CN116208327A - End-to-end communication method and system based on national encryption and PGP trust network - Google Patents
End-to-end communication method and system based on national encryption and PGP trust network Download PDFInfo
- Publication number
- CN116208327A CN116208327A CN202310175454.1A CN202310175454A CN116208327A CN 116208327 A CN116208327 A CN 116208327A CN 202310175454 A CN202310175454 A CN 202310175454A CN 116208327 A CN116208327 A CN 116208327A
- Authority
- CN
- China
- Prior art keywords
- session
- key
- trust
- receiving end
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an end-to-end communication method and system based on national encryption and a PGP trust network, belongs to the technical field of end-to-end communication, and aims to solve the technical problem of providing a convenient end-to-end safety communication mechanism based on the PGP trust network. The sending end encrypts the session key and the session period respectively through a public key of the receiving end based on a national encryption method; splicing the obtained ciphertext, the encrypted session key and the session period into a message; the receiving end analyzes the received message, decrypts the encrypted private key by the key encryption key, decrypts the encrypted session key and session period by the private key, decrypts the ciphertext by the session key, and obtains the message sent for the first time in the session; and for the messages subsequently sent in the session period, the sending end encrypts the messages through the session key, and the receiving end decrypts the ciphertext through the session key after receiving the ciphertext.
Description
Technical Field
The invention relates to the field of end-to-end communication, in particular to an end-to-end communication method and system based on national encryption and PGP trust network.
Background
The traditional communication from end to end equipment is generally realized by taking a cloud server as a management and transfer node, and the main reasons are from two aspects, namely, the end to end communication needs to be regulated by a management department, and the requirements of data content regulation, management of the end equipment, statistics and other business aspects are included. Secondly, the network of the ipv4 cannot provide a unique IP address for the end device, so that it can be seen that the traditional end-to-end communication is actually three-party two-by-two communication, and thus the overhead in terms of network bandwidth, storage, calculation power and the like can be additionally increased.
The PGP encryption and decryption is an encryption mechanism formed by combining a plurality of algorithms such as a hash function, butt encryption, asymmetric encryption and the like. The main processing flow is shown in fig. 1 and 2, the message is encrypted and decrypted by a symmetric encryption and decryption algorithm, so that the operation speed can be ensured (compared with the asymmetric operation speed, the operation speed is higher), the encryption key is generated by a mode of a random number and a user password, and the encryption key is spliced with the message ciphertext after being encrypted by the public key of the receiver and then is sent to the receiver.
The key management of PGP includes the generation of encryption keys (KEKs) (shown in fig. 3), the private key management of PGP (shown in fig. 4), and the public key management in three parts. The encryption key is generated by one-way hash after the random number and the password, and the private key is protected by encryption and decryption by the KEK. The public key of the PGP is trust-network-dependent, which is different from the general way of using the PKI system to perform public key authentication by means of the CA institution, the PGP trust-network establishes a trust level, and determines whether the public key is valid or not by the signature of each user and the trust level of the user.
The conventional end-to-end communication has the following problems:
(1) The communication efficiency is low: as shown in fig. 5, in general, two end devices want to implement secure communication by using a server to complete transfer, and devices a and B need secure communication, so that a secure channel is required to be established between each of devices a and B and a server C, and data is transferred from device a to server C and then from C to device B;
(2) Rely on a bulky PKI security system: the public key legitimacy problem exists in the secure communication realized based on asymmetric encryption, and the traditional scheme is mostly guaranteed through a PKI system, for example, RA in PKI is responsible for registering and issuing certificates, CA is responsible for authenticating digital certificates, and CRL and OCSP are responsible for inquiring the certificates when offline and online.
The traditional end-to-end communication has low communication efficiency, privacy is easy to leak, and a huge PKI security system is relied on, so that the deployment cost is high and the maintenance is complex.
Based on a mechanism how the PGP trust network provides convenient end-to-end secure communication, the mechanism does not depend on any third party equipment or service, and the implementation of secure communication is guaranteed as far as possible by utilizing resources on the end equipment, so that the technical problem to be solved is solved.
Disclosure of Invention
The technical task of the invention is to provide the end-to-end communication method and the end-to-end communication system based on the national encryption and PGP trust network to solve the technical problem that how to provide a convenient end-to-end safety communication mechanism based on the PGP trust network, the mechanism does not depend on any third party equipment or service, and the implementation of safety communication is guaranteed to the greatest extent by utilizing resources on the end equipment.
In a first aspect, in the end-to-end communication method based on the national encryption and PGP trust network, each device end is configured with a security chip, a random number generator for generating a session key is configured in the security chip, and a key encryption key, an encrypted private key and public keys of other device ends communicating with the device end are stored in the security chip, where the encrypted private key is a private key encrypted by a key encryption key based on the national encryption method;
for two device ends performing end-to-end communication, one is used as a sending end and the other is used as a receiving end, and the session between the sending end and the receiving end is performed based on the following communication mechanism:
the method comprises the steps that a sending end generates a session key, configures a session period for the session key, and encrypts the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
encrypting the message sent for the first time in the session by a sending end through a session key based on a national encryption method, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end; the receiving end analyzes the received message to obtain a ciphertext, an encrypted session key and a session period, decrypts the encrypted private key stored by the encrypted session key by the key encryption key, decrypts the encrypted session key and session period by the private key to obtain the session key and session period, and decrypts the ciphertext by the session key to obtain a message sent for the first time in the session;
and for the subsequently transmitted message in the session period, the transmitting end encrypts the message through the session key, then transmits the obtained ciphertext to the receiving end, and the receiving end receives the ciphertext and decrypts the ciphertext through the session key to obtain the corresponding message.
Preferably, each equipment end is configured with a session timer, the session timer is provided with a door closing time, the timer is used for realizing synchronization of the sending end and the receiving end, and the door closing time is used for increasing delay time of receiving data of the receiving end based on a session period so as to avoid information loss between the sending end and the receiving end;
after the sending end sends the message to the receiving end, the session timer is started, and the receiving end starts the session timer after obtaining the session period;
setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t.
Preferably, for each device side, its public key is configured with a trust level, which is classified into the following categories:
i trust ultimately, the I trust ultimately is absolute trust, and the device end itself holding the private key;
i trust full, wherein the I trust full is completely trusted;
i trust marginally, said I trust marginally being of limited trust;
i do Not trust, which is Not trusted;
a unknown key;
an outstanding, which is unset;
for each sender, the public key satisfying the following conditions is a valid public key:
a public key that is validated by a receiver-side signature, or a public key that is validated by a fully trusted device-side signature, or a public key that is validated by a plurality of limited trusted device signatures.
Preferably, in the IPV4 environment, each device end joining the PGP trust network registers its network address to an address negotiation server, and for each device end joining the PGP network, the address negotiation server stores the device ID and the network address of the device end;
for two device ends performing end-to-end communication, a transmitting end requests a network address of a receiving end to an address negotiation server, the address negotiation server returns the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end initiates a session to the receiving end based on the network address returned by the address negotiation server.
In a second aspect, the present invention provides an end-to-end communication system based on a national encryption and PGP trust network, including a plurality of device ends configured with a security chip, where the security chip is configured with a random number generator for generating a session key, and stores a key encryption key, an encrypted private key, and public keys of other device ends that communicate with the device ends, where the encrypted private key is a private key encrypted by a key encryption key based on a national encryption method;
for two equipment ends for end-to-end communication, one is used as a transmitting end and the other is used as a receiving end;
the transmitting end is used for executing the following steps:
generating a session key, configuring a session period for the session key, and encrypting the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
encrypting the message sent for the first time in the session based on a national encryption method through a session key, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end;
correspondingly, the receiving end is configured to perform the following:
analyzing the received message to obtain a ciphertext, and an encrypted session key and a session period;
decrypting the encrypted private key by the key encryption key, decrypting the encrypted session key and session period by the private key to obtain the session key and session period;
decrypting the ciphertext through the session key to obtain a message which is sent for the first time in the session;
for the message subsequently sent in the session period, the sending end is configured to perform the following: after encrypting the message through the session key, sending the obtained ciphertext to a receiving end;
correspondingly, the receiving end is configured to perform the following: after receiving the ciphertext, the receiving end decrypts the ciphertext through the session key to obtain the corresponding message.
Preferably, each equipment end is configured with a session timer, the session timer is provided with a door closing time, the timer is used for realizing synchronization of the sending end and the receiving end, and the door closing time is used for increasing delay time of receiving data of the receiving end based on a session period so as to avoid information loss between the sending end and the receiving end;
the sending end sends the message to the receiving end and then is used for starting the session timer, and the receiving end is used for starting the session timer after obtaining the session period correspondingly;
setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t.
Preferably, for each device side, its public key is configured with a trust level, which is classified into the following categories:
i trust ultimately, the I trust ultimately is absolute trust, and the device end itself holding the private key;
i trust full, wherein the I trust full is completely trusted;
i trust marginally, said I trust marginally being of limited trust;
i do Not trust, which is Not trusted;
a unknown key;
an outstanding, which is unset;
for each sender, the public key satisfying the following conditions is a valid public key:
a public key that is validated by a receiver-side signature, or a public key that is validated by a fully trusted device-side signature, or a public key that is validated by a plurality of limited trusted device signatures.
Preferably, the system further comprises an address negotiation server;
in an IPV4 environment, each device end joining the PGP trust network is used for registering the network address thereof to an address negotiation server, and for each device end joining the PGP network, the address negotiation server stores the device ID and the network address of the device end;
for two device ends performing end-to-end communication, the transmitting end is configured to request the address negotiation server for the network address of the receiving end, the address negotiation server is configured to return the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end is configured to initiate a session to the receiving end based on the network address returned by the address negotiation server.
The end-to-end communication method and system based on the national encryption and PGP trust network have the following advantages:
1. the safety of end-to-end communication is ensured by adopting a session period of dynamic negotiation, and communication errors caused by synchronization deviation are corrected by matching with door closing time;
2. public keys of the equipment end are managed through the PGP trust network, private keys of the equipment end are stored in an encrypted mode through key encryption keys stored in the security chip, and the security of the keys is guaranteed;
3. the key is stored by adopting the security chip to encrypt the key, the KEK generated by the password and the salt in the PGP is replaced, no human interaction or intervention is required, and the use scene of the equipment is increased;
4. the encryption of the secret key encryption key, the private key and the ciphertext is carried out by adopting a national encryption algorithm, so that the safety is improved, and the localization is facilitated.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments or the description of the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a PGP encryption flow;
fig. 2 is a block diagram of a PGP decryption flow;
FIG. 3 is a block diagram of a KEK generation flow;
FIG. 4 is a block diagram of a private key generation flow;
FIG. 5 is a prior art end-to-end communication mode block diagram;
fig. 6 is a flow chart of encryption of first transmitted information in an end-to-end communication method based on a national encryption and PGP trust network in embodiment 1;
fig. 7 is a flow chart of subsequent information transmission in a session period in an end-to-end communication method based on a state encryption and PGP trust network in embodiment 1;
fig. 8 is a network address access flow chart of two devices in end-to-end communication through an address negotiation server in an end-to-end communication method based on the state encryption and PGP trust network in embodiment 1.
Detailed Description
The invention will be further described with reference to the accompanying drawings and specific examples, so that those skilled in the art can better understand the invention and implement it, but the examples are not meant to limit the invention, and the technical features of the embodiments of the invention and the examples can be combined with each other without conflict.
The embodiment of the invention provides an end-to-end communication method and system based on a national encryption and PGP trust network, which are used for solving the technical problem of how to provide a convenient end-to-end safety communication mechanism based on the PGP trust network, wherein the mechanism does not depend on any third party equipment or service, and the implementation of safety communication is guaranteed to the greatest extent by utilizing resources on the end equipment.
Example 1:
the invention relates to an end-to-end communication method based on national encryption and PGP trust network, each equipment end is provided with a security chip, the security chip is provided with a random number generator for generating a session key, and a key encryption key, an encrypted private key and public keys of other equipment ends communicating with the equipment end are stored in the security chip, wherein the encrypted private key is a private key encrypted by the key encryption key based on the national encryption method.
For two device ends performing end-to-end communication, one is used as a sending end and the other is used as a receiving end, and the session between the sending end and the receiving end is performed based on the following communication mechanism:
(1) The method comprises the steps that a sending end generates a session key, configures a session period for the session key, and encrypts the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
(2) Encrypting the message sent for the first time in the session by a sending end through a session key based on a national encryption method, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end; the receiving end analyzes the received message to obtain a ciphertext, an encrypted session key and a session period, decrypts the encrypted private key stored by the encrypted session key by the key encryption key, decrypts the encrypted session key and session period by the private key to obtain the session key and session period, and decrypts the ciphertext by the session key to obtain a message sent for the first time in the session;
(3) And for the subsequently transmitted message in the session period, the transmitting end encrypts the message through the session key, then transmits the obtained ciphertext to the receiving end, and the receiving end receives the ciphertext and decrypts the ciphertext through the session key to obtain the corresponding message.
The key management in this embodiment involves a key encryption key EKE, a session key, a public key of the device side, and a private key of the device side.
The PGP is obtained after one-way hashing by password and salt, and the use scenario of the device is considered without human interaction or intervention, so in this embodiment, the key encryption key KEK is factory preset into a secure chip at the device end, and is read out from the chip from a specific interface when the KEK is needed.
In this embodiment, the session key is randomly generated by the random number generator of the security chip, and the session period of the session key is configured according to the receiving end, so that when the same device end communicates with different device ends, the session key and the life cycle of the session key may be different.
For each device side, the security chip stores therein the public key of the other device side with which it communicates. For each public key, a trust level is established with reference to the PGP web of trust (as shown in table 1), and the signature of each device and the trust level of the device determine whether the public key is valid.
TABLE 1 trust level of public keys
| Trust level | Description of the invention |
| I trust ultimately | Absolute trust (is the principal holding the private key) |
| I trust fully | Full trust |
| I trust marginally | Limited trust |
| I do Not trust | Distrust prevention |
| Unknow | Unknown key |
| Undefined | Is not provided with |
For each device side, for each sender side, the valid public key includes:
(1) A public key signed and confirmed by the receiving end;
(2) A public key validated by a fully trusted device-side signature;
(3) A public key that is validated by a plurality of limited trusted device signatures.
I.e. the public key satisfying any of the above conditions is a valid public key.
For each device end, the private key is encrypted by a key encryption public key based on a national encryption algorithm and then stored in a security chip of the device end, and when the subsequent device end is used as a receiving end to decrypt the received ciphertext, the private key is used after the key encryption key is decrypted.
In this embodiment, when the transmitting end and the receiving end perform end-to-end communication, referring to the PGP encryption manner, in each session, the transmitting end transmits the session key and the ciphertext to the receiving end, and each time the session key is transmitted, the payload is reduced, thereby reducing the transmission efficiency.
In this embodiment, a session period is set for the session key, and when the transmitting end transmits information for the first time, the following operation is performed;
encrypting the session key through a public key of a receiving end based on a national encryption algorithm to generate an encrypted session key;
encrypting the session period through a public key of a receiving end based on a national encryption algorithm to generate an encrypted session period;
after the information is compressed, encrypting the information through a session key based on a national encryption algorithm to generate ciphertext;
the encrypted session key, the encrypted session period and the ciphertext are spliced and then are used as messages to be sent to a receiving end;
after receiving the message, the receiving end decomposes the message to obtain an encrypted session key, an encrypted session period and a ciphertext;
the receiving end reads the encrypted private key from the security chip, decrypts the private key through the key encryption key, and decrypts the encrypted session key and the encrypted session period through the private key to obtain the session key and the session period;
and decrypting the ciphertext through the session key to obtain the message sent by the sending end for the first time.
After the first message sent by the receiving end, a session period is obtained, and in the session period, the following operations are executed by the subsequent messages sent between the sending end and the receiving end:
encrypting the message which is subsequently transmitted in the session period by a transmitting end through a session key to obtain a ciphertext, and transmitting the ciphertext to a receiving end;
after receiving the ciphertext, the receiving end decrypts the ciphertext through the private key to obtain the corresponding message.
In this embodiment, in order to achieve synchronization between two device ends of a transmitting end and a receiving end, each device end is configured with a session timer, a closing time is set in the session timer, the timer is used for achieving synchronization between the transmitting end and the receiving end, and the closing time is used for increasing delay time of receiving data of the receiving end based on a session period so as to avoid information loss between the transmitting end and the receiving end.
After the sending end sends the message to the receiving end, the session timer is started, and correspondingly, after the receiving end obtains the session period, the session timer is started.
Setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t. In this embodiment, the closing time is 1% of the session period, and the minimum value is required to be greater than 5s.
In an IPV4 environment, each device end joining the PGP trust network is used for registering the network address thereof to an address negotiation server, and for each device end joining the PGP network, the address negotiation server stores the device ID and the network address of the device end;
for two device ends performing end-to-end communication, a transmitting end requests a network address of a receiving end to an address negotiation server, the address negotiation server returns the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end initiates a session to the receiving end based on the network address returned by the address negotiation server.
Example 2:
the invention relates to an end-to-end communication system based on a national encryption and PGP trust network, which comprises a plurality of equipment ends provided with safety chips, wherein random number generators used for generating session keys are arranged in the safety chips, and secret key encryption keys, encrypted private keys and public keys of other equipment ends communicating with the equipment ends are stored in the safety chips, and the encrypted private keys are private keys encrypted by the secret key encryption keys based on a national encryption method. For two device ends that are in end-to-end communication, one is the transmitting end and the other is the receiving end.
In this embodiment, the transmitting end is configured to perform the following:
(1) Generating a session key, configuring a session period for the session key, and encrypting the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
(2) And encrypting the message based on a national encryption method and through a session key for the message sent for the first time in the session, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end.
Correspondingly, the receiving end is configured to perform the following:
(1) Analyzing the received message to obtain a ciphertext, and an encrypted session key and a session period;
(2) Decrypting the encrypted private key by the key encryption key, decrypting the encrypted session key and session period by the private key to obtain the session key and session period;
(3) And decrypting the ciphertext through the session key to obtain the message which is sent for the first time in the session.
For the message subsequently sent in the session period, the sending end is configured to perform the following: after encrypting the message through the session key, sending the obtained ciphertext to a receiving end; correspondingly, the receiving end is configured to perform the following: after receiving the ciphertext, the receiving end decrypts the ciphertext through the session key to obtain the corresponding message.
In this embodiment, the key encryption key KEK is preset in the security chip at the device end by factory, and is read out from the chip from a specific interface when the KEK is required.
In this embodiment, the session key is randomly generated by the random number generator of the security chip, and the session period of the session key is configured according to the receiving end, so that when the same device end communicates with different device ends, the session key and the life cycle of the session key may be different.
For each device side, the security chip stores therein the public key of the other device side with which it communicates. For each public key, a trust level is established with reference to the PGP web of trust, and whether the public key is valid is determined by the signature of each device and the trust level of the device.
Trust levels fall into the following categories:
i trust ultimately, the I trust ultimately is absolute trust, and the device end itself holding the private key;
i trust full, wherein the I trust full is completely trusted;
i trust marginally, said I trust marginally being of limited trust;
i do Not trust, which is Not trusted;
a unknown key;
and (3) undercured, wherein the undercured is unset.
For each device side, for each sender side, the valid public key includes:
(1) A public key signed and confirmed by the receiving end;
(2) A public key validated by a fully trusted device-side signature;
(3) A public key that is validated by a plurality of limited trusted device signatures.
I.e. the public key satisfying any of the above conditions is a valid public key.
For each device end, the private key is encrypted by a key encryption public key based on a national encryption algorithm and then stored in a security chip of the device end, and when the subsequent device end is used as a receiving end to decrypt the received ciphertext, the private key is used after the key encryption key is decrypted.
In this embodiment, when the transmitting end and the receiving end perform end-to-end communication, referring to the PGP encryption manner, in each session, the transmitting end transmits the session key and the ciphertext to the receiving end, and each time the session key is transmitted, the payload is reduced, thereby reducing the transmission efficiency.
In this embodiment, a session period is set for the session key, and when the transmitting end transmits information for the first time, the transmitting end is configured to perform the following operations;
(1) Encrypting the session key through a public key of a receiving end based on a national encryption algorithm to generate an encrypted session key;
encrypting the session period through a public key of a receiving end based on a national encryption algorithm to generate an encrypted session period;
after the information is compressed, encrypting the information through a session key based on a national encryption algorithm to generate ciphertext;
(2) And splicing the encrypted session key, the encrypted session period and the ciphertext, and then sending the spliced encrypted session key, the encrypted session period and the ciphertext to a receiving end as a message.
The receiving end is used for executing the following operations:
(1) After receiving the message, decomposing the message to obtain an encrypted session key, an encrypted session period and a ciphertext;
(2) Reading the encrypted private key from the security chip, decrypting the private key through the key encryption key, and decrypting the encrypted session key and the encrypted session period through the private key to obtain a session key and a session period;
(3) And decrypting the ciphertext through the session key to obtain the message sent by the sending end for the first time.
After the first message sent by the receiving end, a session period is obtained, and in the session period, the sending end is configured to execute the following steps: encrypting the message which is subsequently transmitted in the session period through the session key to obtain a ciphertext, and transmitting the ciphertext to a receiving end; correspondingly, the receiving end is configured to perform the following: after receiving the ciphertext, decrypting the ciphertext through the private key to obtain the corresponding message.
In this embodiment, in order to achieve synchronization between two device ends of a transmitting end and a receiving end, each device end is configured with a session timer, a closing time is set in the session timer, the timer is used for achieving synchronization between the transmitting end and the receiving end, and the closing time is used for increasing delay time of receiving data of the receiving end based on a session period so as to avoid information loss between the transmitting end and the receiving end.
After the message is sent to the receiving end, the sending end is used for starting the session timer, and the receiving end is used for starting the session timer after obtaining the session period correspondingly.
Setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t. In this embodiment, the closing time is 1% of the session period, and the minimum value is required to be greater than 5s.
In the IPV4 environment, each device end joining the PGP trust network is configured to register its network address to an address negotiation server, where for each device end joining the PGP network, the address negotiation server stores a device ID and a network address of the device end.
For two device ends performing end-to-end communication, the transmitting end is configured to request the address negotiation server for the network address of the receiving end, the address negotiation server is configured to return the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end is configured to initiate a session to the receiving end based on the network address returned by the address negotiation server.
While the invention has been illustrated and described in detail in the drawings and in the preferred embodiments, the invention is not limited to the disclosed embodiments, and it will be appreciated by those skilled in the art that the code audits of the various embodiments described above may be combined to produce further embodiments of the invention, which are also within the scope of the invention.
Claims (8)
1. An end-to-end communication method based on national encryption and PGP trust network is characterized in that each equipment end is provided with a security chip, the security chip is provided with a random number generator for generating a session key, and a key encryption key, an encrypted private key and public keys of other equipment ends communicating with the equipment end are stored in the security chip, wherein the encrypted private key is a private key encrypted by a key encryption key based on the national encryption method;
for two device ends performing end-to-end communication, one is used as a sending end and the other is used as a receiving end, and the session between the sending end and the receiving end is performed based on the following communication mechanism:
the method comprises the steps that a sending end generates a session key, configures a session period for the session key, and encrypts the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
encrypting the message sent for the first time in the session by a sending end through a session key based on a national encryption method, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end; the receiving end analyzes the received message to obtain a ciphertext, an encrypted session key and a session period, decrypts the encrypted private key stored by the encrypted session key by the key encryption key, decrypts the encrypted session key and session period by the private key to obtain the session key and session period, and decrypts the ciphertext by the session key to obtain a message sent for the first time in the session;
and for the subsequently transmitted message in the session period, the transmitting end encrypts the message through the session key, then transmits the obtained ciphertext to the receiving end, and the receiving end receives the ciphertext and decrypts the ciphertext through the session key to obtain the corresponding message.
2. The end-to-end communication method based on the national encryption and PGP trust network according to claim 1, wherein each equipment end is configured with a session timer, and a closing time is set in the session timer, and the timer is used for implementing synchronization of the transmitting end and the receiving end, and the closing time is used for increasing delay time of receiving data of the receiving end based on a session period so as to avoid information loss between the transmitting end and the receiving end;
after the sending end sends the message to the receiving end, the session timer is started, and the receiving end starts the session timer after obtaining the session period;
setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t.
3. The end-to-end communication method based on national encryption and PGP trust network according to claim 1, wherein for each device end, its public key is configured with a trust level, the trust level is classified into the following categories:
i trust ultimately, the I trust ultimately is absolute trust, and the device end itself holding the private key;
i trust full, wherein the I trust full is completely trusted;
i trust marginally, said I trust marginally being of limited trust;
i do Not trust, which is Not trusted;
a unknown key;
an outstanding, which is unset;
for each sender, the public key satisfying the following conditions is a valid public key:
a public key that is validated by a receiver-side signature, or a public key that is validated by a fully trusted device-side signature, or a public key that is validated by a plurality of limited trusted device signatures.
4. A method according to any one of claims 1-3, wherein in an IPV4 environment, each device that joins a PGP trust network registers its network address to an address negotiation server, and for each device that joins the PGP network, the address negotiation server stores the device ID and the network address of the device;
for two device ends performing end-to-end communication, a transmitting end requests a network address of a receiving end to an address negotiation server, the address negotiation server returns the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end initiates a session to the receiving end based on the network address returned by the address negotiation server.
5. An end-to-end communication system based on national encryption and PGP trust network is characterized by comprising a plurality of equipment ends provided with security chips, wherein random number generators for generating session keys are arranged in the security chips, and secret key encryption keys, private keys after encryption and public keys of other equipment ends communicating with the equipment ends are stored in the security chips, and the encrypted private keys are private keys encrypted by the secret key encryption key based on a national encryption method;
for two equipment ends for end-to-end communication, one is used as a transmitting end and the other is used as a receiving end;
the transmitting end is used for executing the following steps:
generating a session key, configuring a session period for the session key, and encrypting the session key and the session period respectively through a public key of a receiving end based on a national encryption method;
encrypting the message sent for the first time in the session based on a national encryption method through a session key, splicing the obtained ciphertext, the encrypted session key and the session period into a message, and sending the message to a receiving end;
correspondingly, the receiving end is configured to perform the following:
analyzing the received message to obtain a ciphertext, and an encrypted session key and a session period;
decrypting the encrypted private key by the key encryption key, decrypting the encrypted session key and session period by the private key to obtain the session key and session period;
decrypting the ciphertext through the session key to obtain a message which is sent for the first time in the session;
for the message subsequently sent in the session period, the sending end is configured to perform the following: after encrypting the message through the session key, sending the obtained ciphertext to a receiving end;
correspondingly, the receiving end is configured to perform the following: after receiving the ciphertext, the receiving end decrypts the ciphertext through the session key to obtain the corresponding message.
6. The end-to-end communication system based on the national encryption and PGP trust network according to claim 5, wherein each device end is configured with a session timer, in which a closing time is set, the timer is used to achieve synchronization between the transmitting end and the receiving end, and the closing time is used to increase a delay time of the receiving end for receiving data based on a session period, so as to avoid information loss between the transmitting end and the receiving end;
the sending end sends the message to the receiving end and then is used for starting the session timer, and the receiving end is used for starting the session timer after obtaining the session period correspondingly;
setting a session period as T, closing time as T, and for a receiving end, setting the effective time of the session period as T+t.
7. The end-to-end communication system based on national encryption and PGP trust network according to claim 5, wherein for each device end its public key is configured with a trust level, the trust level is divided into the following categories:
i trust ultimately, the I trust ultimately is absolute trust, and the device end itself holding the private key;
i trust full, wherein the I trust full is completely trusted;
i trust marginally, said I trust marginally being of limited trust;
i do Not trust, which is Not trusted;
a unknown key;
an outstanding, which is unset;
for each sender, the public key satisfying the following conditions is a valid public key:
a public key that is validated by a receiver-side signature, or a public key that is validated by a fully trusted device-side signature, or a public key that is validated by a plurality of limited trusted device signatures.
8. An end-to-end communication system based on a national encryption and PGP trust network according to claims 5-7, wherein the system further comprises an address negotiation server;
in an IPV4 environment, each device end joining the PGP trust network is used for registering the network address thereof to an address negotiation server, and for each device end joining the PGP network, the address negotiation server stores the device ID and the network address of the device end;
for two device ends performing end-to-end communication, the transmitting end is configured to request the address negotiation server for the network address of the receiving end, the address negotiation server is configured to return the network address of the receiving end to the transmitting end based on the device ID specified in the request, and the transmitting end is configured to initiate a session to the receiving end based on the network address returned by the address negotiation server.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310175454.1A CN116208327A (en) | 2023-02-27 | 2023-02-27 | End-to-end communication method and system based on national encryption and PGP trust network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310175454.1A CN116208327A (en) | 2023-02-27 | 2023-02-27 | End-to-end communication method and system based on national encryption and PGP trust network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116208327A true CN116208327A (en) | 2023-06-02 |
Family
ID=86518873
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310175454.1A Pending CN116208327A (en) | 2023-02-27 | 2023-02-27 | End-to-end communication method and system based on national encryption and PGP trust network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116208327A (en) |
-
2023
- 2023-02-27 CN CN202310175454.1A patent/CN116208327A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7119040B2 (en) | Data transmission method, device and system | |
| US6215878B1 (en) | Group key distribution | |
| US9008312B2 (en) | System and method of creating and sending broadcast and multicast data | |
| US20020154782A1 (en) | System and method for key distribution to maintain secure communication | |
| US11870891B2 (en) | Certificateless public key encryption using pairings | |
| CN113630248B (en) | Session key negotiation method | |
| WO2023160420A1 (en) | Group message encryption method and apparatus, device and storage medium | |
| US20020199102A1 (en) | Method and apparatus for establishing a shared cryptographic key between energy-limited nodes in a network | |
| CN110999202A (en) | Computer-implemented system and method for highly secure, high-speed encryption and transmission of data | |
| CN107682152B (en) | Group key negotiation method based on symmetric cipher | |
| CN113676448B (en) | Offline equipment bidirectional authentication method and system based on symmetric key | |
| CN111049649A (en) | Zero-interaction key negotiation security enhancement protocol based on identification password | |
| GB2543359A (en) | Methods and apparatus for secure communication | |
| CN112019553B (en) | Data sharing method based on IBE/IBBE | |
| KR20040013966A (en) | Authentication and key agreement scheme for mobile network | |
| JP2009065226A (en) | Authenticated key exchange system, authenticated key exchange method and program | |
| CN114070570A (en) | Safe communication method of power Internet of things | |
| CN116208327A (en) | End-to-end communication method and system based on national encryption and PGP trust network | |
| Gagneja et al. | IoT Devices with Non-interactive Key Management Protocol | |
| CN110719161A (en) | Security parameter interaction method, device, equipment and system | |
| CN114124369B (en) | Multi-group quantum key cooperation method and system | |
| CN114553420B (en) | Digital envelope packaging method based on quantum key and data secret communication network | |
| CN114679261B (en) | Method and system for anonymous communication on chain based on key derivation algorithm | |
| US20230041783A1 (en) | Provision of digital content via a communication network | |
| Eya et al. | New user authentication and key management scheme for secure data transmission in wireless mobile multicast |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |