CN112769543A

Movatterモバイル変換

Info

Publication number: CN112769543A
Application number: CN201911002410.9A
Authority: CN
Inventors: 刘涛; 刘云飞; 金纯嘉
Original assignee: Chihiro Location Network Co Ltd
Current assignee: Chihiro Location Network Co Ltd
Priority date: 2019-10-21
Filing date: 2019-10-21
Publication date: 2021-05-07
Anticipated expiration: 2039-10-21
Also published as: CN112769543B

Abstract

The application discloses a method and a system for protecting a dynamic secret key. The method comprises the following steps: generating a character string of a first length according to one or more custom variables; performing a logical operation on the character string and a static character string to generate a dynamic character string of the first length, wherein the static character string is configured to be of a second length and comprises a first segment and a second segment; performing left shift operation of one or more bits on the first segment, performing right shift operation of one or more bits on the second segment, and combining to generate a static character string after shift operation; and combining the dynamic character string and the static character string after the shift operation to generate a transmission key with a third length.

Description

Method and system for protecting dynamic secret key

Technical Field

The present specification relates to the technical field of data encryption, and in particular, to a method and a system for protecting a dynamic key.

Background

With the rapid development of the internet, the information security problem is more and more concerned, and the information security technology based on the data encryption technology is rapidly developed. In the data transmission process, especially when sensitive key information needs to be transmitted, special processing needs to be performed on the key information to improve the transmission security. However, some transmission channels cannot support channel encryption such as a secure transport layer protocol (TLS), or the client and the server agree a fixed transmission key (a key for encrypting the transmitted key) for protecting the transmitted key (the key itself to be transmitted), and the security of the fixed transmission key itself is questioned. Therefore, a key transmission method with higher security is required.

Disclosure of Invention

The present specification provides a method and system for dynamic key protection, which enhances the protection of keys during transmission.

The application discloses a dynamic key protection method, which comprises the following steps:

generating a character string of a first length according to one or more custom variables;

performing a logical operation on the character string and a static character string to generate a dynamic character string of the first length, wherein the static character string is configured to be of a second length and comprises a first segment and a second segment;

performing left shift operation of one or more bits on the first segment, performing right shift operation of one or more bits on the second segment, and combining to generate a static character string after shift operation;

and combining the dynamic character string and the static character string after the shift operation to generate a transmission key with a third length.

In a preferred embodiment, the custom variables are filled or deleted to generate the character string of the first length.

In a preferred embodiment, one or more zeros are complemented at the lowest or highest or middle bits of the custom variable to generate the string of the first length.

In a preferred embodiment, the custom variable includes a time stamp of the header of the data packet, a random value generated by a server, or a cyclic redundancy check value of the data packet.

In a preferred embodiment, the string is XOR-ed with the static string to generate the dynamic string of the first length.

In a preferred embodiment, the first segment is left-shifted by 3 to 7 bits, and the second segment is right-shifted by 3 to 7 bits.

In a preferred embodiment, the static character string after the shift operation is inserted into the middle bit of the dynamic character string to generate the transmission key.

In a preferred embodiment, the first length is greater than or equal to the second length.

In a preferred embodiment, when the first length is greater than the second length, the static character string is filled up to the first length.

In a preferred embodiment, the third length is equal to the sum of the first length and the second length.

In a preferred embodiment, the first segment and the second segment have the same length

The application also discloses a dynamic key protection system comprising:

the character string acquisition unit is configured to generate a character string with a first length according to one or more custom variables;

a logic operation unit configured to perform a logic operation on the character string and a static character string to generate a dynamic character string of the first length, wherein the static character string is configured to be of a second length and comprises a first segment and a second segment;

the shift operation unit is configured to perform left shift operation of one or more bits on the first segment, perform right shift operation of one or more bits on the second segment, and combine the left shift operation and the right shift operation to generate a static character string after shift operation;

a key generating unit configured to combine the dynamic string and the static string after the shift operation to generate a transmission key of a third length.

The application also discloses a dynamic key protection system comprising:

a memory for storing computer executable instructions; and

a processor, coupled with the memory, for implementing the steps in the method as described above when executing the computer-executable instructions.

The present application also discloses a computer-readable storage medium having stored thereon computer-executable instructions which, when executed by a processor, implement the steps in the method as described above.

Compared with the prior art, the method has the following beneficial effects:

in the embodiment of the present specification, a user-defined variable recognized by both the server and the client is used as a transmission factor, a dynamic string is generated by performing a logical operation on a static string agreed by the server and the client according to the user-defined variable, and the dynamic string is combined with the static string subjected to the shift operation to generate a transmission key. Compared with the key transmission method in the prior art, the embodiment can strengthen the protection of the key in the transmission process.

A large number of technical features are described in the specification, and are distributed in various technical solutions, so that the specification is too long if all possible combinations of the technical features (namely, the technical solutions) in the application are listed. In order to avoid this problem, the respective technical features disclosed in the above summary of the invention of the present specification, the respective technical features disclosed in the following embodiments and examples, and the respective technical features disclosed in the drawings may be freely combined with each other to constitute various new technical solutions (which should be regarded as having been described in the present specification) unless such a combination of the technical features is technically impossible. For example, in one example, the feature a + B + C is disclosed, in another example, the feature a + B + D + E is disclosed, and the features C and D are equivalent technical means for the same purpose, and technically only one feature is used, but not simultaneously employed, and the feature E can be technically combined with the feature C, then the solution of a + B + C + D should not be considered as being described because the technology is not feasible, and the solution of a + B + C + E should be considered as being described.

Drawings

Non-limiting and non-exhaustive embodiments of the present application are described with reference to the following figures, wherein like reference numerals refer to like parts throughout the various views unless otherwise specified.

Fig. 1 is a flow chart of a dynamic key protection method according to an embodiment of the present disclosure.

FIG. 2 is a diagram of a dynamic string according to an embodiment of the present disclosure.

FIG. 3 is a diagram illustrating a shift operation performed on a static string according to an embodiment of the present disclosure.

Fig. 4 is a schematic diagram of generating a transport key according to an embodiment of the present disclosure.

Fig. 5 is a block diagram of a dynamic key protection system in accordance with an embodiment of the present description.

Detailed Description

Various aspects and examples of the present application will now be described. The following description provides specific details for a thorough understanding and enabling description of these examples. However, it will be understood by those skilled in the art that the present application may be practiced without many of these details.

Additionally, some well-known structures or functions may not be shown or described in detail to facilitate brevity and avoid unnecessarily obscuring the relevant description.

Even though the terminology used in the description presented below is used in conjunction with the detailed description of certain specific examples of the present application, it should be interpreted in its broadest reasonable manner. Certain terms may even be emphasized below, however, any term that is intended to be interpreted in any restricted manner will be explicitly and specifically defined in this detailed description section.

Without loss of generality, the illustrative embodiments will be referenced by taking as an example methods and systems employing dynamic key protection. It will be understood by those of ordinary skill in the art that this is done merely for purposes of clarity and a full description of the present application and is not intended to limit the scope of the present application, which is defined by the claims which follow.

Embodiments of the present description will be described in further detail below with reference to the accompanying drawings.

A first embodiment of the present specification relates to a method for dynamic key protection, a flowchart of which is shown in fig. 1, and the method includes the following steps:

instep 101, a string of a first length is generated according to one or more custom variables.

In a preferred embodiment, the custom variable includes a time stamp of the data packet header, a server-generated random value, or a cyclic redundancy check value (CRC) of the data packet, and the string is generated according to one or more of the time stamp of the data packet header, the server-generated random value, and the cyclic redundancy check value of the data packet. For example, the first length string is generated according to a time stamp of a data packet header, or the first length string is generated according to a random value generated by a server, or the first length string is generated according to the time stamp of the data packet header and a cyclic redundancy check value of the data packet.

In a preferred embodiment, the custom variables are filled or deleted to generate the character string of the first length. When the length of the custom variable is smaller than the first length, in a preferred embodiment, one or more zeros are complemented at the lowest bit or the highest bit or the middle bit of the custom variable according to the difference between the length of the custom variable and the first length to generate the character string of the first length. It will be understood by those skilled in the art that the present embodiment is not limited to zero padding in the custom variable, and other values may be substituted. When the length of the custom variable is greater than the first length, in a preferred embodiment, one or more bits are deleted at the lowest bit or the highest bit or the middle bit of the custom variable according to the difference between the custom variable and the first length to generate the character string of the first length.

Instep 102, the character string is logically operated with a static character string to generate a dynamic character string of the first length, wherein the static character string is configured to be of the second length and includes a first segment and a second segment. The static character string may be any character string agreed between the server and the client.

In a preferred embodiment, the string is XOR-ed with the static string to generate the dynamic string of the first length. In another embodiment of this embodiment, the dynamic string may be generated by performing other logical operations on the static string and the character string.

In a preferred embodiment, the first length is greater than or equal to the second length. For example. The first length is 16 bytes, and the second length may be 8 bytes to 16 bytes.

In a preferred embodiment, when the first length is greater than the second length, the static character string is filled up to the first length. In a preferred embodiment, one or more zeros are complemented in the lowest or highest or middle position of the static string according to the difference between the second length and the first length to make the static string the first length. It will be understood by those skilled in the art that the present embodiment is not limited to zero padding in the static string, and other values may be substituted.

In a preferred embodiment of this embodiment, the length of the first segment is the same as the length of the second segment. For example, when the static string is 16 bytes, the first segment is 8 bytes and the second segment is 8 bytes. In other embodiments, the length of the first segment and the length of the second segment may not be the same. For example, when the static string is 16 bytes, the length of the first segment is 12 bytes, and the length of the second segment is 4 bytes.

Instep 103, the first segment is left-shifted by one or more bits, the second segment is right-shifted by one or more bits, and the shift operations are combined to generate a static string after the shift operation. In the present embodiment, the first stage and the second stage after the shift operation may be combined in order or may not be combined in order.

In a preferred embodiment, the first segment is left-shifted by 3 to 127 bits, and the second segment is right-shifted by 3 to 127 bits. Preferably, the first segment is left-shifted by 3 to 7 bits, and the second segment is right-shifted by 3 to 7 bits.

In other embodiments in this embodiment, the following may also be implemented: performing a right shift operation of one or more bits on the first segment, performing a left shift operation of one or more bits on the second segment, and combining the two segments to generate a static string after the shift operation, which is not limited in this embodiment.

Instep 104, the dynamic string and the static string after the shift operation are combined to generate a transmission key of a third length.

In a preferred embodiment, the static character string after the shift operation is inserted into a middle bit of the dynamic character string to generate the transmission key. In another optional implementation manner of this embodiment, the static character strings after the shift operation are sequentially inserted into the dynamic character strings to generate the transmission key.

In a preferred embodiment, the third length is equal to the sum of the first length and the second length. In this embodiment, the third length may be 16 bytes, 24 bytes, or 32 bytes for different encryption schemes.

In this embodiment, the user-defined variable recognized by both the server and the client is used as a transmission factor, a dynamic string is generated by performing logical operation on the static string agreed by the server and the client according to the user-defined variable, and the dynamic string is combined with the static string subjected to shift operation to generate a transmission key. Compared with the key transmission method in the prior art, the embodiment can strengthen the protection of the key in the transmission process.

In order to better understand the technical solutions of the present description, the following description is given with reference to a specific example, in which the listed details are mainly for the sake of understanding, and are not intended to limit the scope of the present application.

In this embodiment, an AES-256 encryption scheme in AES (advanced encryption Standard) is taken as an example, and the key length of the AES-256 encryption scheme is 32 bytes.

The server and the client have fixed information such as transmission headers during data interaction, and can generate a transmission key by using variables in the transmission headers as seeds. Referring to fig. 2, assume that the time stamp S in the transport header, e.g., S is a 13-bit time stamp "1234567890123", is filled with a 16-byte string S'. The client and server then agree on a fixed static string T, for example, T "ksalier 9! D 3% is @ which XOR-S the string S' with the static string T to obtain a 16-byte dynamic string DS.

Referring to FIG. 3, a shift operation is performed on a static string. The first 8 bytes of the static string T are taken as the first segment T ', and the first segment T' is left-shifted by 3 bits. And taking the last 8 bytes of the static character string T as a second segment T ', and right-shifting the second segment T' by 3 bits. Then, the first segment and the second segment after the shift operation are combined to generate a new 16-byte static character string T1.

Referring to fig. 4, the dynamic string DS and the static string T1 after the shift operation are combined into a 32-byte string TK as the transmission key. For example, the static string T1 after the shift operation is inserted into the middle bit of the dynamic string DS.

In another embodiment of this embodiment, the AES-128 or AES-192 is taken as an example to explain, and the key length of the AES-128 is 16 bytes, and the key length of the AES-192 is 24 bytes. And performing logic operation on the static character strings agreed by the server and the client according to the user-defined variable to generate a dynamic character string, and combining the dynamic character string with the static character string subjected to shift operation to generate a transmission secret key. Compared with the key transmission method in the prior art, the embodiment can strengthen the protection of the key in the transmission process.

A second embodiment of the present specification relates to a system for protecting a dynamic key, and a system block diagram thereof is shown in fig. 5, which specifically includes:

a character string obtaining unit 10 configured to generate a character string of a first length according to one or more custom variables;

a logic operation unit 20 configured to perform a logic operation on the character string and a static character string to generate a dynamic character string of the first length, wherein the static character string is configured to be of a second length and comprises a first segment and a second segment;

a shift operation unit 30 configured to perform a left shift operation of one or more bits on the first segment, perform a right shift operation of one or more bits on the second segment, and combine the left shift operation and the right shift operation to generate a static character string after the shift operation;

a key generating unit 40 configured to combine the dynamic string and the static string after the shift operation to generate a transmission key of a third length.

In a preferred example, when the length of the custom variable is not equal to the first length, the character string obtaining unit 10 performs padding or deletion on the custom variable to generate the character string of the first length.

In a preferred example, the character string obtaining unit 10 complements one or more zeros in the lowest order or the highest order or the middle order of the custom variable to generate the character string of the first length.

In a preferred embodiment, the logic unit 20 performs an exclusive or calculation on the character string and the static character string to generate the dynamic character string of the first length.

In a preferred embodiment, the shift operation unit 30 performs a left shift operation of 3 to 7 bits on the first segment, and performs a right shift operation of 3 to 7 bits on the second segment.

In a preferred embodiment, the key generating unit 40 inserts the static string after the shift operation into the middle bits of the dynamic string to generate the transmission key.

In a preferred embodiment, the first segment and the second segment are the same length.

The first embodiment is a method embodiment corresponding to the present embodiment, and the technical details in the first embodiment may be applied to the present embodiment, and the technical details in the present embodiment may also be applied to the first embodiment.

It should be noted that, as will be understood by those skilled in the art, the implementation functions of each unit shown in the embodiment of the dynamic key protection system described above can be understood by referring to the related description of the foregoing dynamic key protection method. The functions of the units shown in the embodiments of the dynamic key protection system described above may be implemented by a program (executable instructions) running on a processor, or may be implemented by specific logic circuits. The above dynamic key protection system in the embodiments of the present specification may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present specification. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the present description are not limited to any specific combination of hardware and software.

Accordingly, the present specification embodiments also provide a computer-readable storage medium having stored therein computer-executable instructions that, when executed by a processor, implement the method embodiments of the present specification. Computer-readable storage media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. Information may be computer readable instructions, data structures, units of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable storage medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.

In addition, embodiments of the present specification also provide a system for dynamic key protection, which includes a memory for storing computer-executable instructions, and a processor; the processor is configured to implement the steps of the method embodiments described above when executing the computer-executable instructions in the memory.

In one embodiment, the computer-executable instructions may be for:

In one embodiment, the Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), or the like. The aforementioned memory may be a read-only memory (ROM), a Random Access Memory (RAM), a Flash memory (Flash), a hard disk, or a solid state disk. The steps of the method disclosed in the embodiments of the present invention may be directly implemented by a hardware processor, or implemented by a combination of hardware and software elements in a processor. In one embodiment, the dynamic key protection system further comprises a bus and a communication interface. The processor, memory and communication interface are all interconnected by a bus. The communication interface may be a wireless communication interface or a wired communication interface for enabling the processor to communicate with other systems.

It is noted that, in the present patent application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the use of the verb "comprise a" to define an element does not exclude the presence of another, same element in a process, method, article, or apparatus that comprises the element. In the present patent application, if it is mentioned that a certain action is executed according to a certain element, it means that the action is executed according to at least the element, and two cases are included: performing the action based only on the element, and performing the action based on the element and other elements. The expression of a plurality of, a plurality of and the like includes 2, 2 and more than 2, more than 2 and more than 2.

All documents mentioned in this specification are to be considered as being incorporated in their entirety into the disclosure of this specification so as to be subject to modification as necessary. It should be understood that the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of one or more embodiments of the present disclosure should be included in the scope of protection of one or more embodiments of the present disclosure.

In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

Claims

1. A method for dynamic key protection, comprising:

2. The dynamic key protection method of claim 1, wherein the custom variables are padded or pruned to generate the string of the first length.

3. The dynamic key protection method of claim 1, wherein one or more zeros are complemented in the lowest or highest bits or intermediate bits of the custom variable to generate the string of the first length.

4. The dynamic key protection method of claim 1, wherein the custom variable comprises a time stamp of the data packet header, a server-generated random value, or a cyclic redundancy check value of the data packet.

5. The dynamic key protection method of claim 1, wherein the string is xored with the static string to generate the dynamic string of the first length.

6. The method of claim 1, wherein the first segment is left-shifted by 3 to 7 bits, and the second segment is right-shifted by 3 to 7 bits.

7. The method of dynamic key protection according to claim 1, wherein the static string after the shift operation is inserted into middle bits of the dynamic string to generate the transport key.

8. The method of dynamic key protection according to claim 1, wherein the first length is greater than or equal to the second length.

9. The method of dynamic key protection according to claim 8, wherein the static string is padded to the first length when the first length is greater than the second length.

10. The method of dynamic key protection according to claim 1, wherein the third length is equal to a sum of the first length and the second length.

11. The method of dynamic key protection according to claim 1, wherein the first segment and the second segment are the same length.

12. A dynamic key protection system, comprising:

13. A dynamic key protection system, comprising:

a memory for storing computer executable instructions; and

a processor, coupled with the memory, for implementing the steps in the method of any of claims 1 to 11 when executing the computer-executable instructions.

14. A computer-readable storage medium having stored thereon computer-executable instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 11.