下,发明人只需将数据库随机传代一次,就可将次生数列的取值范围扩大到对应格式数列的整个序列空间,使通过随机编码有序生成的次生数列符合方法学上的绝对随机性。With the standard database design, the inventor only needs to pass the database randomly once, and then can expand the value range of the secondary sequence to the entire sequence space of the corresponding format sequence, so that the secondary sequence generated by the random coding in order conforms to the methodology Absolute randomness.
为实现数据库自发可控传代,发明人将编码数据库扩充,使其在保留原有用以生成密钥的编码基础上,增加用于数据库更新的编码,所增加的随机编码数量足以生成可供整个数据库更新的次生数列。In order to realize the spontaneous and controllable passage of the database, the inventor expanded the coding database to add the coding used for database update on the basis of retaining the original coding used to generate the key. The increased number of random codes is sufficient to generate the entire database. Updated secondary sequence.
根据设定,系统在生成约定数量的密钥后,从编码数据库有序提取编码,依靠当前主数据库生成次生数列,有序替换主数据库信息,编码数据库信息,实现整个数据库的有序可控再生。According to the setting, after generating the agreed number of keys, the system sequentially extracts the encoding from the encoding database, relies on the current primary database to generate the secondary sequence, replaces the primary database information in an orderly manner, and encodes the database information to achieve an orderly and controllable entire database. regeneration.
在采用相同格式数列的规范化密钥生成装置设计下,发明人可利用种子数列中约定位置与编码等长的片段,例如前端片段,作为工作编码,用于密钥生成;末端与编码等长的片段作为更新用编码,用于数据库更新;编码的编号与其所在种子数列编号一致,取消编码数据库,简化和规范数据库设计。Under the design of a standardized key generation device that uses the same format sequence, the inventor can use fragments of the agreed position and encoding in the seed sequence, such as the front-end fragment, as the working encoding for key generation; the end and encoding are of equal length. The fragment is used as the encoding for updating and is used for database update; the encoding number is the same as the seed sequence number in which it is located. The encoding database is cancelled and the database design is simplified and standardized.
基于上述策略,发明人构建一个可持续不可预测数列可控有序生成系统。通过但不限于以下方式实现:Based on the above strategy, the inventors built a sustainable and unpredictable sequence controllable ordered generation system. This is achieved through, but not limited to:
1)构建一个由相同格式的未公开随机数列组成的主数据库,包含确定数量的种子数列,通过编号相区分;确定次生数列编码格式,取种子数列前端片段构成工作编码,末端片段构成更新用编码,对应编码的编号与其所属种子数列编号一致;1) Construct a master database composed of undisclosed random number sequences of the same format, containing a certain number of seed sequences, distinguished by number; determine the secondary sequence encoding format, take the front-end fragments of the seed sequence to form the working code, and the end fragments to constitute the update Code, the number corresponding to the code is consistent with the number of the seed sequence to which it belongs;
2)顺序提取一个工作编码,根据对应信息选取一组种子数列,通过合适运算,生成一个与编码一一对应的确定的次生数列,用其生成序号标识,工作编码不重复使用;2) a working code is sequentially extracted, a set of seed sequences is selected according to the corresponding information, and a suitable secondary sequence corresponding to the code is generated through a suitable operation, and a serial number identifier is generated using it, and the working code is not reused;
3)工作编码用尽前,系统顺序提取更新用编码,通过当前主数据库生成次生数列,有序替代当前主数据库信息,实现数据库自发再生;3) Before the work code is exhausted, the system sequentially extracts the update code, generates a secondary sequence through the current main database, and sequentially replaces the current main database information to achieve the spontaneous regeneration of the database;
4)数据库再生后,继续有序生成次生数列,通过次生数列生成和数据库自发再生循环实现可持续不可预测数列可控有序生成。4) After the database regeneration, continue to generate the secondary sequence in an orderly manner. Through the secondary sequence generation and the database spontaneous regeneration cycle, a sustainable and unpredictable sequence generation can be achieved.
由于编码长度小于数列长度,编码数据库中出现相同编码的概率大于随机出现相同次生数列的概率;为避免这种情况,程序可对每次生成的编码数据库进行检测,确保不出现相同编码,如果出现只需双方程序约定将相同编码中后出现的编码值加一个确定值,例如1,即可既维持了编码的随机性,又有效避免出现随机概率之上的相同次生数列。Because the encoding length is less than the length of the sequence, the probability of the same encoding appearing in the encoding database is greater than the probability of the same secondary sequence occurring randomly; to avoid this, the program can detect the generated encoding database each time to ensure that the same encoding does not appear. It only needs to be agreed upon by both programs to add a certain value, such as 1, to the code that appears later in the same code, to maintain the randomness of the code and effectively avoid the occurrence of the same secondary sequence above the random probability.
上述方式通过具有确定结构的数据库设计,兼容不同数据格式和对应次生数列生成算法,提供了一个可持续不可预测数列可控有序生成装置的普遍设计框架。上述设计中,每一轮数据库更新期间输出的次生数列信息量不大于主数据库的容量,在保持数据库信息不可预测的前提下,每一轮输出的次生数列对外界观测者不可预测,且自发可控更新后的数据库也对外界观测者不可预测,从而实现可持续不可预测信息可控有序生成。The above method provides a universal design framework of a sustainable and unpredictable sequence controllable and ordered generation device through a database design with a definite structure, compatible with different data formats and corresponding secondary sequence generation algorithms. In the above design, the amount of secondary sequence information output during each round of database update is not greater than the capacity of the main database. Under the premise that the database information is unpredictable, the secondary sequence output from each round is unpredictable to outside observers, and The spontaneously controllable and updated database is also unpredictable to outside observers, thereby achieving a controlled and orderly generation of sustainable unpredictable information.
如果能从理论上严格证明上述方式生成信息的不可预测性,或通过改进或采用特定方式使系统得到完善,将提供一个密钥生成装置的标准设计方案。此方案下,密钥生成系统的理论安全强度将由数据库信息的随机性和数据库容量决定,并最终取决于数据库容量。If the unpredictability of the information generated by the above methods can be proved strictly in theory, or the system can be improved by improving or adopting a specific method, a standard design scheme of the key generation device will be provided. Under this scheme, the theoretical security strength of the key generation system will be determined by the randomness of the database information and the database capacity, and ultimately depends on the database capacity.
上述用于生成密钥和反馈信息的次生数列生成算法选取具有不可逆单向特征的模运算,采用随机编码,并使编码长度、数列长度、主数据库容量,以及每次更新期间输出的次生数列数量符合要求,上述数据库演化成为一个不可逆单向演化过程,即通过初始数据库可精确演化出所有给定代数的子代数据库,但根据子代数据库不能有效探测上代数据库。上述数据库的不可逆单向演化特征使我们可依靠有限容量的不可预测信息,可控有序生成大于数据库容量的满足所需数量的密钥。The above-mentioned secondary sequence generation algorithm for generating keys and feedback information selects a modulo operation with irreversible unidirectional characteristics, uses random encoding, and makes the encoding length, sequence length, main database capacity, and secondary output during each update The number of sequences meets the requirements. The above database evolves into an irreversible one-way evolution process, that is, the initial database can accurately evolve all descendant databases of a given algebra, but the previous generation database cannot be effectively detected based on the descendant database. The irreversible one-way evolution characteristics of the above database allow us to rely on unpredictable information of limited capacity and to controllably and orderly generate more keys than the database capacity.
上述标准密钥生成装置可由数列格式、数据库容量,编码长度三个基本参数确定加密器的基本类型以满足不同应用需求;同时由算法、编码形式、数据库更新方式、密文组织格式和密钥分发形式等多样性参数确定加密器设计的多样性。The above-mentioned standard key generation device can determine the basic type of the encryptor by the three basic parameters of sequence format, database capacity, and encoding length to meet different application requirements; at the same time, the algorithm, encoding form, database update method, cipher text organization format, and key distribution Diversity parameters such as form determine the diversity of the design of the cipher.
本发明同时提供一个高质量随机数据的生成方式。利用上述初始化的未公开随机数据库,随机运行数据库更新,并及时清除上一代数据库,即可构建一个随机数列发生器。程序空闲期间或数据库更新时不定期运行随机次数的数据库更新,以提高系统的随机性。系统长期随机运行下,即使初始数列的随机性不高,也可在不断运行中使生成的数列逐步趋向完全随机。The invention also provides a method for generating high-quality random data. A random number generator can be constructed by using the initialized undisclosed random database, running the database update randomly, and clearing the previous generation database in time. Run the database updates at random times during the program idle period or when the database is updated to improve the randomness of the system. Under long-term random operation of the system, even if the randomness of the initial sequence is not high, the generated sequence can gradually be completely random in the continuous operation.
在尚未从理论上严格证明采用特定方式的次生数列生成系统和分发模式绝对安全时,将不同算法整合在一个系统,可提高系统的复杂程度,增强非法入侵者根据已知次生数列预测新生次生数列和探测数据库的难度。发明人可将上述标准密钥生成装置作为基本框架,同时引入其它不可预测信息生成 方式及其相关元素,构建所需安全要求的密钥生成装置。When it is not theoretically strictly proven that the secondary sequence generation system and distribution mode using specific methods are absolutely safe, integrating different algorithms into one system can increase the complexity of the system and enhance the intruder's prediction of new births based on the known secondary sequence Secondary sequence and difficulty of detecting the database. The inventor can use the above-mentioned standard key generation device as a basic framework, while introducing other unpredictable information generation methods and related elements to construct a key generation device with required security requirements.
下面将构建与标准模式互补的不可预测信息可控有序生成装置。In the following, a controllable and orderly generation device of unpredictable information complementary to the standard model will be constructed.
利用编码信息概念,设计一个数据库,有序存放相同格式的未公开随机数列,根据需求从数据库中顺序提取数列,生成所含信息不可预测、相互独立的无条件安全密钥,构建一个无条件安全密钥可控有序生成装置(基础模式)。Utilize the concept of coded information to design a database to store undisclosed random number sequences in the same format in an orderly manner, and sequentially extract the number sequences from the database according to requirements to generate unconditional and independent unconditional security keys containing information, and build an unconditional security key Controllable ordered generation device (basic mode).
基础模式生成的无条件安全密钥的总信息量与数据库容量相同,将其作为一次性密钥加密相同信息量的文件信息,生成无条件安全密文,通过排他性共享加密数据库建立安全连接,可建立无条件安全的信息交流系统。当前技术条件下,Tb容量的排他性共享加密数据库可满足通讯双方长期的安全信息交流;利用可内置于普通通讯终端的64Gb排他性共享加密数据库,采用每分钟1Mb信息量的高清音质通话或视频通讯,可满足64000分钟的安全交流,结合移动存储技术,可构建一个一定规模的通过当面排他性共享一次性加密数据库的“熟人”间的无条件安全的通讯网络。上述无条件安全信息交流模式的应用范围将随着存储技术的快速发展得到扩展。The total amount of information of the unconditional security key generated by the basic mode is the same as the database capacity. It is used as a one-time key to encrypt the file information of the same amount of information to generate an unconditional secure ciphertext. An exclusive shared encrypted database is used to establish a secure connection to establish an unconditional Safe information exchange system. Under the current technical conditions, the exclusive shared encrypted database with Tb capacity can meet the long-term security information exchange between the two parties in communication; using the 64Gb exclusive shared encrypted database that can be built in ordinary communication terminals, using high-quality audio or video communication with 1Mb information per minute, It can meet the 64000 minutes of secure communication. Combined with mobile storage technology, it can build an unconditionally secure communication network between certain "acquaintances" who exclusively share one-time encrypted databases in person. The application scope of the above-mentioned unconditional secure information exchange mode will be expanded with the rapid development of storage technology.
基础模式密钥可控有序生成装置的基本参数:密钥格式、数据库容量。Basic mode key can control the basic parameters of the orderly generating device: key format, database capacity.
作为一次性密钥加密信息量相同的密文,基础模式所能安全传递的信息量不大于加密数据库容量,为非持续模式。为突破这个限制,发明人将基础模式生成的无条件安全密钥作为一次性密码,加密所需长度的大于密码信息量的信息,增加可安全传递的信息量,使系统产生的一次性密码在维持排他性共享数据库更新的基础上出现盈余,从而使通讯者之间通过盈余密码传递信息,实现可持续的安全信息交流。所述方式等同于通过降低无条件密钥的信息密度,增大可传递信息量,实现可持续信息交流。As a one-time key encrypted ciphertext with the same amount of information, the amount of information that can be safely transmitted in the basic mode is not greater than the capacity of the encrypted database, and is a non-persistent mode. In order to overcome this limitation, the inventors used the unconditional security key generated by the basic mode as a one-time password, encrypting the required length of information larger than the amount of password information, increasing the amount of information that can be safely transmitted, and maintaining the one-time password generated by the system. A surplus appears on the basis of the exclusive shared database update, so that correspondents can pass information through the surplus password to achieve sustainable secure information exchange. The method is equivalent to reducing the information density of the unconditional key, increasing the amount of information that can be transmitted, and achieving sustainable information exchange.
为保持加密方案的统一性,即利用一次性密钥加密与密钥等长的文件信息,发明人将基础模式数据库中的未公开随机数列分割成等长的若干片段作为稀释数列,使稀释数列的个数扩大对应倍数。系统根据需求有序提取稀释数列,将其按一定方式扩展成可由所提取的稀释数列确定与初始数列格式相同的次生数列作为密钥,生成表观信息量大于数据库容量的密钥(稀释模式)。In order to maintain the uniformity of the encryption scheme, that is, to use one-time key encryption to encrypt file information of the same length as the key, the inventor divided the undisclosed random number sequence in the basic pattern database into equal-length fragments as the dilution sequence, so that the dilution sequence The number of expansions corresponds to multiples. The system sequentially extracts the dilution sequence according to the requirements, and expands it in a certain way to determine the secondary sequence with the same format as the initial sequence from the extracted dilution sequence as a key, and generates a key with a larger amount of apparent information than the database capacity (dilution mode) ).
与组合模式相比,稀释模式有序产生的密钥之间信息相互独立,可以通过设定任意长度的稀释数列达到任意密级的安全信息传递,加密系统的安全 性容易控制;其缺点是须牺牲密钥信息密度换取可持续通讯。Compared with the combination mode, the information generated by the orderly generated keys in the dilution mode is independent of each other. You can achieve any level of security by setting a dilution sequence of any length. The security of the encryption system is easy to control; its disadvantage is that it must be sacrificed. Key information density in exchange for sustainable communication.
稀释模式密钥可控有序生成装置的基本参数:密钥格式、数据库容量、稀释倍数;多样性参数:数列分割方式,扩展方式或算法等。The dilution mode key can control the basic parameters of the orderly generation device: key format, database capacity, dilution multiple; diversity parameters: sequence division method, expansion method or algorithm, etc.
编码信息策略外,迭代法也提供了一类独立的可持续密钥可控有序生成方案。可选用数学迭代算法,输入一个多位数,通过运算生成一个有效数字位数多于所输入的多位数位数的生成信息,按照约定规则从生成信息中无重叠地提取有效数字,一部分生成迭代多位数作为下一步输入信息,一部分作为输出数列,通过多位数输入、运算、有效数字提取、数列输出、迭代多位数输入循环,建立一个可持续数列可控有序生成系统。通过不同系统设置,例如初始多位数值、多种独立算法例如乘法运算、开方运算、对数运算等,以及不同有效数字提取规则,并通过将所生成信息的序号数值加入运算中以避免输出信息的周期性重复等方式,增加输出数列的不可预测性,实现可持续不可预测数列的可控有序生成。In addition to the coding information strategy, the iterative method also provides a class of independent sustainable key controllable ordered generation schemes. You can choose a mathematical iterative algorithm, input a multi-digit number, and generate a generation information with more significant digits than the entered multi-digit number through the operation. According to the agreed rules, the significant numbers are extracted from the generated information without overlap, and a part of the iteration is generated. Multi-digit numbers are used as the next input information, and part of them are used as the output sequence. Through the multi-digit input, operation, effective number extraction, sequence output, and iterative multi-digit input cycle, a sustainable sequence-controlled and orderly generation system is established. Through different system settings, such as initial multi-digit value, multiple independent algorithms such as multiplication, square operation, logarithmic operation, etc., and different effective digit extraction rules, and avoid the output by adding the serial number value of the generated information to the operation The periodic repetition of information and other methods increase the unpredictability of the output sequence and achieve a controlled and orderly generation of a sustainable unpredictable sequence.
上述迭代装置在算法确定的情况下,所生成信息的不可预测性由初始多位数值和各种运算控制参数决定。将这些参数用格式化的不可预测数列表示,形成加密数据库信息,作为密钥不可预测性的决定部分,其余部分作为加密器的公共部分,通过以下方式,但不限于以下方式构建一个可与其它系统兼容的可持续不可预测信息可控有序生成装置。When the above iterative device is determined by an algorithm, the unpredictability of the generated information is determined by the initial multi-bit value and various operation control parameters. These parameters are expressed in a formatted unpredictable sequence to form encrypted database information as the determining part of the key's unpredictability, and the rest as the public part of the encryptor. The following methods are used, but not limited to the following methods. System-compatible and orderly generating device for sustainable unpredictable information.
1)确定算法,选择若干种相互独立的算法,每种算法赋予一个确定编号;1) Determine the algorithm, select several independent algorithms, each algorithm is assigned a certain number;
2)参数数据库,由格式相同的未公开随机数列组成,数列中元素顺序组成确定组数的参数信息;每组参数信息依次包括输入数值、算法编号、信息分配参数、动态迭代参数,信息量为输入数值信息量的N倍;设定输出信息量与输入数值信息量相同,通过N个未公开随机数列中的参数信息顺序生成一个次生数列;2) The parameter database is composed of undisclosed random number sequences of the same format. The sequence of elements in the number sequence constitutes parameter information that determines the number of groups. Each group of parameter information includes input values, algorithm numbers, information allocation parameters, and dynamic iteration parameters. The amount of information is N times the amount of input numerical information; set the amount of output information to be the same as the amount of input numerical information, and generate a secondary sequence from the parameter information in the N undisclosed random sequence;
3)信息处理,从参数数据库中顺序提取一组参数信息,将其中的动态迭代参数与输入数值相加后,通过对应编号的算法生成一个生成信息;根据对应的信息分配参数信息,从生成信息中提取输出数列和迭代数值,用迭代数值替换本组参数信息中的输入数值,同时将其中的动态迭代参数值增加1;顺序完成参数数据库信息的提取、运算和更新,将输出数列顺序组合成一条密钥,用其生成序号标识;3) Information processing, sequentially extracting a set of parameter information from the parameter database, adding the dynamic iteration parameters and the input value, and generating a generated information through a corresponding numbered algorithm; assigning parameter information according to the corresponding information, and generating information from Extract the output sequence and iteration value in the parameter, replace the input value in the parameter information with the iteration value, and increase the dynamic iteration parameter value by 1 at the same time; complete the extraction, operation and update of the parameter database information in sequence, and combine the output sequence order into A key, which is used to generate a serial number identifier;
4)重复步骤3),实现密钥的无限制可控有序生成;4) Repeat step 3) to achieve unlimited and controlled and orderly generation of keys;
迭代模式密钥可控有序生成装置的基本参数:密钥格式、数据库容量;多样性参数:输入数值位数、输出数列长度、参数信息组数等;当参数组数为1时,为简单迭代系统。Basic parameters of the iterative mode key controllable and ordered generation device: key format, database capacity; diversity parameters: number of input values, length of output sequence, number of parameter information groups, etc .; when the number of parameter groups is 1, it is simple Iterative system.
在从理论上证明密钥生成和分发方式绝对安全前,可组合不同策略,通过互补弥补单一策略的可能缺陷,构建高安全级别的密钥生成装置。Before theoretically proving that the key generation and distribution methods are absolutely secure, different policies can be combined, and the possible shortcomings of a single policy can be complemented by complementarity to construct a high-security level key generation device.
组合上述不同系统中的元素,通过但不限于以下方式构建一个综合型的可持续密钥可控有序生成系统。By combining the elements in the different systems mentioned above, a comprehensive sustainable key controllable and ordered generation system is constructed by, but not limited to, the following methods.
1)构建一个由相同格式的未公开随机数列组成的数据库,包括:a)主数据库,含有确定数量的数列,通过编号相区分;确定组合编码格式,从种子数列中约定互不交叉的片段分别构成一个工作编码和更新用编码,对应编码的编号与其所属种子数列编号一致;另外元素片段构成一组迭代参数;b)稀释数据库,含有确定数量的数列,将每个数列分割成相等个数的稀释数列,通过编号相区分;1) Construct a database consisting of undisclosed random number sequences of the same format, including: a) the main database, which contains a certain number of sequences, distinguished by number; determine the combined encoding format, and agree non-intersecting fragments from the seed sequence Form a work code and update code, the corresponding code number is the same as the seed sequence number to which it belongs; in addition, the element fragments constitute a set of iteration parameters; b) dilute the database, containing a certain number of sequences, and divide each sequence into equal numbers of Dilution series, distinguished by number;
2)确定不同的算法,包括数列加法和乘法、控制模板算法等用于组合算法,依靠主数据库,有序提取工作编码或更新用编码,有序生成数列用于输出或数据库自发可控更新;一系列通过编号相区分的可用于迭代的算法,有序提取迭代参数,生成输出数列和迭代数列;稀释算法,从稀释数列库中顺序提取稀释数列,通过合适方式将其扩展为与密钥格式相同的数列;2) Determine different algorithms, including sequence addition and multiplication, and control template algorithms for combined algorithms, relying on the main database, orderly extracting work codes or updating codes, and orderly generating sequence numbers for output or spontaneously controlled update of the database; A series of iterable algorithms that can be distinguished by numbering. Iteratively extracts iteration parameters to generate output sequences and iteration sequences. Dilution algorithm, sequentially extracts dilution sequences from the dilution sequence library, and expands them to the key format by appropriate methods. The same sequence
3)生成准密钥,利用数据库,根据设定有序提取信息,通过设定的不同次生数列生成模式生成对应的与密钥格式相同的次生数列,作为准密钥;3) Generate a quasi-key, use the database to extract information according to the set order, and generate a corresponding secondary sequence with the same key format as the quasi-key by using different secondary sequence generation modes.
4)将所述准密钥通过模运算生成一条密钥,并用其生成序号标识;4) Generate a key by the quasi-key through modulo operation, and use it to generate a serial number identifier;
5)主数据库中工作编码用尽前,通过更新用编码,利用当前主数据库信息,通过组合法生成次生数列更新主数据库;主数据库更新后,继续密钥生成;5) Before the working code in the main database is exhausted, update the main database by combining the update code with the current main database information and update the main database by combining the methods; after the main database is updated, continue to generate the key;
6)循环密钥生成及主数据库自发可控更新;在稀释数据库中编号用尽前,通过密文共享新来源的不可预测信息更新稀释数据库信息,或者同时更新整个数据库信息;6) Cyclic key generation and autonomous controllable update of the main database; before the number in the diluted database runs out, update the diluted database information through ciphertext sharing of unpredictable information from new sources, or update the entire database information at the same time;
7)数据库更新后,继续可控有序生成密钥。7) After the database is updated, the keys can be generated in a controlled and orderly manner.
上述系统生成的密钥由于引入稀释数列,具有相互独立的内容,并借助 组合法和迭代法生成的准密钥使其信息密度不致降低,从而可有序生成大于数据库信息量的,具有相互独立内容的可安全分发的密钥。传递信息之余,系统间可通过密文安全共享不可预测信息,定期更新排他性共享数据库,尤其是稀释数列库,实现永续的安全信息交流。Due to the introduction of the dilution series, the keys generated by the above system have independent contents, and the quasi-keys generated by the combination method and the iterative method do not reduce the information density, so that the ones that are larger than the database information amount can be generated in an orderly manner and have independence from each other. A securely distributable key for the content. In addition to transmitting information, the system can safely share unpredictable information through cipher text, and regularly update the exclusive shared database, especially the dilution series database, to achieve sustainable security information exchange.
上述密钥可控有序生成装置通过密文安全共享新来源的不可预测信息变成一个开放系统,增加了数据库可控演化的多样性,可通过不断引入新信息纠正由初始数据库导致的可能系统缺陷。因此,应用中,即使可通过理论证明所采用方案在方法学上绝对可靠,发明人仍建议不断引入新来源的不可预测信息更新数据库,在有效消除系统可能缺陷的同时,避免由于系统长期封闭式运行,使有限容量的初始共享数据库信息成为有价值的暴力破解目标。The above-mentioned key-controllable and orderly generating device securely shares new sources of unpredictable information through ciphertext into an open system, increasing the diversity of the database's controllable evolution, and can continuously introduce new information to correct possible systems caused by the initial database defect. Therefore, in the application, even if the method adopted can be proved to be absolutely reliable in methodology, the inventor still recommends constantly introducing new sources of unpredictable information to update the database, while effectively eliminating possible system defects, and avoiding long-term closed systems. Operation makes the initial shared database information of limited capacity a valuable target for brute force cracking.
综合模式密钥可控有序生成装置的基本参数:密钥格式、主数据库容量、密钥生成模式、稀释数据库容量;多样性参数:算法、稀释数列分割方式、稀释数列扩展算法、数据库更新方式等。Basic parameters of the integrated mode key controllable and orderly generating device: key format, main database capacity, key generation mode, diluted database capacity; diversity parameters: algorithm, dilution sequence division method, dilution sequence expansion algorithm, database update method Wait.
作为一个可普遍适用的标准框架,可通过选择上述综合型密钥生成装置中不同的功能单元,设计不同类型的密钥生成装置。As a generally applicable standard framework, different types of key generation devices can be designed by selecting different functional units in the integrated key generation device described above.
1)标准模式:仅选取主数据库;采用组合算法模块、数列加法和乘法;1) Standard mode: only the main database is selected; combined algorithm modules, sequence addition and multiplication are used;
2)迭代模式:仅选取主数据库,采用迭代算法模块;2) Iterative mode: only the main database is selected, and iterative algorithm modules are used;
3)基础模式(无条件安全模式):仅选取主数据库,算法为直接顺序提取数列;3) Basic mode (unconditional security mode): only the main database is selected, and the algorithm is to directly extract the sequence;
4)稀释模式:仅选取稀释数据库,采用稀释算法模块;4) Dilution mode: only the dilution database is selected, and the dilution algorithm module is used;
5)安全模式:标准模式和稀释模式组合,在此基础上增加算法和其他模式。5) Security mode: a combination of standard mode and dilution mode, on which an algorithm and other modes are added.
将上述数字化的合适类型的密钥可控有序生成装置编写成计算机程序,从加密数据库中有序调取信息生成密钥,采用与调制解调器相耦合的格式化单元将接受的信息转化为与密钥格式匹配的格式化明文,用密钥加密明文生成可发送的密文,解密密文并将解密后明文通过与调制解调器相耦合的格式化单元转换成可输出的解密信息,形成一个加密器。The above-mentioned digitized and suitable type of key controllable and orderly generating device is written into a computer program, and information is sequentially retrieved from an encrypted database to generate a key. The formatted unit coupled to the modem is used to convert the received information into a secret key. The keyed format matches the formatted plaintext. The key is used to encrypt the plaintext to generate a ciphertext that can be sent. The ciphertext is decrypted and the decrypted plaintext is converted into outputtable decryption information through a formatting unit coupled to the modem to form an encryptor.
通过用不可预测信息初始化加密数据库生成专属加密器,实现信息加密-解密;通过公共设置构成的信息安全软件,使目标通讯者之间仅仅通过排他性共享加密数据库信息即可建立安全连接,借助普通信道传递只有目标通讯者之间才能识别的密文,从而建立可通用的满足不同需求的信息安全系统。A dedicated encryptor is generated by initializing the encrypted database with unpredictable information to realize the information encryption-decryption; through the information security software constituted by public settings, the target correspondent can establish a secure connection only by exclusively sharing the encrypted database information, with the help of ordinary channels Passing cipher text that can only be identified between target correspondents, thereby establishing a universal information security system that meets different needs.
上述信息安全系统中,密文承载的信息量接近文件信息量,加密-解密仅在通讯终端完成,并通过将格式化单元与调制解调器耦合实现无延迟信息发送和接受,与当前通讯系统完全兼容。建立安全连接后,软件无须使用者参与即可自动完成包括主数据库自发更新,通过定期交换不可预测信息更新稀释数据库(需要系统连接一个本发明所述随机信息发生器)等系统维护和日常加密-解密工作,同时方便使用者根据需要随时更新排他性共享信息。In the above information security system, the amount of information carried in cipher text is close to the amount of file information. Encryption-decryption is only performed at the communication terminal, and the formatting unit and the modem are coupled to realize the transmission and reception of information without delay, which is completely compatible with the current communication system. After the secure connection is established, the software can automatically complete the system maintenance and daily encryption, including the spontaneous update of the main database, the update of the diluted database by periodically exchanging unpredictable information (requires the system to connect a random information generator according to the present invention), and routine encryption. Decryption work, at the same time convenient for users to update exclusive shared information at any time as needed.
将加密数据库通过不同方式的排他性共享形成配对的加密器,可构建不同的信息安全系统,满足多种需要,包括但不限于文件保存、文件传递、即时通讯、数字身份验证、网络通讯系统等。By encrypting the encrypted database in different ways to form a paired encryptor, different information security systems can be constructed to meet a variety of needs, including but not limited to file preservation, file transfer, instant messaging, digital identity verification, and network communication systems.
下面提供具体应用实施例,说明典型的信息安全系统及其应用,不作为对发明内容的限制。Specific application examples are provided below to describe a typical information security system and its applications, and should not be taken as a limitation on the content of the invention.
1.一个迭代模式的可持续密钥可控有序生成系统。1. An iterative mode of sustainable key controllable ordered generation system.
1)算法,选择16组相互独立的算法:y=x 3、log 2(x)、x 1/3、x 1/2、x 2/3、x 3/4、log 3(x)、x 4/3、x 3/2、x 5/3、x 7/4、log 10(x)、x 7/3、x 5/2、Ln(x)、x 11/4、其中x为输入多位数值,y为计算结果,每种算法从0到15编号区分;上述算法均能够将普通输入多位数转化为有效数字位数扩大2倍以上的可由输入多位数确定的运算结果;设定动态迭代参数,将其与输入多位数相加后运行对应算法,使上述同组算法在不同动态迭代参数的参与下成为独立算法;每次运算后将动态迭代参数值增加1,避免运算结果出现循环; 1) Algorithm, choose 16 groups of independent algorithms: y = x 3 , log 2 (x), x 1/3 , x 1/2 , x 2/3 , x 3/4 , log 3 (x), x 4/3 , x 3/2 , x 5/3 , x 7/4 , log 10 (x), x 7/3 , x 5/2 , Ln (x), x 11/4 , where x is the number of inputs Digit value, y is the calculation result, and each algorithm is numbered from 0 to 15. Each of the above algorithms can convert ordinary input multiple digits into an operation result that can be determined by the input multiple digits and doubles the number of significant digits. Determine the dynamic iteration parameters, add them to the input multi-digit number and run the corresponding algorithm, so that the same group of algorithms becomes independent algorithms with the participation of different dynamic iteration parameters; increase the dynamic iteration parameter value by 1 after each operation to avoid calculation Results in a cycle;
2)信息提取和分配,从运算结果中根据约定规则提取有效数字;首先约定提取区间为2倍输入数字位数,如运算结果有效数字个数有限则提取中间部分,如为无理数取小数点后约定区间连续的有效数字;例如可采取8位十六进制输入数值,选取3次方运算结果的4-19位数字,无理数运算结果的小数点后1到16位有效数字为提取区间,形成元素取值范围和长度均为16的数列;确定2个同样格式的随机数列,一个为提取数列,一个为模板数列;通过提取数列从提取区间依次提取数列值对应位置的有效数字组成一个数列,再与模板数列进行模运算,生成同样格式的数列,其奇数序号位置元素顺序生成迭代数值,偶数序号位置元素顺序生成输出数列;上述提取数列 和模板数列共同构成信息分配参数,其信息量为输出数列信息量的4倍;2) Information extraction and distribution, the effective number is extracted from the operation result according to the agreed rules; first, it is agreed that the extraction interval is 2 times the number of input digits. If the number of effective digits in the operation result is limited, the middle part is extracted. Continuous significant digits in the interval; for example, you can use 8-digit hexadecimal input values, select 4-19 digits of the 3rd power operation result, and 1 to 16 significant digits after the decimal point of the irrational operation result are used to extract the interval. A sequence with a value range and a length of 16; two random number sequences with the same format are determined, one is an extraction sequence, and the other is a template sequence; the significant digits corresponding to the sequence values are sequentially extracted from the extraction interval through the extraction sequence to form a sequence, and then The template sequence is subjected to modulo operation to generate a sequence with the same format. The odd sequence position element sequence generates an iterative value, and the even sequence position element sequence generates an output sequence. The above-mentioned extracted sequence and template sequence together form an information distribution parameter, and the amount of information is the output sequence information. 4 times the amount;
3)数据库,采用4Kb信息量密钥,由8192个取值范围为16的元素组成;参数数据库中包含顺序排列的1024组参数信息;每组参数信息包括一个8位十六进制的初始输入数值(4字节信息量)、一个算法编号(0.5字节)、一组由2个长度和元素取值范围均为16的数列组成的信息分配参数(16字节),一个7位十六进制数值(3.5字节信息量)的动态迭代参数;每组参数24字节信息量,参数数据库容量24Kb,由6个与密钥格式相同的未公开随机数列组成;3) The database uses a 4Kb information key and consists of 8192 elements with a value range of 16. The parameter database contains 1024 sets of parameter information arranged in sequence; each set of parameter information includes an initial 8-digit hexadecimal input Value (4 bytes of information), an algorithm number (0.5 bytes), a group of information allocation parameters (16 bytes) consisting of 2 sequences of length and element value range 16 Dynamic iteration parameters of hexadecimal value (3.5 bytes of information); each group of parameters has 24 bytes of information and the parameter database capacity is 24Kb, which is composed of 6 undisclosed random number sequences with the same key format;
4)密钥生成,从参数数据库中顺序提取一组参数信息,将对应的动态迭代参数与输入数值相加,通过对应编号的算法生成一个运算值,根据对应的信息分配参数从运算数值中提取输出数列和迭代数值,用迭代数值替换本组参数信息中的输入数值,同时将其中的动态迭代参数值增加1;顺序完成1024组参数信息的提取、运算和更新,将输出数列顺序组合成一条密钥,用其生成序号标识;4) Key generation, sequentially extract a set of parameter information from the parameter database, add the corresponding dynamic iteration parameters to the input value, generate an operation value through the corresponding numbered algorithm, and extract the parameter from the operation value according to the corresponding information distribution parameter Output sequence and iteration value, replace the input value in this group of parameter information with iteration value, and increase the dynamic iteration parameter value by 1 at the same time; complete the extraction, operation and update of 1024 groups of parameter information in sequence, and combine the output sequence order into one Key, used to generate serial number identification;
5)重复步骤4),实现密钥的无限制可控有序生成;5) Repeat step 4) to achieve unlimited and controlled and orderly generation of keys;
基本参数:密钥格式、数据库容量;多样性参数:输入数值位数、输出数列长度、算法库、参数组数等;当参数组数为1时,为简单迭代系统。Basic parameters: key format, database capacity; diversity parameters: number of input values, length of output sequence, algorithm library, number of parameter groups, etc .; when the number of parameter groups is 1, it is a simple iterative system.
2.一个标准模式的可持续密钥可控有序生成装置。2. A standard mode sustainable key controllable and ordered generation device.
1)数据库,由256个长度为4096(4K)、元素取值范围为256的未公开随机数列组成,数列元素由1字节信息表示,每个数列信息量4Kb,称为种子数列,从0到255编号,编号占用1字节信息;采用16字节编码,种子数列前端16个元素构成工作编码,末端16个元素构成更新用编码,编码中元素值对应种子数列编号,编码采用与其所属种子数列一致的编号;数据库容量为1Mb;1) The database consists of 256 undisclosed random number sequences with a length of 4096 (4K) and an element value range of 256. The number of elements in the sequence is represented by 1 byte of information. The amount of information in each sequence is 4Kb, which is called the seed sequence. Numbering up to 255, the numbering occupies 1 byte of information; using 16-byte encoding, the first 16 elements of the seed sequence constitute the working code, and the last 16 elements constitute the updating code. The element values in the encoding correspond to the seed sequence number, and the encoding uses the seed to which it belongs. Consistent serial numbers; database capacity is 1Mb;
2)算法,根据编码信息从主数据库中依次提取一组16个种子数列,用0到15编号;将所选种子数列乘以数值2n+1,其中n为种子数列在本组中的对应编号,然后通过数列加法生成次生数列;2) Algorithm, according to the encoding information, extract a set of 16 seed sequences in sequence from the main database and number them from 0 to 15; multiply the selected seed sequence by the value 2n + 1, where n is the corresponding number of the seed sequence in this group , And then generate a secondary sequence by sequence addition;
3)顺序提取工作编码,生成次生数列作为密钥,用生成序号标记,编码不重复使用;3) Sequentially extract the working code, generate the secondary sequence as the key, mark it with the generated serial number, and the code is not reused;
4)239号编码使用后,系统顺序提取更新用编码,依靠当前数据库生256个次生数列,有序替换数据库,自动完成数据库有序再生,然后返回步骤3),每次更新期间生成小于种子数列个数的密钥,使非法探测者无法通过暴力破解方式构建整个可能方程组组合从而通过密钥空间值数量的尝试(本示例中为256 4096)破解主数据库信息(暴力破解主数据库所需尝试次数为256 (4096x256)4) After the No. 239 code is used, the system sequentially extracts the update code, relies on the current database to generate 256 secondary sequence numbers, replaces the database in an orderly manner, automatically completes the orderly regeneration of the database, and then returns to step 3), generating less than the seed during each update. The number of keys in the sequence makes it impossible for an illegal detector to construct a whole combination of possible equations through brute force cracking to crack the main database information (256 4096 in this example). The number of attempts is 256 (4096x256) ;
5)循环3)和4)持续产生密钥。5) Loops 3) and 4) continue to generate keys.
上述系统在随机运行下成为随机数列发生器。通过将数据库更新设定为随机模式,在系统输出间隙随机运行数据库更新,使共享初始数据库的系统在运行一段时间后变得无法同步。系统可通过调整参数产生所需长度的随机数列。系统对初始数据的随机性要求不高,在正确设计和规范使用下,系统将逐渐输出随机性趋向绝对随机的数列。The above system becomes a random number sequence generator under random operation. By setting the database update to random mode, the database update is run randomly during the system output interval, so that the system sharing the initial database becomes unsynchronized after running for a period of time. The system can adjust the parameters to generate a random sequence of the required length. The system does not have high requirements for the randomness of the initial data. Under the correct design and standardized use, the system will gradually output randomness to a sequence that is absolutely random.
基本参数:数列格式、数据库规模、编码长度;多样性参数:算法、数据库再生模式等。Basic parameters: sequence format, database size, encoding length; diversity parameters: algorithm, database regeneration mode, etc.
3.一个完全替换型标准模式的密钥可控有序生成系统。3. A fully replaceable standard mode key controllable and ordered generation system.
1)数据库,包括:主数据库,由65536个长度为4096(4K)、元素取值范围为256的未公开随机数列组成,数列元素由1字节信息表示,每个数列信息量4Kb,称为种子数列,从0到65535编号,编号占用2字节信息;采用4Kb编码,由2048个种子数列生成一个次生数列;编码数据库与主数据库格式相同,包含65536个编码,从0到65535编号;另外一个相同格式的缓冲数据库;数据库容量为768Mb;1) Database, including: the main database, composed of 65,536 undisclosed random numbers with a length of 4096 (4K) and an element value range of 256. The number of elements in the sequence is represented by 1 byte of information, and the amount of information in each sequence is 4Kb. The seed sequence number is numbered from 0 to 65535, and the number occupies 2 bytes of information; using 4Kb encoding, a secondary sequence is generated from 2048 seed sequences; the encoding database has the same format as the main database, and contains 65536 codes, numbered from 0 to 65535; Another buffer database of the same format; the database capacity is 768Mb;
2)算法,根据编码信息从主数据库中依次提取一组2048个种子数列,用0到2047编号;将所选种子数列乘以数值2n+1,其中n为种子数列在本组中的对应编号,然后通过数列加法生成次生数列;2) The algorithm extracts a set of 2048 seed sequences in sequence from the main database based on the encoded information and numbers them from 0 to 2047; multiplies the selected seed sequence by the value 2n + 1, where n is the corresponding number of the seed sequence in this group , And then generate a secondary sequence by sequence addition;
3)从编码数据库中顺序提取编码,生成次生数列1;将主数据中数列作为编码,顺序提取编码,将编码数据库中数列作为种子数列,生成次生数列2,编码不重复使用,将所述2个次生数列的奇数序号的元素组合成一个数列作为密钥,用生成序号标记,偶数序号的元素组合成一个数列,顺序存入缓冲数据库;3) Extract the codes sequentially from the encoding database to generate the secondary sequence 1; use the sequence in the main data as the code, extract the codes sequentially, use the sequence in the encoding database as the seed sequence, and generate the secondary sequence 2. The code is not reused. The elements of the odd sequence numbers of the two secondary sequences are combined into a sequence number as a key, and the generated sequence number is used to mark, and the elements of the even sequence numbers are combined into a number sequence, which are sequentially stored in the buffer database;
4)编码数据库中65535号编码使用后,将编码数据库中信息清空作为缓 冲数据库,将主数据库变为编码数据库,缓冲数据库变为主数据库,自动完成数据库有序再生,然后返回步骤3);4) After the 65535 code in the coding database is used, the information in the coding database is emptied as a buffer database, the main database is changed to the coding database, the buffer database is changed to the main database, and the orderly regeneration of the database is automatically completed, and then returns to step 3);
5)循环3)和4)持续产生密钥。5) Loops 3) and 4) continue to generate keys.
基本参数:数列格式、数据库规模、编码长度;多样性参数:算法、数据库再生模式等。Basic parameters: sequence format, database size, encoding length; diversity parameters: algorithm, database regeneration mode, etc.
4.一个无条件安全模式的密钥可控有序生成系统。4. A controlled and orderly generation system of keys in an unconditional security mode.
1)数据库由1048576(1M)个长度为65536(64K)、元素取值范围为256的未公开随机数列组成,数列元素由1字节信息表示,每个数列信息量64Kb,定义为信息单元,从0到1048575编号,每个编号占用2.5字节信息,数据库容量64Gb;1) The database consists of 1048576 (1M) undisclosed random number sequences with a length of 65536 (64K) and an element value range of 256. The sequence elements are represented by 1 byte of information, and the amount of information in each sequence is 64Kb, which is defined as an information unit. Numbering from 0 to 1048575, each number occupies 2.5 bytes of information, and the database capacity is 64Gb;
2)从数据库中顺序提取一个信息单元作为密钥,用其生成序号或编号标识。2) sequentially extract an information unit from the database as a key, and use it to generate a serial number or number identification.
所生成密钥信息之间相互独立,为无条件安全密钥,一次性使用加密等量文件信息,可生成无条件安全密文,系统可传递的无条件安全的文件信息总量等于数据库容量。The generated key information is independent of each other. It is an unconditional security key. One-time use of encrypted equivalent file information can generate unconditional secure ciphertext. The total amount of unconditionally secure file information that the system can transmit is equal to the database capacity.
基本参数:数列格式、数据库规模。Basic parameters: sequence format, database size.
5.一个稀释模式的密钥可控有序生成系统。5. A controllable and ordered generation system of keys in dilution mode.
1)数据库,数据库由1048576(1M)个长度为65536(64K)、元素取值范围为256的未公开随机数列组成,数列元素由1字节信息表示,每个数列信息量64Kb,定义为种子数列;将每个种子数列顺序分割为16个长度为4096的稀释数列,稀释数列总数共16M个,顺序编号,每个编号占用3字节信息;数据库容量64Gb;1) Database. The database consists of 1048576 (1M) undisclosed random number sequences with a length of 65536 (64K) and an element value range of 256. The number of elements in the sequence is represented by 1 byte of information, and the amount of information in each sequence is 64Kb. It is defined as a seed. Number sequence; each seed sequence is sequentially divided into 16 dilution series with a length of 4096, the total number of dilution series is 16M, and the numbers are sequentially numbered, each number occupies 3 bytes of information; the database capacity is 64Gb;
2)算法,将稀释数列重复排列16次,生成一个64Kb的次生数列,与一个系统中固定的同样格式的未公开随机数列通过模运算,掩盖重复性,生成密钥;2) The algorithm repeatedly arranges the dilution sequence 16 times to generate a 64Kb secondary sequence. It uses modular operation with an undisclosed random number sequence of the same format fixed in a system to cover the repeatability and generate a key;
3)从数据库中顺序提取稀释数列,生成密钥,用其生成序号标识,稀释数列不重复使用;3) Extract the dilution series in sequence from the database, generate the key, use it to generate the serial number identification, and the dilution series is not reused;
所生成密钥信息之间相互独立,信息密度有所降低,一次性使用加密等量文件信息,通过调节稀释数列长度可生成所需密钥强度的密文,系统可安 全传递大于数据库容量的文件信息,从而可通过密文形式更新排他性共享数据库信息的方式,实现可持续安全通讯。The generated key information is independent of each other and the information density is reduced. The same amount of encrypted file information is used at one time. The ciphertext of the required key strength can be generated by adjusting the length of the diluted sequence. The system can safely transfer files larger than the database capacity. Information, so that the way of exclusive shared database information can be updated in cipher text to achieve sustainable and secure communication.
基本参数:数列格式、数据库规模、稀释倍数;多样性参数:稀释数列分割方式,分散算法等。Basic parameters: sequence format, database size, dilution factor; diversity parameters: division method of dilution sequence, dispersion algorithm, etc.
6.一个安全模式的不可预测次生数列有序生成系统。6. An orderly generation system of unpredictable secondary sequence of security mode.
1)数据库,数列格式为长度65536(64K)、元素取值范围4096、信息量96Kb;包括:a)主数据库,含4096个种子数列,从0到4095编号,编号信息量1.5字节;采用24字节组合编码,对应16个种子数列编号,每个种子数列前16个元素形成工作编码,后16个元素形成数据库更新用编码,编号与种子数列保持一致;采用每组24字节迭代参数,由每个种子数列编号16到111的元素顺序组成6组,共24576组迭代参数;b)稀释数据库,含65536个数列,每个数列顺序分割成16个6Kb信息量的稀释数列,数目共1048576(1M),从0到1048575编号。数据库容量约6.4Gb;1) database, the format of the sequence is 65536 (64K), the element value range is 4096, and the amount of information is 96Kb; including: a) the main database, which contains 4096 seed sequences, numbered from 0 to 4095, and the number of information is 1.5 bytes; 24-byte combination coding, corresponding to 16 seed sequence numbers, the first 16 elements of each seed sequence form the working code, and the last 16 elements form the database update code, the number is consistent with the seed sequence; each group of 24 byte iteration parameters is used 6 elements are composed of 16 to 111 elements of each seed sequence, a total of 24,576 sets of iteration parameters; b) a dilution database containing 65536 sequences, each sequence is sequentially divided into 16 6Kb information-rich dilution sequences, the total number of which is 1048576 (1M), numbered from 0 to 1048575. Database capacity is about 6.4Gb;
2)定义一种控制模板算法,由控制数列和模板数列参与运算,以控制数列n号元素的值m为序号,提取模板数列m号元素,作为新生数列n号的元素,生成一个与模板数列格式相同的新生数列;2) Define a control template algorithm. The control sequence and the template sequence are involved in the operation. The value m of the n element in the control sequence is used as the sequence number. The m element in the template sequence is extracted and used as the element n in the new sequence to generate a template sequence. Freshman sequence of the same format;
3)定义组合准密钥生成算法。由16个种子数列生成1个准密钥;根据编码信息从主数据库中依次提取一组4个种子数列,将第一个数列乘以常数15后与第二个数列相加生成一个模板数列;将第三和第四个数列中相同序号的元素各取1字节信息顺序组合成一个元素,生成一个数列长度和元素取值范围均为65536的控制数列;上述数列通过控制模板运算生成一个临时数列;用同样方式从1个编码中生成4个临时数列,循环上述过程,最终生成1个组合准密钥;3) Define the combined quasi-key generation algorithm. Generate a quasi-key from 16 seed sequences; extract a set of 4 seed sequences from the main database in sequence according to the encoded information, multiply the first sequence by a constant 15 and add it to the second sequence to generate a template sequence; Combine the elements of the same sequence number in the third and fourth sequence with 1 byte each in order to form an element to generate a control sequence with a sequence length and element value range of 65536; the above sequence generates a temporary through the control template operation Sequence; generate 4 temporary sequence from 1 encoding in the same way, cycle through the above process, and finally generate a combined quasi-key;
4)迭代算法库,选择16组相互独立的算法:y=x 3、log 2(x)、x 1/3、x 1/2、x 2/3、x 3/4、log 3(x)、x 4/3、x 3/2、x 5/3、x 7/4、log 10(x)、x 7/3、x 5/2、x 8/3、x 11/4、其中x为输入值,y为计算结果,每种算法赋予一个0到15的确定编号; 4) Iterative algorithm library, select 16 groups of independent algorithms: y = x 3 , log 2 (x), x 1/3 , x 1/2 , x 2/3 , x 3/4 , log 3 (x) , X 4/3 , x 3/2 , x 5/3 , x 7/4 , log 10 (x), x 7/3 , x 5/2 , x 8/3 , x 11/4 , where x is Enter the value, y is the calculation result, each algorithm is assigned a certain number from 0 to 15;
5)迭代参数,每组参数包括一个8位十六进制的初始输入数值(4字节信息量)、一个算法编号(0.5字节)、一组由2个长度和元素取 值范围均为16的数列组成的信息分配参数(16字节),一个7位十六进制数值(3.5字节信息量)的动态迭代参数;参数信息量24字节,每次迭代输出4字节信息;5) Iteration parameters, each group of parameters includes an 8-digit hexadecimal initial input value (4 bytes of information), an algorithm number (0.5 bytes), and a group of 2 length and element values. A 16-number sequence of information distribution parameters (16 bytes), a 7-digit hexadecimal value (3.5 bytes of information) of a dynamic iteration parameter; the parameter information amount of 24 bytes, each iteration outputs 4 bytes of information;
6)迭代准密钥生成,提取一组迭代参数,将对应动态迭代参数与输入数值相加,通过对应编号算法生成一个运算值;选取3次方运算的4-19位数字,无理数运算中的小数点后1到16位有效数字为提取区间,形成一个数列;根据信息分配参数中的提取数列从提取区间依次提取元素值对应位置的有效数字组成数列,再与其中模板数列进行模运算,生成一个同样格式的数列,其前半部分元素生成一个迭代数值替换本组参数信息中的输入数值,同时将其中的动态迭代参数值增加1,后半部分作为输出数列;顺序完成24576组迭代参数提取、运算和更新,输出数列顺序组合成一条迭代准密钥;6) Iterative quasi-key generation, extract a set of iteration parameters, add the corresponding dynamic iteration parameters to the input value, and generate an operation value through the corresponding numbering algorithm; select 4-19 digits of the third power operation, the 1 to 16 significant digits after the decimal point are the extraction interval to form a sequence; according to the extraction sequence in the information distribution parameter, the significant sequence corresponding to the element value is sequentially extracted from the extraction interval to form a sequence, and then a modular operation is performed with the template sequence to generate a sequence. For the sequence of the same format, the first half of the elements generates an iterative value to replace the input value in the parameter information of the group, and the dynamic iteration parameter value is increased by 1, and the second half is used as the output sequence; 24576 groups of iteration parameter extraction and calculation are completed in order. And update, the output sequence is combined into an iterative quasi-key;
7)密钥生成,系统有序提取工作编码生成组合准密钥,编码不重复使用;有序提取稀释数列,将其重复排列16次扩展为1个长度为65536的稀释准密钥,稀释数列不重复使用;有序生成迭代准密钥;将上述3个准密钥通过模运算,生成一条密钥,用其生成序号标识;7) Key generation, the system sequentially extracts the working code to generate a combined quasi-key, and the code is not reused; the diluted sequence is sequentially extracted, and it is repeatedly arranged 16 times to expand into a diluted quasi-key of 65536 in length and the diluted sequence Do not reuse; orderly generate iterative quasi-keys; use the modulo operation on the above 3 quasi-keys to generate a key, and use it to generate a serial number identifier;
8)4095号工作编码使用后,系统开始顺序提取数据库更新用编码,通过当前主数据库生成4096个次生数列,有序替换原有主数据库,自发完成主数据库更新;8) After the working code No. 4095 is used, the system starts to sequentially extract the database update code, generate 4096 secondary sequence numbers from the current main database, replace the original main database in an orderly manner, and complete the main database update spontaneously;
9)完成主数据库更新后,系统继续生成次生数列,直到稀释数据库中编号用尽,整个过程中主数据库自发更新255次。9) After the update of the main database is completed, the system continues to generate the secondary sequence until the number in the diluted database is exhausted, and the main database is automatically updated 255 times throughout the process.
上述系统中稀释数据库为一次性数据库,可生成一次性密钥的数量为1M个,可安全交换96Gb密文信息,大于数据库中约6.4Gb信息量。通讯双方通过密文安全交换6.4Gb新来源的未公开随机数列维护共享数据库更新,剩余部分用于安全交换文件信息,实现可持续安全信息交流。系统可在运行中,根据设定自动交换数据库更新信息实现系统自我维护。The dilution database in the above system is a one-time database, and the number of one-time keys that can be generated is 1M, which can securely exchange 96Gb ciphertext information, which is greater than the amount of about 6.4Gb information in the database. The communicating parties securely exchange the shared database updates through the undisclosed random sequence of 6.4Gb new sources in cipher text, and the remaining part is used to securely exchange file information to achieve sustainable and secure information exchange. During operation, the system can automatically exchange database update information according to settings to achieve system self-maintenance.
基本参数:数列格式、主数据库规模、稀释数据库规模;多样化参数:密钥生成方式、稀释倍数、算法、数据库更新方式等。Basic parameters: sequence format, main database size, diluted database size; diversified parameters: key generation method, dilution factor, algorithm, database update method, etc.
7.一个信息安全软件和加密器设计示例7. An Information Security Software and Encryptor Design Example
根据应用实施例1-6中数字化的密钥可控有序生成装置设计方案,用生 成的密钥作为一次性密钥加密文件生成密文,并用相反的过程解密密文,将各种要素组织起来,生成一个计算机程序,以便在计算机控制下自发完成密钥生成、信息加密-解密、传递和系统维护,实现连续、自动化的信息安全传递,成为一个信息安全软件;将信息安全软件根据参数进行个性化设计,并根据设计输入不可预测信息初始化数据库,类似于前面描述的图7中结构,设计一个专属加密器;包含以下关键单元:According to the digital key controllable and orderly generating device design scheme in Application Examples 1-6, the generated key is used as a one-time key to encrypt the file to generate the ciphertext, and the reverse process is used to decrypt the ciphertext to organize various elements Together, a computer program is generated to complete key generation, information encryption-decryption, transfer, and system maintenance spontaneously under the control of the computer, to achieve continuous and automated information security transfer, and to become an information security software; Personalize the design and initialize the database based on the input of unpredictable information, similar to the structure shown in Figure 7 above, and design an exclusive encryptor; it includes the following key units:
1)算法库,包括各种次生数列生成算法、密钥生成方法,加密算法等,将各种算法有序排列形成算法库,供程序调取;作为可选项,一个随机数列生成程序,用于生成新来源的随机信息用于加密数据库的初始化或更新;1) Algorithm library, including various secondary sequence generation algorithms, key generation methods, encryption algorithms, etc., arrange the algorithms in order to form an algorithm library for the program to retrieve; as an option, a random number sequence generation program, using Generate random information from new sources for initialization or update of the encrypted database;
2)控制单元,规划加密数据库结构,连接算法库和数据库,通过序列控制模块,根据需求可控有序生成一次性密钥,自动完成加密-解密及系统维护更新,形成一个黑箱式系统,使使用者仅靠若干指令和按钮完成程序初始化和自动安全信息传递;2) The control unit plans the structure of the encrypted database, connects the algorithm database and the database, and generates a one-time key in a controlled and orderly manner through the sequence control module. It automatically completes encryption-decryption and system maintenance updates to form a black box system. Users rely on only a few instructions and buttons to complete program initialization and automatic safety information transmission;
3)用户界面,通过选择模块提示用户选择密钥生成装置类型,可选类型包括上述标准模式、迭代模式、无条件安全模式、稀释模式、安全模式等,并可开发新的装置类型;针对所选密钥生成装置类型,提示用户设置密钥格式和主数据库规模等基本参数,以及其它多样性参数;根据所选参数通过计算机规划数据库,提示输入信息,构建对应结构和规模的数据库,完成数据初始化或更新;3) The user interface, which prompts the user to select the key generation device type through the selection module. The optional types include the above-mentioned standard mode, iterative mode, unconditional security mode, dilution mode, security mode, etc., and new device types can be developed; Type of key generation device, prompting the user to set basic parameters such as key format and main database size, as well as other diversity parameters; according to the selected parameters, the computer plans the database, prompts for input information, builds a database of corresponding structure and size, and completes data initialization Or update
上述软件系统结合格式化单元、输入输出单元构成加密器的公共部分;根据具体需求,通过用户界面设置软件参数,计算机根据参数设置提示用户输入专属的不可预测信息完成数据库初始化或更新,生成类似前面描述的图7中所示结构的专属加密器;The above software system combines the formatting unit and the input and output unit to form the public part of the encryptor. According to specific requirements, the software parameters are set through the user interface, and the computer prompts the user to enter exclusive unpredictable information to complete the database initialization or update according to the parameter settings. Describe the exclusive encryptor of the structure shown in Figure 7;
基本参数:密钥生成装置类型、数列格式、主数据库规模、稀释数据库规模;多样化参数:密钥生成方式、稀释倍数、算法、密文组织方式、控制流程、数据库更新方式、密钥分发方式等。Basic parameters: key generation device type, sequence format, main database size, diluted database size; diversified parameters: key generation method, dilution multiple, algorithm, cipher text organization method, control process, database update method, key distribution method Wait.
利用上述软件和加密器,通过合适参数设置,构建下列典型信息安全系统。With the above software and encryptor, and through appropriate parameter settings, the following typical information security systems are constructed.
8.一个数据安全存储系统。8. A data security storage system.
数据安全存储系统的关键是密钥的长期可追溯性。系统保留初始加密数据库或所涉及的最前代更新数据库,作为系统同步和推演的起点;将密钥生成序号除以每次数据库更新期间的密钥生成个数,由商值确定数据库更新次数,通过计算机推演出对应数据库,由余数确定对应工作编码编号,提取对应编号的随机编码生成对应序号密钥。The key to a secure data storage system is the long-term traceability of the key. The system retains the initial encrypted database or the foremost updated database involved as the starting point for system synchronization and deduction; divides the key generation number by the number of key generations during each database update, and determines the number of database updates by the quotient. The computer derives the corresponding database, determines the corresponding work code number from the remainder, and extracts the random code of the corresponding number to generate the corresponding serial key.
软件参数:标准模式;20Kb密钥,元素取值范围1024;20Mb主数据库,1024个种子数列;16个种子数列生成一个次生数列,20字节编码。Software parameters: standard mode; 20Kb key, element value range 1024; 20Mb main database, 1024 seed sequences; 16 seed sequences generate a secondary sequence, 20-byte encoding.
例如可设定计算机将数据库更新推演的最大次数为256次,当前常规个人电脑的内存和运算能力可在合理时间内完成上述计算,则在数据库备份期间可同时保存5Gb的加密文件;将间隔256代的更新数据库备份并标注代数以提高推演效率,则可同时保存的加密文件信息为加密器数据库信息的256倍;在计算时间容许的情况下,上述可同时保存的密文信息容量将不受限制。For example, the maximum number of times that the computer can update the database can be set to 256 times. The current conventional personal computer's memory and computing power can complete the above calculations within a reasonable time. Then, 5Gb encrypted files can be saved during the database backup; the interval is 256. Update the database backup of the generation and label the algebra to improve the deduction efficiency. The encrypted file information that can be saved at the same time is 256 times the information of the encryptor database. When the calculation time allows, the capacity of the ciphertext information that can be saved at the same time will not be affected. limit.
加密方式简单直接,顺序生成密钥、加密格式化信息生成主密文、将密钥生成序号作为标题与主密文组成密文,通过公共存储设备安全存储;利用相同的加密数据库根据密文标题生成相同密钥,解密文件。The encryption method is simple and straightforward. Generate the key sequentially, encrypt the formatted information to generate the main ciphertext, use the key generation serial number as the title and the main ciphertext to form the ciphertext, and store it securely through the public storage device; use the same encryption database according to the ciphertext title Generate the same key and decrypt the file.
通过信息安全存储系统,可充分利用多种存储系统,包括互联网存储平台,将文件以密文形式进行安全备份,根据需要存取。Through the information security storage system, you can make full use of a variety of storage systems, including Internet storage platforms, to securely back up files in cipher text and access them as needed.
9.一个情报安全传递系统。9. An information security transmission system.
情报安全传递的关键是密钥信息不泄露,最安全的方式是密文发出后密钥除了目标接收者其它主体均不可追溯,包括密文发送者本人。The key to the safe transmission of intelligence is that the key information is not leaked. The most secure way is that after the ciphertext is sent, the key is not traceable except for the target receiver, including the ciphertext sender himself.
软件参数:标准模式;80Kb密钥,元素取值范围1024;80Mb主数据库,含1024个种子数列;64个种子数列生成一个次生数列,80字节编码。Software parameters: standard mode; 80Kb key, element value range 1024; 80Mb main database, containing 1024 seed sequences; 64 seed sequences generate a secondary sequence, 80-byte encoding.
文件所有者依次生成密钥,加密文件,组织密文,删除所用编码,发送密文;目标密文接收者安全获取文件信息后删除对应编码,通知发送方;确保数据库同步的情况下,通讯双方及时更新数据库信息并擦除不相关信息,确保加密过程的历史记录无法追溯。The file owner generates a key in order, encrypts the file, organizes the ciphertext, deletes the encoding used, and sends the ciphertext; the target ciphertext receiver securely obtains the file information, deletes the corresponding encoding, and notifies the sender; if the database is synchronized, the two parties in the communication Update database information and erase irrelevant information in time to ensure that the history of the encryption process cannot be traced.
采用80字节的长编码可确保即使整个加密系统被劫持后,根据已有信息非授权者也无法在合理时间内通过暴力破解(尝试次数为256 80)还原密钥。 The 80-byte long encoding can ensure that even after the entire encryption system is hijacked, unauthorized persons cannot recover the key by brute-force cracking (the number of attempts is 256 80 ) within a reasonable time based on the existing information.
10.一个实时安全通讯系统。10. A real-time secure communication system.
实时通讯的关键是加密-解密过程快速,确保排他性共享数据库可同步基础上对密钥的可追溯性无特别要求,采用较短密钥和编码,较小规模数据库。The key to real-time communication is the fast encryption-decryption process, which ensures that the exclusive shared database can be synchronized without requiring special traceability of the key. Shorter keys and codes are used, and smaller-scale databases are used.
软件参数:标准模式;2Kb密钥,元素取值范围256;512Kb主数据库,256个种子数列;8个种子数列生成一个次生数列,8字节编码。Software parameters: standard mode; 2Kb key, element value range 256; 512Kb main database, 256 seed sequences; 8 seed sequences generate a secondary sequence, 8-byte encoding.
上述规模的数据库可方便植入常用通讯设备中。通讯者通过面对面排他性共享加密数据库,作为通讯录中联系人的附加信息,即可通过加密软件实现安全通讯。A database of the above-mentioned size can be easily inserted into commonly used communication equipment. Correspondents can share encrypted databases face-to-face exclusively, as additional information of contacts in the address book, to achieve secure communication through encrypted software.
实时通讯要求应用软件能迅速将数字化的文字、音像等多媒体信息快速、连续、自动加密-解密,例如每秒处理32条2Kb密文可保证较高质量的多媒体实时通讯。实时通讯加密器中,将与格式化单元耦合的调制解调器与通讯终端设备的多媒体数字化信号转换模块嵌合,作为通讯终端设备的标准配置,实现技术上无延迟的即时安全通讯。Real-time communication requires application software to quickly and continuously encrypt and decrypt digital multimedia information such as text, audio and video. For example, processing 32 2Kb ciphertext per second can ensure high-quality multimedia real-time communication. In the real-time communication encryptor, a modem coupled with a formatting unit is integrated with a multimedia digital signal conversion module of a communication terminal device, as a standard configuration of the communication terminal device, and realizes technically instantaneous and secure communication without delay.
通讯录成员间将安全通讯作为的默认通讯模式,在拨通电话的同时,通讯设备自动连接到对应的加密数据库,实现实时加密通讯。通讯者可在见面时定期安全更新排他性共享数据库,增强安全感。根据当前可携带通讯设备存储配置,每个通讯设备上可设置成千上万个安全通讯伙伴,可认为安全通讯伙伴数目不受限制。Address book members use secure communication as the default communication mode. When a call is made, the communication device automatically connects to the corresponding encrypted database to achieve real-time encrypted communication. Correspondents can regularly and securely update the exclusive shared database when they meet to enhance their sense of security. According to the current portable communication device storage configuration, there can be thousands of secure communication partners on each communication device, and the number of secure communication partners can be considered unlimited.
11.一种数字签名和信息完整性验证系统。11. A digital signature and information integrity verification system.
通过排他性共享加密数据库建立安全连接的通讯主体之间同时建立了不可否认的直接身份验证关系。如果通讯主体拥有不同的排他性安全通讯伙伴,将形成一个网络,通讯主体依靠网络节点,即共同认识的“熟人”作为担保,可建立间接的身份验证关系。The communication principals who establish a secure connection through an exclusive shared encrypted database also establish an undeniable direct authentication relationship. If the communication subject has different exclusive and secure communication partners, a network will be formed. The communication subject relies on network nodes, that is, "acquaintances" who know each other as a guarantee, to establish an indirect identity verification relationship.
根据“熟人”概念,可通过一个公众认可从而具有法律或管理权限的公共“熟人”,即认证中心,作为担保中介,建立具有法律效力的数字身份验证系统。According to the concept of "acquaintance", a public "acquaintance" recognized by the public and having legal or administrative authority, that is, a certification center, can act as a guarantee intermediary to establish a legally valid digital identity verification system.
1)设立一个公众认可并且具有法律或管理权限的数字身份认证中心;1) Establish a digital identity authentication center that is publicly recognized and has legal or administrative authority;
2)软件参数:标准模式;1Kb密钥,元素取值范围256;256Kb主数据库,256个种子数列;4个种子数列生成一个次生数列,4字节编码;数字签名密钥空间256 10242) Software parameters: standard mode; 1Kb key, element value range 256; 256Kb main database, 256 seed sequences; 4 seed sequences generate a secondary sequence, 4 byte encoding; digital signature key space 256 1024 ;
3)个人通过与数字身份验证机构排他性共享数字签名数据库成为注册 用户,获取身份识别号。全球80亿注册用户共需2048Tb存储;3) An individual becomes a registered user by exclusively sharing a digital signature database with a digital identity verification agency to obtain an identity identification number. A total of 8 billion registered users worldwide need 2048Tb of storage;
4)将整个数字化文件信息作为一个数字,即对应数列值;文件发送者利用自己的注册数据库信息生成签名密钥,将对应数列值乘2加1,即在二进制数的首尾两端均加上一个1,作为除数,除以文件数列值,然后取余数,生成一个数列作为签名;签名信息可以多媒体印签,如二维码、音频和视频噪声等形式展示在对应的实体文件中,印签旁边同时标注本次签名密钥序号、发送者姓名、认证中心名称、本人识别号、日期等信息,供查询确认;标注信息可采用打印文字、机器声音等标准实体展示,同时附上发送者的书写、录音或视频签名等,与多媒体印签共同组成实体签名;4) Use the entire digitized file information as a number, that is, the corresponding sequence value; the sender of the file uses his registration database information to generate a signature key, and multiply the corresponding sequence value by 2 and 1 to add the two ends of the binary number. A 1, as a divisor, divided by the file sequence value, and then taking the remainder to generate a sequence as a signature; the signature information can be displayed in the corresponding physical document in the form of a multimedia signature such as two-dimensional code, audio and video noise, and the signature Information such as the serial number of the signing key, the name of the sender, the name of the certification center, the personal identification number, and the date are also marked for query confirmation; the marked information can be displayed using standard entities such as printed text and machine sounds, and the sender's Writing, recording or video signature, etc., together with the multimedia signature, form a physical signature;
5)验证者将标注信息发往认证中心,认证中心连接签名者数据库,生成对应签名密钥发送给验证者;验证者根据密钥,采用相同规则生成数字签名信息,与对应签名信息比较,确定信息来源的合法性和数据完整性;5) The verifier sends the marked information to the certification center. The certification center connects to the signer database to generate the corresponding signature key and sends it to the verifier. The verifier uses the same rules to generate digital signature information, compares it with the corresponding signature information, and determines The legitimacy and data integrity of the information source;
6)约定最大数据库推演次数,例如256次推演可使注册用户保持65536个待验证数字签名,确保系统同步基础上定期自发更新共享数据库。6) Agree on the maximum number of database deductions. For example, 256 deductions will allow registered users to maintain 65536 digital signatures to be verified, and ensure that the shared database is updated on a regular basis on a synchronized basis.
上述数字身份验证系统中,文件所有者同时提供签名信息和标注信息(签名密钥生成序号),由文件接受者决定是否验证信息合法来源,形成一个文件接受者主导的不对称数字签名系统;文件所有者可选择将签名密钥作为密码加密文件信息,文件接受者根据标注信息向认证中心获取签名密钥解密对应文件,然后验证数字签名,形成一个发送和接受双方均可追溯的对称数字签名系统。In the above digital identity verification system, the file owner provides both signature information and label information (signing key generation sequence number), and the recipient of the file decides whether to verify the legal source of the information, forming an asymmetric digital signature system dominated by the recipient of the file; The owner can choose to use the signing key as a password to encrypt the file information. The recipient of the file obtains the signing key from the certification center to decrypt the corresponding file according to the marked information, and then verifies the digital signature to form a symmetrical digital signature system that can be traced by both sending and receiving parties. .
12.一个全球安全通讯系统。12. A global security communications system.
利用数字签名系统中的点对点信息传递功能,注册者可以认证中心为媒介排他性安全共享加密数据库信息,建立安全通讯连接,实现非“熟人”注册会员间的安全通讯;Using the peer-to-peer information transfer function in the digital signature system, the registrant can share the encrypted database information exclusively and securely with the certification center as a medium, establish a secure communication connection, and realize secure communication between non- "acquaintance" registered members;
软件参数:标准模式;2Kb密钥,元素取值范围256;512Kb主数据库,256个种子数列;8个种子数列生成一个次生数列,8字节编码。Software parameters: standard mode; 2Kb key, element value range 256; 512Kb main database, 256 seed sequences; 8 seed sequences generate a secondary sequence, 8-byte encoding.
通讯主体通过唯一识别号,类似手机号,与通讯控制中心排他性共享加密数据库完成注册,成为注册用户。4096Tb存储量可满足全球80亿用户需 要。The communication subject completes registration through a unique identification number, similar to a mobile phone number, and exclusively shares an encrypted database with the communication control center, becoming a registered user. 4096Tb storage can meet the needs of 8 billion users worldwide.
注册用户向通讯控制中心提出申请,通讯控制中心生成所需共享加密数据库信息,通过申请方各自与控制中心共享的加密数据库加密后,以密文形式分别传送给申请者,实现加密数据库在申请者之间排他性共享,建立安全通讯连接。通讯控制中心仅担负转接任务,每次转接承担的信息传递载荷仅512Kb,相当于数秒通话量,大大减少通讯控制中心的工作负荷。整个过程中,通讯各方均不接触对方加密数据库;在通讯控制中心和转接过程中不发生信息泄密的情况下,通讯各方的加密数据库保持安全。Registered users apply to the communication control center. The communication control center generates the required shared encrypted database information, which is encrypted with the encrypted database shared by the applicant and the control center, and then transmitted to the applicant in cipher text to realize the encrypted database in the applicant. Exclusive sharing between them, establishing a secure communication connection. The communication control center is only responsible for the transfer task, and the information transfer load carried by each transfer is only 512Kb, which is equivalent to a few seconds of call volume, which greatly reduces the workload of the communication control center. During the whole process, all parties to the communication do not contact the encrypted database of the other party; the encrypted database of the parties to the communication remains secure in the absence of information leakage during the communication control center and transfer process.
安全通讯后,一对一通讯双方可约定保留本次共享信息,成为“熟人”,此后不必再经转接可直接进行安全通讯。After the secure communication, the two parties of one-to-one communication can agree to retain the shared information and become "acquaintances". After that, they can directly conduct secure communication without transferring.
13.一个网络身份验证系统。13. A network authentication system.
将数字身份验证系统或全球网络通讯系统的中心控制结构变为枝状结构,可有效分散控制机构的信息转接工作量,以便通过分支控制机构和注册用户之间进行直接安全信息交流,建立一个可对所有入网信息进行有效追溯的全覆盖的网络身份验证系统。Changing the central control structure of the digital identity verification system or global network communication system into a branched structure can effectively decentralize the information transfer workload of the control agency in order to establish a secure communication directly between the branch control agency and registered users A full-coverage network identity verification system that effectively traces all incoming information.
软件参数:标准模式;1Kb密钥,元素取值范围256;256Kb主数据库,256个种子数列;4个种子数列生成一个次生数列,4字节编码。Software parameters: standard mode; 1Kb key, element value range 256; 256Kb main database, 256 seed sequences; 4 seed sequences generate a secondary sequence, 4 bytes encoding.
利用现有的网络枝状结构,通讯主体将上述加密数据库与就近的网络管理机构(网管)共享,获取身份识别号,成为注册用户;当前网管将共享信息备份到注册用户所属各分支网管,直至全球网管中心。上述包含注册加密数据库的加密器将成为注册用户的上网通行证,可将其内置于网卡中,作为调制解调器的标准插件。Using the existing network branch structure, the communication subject shares the encrypted database with the nearest network management organization (network management), obtains the identification number, and becomes a registered user; the current network management backs up the shared information to the branch network management to which the registered user belongs, until Global Network Management Center. The above-mentioned encryptor including the registered encrypted database will become an Internet pass for registered users, which can be built into the network card as a standard plug-in for the modem.
发送者通过网卡顺序生成密钥将信息以1Kb一组加密,将密钥生成序号作为副标题,3字节副标题可同时保留16M个密钥,缓存16Gb信息;将5字节发送者身份识别号作为标题,生成一条稍大于1Kb的信息包。末端网管根据信息包标题和副标题,连接发送者加密数据库,调取对应密钥,将普通信息直接解密(解密后信息可为密文),将副标题换成末端网管识别号,转变为合法信息予以放行。合法信息的标题行包含发送人和末端网管识别号,使信息来源可以追溯;非法信息经上述转化变成乱码。如果信息包标记为挂号,末端网管将信息验证后用自己的加密器重新加密,加上发送者及各级网管标 识号,逐级验证、重新加密、放行,直到接受者的末端网管,用接受者的网卡密钥加密,完成信息传递,确保信息传递链条完整可溯。The sender uses the network card to sequentially generate the key to encrypt the information in a set of 1Kb. The key generation sequence number is used as the subtitle. The 3-byte subtitle can hold 16M keys at the same time and cache 16Gb information. Header to generate a packet slightly larger than 1Kb. The end network administrator connects the sender's encrypted database according to the packet header and subtitle, retrieves the corresponding key, and directly decrypts the ordinary information (the decrypted information can be cipher text). The subtitle is replaced with the end network management identification number and converted into legal information. Release. The header line of legal information contains the sender's and end network management identification numbers, so that the source of the information can be traced back; illegal information becomes garbled through the above conversion. If the information packet is marked as registered, the end network administrator re-encrypts the information with its own encryptor after verifying the information, adds the sender and each level of network management identification number, and verifies, re-encrypts, and releases the information step by step until the receiver's end network management uses the accept The network card key of the user is encrypted to complete the information transmission, ensuring that the information transmission chain is complete and traceable.
为支持异地上网,除在注册通讯地址的末端网管起一直到全球网管中心的各级网管永久保存注册用户的加密数据库外,末端网管初次收到异地用户请求时,通过全球网管中心,依次从本网管所属各级网管备份该用户的加密数据库,建立临时连接,使异地通讯和本地通讯一样便捷,可合理收取一次性转接费用。作为公约,各分支网管分出适当缓冲存储空间,存储异地用户的加密数据库;缓冲存储用尽后,按照先进先出的原则给新的用户腾出空间,避免频繁的数据搬运,减轻异地通讯成本;热点旅游区的末端网管可适当增加存储空间,并合理提高通讯价格。In order to support remote Internet access, except at the end of the registered communication address, all levels of network administrators from the end to the global network management center will permanently store the encrypted database of registered users. When the end network administrator receives a request from a remote user for the first time, he will use the global network management center to sequentially The network managers at all levels of the network management back up the user's encrypted database and establish temporary connections, making remote communication as convenient as local communication, and can reasonably charge a one-time transfer fee. As a convention, each branch network administrator allocates appropriate buffer storage space to store the encrypted database of users in different places; after the buffer storage is exhausted, free up space for new users in accordance with the first-in, first-out principle to avoid frequent data handling and reduce the cost of remote communication ; The end network management of hot tourist areas can appropriately increase storage space and reasonably increase communication prices.
上述整个信息传递过程均通过网卡自动完成,用户感觉不到。由于信息处理主要通过末端网管完成,并且信息包中的有效信息含量接近100%,正常情况下对普通信息的传输速度影响不大,挂号信息可能在上级网管超负荷运转的情况下发生拥堵。The above-mentioned entire information transfer process is automatically completed by the network card, and the user cannot feel it. Because the information processing is mainly completed by the end network management, and the effective information content in the information packet is close to 100%, under normal circumstances, it has little effect on the transmission speed of ordinary information, and the registered information may be congested when the upper-level network management is overloaded.
上述网络身份验证系统同时具备网络通讯和数字身份验证的功能。The above network identity verification system has both network communication and digital identity verification functions.
14.一个军用安全通讯系统。14. A military security communication system.
软件参数:安全模式,由组合准密钥、迭代准密钥和稀释准密钥生成密钥;96Kb密钥,元素取值范围4096;384Mb主数据库,4096个种子数列;6Gb稀释数据库,稀释倍数16;加密数据库容量6.4Gb。Software parameters: security mode, keys are generated by combining quasi-keys, iterative quasi-keys and diluted quasi-keys; 96Kb keys with element values ranging from 4096; 384Mb main database with 4096 seed sequences; 6Gb dilution database with dilution multiples 16; Encrypted database capacity is 6.4Gb.
将上述软件和加密数据库确定的加密器做成USB军人标识牌,其中加密数据库拷贝在总部集中存放,并在军人所属各级指挥部存放1份拷贝,建立军人和总部及其所属各级指挥部的安全连接;标识牌由军人随身携带,作为其现役状态的最终凭证,总部根据人员变动定期更新相关信息,以确保信息安全和通讯畅通。256万名军人需16Pb的总部存储容量。The above-mentioned software and the encrypted database determined by the encrypted database are made into a USB military identification card. A copy of the encrypted database is stored centrally in the headquarters, and one copy is stored in the headquarters of the military at all levels. The identification tag is carried by soldiers as the final proof of their active status. The headquarters regularly updates relevant information according to personnel changes to ensure information security and smooth communication. 2.56 million soldiers need 16Pb of headquarters storage capacity.
通讯时,部队电讯负责人的标识牌将成为上级机构给所属部队下达命令的默认加密器。根据命令的机密程度,设定不同密级。When communicating, the identification card of the person in charge of the army's telecommunications will become the default encryptor for orders given by the higher-level organization to the army. Set different levels of security according to the confidentiality of the command.
秘密文件,标记为AA级,使用部队电讯负责人的加密数据库进行文件加密解密,密文标题包括部队编号和密钥生成序号,由电讯室负责收发,用于常规命令传达和汇报。Secret files, marked AA, are encrypted and decrypted using the encrypted database of the person in charge of the telecommunications department. The title of the cipher text includes the troop number and key generation serial number.
机密文件,标记为AAA级。由部队电讯负责人和首长的加密数据库分别 提供组合和迭代准密钥、稀释准密钥,生成密钥,加密文件。密文标题在AA级基础上,加上部队首长稀释准密钥编号作为副标题。收发员收到AAA级密文时,报告首长,共同见证下,生成密钥,解密密文;利用同样程序上报AAA级密文。AAA级密文也可依照组织程序,经部队电讯室以类似方式向部队特定军人直接传达命令。类似地,可通过AA级密文实现上级和所属部队每个军人的直接命令传达或汇报。Confidential documents, marked as AAA. The encrypted database of the person in charge of the army telecommunications and the head provides the combination and iteration of quasi-keys, dilution of quasi-keys, generation of keys, and encryption of files. The cipher text title is based on AA grade, and the head of the unit is diluted with the quasi-key number as the subtitle. When the transceiver receives the AAA-level ciphertext, it reports to the head, and under common witness, generates a key and decrypts the ciphertext; using the same procedure to report the AAA-level ciphertext. AAA-grade ciphertexts can also be used to direct orders directly to specific soldiers in the troop's telecommunications room in a similar manner in accordance with organizational procedures. Similarly, AA-level cipher text can be used to communicate or report direct orders of superiors and each soldier of the affiliated army.
绝密文件,定义为AAAA级。利用部队电讯负责人的加密数据库生成组合准密钥,部队首长的加密器生成迭代准密钥,随机选取命令所属部队两名军人,从其稀释数据库中各选取连续的8个稀释数列,组合成一个高信息密度数列,与组合和迭代准密钥相加生成无条件安全密钥。密文标题在AAA级基础上,加入军人识别号及对应首个稀释数列编号。收发员收到AAAA级密文时,报告部队首长,召集对应军人,共同见证下,生成密钥,解密密文。Top-secret documents, defined as AAAA. The combined quasi-key is generated using the encrypted database of the person in charge of the army telecommunications, and the iterator quasi-key is generated by the encryptor of the army leader. The two soldiers of the affiliated army are randomly selected and ordered, and eight consecutive dilution series are selected from their dilution database. A high-information-density sequence that is combined with a combination and iterative quasi-key to generate an unconditional security key. The title of the cipher text is based on the AAA grade, adding the military identification number and the corresponding serial number of the first dilution. When the transceiver received the AAAA ciphertext, it reported to the head of the army, convened the corresponding soldiers, and collectively witnessed to generate a key and decrypt the ciphertext.
高密级文件可保证即使在关键位置军人USB标识牌信息泄露且部队中少数人员被挟持或策反的极端情况下,仍最大限度确保命令安全传达。该方案也提供了一个在部队核心成员见证下,不定期确认的方式,确保在与总部隔绝执行绝密任务的部队中,军人USB标识牌由合法者持有。High-class documents can ensure that even in extreme cases where military personnel's USB identification plate information is leaked in key locations and a small number of personnel in the army are held hostage or counter-insured, the command is still transmitted to the greatest extent possible. The program also provides an irregular confirmation method under the witness of the core members of the army to ensure that in the army that is isolated from the headquarters to perform top-secret tasks, the military USB tag is held by a legal person.
上述方案也可用于构建警用和外交安全通讯系统。经调整,确保达到所需安全标准前提下,通过简化相关程序,提高效率,构建银行、政府、和商用安全通讯系统。The above scheme can also be used to build police and diplomatic security communication systems. After adjustment to ensure that the required security standards are met, banks, governments, and commercial security communication systems will be built by simplifying relevant procedures and improving efficiency.
15.一个无条件安全的信息交流系统。15. An unconditional and secure information exchange system.
软件参数:基础模式;16Kb密钥,元素取值范围256;256Gb主数据库,16M信息单元。Software parameters: basic mode; 16Kb key, element value range 256; 256Gb main database, 16M information unit.
用可控有序生成的无条件安全密钥加密信息量相同的文件信息生成无条件安全密文,通过排他性共享加密数据库建立安全连接,实现无条件安全通讯。The unconditional security key that is generated in a controlled and orderly manner is used to encrypt the file information with the same amount of information to generate an unconditional security ciphertext. An exclusive shared encrypted database is used to establish a secure connection to achieve unconditional secure communication.
上述共享加密数据库可满足通讯双方较长时期内一定信息交换密度的无条件安全信息交流。例如采用1分钟1Mb信息量的高品质音频或普通品质的视频通讯,256Gb共享信息可满足25万分钟,约4000小时的交流,相当于2年的不间断工作交流。The shared encrypted database can meet the unconditional secure information exchange of a certain information exchange density for a long period of time between the communicating parties. For example, using high-quality audio or ordinary quality video communication with 1Mb of information per minute, 256Gb shared information can meet 250,000 minutes and about 4,000 hours of communication, which is equivalent to 2 years of uninterrupted working communication.
上述存储需求可在常规移动硬盘中实现,高密度数据存储技术的快速发 展将会给上述无条件安全信息交流带来更大的便利和更多的应用空间。The above storage requirements can be realized in conventional mobile hard disks. The rapid development of high-density data storage technology will bring greater convenience and more application space to the above-mentioned unconditional security information exchange.
将上述系统用于军用安全通讯,采用10Pb中央存储设备,可服务40000个终端用户,将无条件安全的信息安全系统推广到连一级基层电讯机构;同时将同样信息量的一次性安全密钥分散存储在每个军人的USB识别牌中,例如每个军人USB识别牌中存储4Gb一次性安全密钥,可在高密级通讯中实现无条件安全的命令传达和机密信息汇报。The above system is used for military security communication. It uses 10Pb central storage device to serve 40,000 end users, and promotes the unconditional and secure information security system to even the first-level grass-roots telecommunications institutions. At the same time, the one-time security keys with the same information volume are dispersed It is stored in the USB identification card of each soldier, for example, a 4Gb one-time security key is stored in each soldier's USB identification card, which can realize unconditional and secure command transmission and confidential information reporting in high-density communication.
以上概述了提供密钥生成装置、加密装置、密钥生成和分发系统、信息安全传递系统所需要的信息的方法的不同方面和/或通过程序实现其他步骤的方法。技术中的程序部分可以被认为是以可执行的代码和/或相关数据的形式而存在的“产品”或“制品”,通过计算机可读的介质所参与或实现。有形的、永久的储存介质可以包括任何计算机、处理器、或类似设备或相关的模块所用到的内存或存储器。例如,各种半导体存储器、磁带驱动器、磁盘驱动器或者类似任何能够为软件提供存储功能的设备。The foregoing outlines different aspects of a method of providing information required by a key generation device, an encryption device, a key generation and distribution system, an information security delivery system, and / or a method of implementing other steps through a program. The program part in the technology may be considered as a "product" or "article" in the form of executable code and / or related data, which is participated or realized through a computer-readable medium. The tangible, permanent storage medium may include memory or storage used by any computer, processor, or similar device or related module. For example, various semiconductor memories, magnetic tape drives, magnetic disk drives or similar devices capable of providing storage functions for software.
所有软件或其中的一部分有时可能会通过网络进行通信,如互联网或其他通信网络。此类通信可以将软件从一个计算机设备或处理器加载到另一个。例如:从物联网系统的一个服务器或主机计算机加载至一个计算机环境的硬件平台,或其他实现系统的计算机环境,或与提供物联网所需要的信息相关的类似功能的系统。因此,另一种能够传递软件元素的介质也可以被用作局部设备之间的物理连接,例如光波、电波、电磁波等,通过电缆、光缆或者空气等实现传播。用来载波的物理介质如电缆、无线连接或光缆等类似设备,也可以被认为是承载软件的介质。在这里的用法除非限制了有形的“储存”介质,其他表示计算机或机器“可读介质”的术语都表示在处理器执行任何指令的过程中参与的介质。All software or parts of it may sometimes communicate over a network, such as the Internet or other communication networks. This type of communication can load software from one computer device or processor to another. For example: a hardware platform loaded from a server or host computer of an IoT system to a computer environment, or other computer environment that implements the system, or a system with similar functions related to providing information required by the IoT. Therefore, another medium capable of transmitting software elements can also be used as a physical connection between local devices, such as light waves, radio waves, electromagnetic waves, etc., and is transmitted through cables, optical cables, or air. The physical medium used for carrier waves, such as electrical cables, wireless connections, or fiber optic cables, can also be considered as the medium that carries the software. As used herein, unless tangible "storage" media is restricted, other terms referring to computer or machine "readable media" refer to media that participates in the execution of any instruction by a processor.
一个计算机可读的介质可能有多种形式,包括有形的存储介质,载波介质或物理传输介质等。稳定的储存介质可以包括:光盘或磁盘,以及其他计算机或类似设备中使用的,能够实现图中所描述的系统组件的存储系统。不稳定的存储介质可以包括动态内存,例如计算机平台的主内存等。有形的传输介质可以包括同轴电缆、铜电缆以及光纤,例如计算机系统内部形成总线的线路。载波传输介质可以传递电信号、电磁信号、声波信号或光波信号等。这些信号可以由无线电频率或红外、可见光波、声波数据通信的方法所产生。 通常的计算机可读介质包括硬盘、软盘、磁带、任何其他磁性介质;CD-ROM、DVD、DVD-ROM、任何其他光学介质;穿孔卡、任何其他包含小孔模式的物理存储介质;RAM、PROM、EPROM、FLASH-EPROM,任何其他存储器片或磁带;传输数据或指令的载波、电缆或传输载波的连接装置、任何其他可以利用计算机读取的程序代码和/或数据。这些计算机可读介质的形式中,会有很多种出现在处理器在执行指令、传递一个或更多结果的过程之中。A computer-readable medium may take many forms, including tangible storage media, carrier wave media, or physical transmission media. Stable storage media may include: optical disks or disks, and storage systems used in other computers or similar devices that can implement the system components described in the figures. The unstable storage medium may include dynamic memory, such as the main memory of a computer platform. Tangible transmission media may include coaxial cables, copper cables, and optical fibers, such as the lines that form a bus inside a computer system. The carrier wave transmission medium can transmit electrical signals, electromagnetic signals, acoustic signals or light signals. These signals can be generated by radio frequency or infrared, visible light, and acoustic data communication methods. Common computer-readable media include hard disks, floppy disks, magnetic tapes, any other magnetic media; CD-ROM, DVD, DVD-ROM, any other optical media; punch cards, any other physical storage media containing a small hole pattern; RAM, PROM , EPROM, FLASH-EPROM, any other memory chip or tape; carrier wave for transmitting data or instructions, cable or connection device for transmitting carrier wave, any other program code and / or data that can be read by computer. In the form of these computer-readable media, there are many ways in which a processor executes instructions and passes one or more results.
本申请中的“模块”指的是存储在硬件、固件中的逻辑或一组软件指令。这里所指的“模块”能够通过软件和/或硬件模块执行,或被存储于任何一种计算机可读的非临时媒介或其他存储设备中。模块可以由子电路实现。在一些实施例中,一个软件模块可以被编译并连接到一个可执行的程序中。显然,这里的软件模块可以对自身或其他模块传递的信息做出回应,并且/或者可以在检测到某些事件或中断时做出回应。可以在一个计算机可读媒介上提供软件模块,该软件模块可以被设置为在计算设备上(例如处理器220)执行操作。这里的计算机可读媒介可以是光盘、数字光盘、闪存盘、磁盘或任何其他种类的有形媒介。也可以通过数字下载的模式获取软件模块(这里的数字下载也包括存储在压缩包或安装包内的数据,在执行之前需要经过解压或解码操作)。这里的软件模块的代码可以被部分的或全部的储存在执行操作的计算设备的存储设备中,并应用在计算设备的操作之中。软件指令可以被植入在固件中,例如可擦可编程只读存储器(EPROM)。显然,硬件模块可以包含连接在一起的逻辑单元,例如门、触发器,以及/或包含可编程的单元,例如可编程的门阵列或处理器。这里所述的模块或计算设备的功能优选的作为软件模块实施,但是也可以被表示在硬件或固件中。一般情况下,这里所说的模块是逻辑模块,不受其具体的物理形态或存储器的限制。一个模块能够与其他的模块组合在一起,或被分隔成为一系列子模块。"Module" in this application refers to logic or a set of software instructions stored in hardware, firmware. The "module" referred to herein can be executed by software and / or hardware modules, or stored in any kind of computer-readable non-transitory medium or other storage device. Modules can be implemented by sub-circuits. In some embodiments, a software module can be compiled and linked into an executable program. Obviously, the software module here can respond to the information passed by itself or other modules, and / or can respond when certain events or interruptions are detected. A software module may be provided on a computer-readable medium, and the software module may be configured to perform operations on a computing device (e.g., the processor 220). The computer-readable medium herein may be an optical disk, a digital optical disk, a flash disk, a magnetic disk, or any other kind of tangible medium. Software modules can also be obtained through the digital download mode (the digital download here also includes the data stored in the compressed package or installation package, which needs to be decompressed or decoded before execution). The code of the software module herein may be partially or wholly stored in a storage device of a computing device that performs an operation, and applied to the operation of the computing device. Software instructions can be embedded in firmware, such as erasable programmable read-only memory (EPROM). Obviously, a hardware module may contain logic units connected together, such as gates, flip-flops, and / or programmable units, such as a programmable gate array or processor. The functions of the modules or computing devices described herein are preferably implemented as software modules, but may also be represented in hardware or firmware. In general, the modules mentioned here are logical modules and are not limited by their specific physical form or memory. A module can be combined with other modules or separated into a series of sub-modules.
除非另有定义,这里使用的所有术语(包括技术和科学术语)具有与本公开所属领域的普通技术人员共同理解的相同含义。还应当理解,诸如在通常字典里定义的那些术语应当被解释为具有与它们在相关技术的上下文中的含义相一致的含义,而不应用理想化或极度形式化的意义来解释,除非这里明确地这样定义。Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It should also be understood that terms such as those defined in ordinary dictionaries should be interpreted as having meanings consistent with their meaning in the context of the relevant technology, and should not be interpreted in an idealized or extremely formal sense unless explicitly stated here Land is so defined.
上面是对本公开的说明,而不应被认为是对其的限制。尽管描述了本公开的若干示例性实施例,但本领域技术人员将容易地理解,在不背离本公开 的新颖教学和优点的前提下可以对示例性实施例进行许多修改。因此,所有这些修改都意图包含在权利要求书所限定的本公开范围内。应当理解,上面是对本公开的说明,而不应被认为是限于所公开的特定实施例,并且对所公开的实施例以及其他实施例的修改意图包含在所附权利要求书的范围内。本公开由权利要求书及其等效物限定。The above is a description of the disclosure and should not be considered as limiting it. Although several exemplary embodiments of the present disclosure have been described, those skilled in the art will readily understand that many modifications can be made to the exemplary embodiments without departing from the novel teachings and advantages of the present disclosure. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined by the claims. It should be understood that the above is a description of the present disclosure and should not be considered to be limited to the specific embodiments disclosed, and modifications to the disclosed embodiments and other embodiments are intended to be included within the scope of the appended claims. This disclosure is defined by the claims and their equivalents.

Claims (14)

  1. 一种密钥生成装置,包括:A key generation device includes:
    系统信息模块,配置为存储所述密钥生成装置的系统信息;A system information module configured to store system information of the key generation device;
    密钥生成模块,配置为根据所述系统信息,有序可控生成不可预测信息作为密钥,并用其生成序号作为对应密钥序号;以及A key generation module configured to sequentially and controllably generate unpredictable information as a key based on the system information, and use its generated serial number as the corresponding key serial number; and
    传输模块,配置为将所述密钥序号发送给配对的密钥生成装置,其中所述配对的密钥生成装置存储有与所述系统信息相对应的第二系统信息。The transmission module is configured to send the key serial number to a paired key generation device, wherein the paired key generation device stores second system information corresponding to the system information.
  2. 如权利要求1所述的密钥生成装置,其中,所述系统信息模块进一步包括:The key generation device according to claim 1, wherein the system information module further comprises:
    控制模块,配置为控制不可预测信息的生成;A control module configured to control the generation of unpredictable information;
    数据库模块,配置为存储不可预测信息;Database module configured to store unpredictable information;
    所述密钥生成模块根据控制模块的控制,依靠所述数据库模块中的信息可控有序生成不可预测信息作为密钥,并用其生成序号作为对应密钥序号。According to the control of the control module, the key generation module relies on the information in the database module to controllably and orderly generate unpredictable information as a key, and uses its generated serial number as the corresponding key serial number.
  3. 如权利要求1所述的密钥生成装置,其中,所述系统信息模块进一步包括:The key generation device according to claim 1, wherein the system information module further comprises:
    控制模块,配置为控制不可预测信息的生成;A control module configured to control the generation of unpredictable information;
    动态信息模块,配置为提供待处理的输入信息;Dynamic information module configured to provide pending input information;
    信息处理模块,配置为根据控制模块的控制,通过预定算法将动态信息模块提供的输入信息转化为信息量扩大的生成信息,并且从所述生成信息中提取部分信息作为不可预测信息以用于生成密钥,另外部分不可预测信息作为反馈信息提供给所述动态信息模块以保持其稳定更新。An information processing module configured to convert input information provided by the dynamic information module into generated information with an expanded amount of information through a predetermined algorithm according to the control of the control module, and extract part of the information from the generated information as unpredictable information for generating The key and other unpredictable information are provided as feedback information to the dynamic information module to keep it stable and updated.
  4. 如权利要求3所述的密钥生成装置,其中,所述动态信息模块包括输入信息子模块,配置为接收不可预测信息作为初始的输入信息,The key generation device according to claim 3, wherein the dynamic information module includes an input information sub-module configured to receive unpredictable information as initial input information,
    所述信息处理模块通过迭代信息处理方式,将输入信息转换为可由输入信息确定的信息量扩大的生成信息,按照预定方式从所述生成信息中提取相互不重叠部分的第一部分与输入信息等量的信息作为迭代信息反馈到输入信息子模块作为下一步的输入信息,并且提取相互不重叠部分的第二部分作为 不可预测信息以用于生成密钥。The information processing module converts the input information into generated information that can be expanded by an amount of information determined by the input information through an iterative information processing method, and extracts a first portion of the non-overlapping portion from the generated information in an equal amount as the input information in a predetermined manner. The information is fed back to the input information sub-module as iterative information as input information for the next step, and the second part that does not overlap with each other is extracted as unpredictable information for generating a key.
  5. 如权利要求3所述的密钥生成装置,其中,所述动态信息模块包括数据库子模块,设置为存储预定数量的不可预测信息,The key generation device according to claim 3, wherein the dynamic information module includes a database submodule configured to store a predetermined amount of unpredictable information,
    所述信息处理模块根据控制模块的控制,依靠所述数据库子模块中的信息可控有序生成预先确定数量的不可预测信息作为密钥,并用其生成序号作为对应密钥序号,然后生成另外的不可预测信息作为数据库再生信息反馈到所述数据库子模块用以更新数据库子模块中信息,According to the control of the control module, the information processing module relies on the information in the database submodule to controllably and orderly generate a predetermined amount of unpredictable information as a key, and uses its generated serial number as the corresponding key serial number, and then generates another The unpredictable information is fed back to the database submodule as database regeneration information to update the information in the database submodule,
    信息处理模块依靠更新后的数据库子模块中信息继续生成密钥,The information processing module continues to generate keys based on the information in the updated database submodule.
    所述控制模块控制数据库子模块和信息处理模块的信息输入、生成、分配,输出和数据库再生,以循环数据库子模块信息更新和密钥生成过程。The control module controls the information input, generation, distribution, output, and database regeneration of the database sub-module and the information processing module to cycle the database sub-module information update and key generation process.
  6. 如权利要求5所述的密钥生成装置,其中,所述数据库子模块包括存储预定数量的不可预测信息单元的主数据库,以及存储预定数量的不可预测信息编码形成的编码数据库,其中编码的数量大于数据库子模块中存储的不可预测信息单元的数量,The key generation device according to claim 5, wherein the database submodule comprises a main database storing a predetermined number of unpredictable information units, and a coding database formed by coding a predetermined number of unpredictable information, wherein the number of codes is Greater than the number of unpredictable information units stored in the database submodule,
    所述控制模块从编码数据库中有序提取编码,根据编码中信息从所述主数据库中提取编码信息所对应的多个所述信息单元作为一组输入信息传递给所述信息处理模块,编码不重复使用,The control module sequentially extracts the encoding from the encoding database, and extracts the multiple information units corresponding to the encoded information from the main database according to the information in the encoding, and passes the information to the information processing module as a set of input information. reuse,
    信息处理模块将一组输入信息通过组合生成一个次生信息,The information processing module combines a group of input information to generate a secondary information.
    信息处理模块根据当前数据库子模块中信息,生成预定数量的次生信息作为不可预测信息用于生成密钥,并且用每个不可预测信息的生成序号作为对应密钥序号,同时顺序更新控制模块中的序号控制信息,The information processing module generates a predetermined number of secondary information as unpredictable information for generating keys according to the information in the current database submodule, and uses the generation number of each unpredictable information as the corresponding key number, and sequentially updates the control module Serial number control information,
    利用当前数据库子模块中的信息生成所述预定数量的密钥后,信息处理模块生成与数据库子模块中存储的不可预测信息的数量相同数量的次生信息作为数据库再生信息反馈给数据库子模块以更新数据库子模块中信息,After using the information in the current database sub-module to generate the predetermined number of keys, the information processing module generates the same amount of secondary information as the number of unpredictable information stored in the database sub-module as database regeneration information and feeds it back to the database sub-module to Update the information in the database submodule,
    信息处理模块根据更新后的数据库子模块中信息继续生产密钥,The information processing module continues to produce keys based on the information in the updated database submodule,
    循环数据库子模块更新和密钥生成过程。Cyclic database submodule update and key generation process.
  7. 如权利要求3-6的任一所述的密钥生成装置,其中,在信息处理过程中采用不可逆单向算法,所述不可逆单向算法根据输入信息生成确定的密钥 信息和反馈信息,但根据所述密钥信息或反馈信息推算的合理输入信息的可能取值个数与密钥的信息空间相当,从而不能确定或探测所述输入信息和动态信息。The key generation device according to any one of claims 3 to 6, wherein an irreversible one-way algorithm is used in the information processing process, and the irreversible one-way algorithm generates the determined key information and feedback information according to the input information, but The number of possible values of the reasonable input information calculated according to the key information or the feedback information is equivalent to the information space of the key, so the input information and dynamic information cannot be determined or detected.
  8. 如权利要求1所述的密钥生成装置,其中,所述传输模块还配置为从所述配对的密钥生成装置接收密钥序号,The key generation device according to claim 1, wherein the transmission module is further configured to receive a key sequence number from the paired key generation device,
    所述密钥生成模块进一步配置为根据从配对的密钥生成装置接收的第二密钥序号,依靠所述系统信息,生成与所述第二密钥序号对应的解密密钥。The key generation module is further configured to generate a decryption key corresponding to the second key number based on the system information based on the second key number received from the paired key generation device.
  9. 一种加密解密装置,包括:An encryption and decryption device includes:
    如权利要求1-8的任一所述的密钥生成装置,配置为可控有序生成一次性密钥,其中所述控制模块增加参数和功能,作为所述加密装置的控制模块;The key generation device according to any one of claims 1-8, configured to controllably and orderly generate a one-time key, wherein the control module adds parameters and functions as a control module of the encryption device;
    输入端口,配置为读取或输入待加密数据;Input port, configured to read or enter data to be encrypted;
    格式化单元,配置为将输入端口输入的待加密数据转换为与密钥格式相匹配的格式化明文;A formatting unit configured to convert the data to be encrypted input from the input port into a formatted plain text that matches the key format;
    加密模块,配置为用所述密钥生成装置可控有序生成的一次性密钥将格式化单元生成的格式化明文转换为主密文,将所述一次性密钥的序号作为密文标题,合并主密文和密文标题以生成密文;An encryption module configured to convert the formatted plain text generated by the formatting unit into a main cipher text using the one-time key that is controllably and orderly generated by the key generation device, and use the serial number of the one-time key as the cipher text title To merge the main ciphertext and the ciphertext title to generate the ciphertext;
    发送端口,配置为将生成的密文发送给配对的解密装置。The sending port is configured to send the generated ciphertext to a paired decryption device.
  10. 如权利要求9所述的加密解密装置,还包括:The encryption and decryption device according to claim 9, further comprising:
    接收端口,配置为接收从配对的加密装置发送的密文;A receiving port configured to receive a ciphertext sent from a paired encryption device;
    解密模块,配置为解析接收的密文以提取密文标题中的密钥序号,根据密钥序号,用所述密钥生成装置生成与所述密钥序号对应的解密密钥,使用所述解密密钥解密密文以生成解密后明文;A decryption module configured to parse the received ciphertext to extract the key sequence number in the ciphertext title, and use the key generation device to generate a decryption key corresponding to the key sequence number according to the key sequence number, and use the decryption The key is used to decrypt the ciphertext to generate the decrypted plaintext;
    所述格式化单元进一步配置为将解密后明文转换为复原数据;The formatting unit is further configured to convert the decrypted plain text into restored data;
    输出端口,配置为输出所述复原数据。An output port configured to output the restored data.
  11. 一种密钥生成和分发系统,包括配对的如权利要求1-8的任一所述的第一密钥生成装置和第二密钥生成装置,其中A key generation and distribution system, comprising a paired first key generation device and a second key generation device according to any one of claims 1-8, wherein
    所述第一密钥生成装置,包括:The first key generation device includes:
    第一系统信息模块,配置为存储所述第一密钥生成装置的第一系统信息;A first system information module configured to store first system information of the first key generation device;
    第一密钥生成模块,配置为根据所述第一系统信息,可控有序生成不可预测信息作为第一密钥,并将其生成序号作为对应的第一密钥序号;A first key generation module configured to controllably and orderly generate unpredictable information as the first key, and use the generated serial number as the corresponding first key serial number according to the first system information;
    第一发送模块,配置为将所述第一密钥序号发送给第二密钥生成装置,A first sending module configured to send the first key serial number to a second key generating device,
    所述第二密钥生成装置,包括:The second key generation device includes:
    第二系统信息模块,配置为存储所述第二密钥生成装置的第二系统信息,所述第二系统信息与所述第一系统信息相同或相对应;A second system information module configured to store second system information of the second key generation device, the second system information being the same as or corresponding to the first system information;
    第二接收模块,配置为接收从第一发送模块发送的第一密钥序号;A second receiving module configured to receive a first key sequence number sent from the first sending module;
    第二密钥生成模块,配置为根据从所述第二接收模块收到的所述第一密钥序号,依靠第二系统信息,生成与所述第一密钥序号对应的第二解密密钥。A second key generation module configured to generate a second decryption key corresponding to the first key number according to the second system information according to the first key number received from the second receiving module .
  12. 如权利要求11所述的密钥生成和分发系统,其中,The key generation and distribution system according to claim 11, wherein:
    所述第二密钥生成模块进一步根据所述第二系统信息,可控有序生成不可预测信息作为第二密钥,并用其生成序号作为对应第二密钥序号;The second key generation module further controls the orderly generation of unpredictable information as the second key according to the second system information, and uses its generated serial number as the corresponding second key serial number;
    第二发送模块,配置为将所述第二密钥序号发送给所述第一密钥生成装置,A second sending module configured to send the second key sequence number to the first key generating device,
    所述第一密钥生成装置还包括第一接收模块,配置为接收从所述第二发送模块发送的第二密钥序号,The first key generating device further includes a first receiving module configured to receive a second key sequence number sent from the second sending module,
    所述第一密钥生成模块进一步根据从所述第一接收模块收到的所述第二密钥序号,通过所述第一系统信息,生成与所述第二密钥序号对应的第一解密密钥。The first key generation module further generates a first decryption corresponding to the second key sequence number through the first system information according to the second key sequence number received from the first receiving module. Key.
  13. 一种信息安全传递系统,包括配对的第一通信设备和第二通信设备,其中An information security transfer system includes a paired first communication device and a second communication device, wherein
    所述第一通信设备包括:The first communication device includes:
    如权利要求1-8的任一所述的第一密钥生成装置,配置为可控有序生成一次性密钥作为第一密钥;The first key generation device according to any one of claims 1 to 8, configured to controllably and orderly generate a one-time key as the first key;
    第一输入端口,配置为读取或输入第一待加密数据;A first input port configured to read or input first data to be encrypted;
    第一格式化单元,配置为将输入端口输入的第一待加密数据转换为与密钥格式相同的第一格式化明文;A first formatting unit configured to convert the first to-be-encrypted data input from the input port into a first formatted plaintext having the same key format;
    第一加密模块,配置为通过第一密钥生成装置生成的第一密钥将所述第 一格式化明文转换为第一主密文,将所述第一密钥的生成序号作为第一密文标题,合并第一主密文和第一密文标题以生成第一密文;A first encryption module configured to convert the first formatted plain text into a first main cipher text by using a first key generated by a first key generation device, and using a generation number of the first key as a first secret Text title, combining the first main ciphertext and the first ciphertext title to generate the first ciphertext;
    第一发送端口,配置为将生成的第一密文发送给第二通信设备,A first sending port configured to send the generated first ciphertext to a second communication device,
    所述第二通信设备包括:The second communication device includes:
    如权利要求1-8的任一所述的第二密钥生成装置,配置为可控有序生成一次性密钥作为第二密钥;The second key generation device according to any one of claims 1-8, configured to controllably and orderly generate a one-time key as the second key;
    第二接收端口,配置为接收第一发送端口发送的第一密文;A second receiving port configured to receive a first ciphertext sent by a first sending port;
    第二解密模块,配置为解析接收的所述第一密文以提取第一密文标题中的第一密钥序号,根据所述第一密钥序号,通过所述第二密钥生成装置生成对应第二解密密钥,使用所述第二密钥解密所述第一密文以生成第二解密后明文;A second decryption module configured to parse the received first ciphertext to extract a first key sequence number in a first ciphertext header, and generate the first key sequence number according to the first key sequence number by the second key generation device Corresponding to the second decryption key, using the second key to decrypt the first ciphertext to generate a second decrypted plaintext;
    第二格式化单元,配置为将所述第二解密后明文转换为第二复原数据;A second formatting unit configured to convert the second decrypted plaintext into second restored data;
    第二输出端口,配置为输出所述第二复原数据。The second output port is configured to output the second restoration data.
  14. 如权利要求13所述的信息安全传递系统,其中The information security transfer system according to claim 13, wherein
    所述第二通信设备包括:The second communication device includes:
    第二输入端口,配置为读取或输入第二待加密数据;A second input port configured to read or input a second data to be encrypted;
    所述第二格式化单元同时配置将第二输入端口输入的第二待加密数据转换为与密钥格式匹配的第二格式化明文;The second formatting unit is also configured to convert the second to-be-encrypted data input from the second input port into a second formatted plain text that matches the key format;
    第二加密模块,配置为通过所述第二密钥生成装置可控有序生成的第二密钥将所述第二格式化明文转换为第二主密文,将所述第二密钥的第二密钥序号作为第二密文标题,合并第二主密文和第二密文标题以生成第二密文;A second encryption module configured to convert the second formatted plain text into a second main cipher text by a second key that is controllably and orderly generated by the second key generation device, and convert the second key The second key sequence number is used as the second ciphertext title, and the second main ciphertext and the second ciphertext title are combined to generate a second ciphertext;
    第二发送端口,配置为将生成的第二密文发送给第一通信设备,A second sending port configured to send the generated second ciphertext to the first communication device,
    第一接收端口,配置为接收所述第二发送端口发送的第二密文;A first receiving port configured to receive a second ciphertext sent by the second sending port;
    第一解密模块,配置为解析接收的所述第二密文以提取所述第二密文标题中的第二密钥序号,根据第二密钥生成序号,通过所述第一密钥生成装置生成与所述第二密钥序号对应的第一解密密钥,使用所述第一密钥解密所述第二密文以生成第一解密后明文;A first decryption module configured to parse the received second ciphertext to extract a second key sequence number in the second ciphertext header, generate a sequence number based on the second key, and pass the first key generation device Generating a first decryption key corresponding to the second key sequence number, and using the first key to decrypt the second ciphertext to generate a first decrypted plaintext;
    所述第一格式化单元同时配置将第一解密后明文转换为第一复原数据;The first formatting unit is simultaneously configured to convert the first decrypted plain text into the first restored data;
    第一输出端口,配置为输出所述第一复原数据。The first output port is configured to output the first restoration data.
PCT/CN2019/091899 2018-06-21 2019-06-19 Key generation apparatus, encryption and decryption apparatus, key generation and distribution system and information secure transmission system WO2019242645A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810643471.2A CN110636028B (en) 2018-06-21 2018-06-21 Key generation device, encryption device, key generation and distribution system
CN201810643471.2 2018-06-21

Publications (1)

Publication Number Publication Date
WO2019242645A1 true WO2019242645A1 (en) 2019-12-26

Family

ID=68966410

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/091899 WO2019242645A1 (en) 2018-06-21 2019-06-19 Key generation apparatus, encryption and decryption apparatus, key generation and distribution system and information secure transmission system

Country Status (2)

Country Link
CN (1) CN110636028B (en)
WO (1) WO2019242645A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202709A (en) * 2020-08-25 2021-01-08 中国电力科学研究院有限公司 Security management system and method for full scene networking equipment
CN117978364A (en) * 2024-02-22 2024-05-03 广州鼎盛商业保理有限公司 Block chain-based warranty information processing system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726512A (en) * 2021-08-31 2021-11-30 蔡利锋 Key generation and distribution method, key generation device, and key management system
TWI796885B (en) * 2021-12-21 2023-03-21 龍華科技大學 Industrial internet of things and safe communication method thereof
CN114629706B (en) * 2022-03-16 2024-01-23 平安国际智慧城市科技股份有限公司 File encryption method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090279688A1 (en) * 2008-05-06 2009-11-12 Harris Corporation Closed galois field cryptographic system
JP2012147341A (en) * 2011-01-14 2012-08-02 Seiko Epson Corp Common key exchange method, common key generation method, common key exchange system, common key exchange device, and program of the same
CN107113608A (en) * 2014-10-29 2017-08-29 阿尔卡特朗讯公司 By user equipment and base station generate multiple shared keys using cipher key spreading multiplier
WO2018050293A1 (en) * 2016-09-15 2018-03-22 Gurulogic Microsystems Oy User sign-in and authentication without passwords

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9450749B2 (en) * 2000-03-29 2016-09-20 Wolfgang S. Hammersmith One-time-pad encryption with central key service
CN101355422B (en) * 2008-07-16 2014-01-08 冯振周 Novel authentication mechanism for encrypting vector
JP5374752B2 (en) * 2009-01-19 2013-12-25 株式会社東芝 Protection control measurement system and apparatus, and data transmission method
CN101986663A (en) * 2010-11-29 2011-03-16 北京卓微天成科技咨询有限公司 OTP-based cloud storage data storing method, device and system
WO2015188277A1 (en) * 2014-06-13 2015-12-17 BicDroid Inc. Methods, systems and computer program product for providing encryption on a plurality of devices

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090279688A1 (en) * 2008-05-06 2009-11-12 Harris Corporation Closed galois field cryptographic system
JP2012147341A (en) * 2011-01-14 2012-08-02 Seiko Epson Corp Common key exchange method, common key generation method, common key exchange system, common key exchange device, and program of the same
CN107113608A (en) * 2014-10-29 2017-08-29 阿尔卡特朗讯公司 By user equipment and base station generate multiple shared keys using cipher key spreading multiplier
WO2018050293A1 (en) * 2016-09-15 2018-03-22 Gurulogic Microsystems Oy User sign-in and authentication without passwords

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202709A (en) * 2020-08-25 2021-01-08 中国电力科学研究院有限公司 Security management system and method for full scene networking equipment
CN112202709B (en) * 2020-08-25 2023-03-24 中国电力科学研究院有限公司 Security management system and method for full scene networking equipment
CN117978364A (en) * 2024-02-22 2024-05-03 广州鼎盛商业保理有限公司 Block chain-based warranty information processing system

Also Published As

Publication number Publication date
CN110636028A (en) 2019-12-31
CN110636028B (en) 2021-07-27

Similar Documents

Publication Publication Date Title
WO2019242645A1 (en) Key generation apparatus, encryption and decryption apparatus, key generation and distribution system and information secure transmission system
CN108292402B (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
US10320765B2 (en) Method and system for securing communication
CN109274503A (en) Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system
US10880100B2 (en) Apparatus and method for certificate enrollment
CN105306194B (en) For encrypted file and/or the multiple encryption method and system of communications protocol
CN108650080B (en) A kind of tagged keys management method and system
CN111222645B (en) Management system and method based on Internet of things block chain quantum algorithm artificial intelligence
WO2020212796A1 (en) Computer implemented method and system for encrypting data
CN109474616B (en) Multi-platform data sharing method and device and computer readable storage medium
US20210144002A1 (en) Secondary Channel Authentication of Public Keys
KR20210063378A (en) Computer-implemented systems and methods that share common secrets
WO2021098152A1 (en) Blockchain-based data processing method, device, and computer apparatus
CN112100144A (en) Block chain file sharing method and device, storage medium and electronic equipment
CN107733936B (en) Encryption method for mobile data
Saidov et al. Hardware Interlocking Security System with Secure Key Update Mechanisms In IoT Environments
WO2023030316A1 (en) Key generation and distribution method, key generation apparatus, and key management system
CN102957534A (en) Method and system for uniform identification of multiple terminals
CN111953487A (en) Key management system
Navajothi et al. An efficient, dynamic, privacy preserving public auditing method on untrusted cloud storage
Gong [Retracted] Application Research of Data Encryption Algorithm in Computer Security Management
Kebede et al. Reshaping IOT Through Blockchain
KR102304831B1 (en) Encryption systems and method using permutaion group based cryptographic techniques
Du et al. The applications of blockchain in the covert communication
Zhu Research on secure storage of network data based on cloud computing technology

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19823297

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19823297

Country of ref document: EP

Kind code of ref document: A1