技术领域technical field
本发明属于数据加密安全技术领域,具体是一种自动检索密钥和选择算法的加解密方法。The invention belongs to the technical field of data encryption security, in particular to an encryption and decryption method for automatically retrieving keys and selecting algorithms.
背景技术Background technique
现有的常用加密算法,有DES(全称为:Data Encryption Standard)、AES(全称为:Advanced Encryption Standard)、RC4(也称为ARC4,Alleged RC4)和RSA,其中RSA公钥加密算法是1977年由罗纳德·李维斯特(Ron Rivest)、阿迪·萨莫尔(Adi Shamir)和伦纳德·阿德曼(Leonard Adleman)一起提出的,RSA是他们三人姓氏开头字母拼在一起组成的。The existing commonly used encryption algorithms include DES (full name: Data Encryption Standard), AES (full name: Advanced Encryption Standard), RC4 (also known as ARC4, Alleged RC4) and RSA, among which the RSA public key encryption algorithm was established in 1977. Proposed by Ronald Rivest (Ron Rivest), Adi Shamir (Adi Shamir) and Leonard Adleman (Leonard Adleman), RSA is composed of the initial letters of their three surnames .
现有的常用加密算法各有各的优劣点,DES和AES算法复杂度高,安全级别虽然能够保障,但其基于数据块的特点,使它存在盲区:无法对长度小于数据块单元大小的数据直接进行加密,DES算法的数据块单元大小为64bit、AES算法的数据块单元大小为128bit;且当数据长度不是数据块单元大小的整数倍时,需要借助填充和附加信息来完成加密;The existing commonly used encryption algorithms each have their own advantages and disadvantages. The DES and AES algorithms have high complexity, and although the security level can be guaranteed, they are based on the characteristics of data blocks, which makes them have blind spots: it is impossible to encrypt data whose length is smaller than the size of the data block unit. The data is directly encrypted, the data block unit size of the DES algorithm is 64bit, and the data block unit size of the AES algorithm is 128bit; and when the data length is not an integer multiple of the data block unit size, padding and additional information are required to complete the encryption;
RC4算法复杂度低,可以适用于任意长度的数据进行加密,且数据越长,安全级别越高,但其基于异或加密的特点,使得它在加密少量数据时安全系数很低;The RC4 algorithm has low complexity and can be applied to encrypt data of any length, and the longer the data, the higher the security level, but it is based on the characteristics of XOR encryption, which makes it very low in security when encrypting a small amount of data;
RSA算法是非对称加密算法,他的优点是加密和解密的密钥分离,可以有效的提高安全级别,但其基于大数分解的原理,使它只能用于少量数据的加解密,当数据长度足够大时,运算速度将成指数增长。The RSA algorithm is an asymmetric encryption algorithm. Its advantage is that the encryption and decryption keys are separated, which can effectively improve the security level, but it is based on the principle of large number decomposition, so that it can only be used for encryption and decryption of a small amount of data. When the data length When it is large enough, the computing speed will increase exponentially.
同时,以上加密算法均使用单一的密钥,适用于数据在传输过程中加密,加密频率少且即时解密,无需长时间保存密钥的情况。At the same time, the above encryption algorithms all use a single key, which is suitable for data encryption during transmission, with less encryption frequency and immediate decryption, without the need to store the key for a long time.
然而,当大量数据需要加密后存储时,加密对象的数据结构复杂多变,且延时解密,需要长时间保存密钥。单一的加密算法就无法满足多变的数据结构,采用唯一的密钥加密,将使得长时间存储该密钥存在安全隐患。因此如何有效的选择加密算法并管理密钥成为一个亟待解决的难题。However, when a large amount of data needs to be encrypted and stored, the data structure of the encrypted object is complex and changeable, and the decryption is delayed, and the key needs to be stored for a long time. A single encryption algorithm cannot satisfy the variable data structure, and using a unique key to encrypt will cause security risks in storing the key for a long time. Therefore, how to effectively select encryption algorithms and manage keys has become an urgent problem to be solved.
发明内容Contents of the invention
本发明针对如何将有效的检索密钥和选择算法结合到对存储的数据加密的问题,提供了一种自动检索密钥和选择算法的加解密方法。Aiming at the problem of how to combine effective retrieval keys and selection algorithms to encrypt stored data, the invention provides an encryption and decryption method for automatic retrieval keys and selection algorithms.
具体步骤包括生成密钥库,提取数据特征,自动检索密钥库,选择加密算法,增订扩充方案和加解密运算。The specific steps include generating a key storehouse, extracting data features, automatically retrieving the key storehouse, selecting an encryption algorithm, adding and updating an expansion scheme, and encryption and decryption operations.
步骤一、生成加密对象所使用的密钥库;Step 1. Generate the keystore used by the encrypted object;
密钥库是将所有用于加密、解密的密钥,通过特殊的抽号算法将钥头和钥齿有机的整合在一起,形成一个易于检索的密钥库整体,用于根据数据的特征来检索密钥。The key store is to use all the keys used for encryption and decryption to organically integrate the key head and the key tooth through a special number drawing algorithm to form an easy-to-retrieve key store as a whole, which is used to identify data according to the characteristics of the data. Retrieve the key.
生成密钥库的处理方法是:密钥按序号有序排列,将加密密钥和解密密钥设定成一对密钥,将一定数量的成对密钥,依照特定的映射关系,组合在一起形成密钥库,密钥库的容量依照实际需要设定大小。The processing method of generating the key store is: the keys are arranged in order according to the serial number, the encryption key and the decryption key are set as a pair of keys, and a certain number of pair keys are combined according to a specific mapping relationship. A key store is formed, and the capacity of the key store is set according to actual needs.
步骤二、提取被加密对象的数据特征,得到经过处理后的数据首字节;Step 2, extracting the data characteristics of the encrypted object, and obtaining the first byte of the processed data;
被加密对象的数据采用比特位乱序的方法,对数据内容实施部分乱序,将散布的多字节位的数据特征集中到首字节,形成该数据的特征码。The data of the encrypted object adopts the method of bit scrambling, implements partial scrambling of the data content, concentrates the scattered multi-byte data characteristics into the first byte, and forms the characteristic code of the data.
步骤三、依据提取的数据特征自动检索密钥库;Step 3, automatically searching the key store according to the extracted data characteristics;
依据提取数据特征后的首字节和密钥库的序号是一一对应的关系,用首字节的值作为检索密钥库的序号,去自动检索密钥库中该序号的密钥,从而选定密钥,作为加解密所使用的密钥。According to the one-to-one relationship between the first byte after extracting data features and the serial number of the key store, the value of the first byte is used as the serial number of the key store to automatically retrieve the key of the serial number in the key store, thus Select the key as the key used for encryption and decryption.
步骤四、依据数据特性选择加密算法;Step 4. Select an encryption algorithm according to the data characteristics;
根据实际的加密场景和加密对象的数据特征来选择适当的加密算法。Select an appropriate encryption algorithm according to the actual encryption scenario and the data characteristics of the encrypted object.
步骤五、依据不同的加密场景自定义增订扩充方案;Step 5. Customize the expansion plan according to different encryption scenarios;
针对数据加密前后等长和可变长两种适用场景设计了两种扩充方案;Two expansion schemes are designed for the two applicable scenarios of equal length and variable length before and after data encryption;
当加密场景要求加密后的密文,保持原有的数据长度时,采用RC4算法或者AES算法,对AES算法来说,当加密数据不是128bit的整数倍时,加密方法为:先对加密数据前面长度是128bit整数倍的明文做AES加密后,从明文的前边密文的末尾,取适当长度,和明文不足128bit的部分补齐128bit,再做一次AES加密。When the encryption scenario requires the encrypted ciphertext to keep the original data length, the RC4 algorithm or AES algorithm is used. For the AES algorithm, when the encrypted data is not an integer multiple of 128bit, the encryption method is: first encrypt the encrypted data After the plaintext whose length is an integer multiple of 128bit is encrypted by AES, take an appropriate length from the end of the ciphertext in front of the plaintext, fill in 128bit with the part of the plaintext less than 128bit, and then perform AES encryption again.
当加密场景允许加密后的密文,长度可变时,对于AES算法,则对明文末尾进行填充,补齐128bit的整数倍,填充的内容为缺少长度的值。When the encryption scenario allows the encrypted ciphertext to have a variable length, for the AES algorithm, the end of the plaintext is padded to an integer multiple of 128 bits, and the padded content is the value of the missing length.
步骤六、对被加密对象进行加解密运算;Step 6, performing encryption and decryption operations on the encrypted object;
所述的加密运算采用自动检索到的密钥和自动选择的加密算法,对被加密对象进行提取数据特征和增订扩充方案操作后的数据进行加密运算;The encryption operation adopts the automatically retrieved key and the automatically selected encryption algorithm, and performs encryption operation on the data after extracting the data characteristics of the encrypted object and the operation of updating and expanding the scheme;
对密文进行解密运算,再对解密后的数据执行增订扩充方案和提取数据特征的逆操作,还原出原始数据的解密运行。Perform decryption operation on the ciphertext, and then perform the inverse operation of updating and expanding the scheme and extracting data features on the decrypted data, and restore the decryption operation of the original data.
根据步骤二提取的加密对象的数据特征,作为检索密钥库序号的首字节,在加解密运算中,和被检索得到的密钥的钥头,进行异或运算,得到加解密后的首字节。其余部分字节,在加解密运算中,将被检索得到的密钥的钥齿作为运算密钥,采用被选择的算法,进行加解密运算,得到加解密后的其余部分字节。According to the data characteristics of the encrypted object extracted in step 2, as the first byte of the serial number of the retrieval key store, in the encryption and decryption operation, XOR operation is performed with the key head of the retrieved key to obtain the first byte after encryption and decryption byte. For the rest of the bytes, in the encryption and decryption operation, the tooth of the retrieved key is used as the operation key, and the selected algorithm is used to perform encryption and decryption operations to obtain the rest of the bytes after encryption and decryption.
本发明的优点在于:The advantages of the present invention are:
(1)一种自动检索密钥和选择算法的加解密方法,涉及对敏感信息的加解密,并具备良好的扩展性,可以适用于任意长度的各类数据结构的敏感信息。(1) An encryption and decryption method for automatically retrieving keys and selecting algorithms, which involves encryption and decryption of sensitive information, and has good scalability, and can be applied to sensitive information of various data structures of any length.
(2)一种自动检索密钥和选择算法的加解密方法,可以结合多种加密算法及其扩展,提高安全性。(2) An encryption and decryption method for automatically retrieving keys and selecting algorithms, which can combine multiple encryption algorithms and their extensions to improve security.
(3)一种自动检索密钥和选择算法的加解密方法,在已有的著名加密算法上,引入了密钥库,替代传统的唯一密钥,提高了数据加密的安全性;(3) An encryption and decryption method for automatically retrieving keys and selecting an algorithm. On the existing famous encryption algorithm, a key store is introduced to replace the traditional unique key, which improves the security of data encryption;
(4)一种自动检索密钥和选择算法的加解密方法,根据数据的结构特征,自动选择不同的加密算法,以发挥算法的优势达到最佳的加密性能和安全级别。(4) An encryption and decryption method for automatically retrieving keys and selecting algorithms. According to the structural characteristics of data, different encryption algorithms are automatically selected to give full play to the advantages of the algorithms to achieve the best encryption performance and security level.
(5)一种自动检索密钥和选择算法的加解密方法,基于本方法的设计依据,可以有效的进行扩展,能够适用于诸多有特殊要求的加解密场景,具备良好的可移植性。(5) An encryption and decryption method for automatically retrieving keys and selecting an algorithm. Based on the design basis of this method, it can be effectively expanded, applicable to many encryption and decryption scenarios with special requirements, and has good portability.
附图说明Description of drawings
图1为本发明一种自动检索密钥和选择算法的加解密方法流程图;Fig. 1 is a kind of flow chart of the encryption and decryption method of automatic retrieval key and selection algorithm of the present invention;
图2为本发明生成具有映射关系的密钥库序号采取的方法示意图;Fig. 2 is the schematic diagram of the method that the present invention generates the key storehouse sequence number that has mapping relation to take;
图3为本发明依据密钥库序号生成密钥的示意图;Fig. 3 is the schematic diagram that the present invention generates key according to the serial number of key storehouse;
图4为本发明提取数据特征的比特位乱序方法示意图;Fig. 4 is a schematic diagram of a bit out-of-sequence method for extracting data features in the present invention;
图5为本发明加密运算的示意图;Fig. 5 is the schematic diagram of encryption operation of the present invention;
图6为本发明解密运算的示意图。Fig. 6 is a schematic diagram of the decryption operation of the present invention.
具体实施方式detailed description
下面将结合附图和实施例对本发明作进一步的详细说明。The present invention will be further described in detail with reference to the accompanying drawings and embodiments.
本发明一种自动检索密钥和选择算法的加解密方法,具体是一种根据敏感信息特征检索密钥库中的密钥并选择加密算法来进行加解密的方法。The invention relates to an encryption and decryption method for automatically retrieving a key and selecting an algorithm, in particular to a method for retrieving a key in a key store according to characteristics of sensitive information and selecting an encryption algorithm for encryption and decryption.
具体步骤如下:如图1所示,包括生成密钥库,提取数据特征,自动检索密钥库,选择加密算法,增定扩充方案以及相对应的加解密运算。The specific steps are as follows: As shown in Figure 1, it includes generating a key storehouse, extracting data features, automatically retrieving the key storehouse, selecting an encryption algorithm, adding an expansion scheme, and corresponding encryption and decryption operations.
步骤一、生成加密对象所使用的密钥库,Step 1. Generate the keystore used by the encrypted object,
单独的一把密钥由钥头和钥齿两部分组成,钥头是依据映射关系,抽象出的一个标记,钥齿部分是加解密算法的有效密钥部分,随机生成或者人为设定;钥齿的长度和值依据所用算法决定:对称算法成对的钥齿相同,非对称算法成对的钥齿分别为公钥和私钥。A single key consists of two parts: the key head and the key tooth. The key head is a mark abstracted based on the mapping relationship. The key tooth part is the effective key part of the encryption and decryption algorithm, which is randomly generated or artificially set; The length and value of the tooth are determined according to the algorithm used: the paired key teeth of the symmetric algorithm are the same, and the paired key teeth of the asymmetric algorithm are the public key and the private key respectively.
密钥库是将所有用于加密、解密的密钥,通过特殊的抽号算法将钥头和钥齿有机的整合在一起,形成一个易于检索的密钥库整体,用于根据数据的特征来检索密钥。数据特征主要指数据类型、长度、数据值和意义。The key store is to use all the keys used for encryption and decryption to organically integrate the key head and the key tooth through a special number drawing algorithm to form an easy-to-retrieve key store as a whole, which is used to identify data according to the characteristics of the data. Retrieve the key. Data characteristics mainly refer to data type, length, data value and meaning.
密钥库本身为人工设定或者随机生成。The keystore itself is manually set or randomly generated.
具体的密钥库生成的方法是:将加密密钥和解密密钥设定成一对密钥,在对称加密算法中,加密和解密的密钥是相同的,在非对称加密算法中,加密和解密的密钥则不相同。将一定数量的成对密钥,依照特定的映射关系,组合在一起形成密钥库,密钥库的容量依照实际需要设定大小。最终生成的密钥库,密钥按序号有序排列,且不重复的两两互为一对密钥,呈一一对应的满射关系。The specific key store generation method is: set the encryption key and the decryption key as a pair of keys. In the symmetric encryption algorithm, the encryption and decryption keys are the same. In the asymmetric encryption algorithm, the encryption and decryption keys are the same The decryption key is different. A certain number of paired keys are combined according to a specific mapping relationship to form a key store, and the capacity of the key store is set according to actual needs. In the finally generated keystore, the keys are arranged in an orderly manner according to the serial number, and the non-repeating pairs are a pair of keys, showing a one-to-one correspondence surjective relationship.
本发明以数据库容量为128对密钥为例,采用的映射关系基于异或的原理,具体提供了一种能够随机生成包含映射关系的密钥库的方法,将256把密钥设定成是有序排列的一系列密钥,每把密钥都有唯一的一个序号;成对密钥的两个序号异或的值,作为这对密钥的钥头,通过钥头相互映射,任意一把密钥的序号和它的钥头异或,结果为另一把密钥的序号。The present invention takes the database capacity as 128 pairs of keys as an example, the mapping relationship adopted is based on the principle of XOR, specifically provides a method that can randomly generate a key storehouse containing the mapping relationship, and sets 256 keys to be A series of keys arranged in an orderly manner, each key has a unique serial number; the XOR value of the two serial numbers of a pair of keys, as the key head of the pair of keys, is mapped to each other through the key head, any one XOR the serial number of a key with its key header, and the result is the serial number of another key.
具体的步骤如下:The specific steps are as follows:
步骤101:为加密对象预创建一个大小为256*17字节的二维数组的密钥库;Step 101: Pre-create a key store of a two-dimensional array with a size of 256*17 bytes for the encrypted object;
如图2所示,256为密钥库的容量,17为密钥长度,包含1个字节的钥头和16字节的钥齿。As shown in Figure 2, 256 is the capacity of the key store, and 17 is the key length, including a 1-byte key head and a 16-byte key tooth.
步骤102:生成密钥库中第一对密钥的序号;Step 102: generate the serial number of the first pair of keys in the key store;
在一个以序号为元素的数组S中,数组S初始大小为256,初始值依次为0到255,首先随机抽取一对密钥的一个序号:抽取的方法为生成一个随机数Random,对当前数组大小256取模,例如取模后值为0x02,则将S数组中下标为0x02的元素,作为第一个序号,标记为序号0x02。然后将该序号从序号数组S中剔除,数组大小变为255。In an array S with serial numbers as elements, the initial size of the array S is 256, and the initial values are in turn 0 to 255. First, a serial number of a pair of keys is randomly extracted: the extraction method is to generate a random number Random, and for the current array The size is 256 to take the modulus, for example, the value after the modulus is 0x02, then the element with the subscript 0x02 in the S array is used as the first serial number and marked as the serial number 0x02. Then the serial number is removed from the serial number array S, and the size of the array becomes 255.
抽取该对密钥的另一个序号,抽取的方法为再生成一个随机数Random,对当前数组大小255取模,例如取模后值为0x90,则将S数组中下标为0x90的元素,作为另一个序号,标记为序号0x91,因为序号0x02已经被抽掉了,并将序号0x91从序号数组S中剔除,数组大小变为254。Extract another serial number of the pair of keys. The extraction method is to generate a random number Random again, and take the modulus of the current array size of 255. For example, the value after the modulus is 0x90, then the element with the subscript 0x90 in the S array is used as Another serial number, marked as the serial number 0x91, because the serial number 0x02 has been removed, and the serial number 0x91 is removed from the serial number array S, and the array size becomes 254.
步骤103:将第一对密钥序号生成一对密钥;Step 103: Generate a pair of keys with the first pair of key serial numbers;
如图3所示,步骤102中已经生成一对序号0x02和0x91,则序号作异或运算后的结果0x93,作为序号为0x02和0x91的密钥的钥头,再随机生成一个长度为128bit的密钥128bit_randomkeys作为0x02和0x91的密钥的钥齿,本发明选择对称加密算法RC4和AES,且共用一个密钥库,故该对密钥的钥齿是相同的,也即加密和解密使用相同的密钥,如果选择RSA非对称加密算法,则序号为0x02和0x91的钥齿部分,分别为公钥和私钥。As shown in Figure 3, a pair of serial numbers 0x02 and 0x91 have been generated in step 102, and the result of the XOR operation on the serial numbers is 0x93, which is used as the key header of the keys with serial numbers 0x02 and 0x91, and then a 128-bit key with a length of 128 bits is randomly generated. The key 128bit_randomkeys is used as the key tooth of the key of 0x02 and 0x91. The present invention selects the symmetric encryption algorithm RC4 and AES, and shares a key store, so the key tooth of the pair of keys is the same, that is, the encryption and decryption use the same If the RSA asymmetric encryption algorithm is selected, the key prongs with serial numbers 0x02 and 0x91 are the public key and private key respectively.
步骤104:重复步骤102和103,随机生成剩余的密钥,总计生成128对密钥。Step 104: Repeat steps 102 and 103 to randomly generate the remaining keys, and generate 128 pairs of keys in total.
步骤二、提取被加密对象的数据特征,得到经过处理后的数据首字节;Step 2, extracting the data characteristics of the encrypted object, and obtaining the first byte of the processed data;
自动检索密钥的依据是基于数据特征的数据值,数据特征的数据值是指数据的二进制形式。对于数据内容为可见字符的形式,数据特征局限于可见字符的ACK(Acknowledgement)码,其特征不明显,因此需要采取某种方法,让该数据更具有个性化。The basis for automatically retrieving the key is based on the data value of the data characteristic, and the data value of the data characteristic refers to the binary form of the data. For the data content in the form of visible characters, the data feature is limited to the ACK (Acknowledgment) code of the visible character, and its feature is not obvious, so some method needs to be adopted to make the data more personalized.
本发明采取的方法是对数据内容实施部分乱序,将散布的多字节位的数据特征集中到首字节,形成该数据的特征码来检索密钥。The method adopted by the present invention is to partially reorder the data content, gather the scattered multi-byte data features into the first byte, and form the feature code of the data to retrieve the key.
提取数据特征的处理方法是比特位乱序方法,包含但不局限于比特位的乱序,如图4所示,该方法的步骤为:The processing method for extracting data features is a bit out-of-order method, including but not limited to bit out-of-order, as shown in Figure 4, the steps of this method are:
步骤201:对数据长度大于4字节的数据,作比特位乱序处理,本方法以数字1963xxxx为例,结合ASCII码表可得,前四个字节十六进制表示为0x31393633。Step 201: For the data whose data length is greater than 4 bytes, perform bit disorder processing. This method takes the number 1963xxxx as an example, combined with the ASCII code table, the hexadecimal representation of the first four bytes is 0x31393633.
步骤202:将第一字节的第1、2比特位00和第二字节的第5、6比特位10互换;将第一字节的第3、4比特位11和第三字节的第6、7比特位10互换;将第一字节的第5、6比特位00和第四字节的第7、8比特位11互换;保留第一字节的第7、8比特位01不变。Step 202: Exchange the 1st and 2nd bits 00 of the first byte with the 5th and 6th bits 10 of the second byte; exchange the 3rd and 4th bits 11 of the first byte with the third byte The 6th and 7th bits 10 of the first byte are interchanged; the 5th and 6th bits 00 of the first byte are exchanged with the 7th and 8th bits 11 of the fourth byte; the 7th and 8th bits of the first byte are reserved Bit 01 is unchanged.
步骤203:互换后的数据十六进制表示为0xad313730,乱序后的数据首字节0xad即为提取被加密对象的数据特征,更能表现该数据1963xxxx的特征,从而在检索密钥时,能够检索到序号为0xad的密钥。Step 203: The hexadecimal representation of the exchanged data is 0xad313730, and the first byte 0xad of the out-of-order data is to extract the data characteristics of the encrypted object, which can better express the characteristics of the data 1963xxxx, so that when retrieving the key , the key with the serial number 0xad can be retrieved.
若不作数据特征提取,则以数字开头的数据,只可能检索到序号为0x30到0x39的密钥。If no data feature extraction is performed, the data starting with a number can only retrieve keys with serial numbers from 0x30 to 0x39.
综上,被加密对象的数据特征,结果为乱序后的数据首字节;In summary, the data characteristics of the encrypted object result in the first byte of the data after being out of order;
步骤三、依据提取的数据特征自动检索密钥库;Step 3, automatically searching the key store according to the extracted data characteristics;
依据提取数据特征后的首字节和密钥库的序号是一一对应的关系,用首字节的值作为序号去自动检索密钥库的序号,从而选定密钥。According to the one-to-one correspondence between the first byte after extracting data features and the serial number of the key store, the value of the first byte is used as the serial number to automatically retrieve the serial number of the key store, thereby selecting the key.
步骤四、依据数据特性选择加密算法;Step 4. Select an encryption algorithm according to the data characteristics;
根据实际的加密场景来选择适当的加密算法,本发明选择的加密对象的数据特征是数据长度,采取的方法是依据数据的长度来自动选择加密算法。Select an appropriate encryption algorithm according to the actual encryption scene. The data characteristic of the encryption object selected in the present invention is the data length, and the method adopted is to automatically select the encryption algorithm according to the length of the data.
本发明以AES算法和RC4算法进行说明,AES算法加密强度高,但不能适用于长度小于128bit的数据,因此当数据长度小于128bit时,采用RC4算法,当数据长度大于128bit时,采用AES算法加密,AES算法和RC4算法共用一组密钥库或者分别使用一组密钥库。本发明中RC4算法,不能反推密钥,因此共用同一组密钥即可。The present invention uses the AES algorithm and the RC4 algorithm for illustration. The AES algorithm has high encryption strength, but it cannot be applied to data whose length is less than 128 bits. Therefore, when the data length is less than 128 bits, the RC4 algorithm is used. When the data length is greater than 128 bits, the AES algorithm is used for encryption. , AES algorithm and RC4 algorithm share a set of key stores or use a set of key stores separately. In the present invention, the RC4 algorithm cannot invert the key, so it is enough to share the same group of keys.
由于不同的加密算法各有利弊,因此根据数据的特性来选择加密算法,从而发挥最佳的加密性能;Since different encryption algorithms have their own advantages and disadvantages, the encryption algorithm is selected according to the characteristics of the data, so as to exert the best encryption performance;
步骤五、依据不同的加密场景自定义增订扩充方案;Step 5. Customize the expansion plan according to different encryption scenarios;
某些特殊的加密场景对加密过程有特殊的要求,为了适应不同的加密场景,自定义扩充方法满足加密需要。Some special encryption scenarios have special requirements for the encryption process. In order to adapt to different encryption scenarios, the custom extension method meets the encryption needs.
本发明分别针对数据加密前后等长和可变长两种适用场景,分别设计了两种扩充方案。The present invention respectively designs two expansion schemes for two applicable scenarios of equal length before and after data encryption and variable length.
当加密场景要求加密后的密文,保持原有的数据长度时,对于RC4算法来说,本身就是等长加密,对于AES算法,要求加密长度是128bit的整数倍,因此当加密数据不是128bit的整数倍时,加密方法为:先对加密数据前面长度是128bit整数倍的明文做AES加密后,从明文的前边密文的末尾,取适当长度,和明文不足128bit的部分补齐128bit,再做一次AES加密。When the encryption scenario requires the encrypted ciphertext to keep the original data length, for the RC4 algorithm, it is equal-length encryption. For the AES algorithm, the encryption length is required to be an integer multiple of 128bit, so when the encrypted data is not 128bit When it is an integer multiple, the encryption method is as follows: firstly perform AES encryption on the plaintext whose length is an integer multiple of 128bit in front of the encrypted data, then take an appropriate length from the end of the ciphertext in front of the plaintext, and fill in 128bit with the part of the plaintext that is less than 128bit, and then do One time AES encryption.
当加密场景允许加密后的密文,长度可变时,对于AES算法,则对明文末尾进行填充,补齐128bit的整数倍,填充的内容为缺少长度的值,例如缺少8Byte则填充8个0x08,这样即便数据小于128bit,也无需采用低强度的RC4算法,提高整体的安全性能。When the encryption scene allows the encrypted ciphertext to be variable in length, for the AES algorithm, the end of the plaintext is padded to an integer multiple of 128bit, and the padded content is the value of the missing length. For example, if 8Byte is missing, 8 0x08 will be filled. , so that even if the data is less than 128bit, there is no need to use the low-strength RC4 algorithm to improve the overall security performance.
步骤六、对被加密对象进行加解密运算;Step 6, performing encryption and decryption operations on the encrypted object;
加解密运算包括加密运算和解密运算;Encryption and decryption operations include encryption operations and decryption operations;
所述的加密运算采用自动检索到的密钥和自动选择的加密算法,对被加密对象进行提取数据特征和增订扩充方案操作后的数据进行加密运算;The encryption operation adopts the automatically retrieved key and the automatically selected encryption algorithm, and performs encryption operation on the data after extracting the data characteristics of the encrypted object and the operation of updating and expanding the scheme;
对密文进行解密运算,是对解密后的数据执行增订扩充方案和提取数据特征的逆操作,还原出原始数据的解密运行。The decryption operation on the ciphertext is to execute the reverse operation of adding and expanding the scheme and extracting the data features to the decrypted data, and restore the decryption operation of the original data.
以原始数据为1963xxx...共24字节等长加解密为例,该方法的步骤为:Taking the original data as 1963xxx... a total of 24 bytes of equal-length encryption and decryption as an example, the steps of this method are:
步骤601:进行加密运算,如图5所示,被加密对象的原始数据长度大于4字节,先进行提取数据特征,采用比特位乱序方法,乱序后数据变为0xad313730xxxx...共24字节。Step 601: Perform encryption operation, as shown in Figure 5, the length of the original data of the encrypted object is greater than 4 bytes, first extract the data features, adopt the bit out of order method, after the out of order data becomes 0xad313730xxxx...24 in total byte.
步骤602:根据首字节的值0xad,检索密钥库中序号为0xad的密钥,假定密钥库中,序号0xad和序号0x01为一对密钥,将两个序号转换成二进制后进行异或运算,得到异或值0xac,作为钥头,钥齿为预先生成的随机数128bit_randomkeys。Step 602: According to the value 0xad of the first byte, retrieve the key with the serial number 0xad in the key storehouse, assuming that in the key storehouse, the serial number 0xad and the serial number 0x01 are a pair of keys, convert the two serial numbers into binary and perform an IR Or operation to get the XOR value 0xac, which is used as the key head, and the key tooth is the pre-generated random number 128bit_randomkeys.
步骤603:数据长度为24字节,大于16字节,选择AES加密算法,将数据的首字节0xad和密钥的钥头0xac异或,得到密文的首字节0x01,将数据除首字节外的16字节的整数倍,用钥齿128bit_randomkeys作为AES密钥,进行AES算法加密。Step 603: The length of the data is 24 bytes, greater than 16 bytes, select the AES encryption algorithm, XOR the first byte 0xad of the data and the key head 0xac of the key to obtain the first byte 0x01 of the ciphertext, and divide the data Integer multiples of 16 bytes outside the byte, use the key tooth 128bit_randomkeys as the AES key, and perform AES algorithm encryption.
步骤604:原始数据末尾还有7个字节未被加密,属于明文;从步骤603进行加密后的数据末尾,取出9字节密文,和原始数据的7个字节明文,补齐16字节,再一次使用钥齿128bit_randomkeys做AES加密,得到最终的24字节密文;加密运算完成。Step 604: There are still 7 bytes at the end of the original data that are not encrypted and belong to plaintext; from the end of the encrypted data in step 603, take out 9 bytes of ciphertext and 7 bytes of plaintext of the original data, and fill in 16 characters Section, use the key tooth 128bit_randomkeys to do AES encryption again, and get the final 24-byte ciphertext; the encryption operation is completed.
步骤605:进行解密运算,如图6所示,加密后的数据密文为24字节的密文,首先根据密文的首字节0x01,在密钥库中检索到序号为0x01的密钥,则钥头为0xac,钥齿为预先随机生成的128bit_randomkeys。Step 605: Perform decryption operation, as shown in Figure 6, the encrypted data ciphertext is a 24-byte ciphertext, first, according to the first byte 0x01 of the ciphertext, retrieve the key with the serial number 0x01 in the key store , the key head is 0xac, and the key tooth is 128bit_randomkeys randomly generated in advance.
步骤606:密文长度为24字节,选择AES算法进行解密,除首字节外其他23字节不是16的整数倍,则首先对密文最末尾16字节,用钥齿128bit_randomkeys进行AES解密,得到末尾9字节密文和7字节的原始数据。Step 606: The length of the ciphertext is 24 bytes, and the AES algorithm is selected for decryption. Except for the first byte, the other 23 bytes are not an integer multiple of 16. First, the last 16 bytes of the ciphertext are decrypted by AES using key tooth 128bit_randomkeys , get the 9-byte ciphertext and 7-byte original data at the end.
步骤607:将加密后的数据密文首字节0x01和钥头0xac异或,得到原始数据的首字节0xad,将加密后的数据密文除首字节0x01外的16字节的整数倍,用钥齿128bit_randomkeys作为AES密钥,进行AES算法解密,得到中间段16字节的原始数据。Step 607: XOR the first byte 0x01 of the encrypted data ciphertext with the key head 0xac to obtain the first byte 0xad of the original data, and convert the encrypted data ciphertext to an integer multiple of 16 bytes except the first byte 0x01 , use the key tooth 128bit_randomkeys as the AES key, perform AES algorithm decryption, and obtain the original data of 16 bytes in the middle section.
步骤608:数据长度大于4字节,还需执行提取数据特征的逆操作,对前4个字节0xad313730作逆比特位乱序,得到原始数据的前4个字节0x31393633。得到最终的24字节原始数据。Step 608: If the length of the data is greater than 4 bytes, the inverse operation of extracting the data features needs to be performed, and the reverse bit sequence of the first 4 bytes 0xad313730 is performed to obtain the first 4 bytes 0x31393633 of the original data. Get the final 24-byte raw data.
本发明提供的自动检索密钥和选择算法的加解密方法,在现行加密算法的基础上,采用密钥库替代传统的单一密钥,增强了密钥管理的安全性,依据数据特征选取密钥,并选择适当的加密算法发挥最佳的加密性能,能够支持增订扩充方案以满足特定的加密场景,因此,该方法具有很强的实用性和适应性,具有很广泛的应用场景。The encryption and decryption method of automatically retrieving keys and selecting algorithms provided by the present invention, on the basis of current encryption algorithms, uses a key storehouse instead of a traditional single key, which enhances the security of key management, and selects keys according to data characteristics , and select the appropriate encryption algorithm to achieve the best encryption performance, and can support the addition and expansion of the scheme to meet specific encryption scenarios. Therefore, this method has strong practicability and adaptability, and has a wide range of application scenarios.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410717255.XACN104363091B (en) | 2014-12-01 | 2014-12-01 | A kind of encipher-decipher method of automatically retrieval key and selection algorithm |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410717255.XACN104363091B (en) | 2014-12-01 | 2014-12-01 | A kind of encipher-decipher method of automatically retrieval key and selection algorithm |
| Publication Number | Publication Date |
|---|---|
| CN104363091A CN104363091A (en) | 2015-02-18 |
| CN104363091Btrue CN104363091B (en) | 2017-09-12 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410717255.XAExpired - Fee RelatedCN104363091B (en) | 2014-12-01 | 2014-12-01 | A kind of encipher-decipher method of automatically retrieval key and selection algorithm |
| Country | Link |
|---|---|
| CN (1) | CN104363091B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105025036B (en)* | 2015-08-07 | 2018-08-17 | 北京环度智慧智能技术研究所有限公司 | A kind of Cognitive Aptitude Test value Internet-based encryption and transmission method |
| CN105429749A (en)* | 2015-10-28 | 2016-03-23 | 袁超 | Separated feature data encryption and decryption method and system |
| CN105426445A (en)* | 2015-11-06 | 2016-03-23 | 天津佳宁坤祥科技有限公司 | Format-preserving data desensitization method |
| CN105760765B (en)* | 2016-02-04 | 2019-03-26 | 北京致远互联软件股份有限公司 | Data ciphering method, device and data decryption method, device |
| CN105897406B (en)* | 2016-06-02 | 2019-04-12 | 北京赛思信安技术股份有限公司 | A kind of device for the AES encryption and decryption that bright ciphertext is isometric |
| CN106973044B (en)* | 2017-03-15 | 2020-09-18 | 成都比特信安科技有限公司 | Method for identifying data owner in big data transaction |
| CN108304740B (en)* | 2017-06-02 | 2021-01-08 | 深圳三诺信息科技有限公司 | Method for burning digital product key |
| CN107332661A (en)* | 2017-06-29 | 2017-11-07 | 环球智达科技(北京)有限公司 | The method of data encryption |
| CN109391607B (en)* | 2017-08-14 | 2022-04-26 | 北京京东尚科信息技术有限公司 | Data encryption and decryption method, device and system |
| CN109714291A (en)* | 2017-10-25 | 2019-05-03 | 普天信息技术有限公司 | A kind of data transmission method and device |
| CN112637161B (en)* | 2018-09-12 | 2022-07-08 | 宁德时代新能源科技股份有限公司 | Data transmission method and storage medium |
| CN109474429B (en)* | 2018-12-24 | 2022-02-15 | 无锡市同威科技有限公司 | Key configuration strategy method facing FC storage encryption gateway |
| CN109885769A (en)* | 2019-02-22 | 2019-06-14 | 内蒙古大学 | An active recommendation system and device based on differential privacy algorithm |
| CN110611568B (en)* | 2019-09-20 | 2022-10-28 | 天翼电子商务有限公司 | Dynamic encryption and decryption method, device and equipment based on multiple encryption and decryption algorithms |
| CN110650148B (en)* | 2019-09-30 | 2021-09-21 | 广西科技大学 | Information security transmission system based on random encryption |
| CN112953705B (en)* | 2019-12-10 | 2022-12-30 | 中国电信股份有限公司 | Key selection method and device and computer storage medium |
| CN113505377A (en)* | 2021-05-25 | 2021-10-15 | 重庆沄析工业互联网有限公司 | Method for integrating SM4 data encryption and decryption technology based on software framework |
| CN113792305B (en)* | 2021-08-18 | 2023-11-14 | 广州城建职业学院 | Encryption and decryption method, system, equipment and computer readable storage medium |
| CN114554486B (en)* | 2022-01-06 | 2024-04-30 | 北京全路通信信号研究设计院集团有限公司 | Secret key management method and system for information security transmission |
| CN115834025A (en)* | 2022-11-17 | 2023-03-21 | 北京一雄信息科技有限公司 | Data encryption method, equipment and storage medium for automobile diagnosis platform |
| CN115987487B (en)* | 2022-12-22 | 2025-07-15 | 中国能源建设集团广西电力设计研究院有限公司 | Modbus RTU message encryption method and device |
| CN116455884B (en)* | 2023-04-04 | 2023-12-29 | 河南驰诚电气股份有限公司 | Remote debugging and upgrading method in wireless cascading mode |
| CN117454397B (en)* | 2023-10-25 | 2024-06-07 | 金田产业发展(山东)集团有限公司 | File secure transmission interactive system based on cloud computing |
| CN117857078B (en)* | 2023-11-23 | 2024-06-11 | 烟台新韦达智慧科技有限公司 | Variable-length hybrid dynamic transmission encryption and decryption method and device |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080104417A1 (en)* | 2006-10-25 | 2008-05-01 | Nachtigall Ernest H | System and method for file encryption and decryption |
| CN101183419A (en)* | 2007-12-07 | 2008-05-21 | 武汉达梦数据库有限公司 | Data-base storage ciphering method based on conversation |
| CN102307096B (en)* | 2011-08-26 | 2013-10-16 | 武汉理工大学 | Data cryption system for Pseudo-Rivest, Shamir and Adleman (RSA)-key-based recently public key cryptography algorithm |
| CN104022872B (en)* | 2014-04-09 | 2015-03-25 | 广州赛意信息科技有限公司 | Data encryption method |
| CN103927357B (en)* | 2014-04-15 | 2017-05-17 | 上海新炬网络技术有限公司 | Data encryption and retrieval method for database |
| Publication number | Publication date |
|---|---|
| CN104363091A (en) | 2015-02-18 |
| Publication | Publication Date | Title |
|---|---|---|
| CN104363091B (en) | A kind of encipher-decipher method of automatically retrieval key and selection algorithm | |
| US10984052B2 (en) | System and method for multiple-character wildcard search over encrypted data | |
| CN109660696B (en) | New image encryption method | |
| US10009170B2 (en) | Apparatus and method for providing Feistel-based variable length block cipher | |
| ES2247109T3 (en) | GENERATOR OF PSEUDOALEATORIAL NUMBERS. | |
| CN115276989B (en) | Serialized data encryption method based on directional scrambling | |
| KR101516574B1 (en) | Variable length block cipher apparatus for providing the format preserving encryption, and the method thereof | |
| US20140270165A1 (en) | Cryptographic system based on reproducible random sequences | |
| CN106209358A (en) | A kind of SM4 key schedule based on long key realize system and method | |
| EP3382929B1 (en) | Technique to generate symmetric encryption algorithms | |
| CN101237321A (en) | Encryption Method Based on Circular Queue Shifting Rule | |
| CN109302280A (en) | An AES key extension method | |
| Kumar et al. | A cryptographic model based on logistic map and a 3-D matrix | |
| CN107078900B (en) | Cryptographic system based on reproducible random sequences | |
| CN119449308B (en) | Encryption method based on RSA algorithm | |
| CN101237322A (en) | An Encryption Method Based on Double Circular Queue Shift and Transposition Rules | |
| CN115664827A (en) | Data encryption method, device and medium based on front-bit key | |
| CN107835070B (en) | Simple embedded encryption method | |
| CN102542070A (en) | Method for structuring one-way Hash function based on random function | |
| CN102546159B (en) | Random one-way hash function construction method capable of preventing table check-up attack | |
| Sokouti et al. | An approach in improving transposition cipher system | |
| CN111314052A (en) | A Data Encryption and Decryption Method Based on Uniformly Distributed Symmetric Compression Algorithm | |
| EP1716663A1 (en) | Methods for generating identification values for identifying electronic messages | |
| US11038668B2 (en) | Transposition encryption alphabet method (TEAM) | |
| KR20110031822A (en) | Encryption / decryption method and apparatus for random access through hierarchical tree structure of stream module |
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date:20170912 | |
| CF01 | Termination of patent right due to non-payment of annual fee |