CN103490900B - Encryption and authentication method and equipment - Google Patents
Encryption and authentication method and equipment Download PDFInfo
- Publication number
- CN103490900B CN103490900B CN201310456644.7A CN201310456644A CN103490900B CN 103490900 B CN103490900 B CN 103490900B CN 201310456644 A CN201310456644 A CN 201310456644A CN 103490900 B CN103490900 B CN 103490900B
- Authority
- CN
- China
- Prior art keywords
- piecemeal
- encrypted
- encryption
- packet
- length
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 65
- 235000013399 edible fruits Nutrition 0.000 claims description 4
- 238000013519 translation Methods 0.000 claims description 3
- 230000014616 translation Effects 0.000 claims description 3
- 239000000203 mixture Substances 0.000 claims description 2
- 230000007423 decrease Effects 0.000 description 9
- 238000012545 processing Methods 0.000 description 7
- 238000004364 calculation method Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 3
- 238000012795 verification Methods 0.000 description 3
- 230000033228 biological regulation Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 1
- 230000008034 disappearance Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a kind of encryption and authentication method and equipment.Method includes: the block length supported according to the AES used, be-encrypted data in be encrypted and message identifying is grouped, and according to the piecemeal length supported of identifying algorithm used, the data to be certified in described to be encrypted and message identifying are carried out piecemeal;If described piecemeal length is more than described block length, then in units of piecemeal, the packet comprising described piecemeal is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result, is authenticated described encryption piecemeal, it is thus achieved that authentication result;Or, if described block length is more than described piecemeal length, the most in packetized units, described packet being encrypted, obtains encrypted result, the piecemeal comprising described encrypted result is authenticated respectively, obtains the authentication result of each piecemeal.Technical solution of the present invention can reduce the memory access number of times in cryptographic authentication process to internal memory, improves process performance.
Description
Technical field
The present invention relates to the network communications technology, particularly relate to a kind of encryption and authentication method and equipment, belong to because of
Special net security technology area.
Background technology
Internet Protocol Security (Internet Protocol Security, referred to as IPSEC) be by
Internet engineering task group (Internet Engineering Task Force, referred to as IETF) is fixed
One safety criterion framework of justice, for ensureing the safe transmission of data.It includes authentication header
(Authentication Header, referred to as AH), ESP (Encapsulating
Security Payload, referred to as ESP), the Internet Key Exchange (Internet Key Exchange,
Referred to as IKE) agreement and for network encryption and the series of algorithms of certification.
AH agreement can be that data transmit the certification of offer source, data integrity verifying service.Source certification is permissible
The identity legitimacy of detection communication ends, prevents other people from pretending to be.Completeness check can detect data in transmission
In whether be tampered.ESP agreement has in addition to the security service that AH can provide, it is also possible to provide data
Confidentiality services, is used for ensureing that data are not peeped in transmitting procedure.AH agreement is not owing to providing data
Confidentiality services, therefore need not be encrypted the message of AH agreement.And ESP agreement provides above
Whole supports of the security service mentioned, under some configures, it had both needed to be encrypted data, also
Need data are authenticated.
Either encryption or certification, be required for data are carried out a large amount of mathematical operation and accessing operation.With
As a example by the processing procedure of transmitting terminal, particularly as follows: CPU (Central Processing Unit,
Referred to as CPU) first from internal memory, read message to be encrypted at transmitting terminal, carry out mathematical calculation, to report
Literary composition is encrypted, and then encrypted result is write back internal memory;Ensuing verification process, CPU is again from interior
Deposit the data after reading encryption and carry out mathematical calculation, complete certification.As can be seen here, there is no hardware supported
In the case of, will be very time-consuming with authentication processing if using pure software to be encrypted, and can take big
Amount CPU) resource performs mathematical calculations, and need frequently to access internal memory to obtain data, thereby result in system
Hydraulic performance decline.For solving this problem, prior art proposes employing hardware components and completes mathematical operation, but
CPU is still to participate in the access of data, it is still desirable to frequently accessing internal memory, process performance is the highest.
Summary of the invention
The present invention provides a kind of encryption and authentication method and equipment, in order to reduce in cryptographic authentication process internal memory
Memory access number of times, improve process performance.
First aspect provides a kind of encryption and authentication method, including:
According to the block length supported of AES used, to be added in be encrypted and message identifying
Ciphertext data is grouped, and the piecemeal length supported according to the identifying algorithm used, to described to be encrypted
Piecemeal is carried out with the data to be certified in message identifying;
If described piecemeal length is more than described block length, then in units of piecemeal, to described piecemeal bag
The packet contained is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result, enters described encryption piecemeal
Row certification, it is thus achieved that authentication result;Or, if described block length is more than described piecemeal length, then with
It is grouped into unit, described packet is encrypted, obtains encrypted result, described encrypted result is comprised
Piecemeal is authenticated respectively, obtains the authentication result of each piecemeal.
Second aspect provides one encryption certification device, including:
Grouping module, for according to the block length supported of AES used, to be encrypted and recognize
Be-encrypted data in card message is grouped;
Piecemeal module, for the piecemeal length supported according to the identifying algorithm used, to described to be encrypted
Piecemeal is carried out with the data to be certified in message identifying;
Encryption authentication module, for when described piecemeal length is more than described block length, with piecemeal as list
Position, the packet comprising described piecemeal is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result,
Described encryption piecemeal is authenticated, it is thus achieved that authentication result;Or, in described block length more than described
During piecemeal length, in packetized units, described packet is encrypted, obtains encrypted result, to described
The piecemeal that encrypted result comprises is authenticated respectively, obtains the authentication result of each piecemeal.
The third aspect provides a kind of network equipment, the arbitrary encryption certification device provided including second aspect.
Encryption and authentication method that the present invention provides and equipment, to be added by be encrypted and message identifying
Ciphertext data is grouped, and the data to be certified in be encrypted and message identifying carry out piecemeal, then with
Piecemeal is unit, and piecemeal is authenticated after being encrypted by packet again that comprise piecemeal, or with packet
For unit, first the piecemeal comprised packet again after block encryption is authenticated.Compared with prior art,
With piecemeal or be grouped into unit in the present invention, it is authenticated immediately after encryption, and the data volume encrypted is relative
Less, now encrypted result is still saved in the caching of CPU, only need to read encrypted result from caching and enter
Row certification, it is not necessary to read encrypted result from internal memory, decrease internal memory reading times, be conducive to
Improve the process performance of encryption certification.
Accompanying drawing explanation
Fig. 1 is encryption and the sequential chart of certification in prior art;
The flow chart of a kind of encryption and authentication method that Fig. 2 provides for the embodiment of the present invention;
Fig. 3 is the message structure schematic diagram employing the to be encrypted of ESP agreement and certification;
The sequential chart of a kind of Hybrid Encryption certification that Fig. 4 provides for the embodiment of the present invention;
A kind of structural representation encrypting certification device that Fig. 5 provides for the embodiment of the present invention.
Detailed description of the invention
Before introducing technical solution of the present invention, first carry out by pure software or by software and hardware in prior art
The process of encryption certification is briefly described, in order to be more fully understood that the present invention.
According to the regulation of IPSEC, at message source, it is necessary first to data are encrypted, the most again
Data after encryption are authenticated.At message sink, it is necessary first to data are authenticated, then
It is decrypted again.
The processing procedure of message source is: CPU first reads message to be encrypted, by CPU from internal memory
Or dedicated hardware units carries out mathematical calculation, completing encryption, then encrypted result is write back internal memory by CPU;
Ensuing verification process, is read the data after encrypting from internal memory again by CPU, then by CPU or special
Hardware cell carries out mathematical calculation, completes certification, and the sequential chart of this process is as shown in Figure 1.Message receives
The processing procedure of end is the inverse process of message source, is the most first authenticated message, then is decrypted.
Ciphering process of the prior art and the strict serialization of verification process, and need frequent visit internal memory with
Obtain data, cause systematic function to decline.
The flow chart of a kind of encryption and authentication method that Fig. 2 provides for the embodiment of the present invention.As in figure 2 it is shown,
Described method includes:
201, according to the block length supported of AES used, in be encrypted and message identifying
Be-encrypted data is grouped, and the piecemeal length supported according to the identifying algorithm used, and treats described
Data to be certified in encryption and message identifying carry out piecemeal.
If 202 described piecemeal length are more than described block length, then in units of piecemeal, to described point
The packet that block comprises is encrypted, it is thus achieved that comprises the encryption piecemeal of encrypted result, divides described encryption
Block is authenticated, it is thus achieved that authentication result;Or, if described block length is more than described piecemeal length,
The most in packetized units, described packet is encrypted, obtains encrypted result, to described encrypted result bag
The piecemeal contained is authenticated respectively, obtains the authentication result of each piecemeal.
The method that the present embodiment provides can be used for adding any message i.e. needing to encrypt and need certification
Close authentication processing, for ease of describe by this i.e. need to encrypt and need the message of certification be referred to as to be encrypted and
Message identifying.The agreement that to be encrypted and message identifying are used by the embodiment of the present invention does not limits, and such as may be used
To be but not limited to: ESP agreement.
In actual applications, according to the difference of agreement, message needs encryption and needs the data of certification can
Can be not quite similar.In the present embodiment, the data of encryption are needed to be referred to as treating by be encrypted in message identifying
Encryption data, needs the data of certification to be referred to as data to be certified by be encrypted in message identifying.According to association
The difference of view, be-encrypted data and data to be certified may be identical, it is also possible to differ.Such as, for
For the message of ESP agreement, data to be certified are to start to ENMES from ESP head;And number to be encrypted
According to being the next one terminated from initial vector (Initialization Vector, referred to as IV) field
Byte starts to ENMES.It is to say, in embodiments of the present invention, be-encrypted data can with treat
Authentication data is identical.Or, be-encrypted data can also be able to differ with data to be certified, such as,
For ESP agreement, described data to be certified include described be-encrypted data and header data, described
Header data includes ESP head and IV field.
Concrete, before encryption certification starts, determine AES and the identifying algorithm of employing.This enforcement
The AES that example uses is typically to support the block encryption algorithm of regular length, such as, can be that data add
Close algorithm (Data Encryption Algorithm, referred to as DES), Advanced Encryption Standard (Advanced
Encryption Standard, referred to as AES), or triple DEA (Triple Data
Encryption Algorithm, referred to as 3DES).Accordingly, the identifying algorithm that the present embodiment uses
Can be translations SHA (Secure Hash Algorithm, referred to as SHA) or information-
Digest algorithm the 5th edition (Message-Digest Algorithm 5, referred to as MD5) etc..Wherein,
Any combination of above-mentioned AES and identifying algorithm all can be applicable in the method that the present embodiment provides, also
That is, the method that the present embodiment provides is applicable to MD5 and DES, MD5 and AES, MD5 and 3DES,
SHA and DES, SHA and 3DES, or the scene of the Hybrid Encryption such as SHA and AES.
After determining the AES of employing, the packet that encryption certification device can be supported according to AES
Length, is grouped the be-encrypted data in be encrypted and message identifying.Concrete, encryption certification dress
Put and successively described be-encrypted data can be divided according to block length, form at least one length
For the packet of described block length, wherein, if length of last packet is less than described block length,
Then last packet is expanded so that the length of the packet after expansion is equal to described block length.
After determining the identifying algorithm of employing, the piecemeal length that encryption certification device can be supported according to identifying algorithm,
Data to be certified in be encrypted and message identifying are carried out piecemeal.Concrete, encryption certification device is permissible
According to piecemeal length, treat authentication data successively and divide, form at least one piecemeal, wherein, as
Really the length of last piecemeal is less than described piecemeal length, then expand last piecemeal, make
The length of the piecemeal after must expanding is equal to described piecemeal length.
Illustrating at this, the above-mentioned detailed description of the invention expanding packet or piecemeal can refer to existing protocol
Regulation, do not limit.If it addition, last is grouped and last
Piecemeal is required to expand, then can be according to piecemeal length and the magnitude relationship of block length, the greater
Expand further on the basis of smaller expands, such as, if block length is less than piecemeal length,
Then last piecemeal can expand on the basis of last is grouped after expansion further;If piecemeal
Length is less than block length, then last packet can enter one on the basis of last piecemeal expands
Step expands.
After be-encrypted data being grouped and treats authentication data and carries out piecemeal, according to piecemeal length
With the magnitude relationship of block length, determine in units of piecemeal, be encrypted certification the most in packetized units.
Concrete, if piecemeal length is more than block length, illustrate that a piecemeal comprises one point to I haven't seen you for ages
Group, then encryption certification device is in units of piecemeal, and the packet comprising this piecemeal is encrypted, and obtains
The encryption piecemeal of encrypted result must be comprised, then encryption piecemeal is authenticated, it is thus achieved that authentication result;So
By piecemeal one by one is carried out identical process, whole add corresponding with message identifying to be encrypted will be obtained
Close authentication result.Further alternative, encryption certification device can be tied in the certification often obtaining a piecemeal
After Guo, authentication result is stored in internal memory.
If block length is more than piecemeal length, illustrate that a packet including at least a piecemeal, is then encrypted
This packet in packetized units, is encrypted, it is thus achieved that encrypted result by certification device, then to encryption
The piecemeal that result comprises is authenticated respectively, obtains the authentication result of each piecemeal.It is further alternative,
Encryption certification device can often obtain the authentication result of a piecemeal, just stores in internal memory, or,
Can also be unifiedly stored in internal memory after the authentication result of all piecemeals in obtaining one and being grouped.
From above-mentioned, compared with prior art, the method that the present embodiment provides with piecemeal or is grouped into list
Position, is authenticated immediately after encryption, and the data volume encrypted is relatively small, and now encrypted result still preserves
In the caching of CPU, only need to read encrypted result from caching and be authenticated, it is not necessary to from internal memory
Middle reading encrypted result, decreases internal memory reading times, is conducive to improving the process performance of encryption certification.
In actual applications, it is more the piecemeal length application scenarios more than block length.Long at piecemeal
Degree is more than in the application scenarios of block length, it is understood that there may be packet non-integer that piecemeal comprises are individual, the most just
It is to say that piecemeal may comprise a part for certain packet rather than the whole of this packet.Illustrate,
For the message of ESP agreement, owing to data to be certified are to start to ENMES from ESP head, and treat
Encryption data is that the next byte terminated from IV field starts to ENMES, therefore, if ESP head
It is not the integral multiple of block length with the length sum of IV field, arises that piecemeal comprises non-integer point
The situation of group.
For ease of describing, express piecemeal in the following manner and comprise non-integer packet.A kind of situation is:
Piecemeal comprises i-th and is grouped, (i+1) individual packet ... (i+N-1) individual packet, and (i+N)
The part of individual packet, the most non-whole packet occurs in the decline of piecemeal;Another kind of situation is: piecemeal
The part of bag jth packet, and (j+1) individual packet ... (j+M) individual packet, the most non-whole
Individual packet occurs in the beginning of piecemeal.Wherein, i, j, N, M are natural number.For above-mentioned two
The situation of kind, the packet that encryption certification device specifically can use manner below to comprise piecemeal is encrypted
Process, it is thus achieved that the encryption piecemeal containing encrypted result, and then described encryption piecemeal is authenticated, it is thus achieved that recognize
Card result, but it is not limited to this.Illustrating at this, if piecemeal comprises non-integer packet, then piecemeal is concrete
Comprise any part data of which packet and which packet the most right according to block length and piecemeal length
Be-encrypted data and data to be certified divide during naturally it is determined that, so encryption recognize
Card device can identify piecemeal specifically comprises which packet and which part data of which packet.
It is grouped if piecemeal comprises i-th, (i+1) individual packet ... (i+N-1) individual packet,
And the part of (i+N) individual packet, then described i-th is grouped, (i+1) individual packet ...
(i+N-1) individual packet, and (i+N) individual packet is encrypted, it is thus achieved that comprise encryption knot
The encryption piecemeal of fruit, and i-th in described encryption piecemeal is grouped, (i+1) individual packet ... the
(i+N-1) encrypted result of individual packet, and the encrypted result of (i+N) individual packet belongs to described
The part of piecemeal is authenticated, it is thus achieved that authentication result;Wherein, the encrypted result of (i+N) individual packet
Other parts will be directly applied during a piecemeal under treatment;
If described piecemeal comprises the part of jth packet, and (j+1) individual packet ... (j+M)
Individual packet, then to described (j+1) individual packet ... (j+M) individual packet is encrypted, and obtains
Must comprise in the encryption piecemeal of encrypted result, and the encrypted result to jth packet and belong to described piecemeal
(j+1) individual packet in part, and described encryption piecemeal ... the encryption knot of (j+M) individual packet
Fruit is authenticated, it is thus achieved that authentication result.Wherein, jth packet encrypted result be process on one
Obtaining during piecemeal, a described upper piecemeal includes the other parts that jth is grouped, and jth packet
Other parts occur in the decline of a described upper piecemeal.
Fig. 3 is the message structure schematic diagram employing the to be encrypted of ESP agreement and certification.Below with Fig. 3
As a example by shown message, piecemeal length is described further more than the scene of block length.As it is shown on figure 3,
In message shown in Fig. 3, data to be certified are to start to ENMES from ESP head, and be-encrypted data be from
The next byte that IV field terminates starts to ENMES.
It is assumed that the identifying algorithm that IPSEC uses has MD5 or SHA, in units of 64 bytes, i.e. piecemeal
A length of 64 bytes;The AES that IPSEC uses is AES, in units of 16 bytes, and i.e. described point
Organize a length of 16 bytes.The most illustratively, described in various embodiments of the present invention, AES only changes
Packet content but do not change the length of packet, i.e. encryption before and after data length keep constant.Then to above-mentioned
Data to be certified carry out the result of piecemeal, Block0 as shown in Figure 3, Block1 ... BlockN;
The result that above-mentioned be-encrypted data is grouped, as shown in Figure 30,1,2,3 ....
During Hybrid Encryption authentication processing, first to Block0 process.Block0 comprises
ESP head and IV field, this part is only authenticated, it is not necessary to be encrypted.Except ESP head and IV word
Outside Duan, Block0 also comprises part should authenticate and need the data of encryption, is i.e. grouped 0,1,2.
Here, successively packet 0,1,2 is encrypted first by aes algorithm, respectively obtains packet 0,1,
The encrypted result of 2, for ease of describing encrypted result and the packet that will be grouped 0,1 in the embodiment of the present invention
The part sum belonging to Block0 in the encrypted result of 2 is designated as encrypted result enc_result0;Due to ESP
The length sum of head, IV field and enc_result0 has been above or equal to 64 bytes, then
MD5 or SHA algorithm can be used to start ESP head, IV field and enc_result0 be authenticated,
Obtain authentication result auth_result0.
Special handling, packet 2 existing part data is needed to be positioned at Block0, also have part data bit
The situation of non-integer packet is comprised in Block1, i.e. Block0.If ESP head and IV field
Length sum is not that the integral multiple of block length arises that this situation.For this situation, the most right
Packet 2 is encrypted, and certification when, is only authenticated the part being included in Block0.
It follows that to Block1 process.First, aes algorithm to be used completes packet 3,4,
The encryption of 5,6, the packet 3 after encryption, packet 4, packet 5, packet 6 are included in Block1
Partly and the length sum of parts that is included in Block1 of packet 2 is equal to 64 bytes, then may be used
To use MD5 or SHA algorithm that these part data are authenticated, obtain authentication result auth_result1.
Wherein, the part being included in Block2 in packet 6, then it is put into next step and is authenticated.
Process Block2, Block3 the most successively ..., until completing last piecemeal,
The process of i.e. BlockN.
Illustrating at this, the size for BlockN is likely to less than 64 bytes, but in order to be packet length
The integral multiple of degree, can expand last piecemeal, it is ensured that BlockN is 64 bytes, then
It is authenticated again, obtains authentication result.Optionally, can be dividing BlockN when, to BlockN
Expanding, being allowed to is 64 bytes;Or, it is also possible to after BlockN is completed encryption, then carry out
Expanding, making BlockN is 64 bytes.
The sequential chart of above-mentioned Hybrid Encryption certification is as shown in Figure 4.In units of piecemeal, after data are encrypted
It is authenticated at once, and owing to encryption data is relatively small, the result of encryption is also saved in caching (Cache)
In, when being authenticated, it is only necessary to the result reading encryption from Cache is authenticated, it is to avoid
From internal memory, read encrypted result, decrease the reading times of internal memory, it is possible to be obviously improved Hybrid Encryption
The performance of certification.And in the prior art scheme, owing to first to complete the encryption to whole message, just open
Beginning is authenticated, and the most original encrypted result is likely to be washed out Cache, if being now authenticated,
Will appear from a large amount of Cache disappearance, increase internal storage access number of times, cause performance drastically to decline.
Further, the method that the embodiment of the present invention provides can be applied not only to pure software mode and is encrypted
The application scenarios of certification, and there is support superscale and independent encryption unit and the machine of authentication ' unit
On, the method that the embodiment of the present invention provides can make the hardware-accelerated instruction of ciphering unit and authentication ' unit also
Row performs, and improves performance further.
Illustrating at this, the above embodiment of the present invention gives detailed process and the tool of Hybrid Encryption authentication method
Body realizes, and this Hybrid Encryption authentication method is generally used for message source, then with message source phase
Corresponding message sink also can use the method adapted with above-mentioned Hybrid Encryption authentication method to receiving
Message be authenticated and decipher.Hybrid Encryption authentication method based on the above embodiment of the present invention offer
Detailed process and implementing, those skilled in the art it is readily conceivable that message sink equally can with point
Group or piecemeal are unit, are first authenticated packet or piecemeal, then are decrypted, and detailed process is the most superfluous
State.
A kind of structural representation encrypting certification device that Fig. 5 provides for the embodiment of the present invention.Such as Fig. 5 institute
Showing, described device includes: grouping module 51, piecemeal module 52 and encryption authentication module 53.
Grouping module 51, for according to the block length supported of AES used, to be encrypted and
Be-encrypted data in message identifying is grouped.
Piecemeal module 52, for the piecemeal length supported according to the identifying algorithm used, to described to be added
Close and in message identifying data to be certified carry out piecemeal.
Encryption authentication module 53, is connected with grouping module 51 and piecemeal module 52, at described piecemeal
When length is more than described block length, in units of piecemeal, the packet comprising described piecemeal is encrypted
Process, it is thus achieved that comprise the encryption piecemeal of encrypted result, described encryption piecemeal is authenticated, it is thus achieved that certification
Result;Or, when described block length is more than described piecemeal length, in packetized units, to described
Packet is encrypted, and obtains encrypted result, and the piecemeal comprising described encrypted result is authenticated respectively,
Obtain the authentication result of each piecemeal.
In an optional embodiment, described be-encrypted data is identical with described data to be certified.
In an optional embodiment, described data to be certified include described be-encrypted data and header data.
As a example by the message using ESP agreement, described header data includes ESP head and IV field.
Based on above-mentioned, piecemeal module 52 is particularly used according to described piecemeal length, recognizes described treating successively
Card data divide, it is thus achieved that at least one piecemeal, if the length of last piecemeal is less than described point
Block length, expands last piecemeal described so that the length of the piecemeal after expansion is equal to described
Piecemeal length.
In an optional embodiment, encryption authentication module 53 is carried out for the packet comprising described piecemeal
Encryption, it is thus achieved that comprise the encryption piecemeal of encrypted result, is authenticated described encryption piecemeal, it is thus achieved that
Authentication result, including:
Encryption authentication module 53 is particularly used in and comprises i-th packet at described piecemeal, and (i+1) is individual
Packet ... (i+N-1) individual packet, and during the part of (i+N) individual packet, to described i-th
Individual packet, (i+1) individual packet ... (i+N-1) individual packet, and (i+N) individual be grouped into
Row encryption, it is thus achieved that comprise the encryption piecemeal of encrypted result, and i-th in described encryption piecemeal is divided
Group, (i+1) individual packet ... the encrypted result of (i+N-1) individual packet, and (i+N) is individual
The part belonging to described piecemeal in the encrypted result of packet is authenticated, it is thus achieved that authentication result;Or institute
State the part of piecemeal bag jth packet, and (j+1) individual packet ... (j+M) individual packet,
Then to described (j+1) individual packet ... (j+M) individual packet is encrypted, it is thus achieved that comprises and adds
The encryption piecemeal of close result, and the encrypted result to jth packet belong to the part of described piecemeal, with
And (j+1) individual packet in described encryption piecemeal ... the encrypted result of (j+M) individual packet is recognized
Card, it is thus achieved that authentication result;Wherein, i, j, N, M are natural number.
Illustrating at this, the AES that the present embodiment uses includes but not limited to: DES, AES, or 3DES;
The identifying algorithm that the present embodiment uses includes but not limited to: SHA or MD5.
The encryption certification device that the present embodiment provides can realize as message source, maybe can be arranged on
Message source realizes.
It is real that each functional module of the encryption certification device that the present embodiment provides can be used for the method shown in Fig. 2 that performs
Executing the flow process of example, its specific works principle repeats no more, and refers to the description of embodiment of the method.
The encryption certification device that the present embodiment provides, by the number to be encrypted in be encrypted and message identifying
According to being grouped, and the data to be certified in be encrypted and message identifying are carried out piecemeal, then with piecemeal
For unit, piecemeal is authenticated after being encrypted by packet again that comprise piecemeal, or to be grouped into list
Position, is first authenticated the piecemeal comprised packet again after block encryption.Compared with prior art, this reality
The encryption certification device executing example with piecemeal or is grouped into unit, is authenticated immediately, and encrypts after encryption
Data volume is relatively small, and now encrypted result is still saved in the caching of CPU, only need to read from caching
Encrypted result is authenticated, it is not necessary to read encrypted result from internal memory, decreases internal memory and reads secondary
Number, is conducive to improving the process performance of encryption certification.
The embodiment of the present invention provides a kind of network equipment, and this network equipment includes that what above-described embodiment provided adds
Close certification device, about the encryption operation principle of certification device with realize structure and can be found in above-described embodiment
Describe, do not repeat them here.
The network equipment that the present embodiment provides can be used for using said method to implement as message source
The encryption and authentication method that example provides is encrypted to sent message and certification, is then sent to message and connects
Receiving end.The network equipment that the present embodiment provides, has minimizing internal memory reading times equally, is conducive to improving
The advantage of the process performance of encryption certification.
One of ordinary skill in the art will appreciate that: realize all or part of step of above-mentioned each method embodiment
Suddenly can be completed by the hardware that programmed instruction is relevant.Aforesaid program can be stored in a computer can
Read in storage medium.This program upon execution, performs to include the step of above-mentioned each method embodiment;And
Aforesaid storage medium includes: ROM, RAM, magnetic disc or CD etc. are various can store program code
Medium.
Last it is noted that various embodiments above is only in order to illustrate technical scheme, rather than right
It limits;Although the present invention being described in detail with reference to foregoing embodiments, this area common
Skilled artisans appreciate that the technical scheme described in foregoing embodiments still can be modified by it,
Or the most some or all of technical characteristic is carried out equivalent;And these amendments or replacement, and
The essence not making appropriate technical solution departs from the scope of various embodiments of the present invention technical scheme.
Claims (11)
1. an encryption and authentication method, it is characterised in that including:
According to the block length supported of AES used, to the be-encrypted data in be encrypted and message identifying
It is grouped, and according to the piecemeal length supported of identifying algorithm used, in described to be encrypted and message identifying
Data to be certified carry out piecemeal;
If described piecemeal length is more than described block length, then in units of piecemeal, comprise described piecemeal divides
Group is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result, each block encryption complete after immediately to described
Encryption piecemeal is authenticated, it is thus achieved that authentication result;Or, if described block length is more than described piecemeal length,
The most in packetized units, described packet is encrypted, obtains encrypted result, each block encryption complete after immediately
The piecemeal comprising described encrypted result is authenticated respectively, obtains the authentication result of each piecemeal.
Method the most according to claim 1, it is characterised in that described be-encrypted data is treated with described
Authentication data is identical;Or, described data to be certified include described be-encrypted data and header data.
Method the most according to claim 1, it is characterised in that described according to the identifying algorithm institute used
Data to be certified in described to be encrypted and message identifying are carried out piecemeal by the piecemeal length supported, including:
According to described piecemeal length, successively described data to be certified are divided, it is thus achieved that at least one piecemeal, as
Really the length of last piecemeal is less than described piecemeal length, expands last piecemeal described so that expand
The length of the piecemeal after filling is equal to described piecemeal length.
4. according to the method described in any one of claim 1-3, it is characterised in that described to described piecemeal
The packet comprised is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result, recognizes described encryption piecemeal
Card, it is thus achieved that authentication result, including:
It is grouped if described piecemeal comprises i-th, (i+1) individual packet ... (i+N-1) individual point
Group, and the part of (i+N) individual packet, then be grouped described i-th, (i+1) individual packet ...
(i+N-1) individual packet, and (i+N) individual packet is encrypted, it is thus achieved that comprise encryption knot
The encryption piecemeal of fruit, and i-th in described encryption piecemeal is grouped, (i+1) individual packet ... the
(i+N-1) encrypted result of individual packet, and the encrypted result of (i+N) individual packet belongs to described
The part of piecemeal is authenticated, it is thus achieved that authentication result;Or
If the part of described piecemeal bag jth packet, and (j+1) individual packet ... (j+M)
Individual packet, then to described (j+1) individual packet ... (j+M) individual packet is encrypted, and obtains
Must comprise in the encryption piecemeal of encrypted result, and the encrypted result to jth packet and belong to described piecemeal
(j+1) individual packet in part, and described encryption piecemeal ... the encryption knot of (j+M) individual packet
Fruit is authenticated, it is thus achieved that authentication result;
Wherein, i, j, N, M are natural number.
5. according to the method described in any one of claim 1-3, it is characterised in that described AES is
DEA DES, advanced encryption algorithm AES, or triple DEA 3DES;Described recognize
Card algorithm is translations SHA SHA or the 5th edition MD5 of Message Digest 5.
6. an encryption certification device, it is characterised in that including:
Grouping module, for the block length supported according to the AES used, to be encrypted and certification report
Be-encrypted data in literary composition is grouped;
Piecemeal module, for the piecemeal length supported according to the identifying algorithm used, to described to be encrypted and certification
Data to be certified in message carry out piecemeal;
Encryption authentication module, for when described piecemeal length is more than described block length, in units of piecemeal,
The packet comprising described piecemeal is encrypted, it is thus achieved that comprise the encryption piecemeal of encrypted result, and each piecemeal adds
Close complete after immediately described encryption piecemeal is authenticated, it is thus achieved that authentication result;Or, big in described block length
When described piecemeal length, in packetized units, described packet is encrypted, obtains encrypted result, Mei Gefen
The piecemeal that described encrypted result is comprised after completing by group encryption immediately is authenticated respectively, obtains the certification of each piecemeal
Result.
Device the most according to claim 6, it is characterised in that described be-encrypted data is to be certified with described
Data are identical;Or, described data to be certified include described be-encrypted data and header data.
Device the most according to claim 6, it is characterised in that described piecemeal module is specifically for according to institute
State piecemeal length, successively described data to be certified are divided, it is thus achieved that at least one piecemeal, if last
The length of piecemeal is less than described piecemeal length, expands last piecemeal described so that the piecemeal after expansion
Length equal to described piecemeal length.
9. according to the device described in any one of claim 6-8, it is characterised in that described encryption authentication module is used
It is encrypted in the packet that described piecemeal is comprised, it is thus achieved that comprise the encryption piecemeal of encrypted result, add described
Close piecemeal is authenticated, it is thus achieved that authentication result, including:
Described encryption authentication module is specifically for comprising i-th packet, (i+1) individual point at described piecemeal
Group ... (i+N-1) individual packet, and during the part of (i+N) individual packet, to described i-th
Packet, (i+1) individual packet ... (i+N-1) individual packet, and (i+N) individual packet carries out
Encryption, it is thus achieved that comprise the encryption piecemeal of encrypted result, and i-th in described encryption piecemeal is grouped,
(i+1) individual packet ... the encrypted result of (i+N-1) individual packet, and (i+N) individual packet
Encrypted result in belong to the part of described piecemeal and be authenticated, it is thus achieved that authentication result;Or at described piecemeal
The part of bag jth packet, and (j+1) individual packet ... (j+M) individual packet, then to institute
State (j+1) individual packet ... (j+M) individual packet is encrypted, it is thus achieved that comprise encrypted result
Encryption piecemeal, and the encrypted result to jth packet belongs to the part of described piecemeal, and described
(j+1) individual packet in encryption piecemeal ... the encrypted result of (j+M) individual packet is authenticated, and obtains
Obtain authentication result;
Wherein, i, j, N, M are natural number.
10. according to the device described in any one of claim 6-8, it is characterised in that described AES
For DEA DES, advanced encryption algorithm AES, or triple DEA 3DES;Described
Identifying algorithm is translations SHA SHA or the 5th edition MD5 of Message Digest 5.
11. 1 kinds of network equipments, it is characterised in that including: adding described in any one of claim 6-10
Close certification device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310456644.7A CN103490900B (en) | 2013-09-29 | 2013-09-29 | Encryption and authentication method and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310456644.7A CN103490900B (en) | 2013-09-29 | 2013-09-29 | Encryption and authentication method and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103490900A CN103490900A (en) | 2014-01-01 |
| CN103490900B true CN103490900B (en) | 2017-01-04 |
Family
ID=49830874
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310456644.7A Active CN103490900B (en) | 2013-09-29 | 2013-09-29 | Encryption and authentication method and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103490900B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111615106B (en) * | 2019-02-25 | 2023-09-26 | 阿里巴巴集团控股有限公司 | Encryption method and device for voice data packet |
| CN113014385B (en) * | 2021-03-25 | 2023-09-01 | 黑龙江大学 | Double-network-port hardware network data encryption system |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100560658B1 (en) * | 2003-02-17 | 2006-03-16 | 삼성전자주식회사 | Encryption apparatus and method thereof for fast offset codebook mode |
| US20120284524A1 (en) * | 2011-05-03 | 2012-11-08 | Texas Instruments Incorporated | Low overhead nonce construction for message security |
-
2013
- 2013-09-29 CN CN201310456644.7A patent/CN103490900B/en active Active
Non-Patent Citations (3)
| Title |
|---|
| "The Security of the Cipher Block Chaining;Mihir Bellarea, 1, Joe Kilianb, Phillip Rogawayc, 2;《Journal of Computer and System Sciences》;20001229;第61卷(第3期);第362–399页 * |
| "一种新的一阶段加密认证模式";徐津温,巧燕,王大印;《电子学报》;20091030;第37卷(第10期);第2187-2192页 * |
| "基于分组密码的加密认证码";胡予濮,肖国镇,张建中;《西安电子科技大学学报》;20100323;第26卷(第2期);第1-3页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103490900A (en) | 2014-01-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12192184B2 (en) | Secure session resumption using post-quantum cryptography | |
| CN109886040B (en) | Data processing method, device, storage medium and processor | |
| US10904231B2 (en) | Encryption using multi-level encryption key derivation | |
| US8484486B2 (en) | Integrated cryptographic security module for a network node | |
| CN109728914B (en) | Digital signature verification method, system, device and computer readable storage medium | |
| CN103546289A (en) | USB (universal serial bus) Key based secure data transmission method and system | |
| CN106302422B (en) | Business encryption and decryption method and device | |
| US20170012774A1 (en) | Method and system for improving the data security during a communication process | |
| CN101582109A (en) | Data encryption method and device, data decryption method and device and solid state disk | |
| CN105100076A (en) | Cloud data security system based on USB Key | |
| CN106209352A (en) | There is effective cipher key derivative of forward security | |
| CN111970114B (en) | File encryption method, system, server and storage medium | |
| Shreejith et al. | Security aware network controllers for next generation automotive embedded systems | |
| CN115865448B (en) | Data self-encryption device and method | |
| US12452043B2 (en) | Key sharing method, key sharing system, authentication device, authentication target device, recording medium, and authentication method | |
| CN114866244A (en) | Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption | |
| CN118488443A (en) | A method and system for encrypted communication of unmanned aerial vehicles | |
| JP2015225376A (en) | Computer system, computer, semiconductor device, information processing method, and computer program | |
| CN103490900B (en) | Encryption and authentication method and equipment | |
| CN106257858A (en) | The data ciphering method of a kind of remote storage device, Apparatus and system | |
| CN106257859A (en) | A kind of password using method | |
| CN111460463B (en) | Electronic certificate preserving and notarizing method, device, equipment and storage medium | |
| CN115001744B (en) | Cloud platform data integrity verification method and system | |
| CN115296795A (en) | A hybrid encryption information processing and communication on-chip system and method | |
| KR102094606B1 (en) | Apparatus and method for authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder |
Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor Patentee after: RUIJIE NETWORKS CO., LTD. Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor Patentee before: Fujian Xingwangruijie Network Co., Ltd. |
|
| CP01 | Change in the name or title of a patent holder |