CN1697374A - Key data transceiving method and key data distribution device and receiving device thereof - Google Patents

Abstract

Party of sanding cipher key data generates first cipher key data including first public key data and first private key data, and second cipher key data including second public key data and second private key data. Encrypting transform is carried out for first public key data by using second private key data so as to obtain first distribution cipher key data. Encrypting transform is carried out for second public key data by using first private key data so as to obtain second distribution cipher key data. The said first distribution cipher key data and second distribution cipher key data are sent to party of receiving cipher key data. Meanwhile, one from first public key data and second public key data is selected to send to party of receiving cipher key data. The invention reduces complexity of cipher key distribution step in cipher key management procedure, and raises difficulty of cipher key data to be attacked in procedure of distributing cipher key.

Description

Translated fromChinese

密钥数据收发方法及其密钥数据分发装置和接收装置Key data transceiving method and key data distribution device and receiving device thereof

技术领域technical field

本发明涉及信息安全领域，尤其涉及一种密钥数据收发方法及其装置。The invention relates to the field of information security, in particular to a key data sending and receiving method and device thereof.

背景技术Background technique

密钥管理是密钥安全系统中的关键环节，其中密钥管理过程的整个生命周期可以包括下述过程：Key management is a key link in the key security system, and the entire life cycle of the key management process may include the following processes:

密钥注册，网络节点通过安全措施获得或者创建初始密钥材料，成为安全域的一个授权成员；Key registration, the network node obtains or creates initial key material through security measures, and becomes an authorized member of the security domain;

密钥创建，网络节点通过自己产生或者从密钥管理中心的可信系统组件中获取密钥材料，其中密钥材料中一般包括密钥数据和相应的算法信息等；Key creation, the network node generates key material by itself or obtains key material from the trusted system components of the key management center, where the key material generally includes key data and corresponding algorithm information, etc.;

密钥存储，网络节点将得到的密钥材料存储在自身的硬盘、ROM设备、芯片卡、硬件令牌等相关存储介质中；Key storage, the network node stores the obtained key material in its own hard disk, ROM device, chip card, hardware token and other related storage media;

密钥分发，网络节点将得到的密钥数据分别发送给其他网络节点的过程，其中密钥分发过程必须保证密钥数据的完整性和保密性；Key distribution, the process in which network nodes send the obtained key data to other network nodes, in which the key distribution process must ensure the integrity and confidentiality of the key data;

密钥备份，网络节点将得到的密钥材料在独立、安全的存储介质上进行再次存储备份，以作为后续提供用于密钥恢复过程的数据源；Key backup, the network node will store and back up the obtained key material on an independent and secure storage medium, as a subsequent data source for the key recovery process;

密钥更新，网络节点在密钥材料生存周期终止前使用新的密钥材料替换正在使用的原始密钥材料；Key update, the network node replaces the original key material being used with new key material before the life cycle of the key material expires;

密钥注销，网络节点一旦不再需要使密钥数据和自身维持关联，就可以注销密钥数据，清除所有密钥材料的正式记录；Key cancellation, once the network node no longer needs to keep the key data associated with itself, it can cancel the key data and clear the official records of all key materials;

密钥销毁，网络节点对所有存储和备份的密钥材料进行销毁；Key destruction, network nodes destroy all stored and backed up key materials;

密钥恢复，如果密钥材料丢失但并未泄漏(如网络节点的硬件故障或者用户遗忘了密码的情况)，网络节点可以通过密钥备份过程中的备份密钥材料进行恢复密钥数据。Key recovery, if the key material is lost but not leaked (such as the hardware failure of the network node or the user forgets the password), the network node can restore the key data through the backup key material in the key backup process.

而目前，在现有技术存在的各种密钥管理方式中，其密钥分发过程主要采取以下两种方式：At present, among the various key management methods existing in the prior art, the key distribution process mainly adopts the following two methods:

1)Diffie-Hellman密钥分发机制(以下简称DH密钥分发)1) Diffie-Hellman key distribution mechanism (hereinafter referred to as DH key distribution)

举例说明DH密钥分发的原理：An example to illustrate the principle of DH key distribution:

假设需要进行密钥分发和交换的两个网络节点分别为A和B，网络节点A在密钥创建过程中产生自身的密钥数据X_A，网络节点B在密钥创建过程中产生自身的密钥数据X_B；Assuming that the two network nodes that need to distribute and exchange keys are A and B, network node A generates its own key data X_A during the key creation process, and network node B generates its own key data X A during the key creation process. Key data X_B ;

网络节点A对密钥数据X_A进行模幂运算，得到分发密钥数据Y_A，其中$Y_A={\mathrm{\α}}^{X_A}\mathrm{mod}q$；网络节点B对密钥数据X_B进行模幂运算，得到分发密钥数据Y_B，其中$Y_B={\mathrm{\α}}^{X_B}\mathrm{mod}q$；其中上面两式中素数q和整数a是网络节点A和B双方事先已知的参数；Network node A performs modular exponentiation on the key data X_A to obtain the distribution key data Y_A , where$Y_A={\mathrm{\α}}^{x_A}\mathrm{mod}q$ ;Network node B performs modular exponentiation on the key data X_B to obtain the distribution key data Y_B , where$Y_B={\mathrm{\α}}^{x_B}\mathrm{mod}q$ ; Wherein the prime number q and the integer a in the above two formulas are parameters known in advance by both network nodes A and B;

网络节点A和B分别将分发密钥数据Y_A和Y_B分发给对方，这样网络节点A将得到分发密钥数据Y_B，网络节点B将得到分发密钥数据Y_A；Network nodes A and B respectively distribute the distribution key data Y_A and Y_B to each other, so that network node A will obtain distribution key data Y_B , and network node B will obtain distribution key data Y_A ;

随后网络节点A和B分别执行以下运算：$K_A={Y_B}^{X_A}\mathrm{mod}q,$$K_B={Y_A}^{X_B}\mathrm{mod}q,$经数学推导证明，K_A＝K_B；由此，网络节点A和B双方就建立了一个相互共享的密钥数据，完成了密钥分发的目的。Then network nodes A and B perform the following operations respectively:$K_A={Y_B}^{x_A}\mathrm{mod}q,$$K_B={Y_A}^{x_B}\mathrm{mod}q,$ It is proved by mathematical derivation that K_A =K_B ; thus, both network nodes A and B establish a mutually shared key data, and complete the purpose of key distribution.

综上，DH密钥分发可以实现任意两个网络节点在不安全的传输介质上实现安全的密钥分发和密钥交换，其网络节点对密钥数据进行加密运算的算法的有效性主要依赖于在运算过程中计算离散对数的难度，即在对密钥数据进行加密运算的过程中模幂运算相对容易，但计算离散对数的过程却相对困难较多；特别对于大素数的情况，在现有技术条件下，通常认为对其计算离散对数是不可行的。To sum up, DH key distribution can realize secure key distribution and key exchange between any two network nodes on an insecure transmission medium. The difficulty of calculating discrete logarithms in the operation process, that is, the modular exponentiation operation is relatively easy in the process of encrypting the key data, but the process of calculating discrete logarithms is relatively difficult; especially for the case of large prime numbers, in Under the current technical conditions, it is generally considered that it is not feasible to calculate the discrete logarithm.

同时DH密钥分发适用于实时的动态密钥分发，其加密处理后的密钥数据和密钥数据算法不需要同时传递。At the same time, DH key distribution is suitable for real-time dynamic key distribution, and the encrypted key data and key data algorithm do not need to be transmitted at the same time.

2)根密钥保护机制的密钥分发2) Key distribution of the root key protection mechanism

密钥数据提供方和密钥数据请求方事先约定共享一组密钥数据，定义这组密钥数据为根密钥。在密钥数据请求过程中，密钥数据提供方采用根密钥对实际传输的密钥数据进行加密处理后，再发送给密钥数据请求方，密钥数据请求方采用该根密钥对接收到的加密密钥数据实施解密处理后获得密钥数据。The key data provider and the key data requester agree in advance to share a set of key data, and define this set of key data as the root key. In the key data request process, the key data provider uses the root key to encrypt the actually transmitted key data, and then sends it to the key data requester, and the key data requester uses the root key to receive The obtained encrypted key data is decrypted to obtain the key data.

因此，上述基于根密钥保护机制的密钥分发方案中，需要对根密钥进行妥善保护，一般需要将根密钥存储在某种安全存储介质中(如智能卡)。Therefore, in the above-mentioned key distribution scheme based on the root key protection mechanism, the root key needs to be properly protected, and generally the root key needs to be stored in some kind of secure storage medium (such as a smart card).

在由软件程序实现的密钥分发过程中，为保证机密信息(如授权信息)的安全传输，机密信息发送方需要对机密信息实施数字签名或加密保护，数字签名或加密保护过程就是使用密钥数据Key对机密信息进行加密处理的过程。这样在确保软件程序不依靠密钥数据提供设备而实现独立运行的前提下，密钥数据应随软件程序设置的加密算法信息一起分发出去，此时的密钥数据分发过程就不是通过实时分发方式完成的，因此不可能使用DH密钥分发机制的密钥分发方法。In the key distribution process implemented by software programs, in order to ensure the safe transmission of confidential information (such as authorization information), the sender of confidential information needs to implement digital signature or encryption protection for the confidential information. The process of digital signature or encryption protection is to use the key Data Key is the process of encrypting confidential information. In this way, under the premise of ensuring that the software program does not rely on the key data providing device to achieve independent operation, the key data should be distributed together with the encryption algorithm information set by the software program. At this time, the key data distribution process is not through real-time distribution. Done, so it is not possible to use the key distribution method of the DH key distribution mechanism.

同时如果事先为每个网络节点建立根密钥KeyRoot，采用根密钥KeyRoot去加密用于保护机密信息的密钥数据Key，则同样面临根密钥KeyRoot的保护问题，对于由软件程序实现的密钥分发方案，该根密钥KeyRoot的保护问题与保护密钥数据Key的问题性质基本一样，可以采用硬件智能卡来存储根密钥KeyRoot，但这样却加大了密钥管理系统安全部署的难度。At the same time, if the root key KeyRoot is established for each network node in advance, and the root key KeyRoot is used to encrypt the key data Key used to protect confidential information, then the protection problem of the root key KeyRoot is also faced. Key distribution scheme, the nature of the protection of the root key KeyRoot is basically the same as that of protecting the key data Key, hardware smart cards can be used to store the root key KeyRoot, but this increases the difficulty of secure deployment of the key management system.

发明内容Contents of the invention

本发明要解决的技术问题是提出一种密钥数据收发方法及其密钥数据分发装置和接收装置，以使在由软件程序实现的密钥分发方案中，降低密钥管理过程中密钥分发环节的复杂度，并提高密钥分发过程中密钥被攻击的难度。The technical problem to be solved by the present invention is to propose a method for sending and receiving key data and its key data distribution device and receiving device, so that in the key distribution scheme realized by software programs, the key distribution during the key management process can be reduced. The complexity of the link, and increase the difficulty of the key being attacked during the key distribution process.

为解决上述问题，本发明提出了一种密钥数据收发方法，包括步骤：In order to solve the above problems, the present invention proposes a method for sending and receiving key data, comprising steps:

密钥数据发送方生成包括第一公钥数据和第一私钥数据的第一密钥数据和包括第二公钥数据和第二私钥数据的第二密钥数据；The key data sender generates first key data including first public key data and first private key data and second key data including second public key data and second private key data;

用所述第二私钥数据对第一公钥数据进行加密变换，得到第一分发密钥数据；并Encrypting and transforming the first public key data with the second private key data to obtain the first distribution key data; and

用所述第一私钥数据对第二公钥数据进行加密变换，得到第二分发密钥数据；Encrypting and transforming the second public key data with the first private key data to obtain the second distribution key data;

将所述第一分发密钥数据和第二分发密钥数据发送给密钥数据接收方接收，同时选择第一公钥数据和第二公钥数据的其中之一发送给密钥数据接收方接收。Send the first distribution key data and the second distribution key data to the key data recipient for reception, and select one of the first public key data and the second public key data to send to the key data recipient for reception .

所述方法还包括步骤：The method also includes the steps of:

密钥数据接收方用接收到的第一公钥数据对第二分发密钥数据进行解密变换，得到第二公钥数据；并The key data receiver uses the received first public key data to decrypt and transform the second distribution key data to obtain the second public key data; and

用解密得到的第二公钥数据对第一分发密钥数据进行解密变换，得到第一公钥数据；Using the decrypted second public key data to decrypt and transform the first distribution key data to obtain the first public key data;

比较解密得到的第一公钥数据和接收到的第一公钥数据是否一致，如果是，确认所述第一公钥数据为可用密钥数据；否则确认所述第一公钥数据为不可用密钥数据。Compare whether the decrypted first public key data is consistent with the received first public key data, if yes, confirm that the first public key data is usable key data; otherwise confirm that the first public key data is unusable key data.

所述方法还包括步骤：The method also includes the steps of:

密钥数据接收方用接收到的第二公钥数据对第一分发密钥数据进行解密变换，得到第一公钥数据；并The key data receiver uses the received second public key data to decrypt and transform the first distributed key data to obtain the first public key data; and

用解密得到的第一公钥数据对第二分发密钥数据进行解密变换，得到第二公钥数据；Using the decrypted first public key data to decrypt and transform the second distribution key data to obtain the second public key data;

比较解密得到的第二公钥数据和接收到的第二公钥数据是否一致，如果是，确认所述第二公钥数据为可用密钥数据；否则确认所述第二公钥数据为不可用密钥数据。Compare whether the decrypted second public key data is consistent with the received second public key data, if yes, confirm that the second public key data is usable key data; otherwise, confirm that the second public key data is unusable key data.

其中所述用私钥数据对公钥数据进行加密变换，得到对应的分发密钥数据的过程包括：The process of encrypting and transforming the public key data with the private key data to obtain the corresponding distribution key data includes:

将公钥数据转换为二进制形式；Convert the public key data into binary form;

将公钥数据的二进制形式划分为等长的分组形式；Divide the binary form of the public key data into equal-length packets;

用私钥数据分别对公钥数据的每个分组进行加密处理；Encrypt each packet of the public key data with the private key data;

由每个加密处理后的分组所构成的整数集合作为分发密钥数据。An integer set composed of each encrypted packet is used as distribution key data.

其中所述用公钥数据对分发密钥数据进行解密变换，得到另一公钥数据的过程包括：Wherein, the process of decrypting and transforming the distribution key data with the public key data to obtain another public key data includes:

用公钥数据分别对构成分发密钥数据的每个分组进行解密处理；Using the public key data to decrypt each packet constituting the distribution key data;

对解密处理后的所有分组进行合并处理，恢复出原始的公钥数据。Combine all the decrypted packets to recover the original public key data.

相应的，本发明还提出了一种密钥数据分发装置，包括：Correspondingly, the present invention also proposes a key data distribution device, including:

密钥数据生成单元，用于生成包括公钥数据和私钥数据的密钥数据；a key data generating unit, configured to generate key data including public key data and private key data;

加密变换单元，用于使用一个密钥数据的私钥数据对另一密钥数据的公钥数据进行加密变换，得到对应的分发密钥数据；An encryption transformation unit, configured to use the private key data of one key data to encrypt and transform the public key data of another key data to obtain corresponding distribution key data;

密钥数据发送单元，用于发送分发密钥数据和公钥数据。The key data sending unit is used for sending distribution key data and public key data.

其中所述加密变换单元进一步包括：Wherein said encryption transformation unit further includes:

二进制转换子单元，用于将公钥数据转换为二进制形式；a binary conversion subunit for converting the public key data into binary form;

分组处理子单元，用于将公钥数据的二进制形式划分为等长的分组形式；The packet processing subunit is used to divide the binary form of the public key data into equal-length packet forms;

加密处理子单元，用于使用私钥数据分别对公钥数据的每个分组进行加密处理；An encryption processing subunit, configured to use the private key data to encrypt each group of the public key data;

整数集合形成子单元，用于将加密处理后的所有分组构成一个整数集合作为分发密钥数据。The integer set forms a subunit, which is used to form an integer set of all encrypted packets as distribution key data.

相应的，本发明还提出了一种密钥数据接收装置，包括：Correspondingly, the present invention also proposes a key data receiving device, including:

密钥数据接收单元，用于接收分发密钥数据和公钥数据；a key data receiving unit, configured to receive distribution key data and public key data;

解密变换单元，用于使用公钥数据对分发密钥数据进行解密变换，得到和分发密钥数据对应的公钥数据；A decryption transformation unit, configured to use the public key data to decrypt and transform the distribution key data to obtain public key data corresponding to the distribution key data;

公钥数据比较单元，用于比较解密得到的公钥数据和接收的公钥数据之间的一致性。The public key data comparing unit is used for comparing the consistency between the public key data obtained by decryption and the received public key data.

其中所述解密变换单元进一步包括：Wherein the decryption transformation unit further includes:

解密处理子单元，用于使用公钥数据分别对构成分发密钥数据的每个分组进行解密处理；A decryption processing subunit, configured to use the public key data to decrypt each packet constituting the distribution key data;

分组合并子单元，用于对分发密钥数据中解密处理后的所有分组进行合并处理，恢复出和分发密钥数据对应的公钥数据。The packet merging subunit is used for merging all the decrypted packets in the distribution key data to recover the public key data corresponding to the distribution key data.

本发明能够达到的有益效果：The beneficial effect that the present invention can reach:

本发明在密钥分发环节中，在两个密钥数据之间，分别使用每个密钥数据中的私钥数据分别对对方的公钥数据进行加密，得到对应的分发密钥数据，再将得到的分发密钥数据和其中一个密钥数据的公钥数据发送。这样，在密钥传输过程中，密钥窃取者妄图攻击或窃取密钥时，要分别找到明文传输的公钥数据和分发密钥数据，还要找到对应的加密变换算法信息，才能经过两次解密变换过程，能得到两个公钥数据，从而使密钥攻击难度加大，攻击需要的资源开销也比较大。同时基于本发明密钥传输机制，不用考虑根密钥的安全存储问题，降低了密钥管理过程中密钥分发环节的管理复杂度。In the key distribution link of the present invention, between two key data, the private key data in each key data are respectively used to encrypt the public key data of the other party to obtain the corresponding distribution key data, and then The obtained distribution key data and the public key data of one of the key data are sent. In this way, during the key transmission process, when the key thief attempts to attack or steal the key, he must find the public key data and distribution key data transmitted in plain text, and find the corresponding encryption transformation algorithm information, so that he can go through two During the decryption transformation process, two public key data can be obtained, which makes the key attack more difficult and the resource overhead required for the attack is relatively large. At the same time, based on the key transmission mechanism of the present invention, the problem of safe storage of the root key is not considered, which reduces the management complexity of the key distribution link in the key management process.

附图说明Description of drawings

图1是本发明密钥数据收发方法的加密变换处理流程图；Fig. 1 is the encryption conversion process flowchart of key data transmission and reception method of the present invention;

图2是本发明密钥数据收发方法的解密变换处理流程图；Fig. 2 is a flow chart of the decryption conversion processing of the key data transceiving method of the present invention;

图3是本发明密钥数据分发装置中密钥数据发送部分的组成结构示意图；Fig. 3 is a schematic diagram of the composition and structure of the key data sending part in the key data distribution device of the present invention;

图4是本发明密钥数据接收装置中密钥数据接收部分的组成结构示意图；4 is a schematic diagram of the composition and structure of the key data receiving part in the key data receiving device of the present invention;

图5是本发明密钥数据分发装置中加密变换单元的进一步组成结构示意图；Fig. 5 is a schematic diagram of the further composition and structure of the encryption conversion unit in the key data distribution device of the present invention;

图6是本发明密钥数据接收装置中解密变换单元的进一步组成结构示意图。Fig. 6 is a schematic diagram of the further composition and structure of the decryption transformation unit in the key data receiving device of the present invention.

具体实施方式Detailed ways

在现代密钥管理体制中，密钥数据的安全性是保障系统安全的关键环节。为保障密钥数据在分发过程中的机密性和完整性，抵抗密钥数据的替换和攻击，在由纯软件设计实现的密钥分发方案中，本发明密钥数据收发方法及其密钥数据分发装置和接收装置这里采取给用户分发算法库的方式来实现，在算法库中集成密钥保护算法和相关的密钥数据。In the modern key management system, the security of key data is the key link to ensure the security of the system. In order to ensure the confidentiality and integrity of the key data in the distribution process, and resist the replacement and attack of the key data, in the key distribution scheme realized by pure software design, the key data sending and receiving method and the key data of the present invention The distributing device and the receiving device are implemented here by distributing an algorithm library to users, and the key protection algorithm and related key data are integrated in the algorithm library.

本发明密钥收发方法及其密钥数据分发装置和接收装置在由相应的密钥保护算法对相关的密钥数据进行加密变换后，再进行发送的加密过程主要采用产生两个密钥数据，用每个密钥数据中包括的私钥数据对对方的公钥数据进行加密变换而得到对应的分发密钥数据进行发送。下面首先描述本发明的密钥分发方法。The key data sending and receiving method of the present invention and its key data distributing device and receiving device are encrypted and converted by the corresponding key protection algorithm to the relevant key data, and then the encryption process of sending is mainly used to generate two key data, Use the private key data included in each key data to encrypt and transform the other party's public key data to obtain corresponding distribution key data for transmission. Firstly, the key distribution method of the present invention will be described below.

参照图1，该图是本发明密钥数据收发方法的加密变换处理流程图；其中密钥数据发送方对密钥数据进行加密变换后再进行发送的处理过程如下：With reference to Fig. 1, this figure is the encryption conversion processing flowchart of key data transceiving method of the present invention; Wherein the key data sender carries out the processing procedure of sending after encryption conversion to key data again as follows:

步骤S10至步骤S20，作为密钥数据发送方的网络节点首先生成两个密钥数据，分别定义为第一密钥数据和第二密钥数据，其中密钥数据采用非对称密钥体制，则第一密钥数据包括一个公钥数据和一个私钥数据的数据对，定义为该第一密钥数据的第一公钥数据和第一私钥数据；同理，第二密钥数据中也包含第二公钥数据和第二私钥数据。From step S10 to step S20, the network node as the key data sender first generates two key data, which are respectively defined as the first key data and the second key data, where the key data adopts an asymmetric key system, then The first key data includes a data pair of public key data and a private key data, defined as the first public key data and the first private key data of the first key data; similarly, the second key data also Contains the second public key data and the second private key data.

步骤S30，使用所产生的第二私钥数据对第一公钥数据进行加密变换，得到对应的第一分发密钥数据，其中加密变换使用的算法可以根据具体情况进行选择，如可以采用非对称密钥体制RSA算法进行加密变换操作。Step S30, use the generated second private key data to encrypt and transform the first public key data to obtain the corresponding first distribution key data, wherein the algorithm used for the encryption transformation can be selected according to the specific situation, for example, an asymmetric The key system RSA algorithm performs encryption transformation operation.

步骤S40，继续使用所产生的第一私钥数据对第二公钥数据进行加密变换，得到对应的第二分发密钥数据。Step S40, continue to use the generated first private key data to encrypt and transform the second public key data to obtain corresponding second distribution key data.

步骤S50，将步骤S30产生的第一分发密钥数据和步骤S40产生的第二分发密钥数据分别进行发送，同时选择产生的第一公钥数据和第二公钥数据的其中之一进行发送，即选择发送第一公钥数据或选择发送第二公钥数据。其中所发送的数据可以集成在密钥算法中进行集中发送，即作为密钥数据发送方的网络节点生成一个算法库，该算法库中集成有密钥加密算法和相关的密钥数据。Step S50, send the first distribution key data generated in step S30 and the second distribution key data generated in step S40 respectively, and at the same time select one of the generated first public key data and the second public key data to send , that is, choose to send the first public key data or choose to send the second public key data. The sent data can be integrated in the key algorithm for centralized transmission, that is, the network node as the sender of the key data generates an algorithm library, which integrates the key encryption algorithm and related key data.

接收到密钥数据的接收方为获得原始的密钥数据还要进行相应的解密变换处理，参照图2，该图是本发明密钥数据收发方法的解密变换处理流程图；这里以密钥数据发送方发送的密钥数据除第一分发密钥数据和第二分发密钥数据之外，还同时发送第一公钥数据为例进行说明，其中作为密钥数据接收方的网络节点接收到这些密钥数据之后的处理过程如下：The receiving party that has received key data also will carry out corresponding deciphering conversion process for obtaining original key data, with reference to Fig. 2, this figure is the deciphering conversion processing flowchart of key data transceiving method of the present invention; Here with key data In addition to the first distribution key data and the second distribution key data, the key data sent by the sender also sends the first public key data at the same time as an example, where the network node as the receiver of the key data receives these The processing after the key data is as follows:

步骤S60，作为密钥数据接收方的网络节点通过调用相应的接口函数调用接收到的算法库，得到算法库中包含的第一分发密钥数据、第二分发密钥数据和第一公钥数据及其算法信息，并用第一公钥数据对第二分发密钥数据进行解密变换，通过用第一公钥数据对第二分发密钥数据解密变换处理，将得到第二公钥数据；Step S60, the network node as the recipient of the key data calls the received algorithm library by calling the corresponding interface function, and obtains the first distribution key data, the second distribution key data and the first public key data contained in the algorithm library and its algorithm information, and use the first public key data to decrypt and transform the second distribution key data, and use the first public key data to decrypt and transform the second distribution key data to obtain the second public key data;

步骤S70，用步骤S60中解密得到的第二公钥数据对接收到的第一分发密钥数据进行相同方式的解密变换处理，将得到第一公钥数据；Step S70, using the second public key data decrypted in step S60 to perform decryption and transformation processing on the received first distribution key data in the same manner, to obtain the first public key data;

步骤S80，比较步骤S70中解密得到的第一公钥数据和步骤S60中接收到的第一公钥数据是否一致，如果是，转至步骤S90，否则转至步骤S100；Step S80, comparing whether the first public key data decrypted in step S70 is consistent with the first public key data received in step S60, if yes, go to step S90, otherwise go to step S100;

步骤S90，表明步骤S60中接收到的第一公钥数据为可用密钥数据，证明密钥数据在分发传输过程中没有遭到替换攻击；Step S90, indicating that the first public key data received in step S60 is usable key data, proving that the key data has not been subjected to a replacement attack during the distribution and transmission process;

步骤S100，表明步骤S60中接收到的第一公钥数据为不可用密钥数据，证明密钥数据在分发传输过程中可能遭到窃取者的替换攻击，此时的密钥数据可能已经外泄，所以不利于文件信息的安全保护。Step S100, indicating that the first public key data received in step S60 is unusable key data, proving that the key data may be replaced by a thief during the distribution and transmission process, and the key data at this time may have been leaked , so it is not conducive to the security protection of file information.

另外，当密钥数据接收方接收到第一分发密钥数据、第二分发密钥数据和第二公钥数据时，其解密变换过程同上述过程，为：In addition, when the receiver of the key data receives the first distribution key data, the second distribution key data and the second public key data, the decryption transformation process is the same as the above process, which is:

用接收到的第二公钥数据对第一分发密钥数据进行解密变换，得到第一公钥数据；并Using the received second public key data to decrypt and transform the first distribution key data to obtain the first public key data; and

用解密得到的第一公钥数据对第二分发密钥数据进行解密变换，得到第二公钥数据；Using the decrypted first public key data to decrypt and transform the second distribution key data to obtain the second public key data;

比较解密得到的第二公钥数据和接收到的第二公钥数据是否一致，如果是，所述第二公钥数据为可用密钥数据，密钥数据在分发传输过程中没有遭到替换攻击；否则所述第二公钥数据为不可用密钥数据，密钥数据在分发传输过程中可能遭到窃取者的替换攻击。Compare whether the decrypted second public key data is consistent with the received second public key data, if yes, the second public key data is usable key data, and the key data has not been subjected to a replacement attack during distribution and transmission ; Otherwise, the second public key data is unusable key data, and the key data may be replaced by stealers during distribution and transmission.

其中上述用私钥数据对公钥数据进行加密变换，得到对应的分发密钥数据可以具体采取如下的加密变换方式：Among them, the private key data is used to encrypt and transform the public key data, and the corresponding distribution key data can be obtained by using the following encryption and transformation methods:

将公钥数据转换为二进制形式；Convert the public key data into binary form;

将公钥数据的二进制形式划分为等长的分组形式；Divide the binary form of the public key data into equal-length packets;

用私钥数据分别对公钥数据的每个分组进行加密处理；Encrypt each packet of the public key data with the private key data;

由每个加密处理后的分组所构成的整数集合作为分发密钥数据。An integer set composed of each encrypted packet is used as distribution key data.

相应的，上述用公钥数据对分发密钥数据进行解密变换，得到另一公钥数据可以具体采取如下的解密变换方式：Correspondingly, the above public key data is used to decrypt and transform the distribution key data to obtain another public key data. The following decryption and transformation methods can be specifically adopted:

用公钥数据分别对构成分发密钥数据的每个分组进行解密处理；Using the public key data to decrypt each packet constituting the distribution key data;

对解密处理后的所有分组进行合并处理，恢复出原始的公钥数据。Combine all the decrypted packets to recover the original public key data.

下面以非对称密码体制RSA算法为例，举例说明本发明密钥分发方法的详细处理过程，具体如下：Taking the asymmetric cryptographic system RSA algorithm as an example below, the detailed processing process of the key distribution method of the present invention is illustrated, specifically as follows:

其中类RSA算法的非对称密码体制中，一组完整的密钥数据包括一个公钥/私钥数据对，密钥数据具有良好的对称性。In the asymmetric cryptosystem like RSA algorithm, a complete set of key data includes a public key/private key data pair, and the key data has good symmetry.

以下以RSA算法为例，假设定义明文分组为M，密文分组为C，公钥数据为(e，n)，私钥数据为(d，n)；The following takes the RSA algorithm as an example, assuming that the plaintext group is M, the ciphertext group is C, the public key data is (e, n), and the private key data is (d, n);

n为两个素数p和q的乘积，p和q是通过私有程序选择产生的，即p和q是不能公开的数据；n is the product of two prime numbers p and q, p and q are selected through private programs, that is, p and q are data that cannot be made public;

φ(n)是欧拉函数，它表示不超过n且与n互素的整数的个数；φ(n) is an Euler function, which represents the number of integers not exceeding n and mutually prime with n;

e是由公开选择程序选取出来的整数，即e为能够公开的数据，其中e满足gcd(φ(n)，e)＝1，1＜e＜φ(n)，上式中gcd()为求最大公约数的函数，所以这样e与φ(n)互素；e is an integer selected by the public selection program, that is, e is data that can be made public, where e satisfies gcd(φ(n), e)=1, 1<e<φ(n), and gcd() in the above formula is Find the function of the greatest common divisor, so e and φ(n) are mutually prime;

e和d满足公式ed≡1modφ(n)。(表示ed和1模φ(n)同余)。e and d satisfy the formula ed≡1modφ(n). (Denotes ed and 1 modulo φ(n) congruence).

根据上述的参数设置，则有下列加密、解密变换运算处理：According to the above parameter settings, there are the following encryption and decryption transformation operations:

加密运算：C＝M^emodn，——(1)Encryption operation: C=M^e modn,——(1)

解密运算：M＝C^dmodn＝(M^e)^dmodn＝M^edmodn＝M modn——(2)Decryption operation: M=C^d modn=(M^e )^d modn=M^ed modn=M modn——(2)

其中关系式(2)的推导过程是根据欧拉定理给出的数学证明得出的。The derivation process of relational formula (2) is obtained according to the mathematical proof given by Euler's theorem.

(1)和(2)式体现了类RSA算法具有良好的对称性，公钥数据和私钥数据可以分别相应承担加密运算处理和解密运算处理。Equations (1) and (2) reflect that the RSA-like algorithm has good symmetry, and the public key data and private key data can respectively undertake encryption operation processing and decryption operation processing.

而在本发明密钥数据收发方案中，使用密钥数据中包含的私钥数据进行加密运算，使用密钥数据中包含的公钥数据进行解密运算(而上述基于现有技术RSA算法的运算过程中，加密运算一般定义为由公开的公钥数据参与实施，而解密运算一般定义为由保密的私钥数据参与实施，在本发明密钥分发方案描述中，这里调换了公钥数据和私钥数据在加密运算过程中和解密运算过程中的实施位置，其依据的原因是因为类RSA算法具有良好的对称性)。And in the key data transmission and reception scheme of the present invention, use the private key data contained in the key data to carry out encryption operation, use the public key data contained in the key data to carry out decryption operation (and the above-mentioned operation process based on the prior art RSA algorithm Among them, the encryption operation is generally defined as being implemented by the public key data, and the decryption operation is generally defined as being implemented by the confidential private key data. In the description of the key distribution scheme of the present invention, the public key data and the private key data are exchanged here. The implementation position of the data in the encryption operation process and the decryption operation process is based on the fact that the RSA-like algorithm has good symmetry).

这样，基于上述现有技术的RSA算法，举例说明本发明密钥数据收发方法的具体处理过程：Like this, based on the RSA algorithm of above-mentioned prior art, illustrate the specific processing procedure of key data transceiving method of the present invention:

针对每个密钥数据请求方发起的密钥数据获取请求，密钥数据提供方同时为每个用户产生两对密钥数据Kc和Kp，其中密钥数据Kc包括公钥数据PubKc(KcE，KcN)和私钥数据PriKc(KcD，KcN)，密钥数据Kp包括公钥数据PubKp(KpE，KpN)和私钥数据PriKp(KpD，KpN)；For the key data acquisition request initiated by each key data requester, the key data provider generates two pairs of key data Kc and Kp for each user at the same time, where the key data Kc includes public key data PubKc(KcE, KcN ) and private key data PriKc (KcD, KcN), key data Kp includes public key data PubKp (KpE, KpN) and private key data PriKp (KpD, KpN);

密钥提供方在向用户程序分发公钥数据PubKc和PubKp之前，需要使用RSA加密变换程序对密钥数据进行如下加密变换处理：Before the key provider distributes the public key data PubKc and PubKp to the user program, it needs to use the RSA encryption transformation program to perform the following encryption transformation processing on the key data:

F1(PubKp，PriKc，Randoml)——>S_PubKp，其中函数F1()的作用是利用私钥数据PriKc和随机数Randoml将公钥数据PubKp变换为分发密钥数据S_PubKp，具体转换过程如下，F1(PubKp, PriKc, Randoml)——>S_PubKp, the function of function F1() is to use the private key data PriKc and random number Randoml to transform the public key data PubKp into the distribution key data S_PubKp, the specific conversion process is as follows,

1)将公钥数据PubKp转换为长度为Len的二进制形式PubKp’，假设长度为Len的二进制形式PubKp’的最高有效位在L1bit，则定义公钥数据PubKp的长度为L1(其中长度L1＜Len>；并这里假设RSA密码体制的加密强度为BlockLen(其中BlockLen＜Len，并确保0＝(Len)mod(BlockLen))，则该长度BlockLen也就是加密变换处理的分组长度；1) Convert the public key data PubKp into the binary form PubKp' with a length of Len, assuming that the most significant bit of the binary form PubKp' with a length of Len is at L1bit, then define the length of the public key data PubKp as L1 (wherein the length L1<Len >; and here assume that the encryption strength of the RSA cryptosystem is BlockLen (wherein BlockLen<Len, and ensure that 0=(Len) mod (BlockLen)), then the length BlockLen is also the packet length of the encryption transformation process;

2)按BlockLen长度对长为L1的二进制形式PubKp’进行分组处理，确保每个二进制分组表示的整数小于KcN，随后在每个二进制分组前面的最高有效位前的高位填充0以充满长度Len；其中对于由最高有效位所限定的有效bit所组成的二进制分组，要求每个分组表示的整数小于KcN，同时按BlockLen对高位填充0以满足分组长度要求；对于BlockLen＜Len，且0＝(Len)mod(BlockLen)，则对于有效bit不能填充的分组，填充随机数Random1，同时确保填充后的数据小于KcN。2) According to the length of BlockLen, the binary form PubKp' of length L1 is grouped to ensure that the integer represented by each binary group is less than KcN, and then the high bits before the most significant bit in front of each binary group are filled with 0 to fill the length Len; Wherein for the binary grouping that is formed by the effective bit limited by the most significant bit, require that the integer that each grouping represents is less than KcN, press BlockLen to fill 0 to satisfy the grouping length requirement to the high bit simultaneously; For BlockLen＜Len, and 0=(Len )mod(BlockLen), then for the group whose effective bits cannot be filled, fill the random number Random1, and at the same time ensure that the filled data is less than KcN.

3)此时PubKp已经由所有的二进制分组转换为整数集合(PubKp1’，PubKp2’，...，PubKpi’)，其中i＝Len/BlockLen，以私钥数据PriKc(KcD，KcN)作为加密密钥对该整数集合中的每个整数分别进行RSA加密变换处理，即其中S_PubKp1′＝(PubKp1′)^KCD modKcN，...，S_PubKpi′＝(PubKpi′)^KcD modKcN；3) At this time, PubKp has been converted from all binary groups into integer sets (PubKp1', PubKp2', ..., PubKpi'), where i=Len/BlockLen, with private key data PriKc(KcD, KcN) as the encryption key The key performs RSA encryption transformation processing on each integer in the integer set, that is, S_PubKp1'=(PubKp1')^KCD modKcN, ..., S_PubKpi'=(PubKpi')^KcD modKcN;

4)而由S_PubKp1’，S_PubKp2’，...，S_PubKpi’所构成的整数集合(S_PubKp1’，S_PubKp2’，...，S_PubKpi’)就形成了分发密钥数据S_PubKp。4) The integer set (S_PubKp1', S_PubKp2', ..., S_PubKpi') composed of S_PubKp1', S_PubKp2', ..., S_PubKpi' forms the distribution key data S_PubKp.

F2(PubKc，PriKp，Random2)——>S_PubKc，函数F2()的作用是利用私钥数据PriKp和随机数Random2将公钥数据PubKc变换为分发密钥数据S_PubKc，过程与上述类似，但需要注意在3)的加密环节中，需要使用私钥数据PriKp中的(KpD，KpN)作为加密变换密钥。F2(PubKc, PriKp, Random2) --> S_PubKc, function F2() is to use private key data PriKp and random number Random2 to transform public key data PubKc into distribution key data S_PubKc, the process is similar to the above, but attention should be paid In the encryption link of 3), it is necessary to use (KpD, KpN) in the private key data PriKp as the encryption transformation key.

密钥数据发送方(即密钥数据提供方)再经过上述的密钥数据加密处理后，将得到的分发密钥数据S_PubKp、S_PubKc及其公钥数据PubKc集成并封装在统一的算法库中提供密钥数据请求方(即密钥数据接收方)，密钥请求方可以将算法库集成在应用环境中，用户应用程序只有通过集成算法库并调用特定接口才能使用密钥数据。After the key data sender (that is, the key data provider) undergoes the above key data encryption processing, the obtained distribution key data S_PubKp, S_PubKc and their public key data PubKc are integrated and packaged in a unified algorithm library to provide The key data requester (that is, the key data receiver), the key requester can integrate the algorithm library in the application environment, and the user application can only use the key data by integrating the algorithm library and calling a specific interface.

密钥数据接收方的密钥数据恢复还原处理过程如下：The key data recovery process of the key data receiver is as follows:

10)接收方用户程序调用算法库接口函数，算法库在使用密钥数据之前需要进行验证和解密操作；算法库函数在执行解密过程中首先需要获取接收到的分发密钥数据S_PubKp、S_PubKc和公钥数据PubKc；10) The receiver user program calls the algorithm library interface function, and the algorithm library needs to perform verification and decryption operations before using the key data; the algorithm library function first needs to obtain the received distribution key data S_PubKp, S_PubKc and public key data during the decryption process. key data PubKc;

20)首先以接收到的公钥数据PubKc作为解密密钥对分发密钥数据S_PubKp进行解密变换处理，按RSA算法规定，S_PubKp是整数组合(S_PubKp1’，S_PubKp2’，...，S_PubKpi’)，分别使用公钥数据PubKc(KcE，KcN)对每个分组执行解密变换操作，即PubKp1′＝(S_PubKp1′)^KcEmod KcN，...，PubKpi′＝(S_PubKpi′)^KcEmodKcN，得到整数组合(PubKp1，PubKp2，...，PubKpi)20) First, use the received public key data PubKc as the decryption key to decrypt and transform the distribution key data S_PubKp. According to the RSA algorithm, S_PubKp is an integer combination (S_PubKp1', S_PubKp2', ..., S_PubKpi'), Use the public key data PubKc (KcE, KcN) to perform the decryption transformation operation on each packet respectively, that is, PubKp1'=(S_PubKp1')^KcE mod KcN, ..., PubKpi'=(S_PubKpi')^KcE modKcN, to obtain the integer combination ( PubKp1, PubKp2, ..., PubKpi)

30)若公钥数据PubKp所对应的类RSA密码体制加密强度为BlockLen，则按整数表示方式恢复得到公钥数据PubKc；30) If the encryption strength of the RSA-like cryptosystem corresponding to the public key data PubKp is BlockLen, the public key data PubKc is obtained by recovering the public key data in an integer representation;

40)以恢复得到的公钥数据PubKc作为解密密钥对另外一个分发密钥数据S_PubKc进行解密变换处理，得到另一公钥数据PubKc；其中解密变换处理过程同上述步骤10)至步骤30)的处理过程；40) Use the recovered public key data PubKc as the decryption key to perform decryption transformation processing on another distribution key data S_PubKc to obtain another public key data PubKc; wherein the decryption transformation processing process is the same as that of the above-mentioned step 10) to step 30). process;

50)比较验证步骤40)中解密得到的公钥数据PubKc与接收到的明文传输的公钥数据PubKc是否相等，若相等，则表明密钥数据完整性没有受到破坏，公钥数据PubKc可以使用。50) Compare whether the public key data PubKc decrypted in the verification step 40) is equal to the received public key data PubKc transmitted in plain text, if they are equal, it indicates that the integrity of the key data has not been damaged, and the public key data PubKc can be used.

其中上述密钥数据Kc和密钥数据Kp是密钥提供方产生的两对彼此独立的密钥数据，本发明密钥分发方法中，其分发加密运算过程就是利用密钥数据Kc和Kp中的一个密钥数据保护另外一个密钥数据。根据类RSA密码体制算法的数学特点，在密钥请求方的用户程序执行解密运算过程中，是通过计算分发密钥数据S_PubKp或S_PubKc的公钥数据，并与明文传递并集成在算法程序中相对应的公钥数据进行比较，来判断密钥数据在传输过程中是否遭到攻击。The above-mentioned key data Kc and key data Kp are two pairs of independent key data generated by the key provider. In the key distribution method of the present invention, the distribution encryption operation process is to use the key data Kc and Kp One key data protects another key data. According to the mathematical characteristics of the RSA-like cryptosystem algorithm, during the decryption operation process of the user program of the key requesting party, the public key data of the key data S_PubKp or S_PubKc is calculated and distributed, and the plaintext is transmitted and integrated into the algorithm program. The corresponding public key data are compared to determine whether the key data is attacked during transmission.

在执行本发明密钥数据收发方法的情况下，假设需要使用的实际公开的公钥数据为PubKc，则传输的算法程序中只需集成该公钥数据PubKc，和该公钥数据PubKc的密文分发密钥数据S_PubKc以及公钥数据PubKp的密文分发密钥数据S_PubKp，这样就保证了密钥数据的机密性。而在接收方的解密变换过程中，就可以确保密钥数据在分发过程中的完整性。In the case of implementing the method for sending and receiving key data of the present invention, assuming that the actual public key data to be used is PubKc, the algorithm program for transmission only needs to integrate the public key data PubKc and the ciphertext of the public key data PubKc The distribution key data S_PubKc and the ciphertext of the public key data PubKp distribute the key data S_PubKp, thus ensuring the confidentiality of the key data. And in the decryption transformation process of the receiver, the integrity of the key data in the distribution process can be ensured.

本发明密钥数据收发方法在实施过程中，其攻击实施难度较大，主要是因为窃取者首先需要在算法程序中寻找相应的密钥数据，并确定密钥数据的数据结构，同时找到明文传输的公钥数据；然后实施密钥数据替换攻击。由于实际传输的密钥数据已经被隐藏，发起此类的攻击需要的资源开销将异常巨大，从而为密钥分发过程提供了有效的安全保障。In the implementation process of the key data sending and receiving method of the present invention, the attack implementation is relatively difficult, mainly because the thief first needs to find the corresponding key data in the algorithm program, determine the data structure of the key data, and at the same time find the key data transmitted in plain text. public key data; and then implement key data replacement attacks. Since the actual key data transmitted has been hidden, the resource overhead required to launch such an attack will be extremely huge, thus providing an effective security guarantee for the key distribution process.

相应的，本发明还对应密钥数据收发方法，提出了一种密钥数据分发装置，其装置的具体组成参照图3，该图是本发明密钥数据分发装置中密钥数据发送部分的组成结构示意图；其发送部分的组成结构中包括密钥数据生成单元10、加密变换单元20和密钥数据发送单元30三个部分，各个组成部分的功能和联系具体叙述如下：Correspondingly, the present invention also corresponds to the key data sending and receiving method, and proposes a key data distribution device. For the specific composition of the device, refer to FIG. 3 , which is the composition of the key data sending part in the key data distribution device of the present invention. Schematic diagram of structure; the composition structure of its sending part comprises three parts of key data generation unit 10, encryption conversion unit 20 and key data transmission unit 30, and the function and connection of each component are specifically described as follows:

密钥数据生成单元10，用于密钥数据发送方生成包括公钥数据和私钥数据的密钥数据；Key data generating unit 10, used for the key data sender to generate key data including public key data and private key data;

加密变换单元20，与密钥数据生成单元10逻辑连接，用于使用密钥数据生成单元10产生的一个密钥数据的私钥数据对另一密钥数据的公钥数据进行加密变换，得到对应的分发密钥数据；The encryption transformation unit 20 is logically connected with the key data generation unit 10, and is used to encrypt and transform the public key data of another key data using the private key data of one key data generated by the key data generation unit 10 to obtain the corresponding distribution key data;

密钥数据发送单元30，与加密变换单元20逻辑连接，用于发送加密处理后的分发密钥数据和密钥数据生成单元10生成的公钥数据。The key data sending unit 30 is logically connected with the encryption transformation unit 20 and is used for sending the encrypted distribution key data and the public key data generated by the key data generation unit 10 .

参照图4，该图是本发明密钥数据接收装置中密钥数据接收部分的组成结构示意图；其接收部分的组成结构中包括密钥数据接收单元40、解密变换单元50和公钥数据比较单元60三个部分，各个组成部分的功能和联系具体叙述如下：With reference to Fig. 4, this figure is the composition structure schematic diagram of key data receiving part in the key data receiving device of the present invention; In the composition structure of its receiving part, comprise key data receiving unit 40, decryption conversion unit 50 and public key data comparing unit 60 has three parts, and the functions and connections of each component are described in detail as follows:

密钥数据接收单元40，用于接收密钥数据发送方发送来的分发密钥数据和公钥数据；A key data receiving unit 40, configured to receive the distribution key data and public key data sent by the key data sender;

解密变换单元50，与密钥数据接收单元40逻辑连接，用于使用密钥数据接收单元40接收到的公钥数据对分发密钥数据进行解密变换处理，得到和分发密钥数据对应的公钥数据；The decryption transformation unit 50 is logically connected with the key data receiving unit 40, and is used to perform decryption and transformation processing on the distribution key data using the public key data received by the key data reception unit 40, to obtain the public key corresponding to the distribution key data data;

公钥数据比较单元60，与解密变换单元50逻辑连接，用于比较由解密变换单元50解密得到的公钥数据和密钥数据接收单元40接收的公钥数据之间的一致性。如果一致，则密钥数据在分发过程中没有遭到攻击；如果不一致，则密钥数据在分发过程中可能遭到攻击。The public key data comparison unit 60 is logically connected with the decryption transformation unit 50 and used for comparing the consistency between the public key data decrypted by the decryption transformation unit 50 and the public key data received by the key data receiving unit 40 . If they are consistent, the key data has not been attacked during the distribution process; if not, the key data may have been attacked during the distribution process.

上述，加密变换单元20和解密变换单元30又都包含有下一层的处理子单元，才能完成自身单元的处理机能。As mentioned above, both the encryption transformation unit 20 and the decryption transformation unit 30 include the processing subunits of the next layer, so as to complete the processing functions of their own units.

参照图5，该图是本发明密钥数据收发装置中加密变换单元的进一步组成结构示意图；其中加密变换单元20进一步包括二进制转换子单元21、分组处理子单元22、加密处理子单元23和整数集合形成子单元24，各部分的功能如下：With reference to Fig. 5, this figure is the further composition structure diagram of encryption conversion unit in the key data transceiving device of the present invention; Wherein encryption conversion unit 20 further comprisesbinary conversion subunit 21,packet processing subunit 22,encryption processing subunit 23 and integer The assembly forms asubunit 24, and the functions of each part are as follows:

二进制转换子单元21，用于将密钥数据发送方产生的公钥数据转换为二进制形式；Thebinary conversion subunit 21 is used to convert the public key data generated by the key data sender into binary form;

分组处理子单元22，与二进制转换子单元21逻辑连接，用于将二进制转换子单元21处理后的公钥数据的二进制形式划分为等长的分组形式；Thegrouping processing subunit 22 is logically connected with thebinary conversion subunit 21, and is used to divide the binary form of the public key data processed by thebinary conversion subunit 21 into equal-length grouping forms;

加密处理子单元23，与分组处理子单元22逻辑连接，用于使用私钥数据分别对经过分组处理子单元22处理后的公钥数据的每个分组进行加密处理；Theencryption processing subunit 23 is logically connected with thepacket processing subunit 22, and is used to encrypt each packet of the public key data processed by thepacket processing subunit 22 using the private key data;

整数集合形成子单元24，与加密处理子单元23逻辑连接，用于将加密处理子单元23加密处理后的所有分组构成一个整数集合作为分发密钥数据。The integerset forming subunit 24 is logically connected with theencryption processing subunit 23, and is used to form an integer set of all packets encrypted by theencryption processing subunit 23 as distribution key data.

参照图6，该图是本发明密钥数据接收装置中解密变换单元的进一步组成结构示意图；其中解密变换单元50进一步包括解密处理子单元51和分组合并子单元52，各部分的功能如下：With reference to Fig. 6, this figure is a schematic diagram of the further composition structure of the decryption transformation unit in the key data receiving device of the present invention; wherein the decryption transformation unit 50 further includes adecryption processing subunit 51 and apacket merging subunit 52, and the functions of each part are as follows:

解密处理子单元51，用于使用接收到的明文传输的公钥数据分别对构成分发密钥数据的每个分组进行解密处理；Adecryption processing subunit 51, configured to use the received public key data transmitted in plaintext to decrypt each packet constituting the distribution key data;

分组合并子单元52，与解密处理子单元51逻辑连接，用于对经过解密处理子单元51处理后的分发密钥数据中解密处理后的所有分组进行合并处理，恢复出和分发密钥数据对应的公钥数据。Thepacket merging subunit 52 is logically connected with thedecryption processing subunit 51, and is used for merging all the decrypted packets in the distribution key data processed by thedecryption processing subunit 51, and recovering the data corresponding to the distribution key data. public key data.

以上所述仅是本发明的优选实施方式，应当指出，对于本技术领域的普通技术人员来说，在不脱离本发明技术原理的前提下，还可以作出若干改进和润饰，这些改进和润饰也应视为本发明的保护范围。The above is only a preferred embodiment of the present invention, it should be pointed out that for those of ordinary skill in the art, without departing from the technical principle of the present invention, some improvements and modifications can also be made. It should be regarded as the protection scope of the present invention.

Claims (9)

1, a kind of key data receiving/transmission method is characterized in that, comprises step:

The key data transmit leg generates first key data that comprises first public key data and first private key data and second key data that comprises second public key data and second private key data;

With described second private key data first public key data is carried out enciphering transformation, obtain the first distributed key data; And

With described first private key data second public key data is carried out enciphering transformation, obtain the second distributed key data;

The described first distributed key data and the second distributed key data are sent to the key data recipient receive, one of them that select first public key data and second public key data simultaneously sends to the key data recipient and receives.

2, key data receiving/transmission method according to claim 1 is characterized in that, also comprises step:

The key data recipient is decrypted conversion with first public key data that receives to the second distributed key data, obtains second public key data; And

Second public key data that obtains with deciphering is decrypted conversion to the first distributed key data, obtains first public key data;

Whether with first public key data that receive consistent, if confirm that described first public key data is the available key data if relatively deciphering first public key data that obtains; Otherwise confirm that described first public key data is unavailable key data.

3, key data receiving/transmission method according to claim 1 is characterized in that, also comprises step:

The key data recipient is decrypted conversion with second public key data that receives to the first distributed key data, obtains first public key data; And

First public key data that obtains with deciphering is decrypted conversion to the second distributed key data, obtains second public key data;

Whether with second public key data that receive consistent, if confirm that described second public key data is the available key data if relatively deciphering second public key data that obtains; Otherwise confirm that described second public key data is unavailable key data.

4, key data receiving/transmission method according to claim 1 is characterized in that, describedly with private key data public key data is carried out enciphering transformation, and the process that obtains corresponding distributed key data comprises:

Public key data is converted to binary form;

The binary form of public key data is divided into isometric block form;

Respectively encryption is carried out in each grouping of public key data with private key data;

By the set of integers cooperation that grouping constituted after each encryption is the distributed key data.

According to claim 2 or 3 described key data receiving/transmission methods, it is characterized in that 5, describedly with public key data the distributed key data are decrypted conversion, the process that obtains another public key data comprises:

Respectively each grouping that constitutes the distributed key data is decrypted processing with public key data;

All groupings after the decryption processing are merged processing, recover original public key data.

6, a kind of key data dispensing device is characterized in that, comprising:

The key data generation unit is used to generate the key data that comprises public key data and private key data;

The enciphering transformation unit is used to use the private key data of a key data that the public key data of another key data is carried out enciphering transformation, obtains corresponding distributed key data;

The key data transmitting element is used to send distributed key data and public key data.

7, key data dispensing device according to claim 6 is characterized in that, described enciphering transformation unit further comprises:

The Binary Conversion subelement is used for public key data is converted to binary form;

The packet transaction subelement is used for the binary form of public key data is divided into isometric block form;

The encryption subelement is used to use private key data respectively encryption to be carried out in each grouping of public key data;

The integer set forms subelement, and being used for all groupings after the encryption are constituted a set of integers cooperation is the distributed key data.

8, a kind of key data receiving system is characterized in that, comprising:

The key data receiving element is used to receive distributed key data and public key data;

The deciphering converter unit, the data that are used to use public-key are decrypted conversion to the distributed key data, obtain the public key data with distributed key data correspondence;

The public key data comparing unit is used for relatively deciphering the consistency between the public key data of the public key data that obtains and reception.

9, key data receiving system according to claim 8 is characterized in that, described deciphering converter unit further comprises:

The decryption processing subelement, the data that are used to use public-key are decrypted processing to each grouping that constitutes the distributed key data respectively;

Grouping merges subelement, is used for all groupings after the distributed key data decryption processing are merged processing, recovers the public key data with distributed key data correspondence.

Images