CN112615824A - Anti-leakage one-time pad communication method and device - Google Patents
Anti-leakage one-time pad communication method and device Download PDFInfo
- Publication number
- CN112615824A CN112615824A CN202011410475.XA CN202011410475A CN112615824A CN 112615824 A CN112615824 A CN 112615824A CN 202011410475 A CN202011410475 A CN 202011410475A CN 112615824 A CN112615824 A CN 112615824A
- Authority
- CN
- China
- Prior art keywords
- key
- codebook
- book
- user
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000006854 communication Effects 0.000 title claims abstract description 77
- 238000004891 communication Methods 0.000 title claims abstract description 76
- 238000000034 method Methods 0.000 title claims abstract description 59
- 230000008569 process Effects 0.000 claims abstract description 16
- 230000002457 bidirectional effect Effects 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 11
- 238000012790 confirmation Methods 0.000 claims description 8
- 238000012795 verification Methods 0.000 claims description 5
- 238000004806 packaging method and process Methods 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 9
- 230000007246 mechanism Effects 0.000 description 4
- 238000011084 recovery Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/067—Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
本发明提供防泄漏一次一密通信方法及装置,包括:发送方将从密码本中按照主动读取方式读取的一次性密钥和待发送明文通过预设加密算法生成密文;将所述密文和所述一次性密钥对应的密码本位置范围打包后,通过公共信道传送至接收方;接收方根据所述密码本位置范围,以被动读取的方式从所述密码本中读取解密密钥;通过预设解密算法将所述解密密钥和所述密文进行解密运算,得到接收明文。本发明通过采用一次读写的密钥进行加解密,解决了一次性密码本在实际使用过程中面临的密钥泄露、密钥难以彻底销毁问题;通过引入主动、被动两种读取密钥的方式,保证每段密钥只对一个消息使用一次,解决了一次性密钥被重复使用的问题。
The invention provides a leak-proof one-time-one-key communication method and device, including: a sender generates a ciphertext through a preset encryption algorithm from a one-time key read from a codebook in an active reading manner and a plaintext to be sent; After the ciphertext and the codebook location range corresponding to the one-time key are packaged, they are sent to the receiver through a public channel; the receiver reads the codebook passively according to the codebook location range. Decryption key; perform decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain the received plaintext. The invention solves the problems of key leakage and difficulty in completely destroying the key faced by the one-time codebook in the actual use process by adopting a key for reading and writing once for encryption and decryption; The method ensures that each key is only used once for one message, which solves the problem of repeated use of one-time keys.
Description
Technical Field
The invention relates to the technical field of encrypted communication and network security, in particular to a leakage-proof one-time pad communication method and device.
Background
To ensure the confidentiality of communications, one-time pad was proven to be an absolutely secure means of encrypting communications, and was originally invented by Major Joseph Mauborgne and Gilbert Vernam of AT & T in 1917.
When the one-time pad mode is used for encrypted communication, the following conditions are required to be met so as to ensure the absolute safety of communication:
(1) the key must be a truly random sequence;
(2) the key length is at least as long as the plaintext;
(3) each key is used for only one message and cannot be reused;
(4) the key cannot be revealed during transmission.
Correspondingly, a One Time Pad (One Time Pad) is a typical One-Time Pad communication method. A block diagram of a one-time pad system is shown in fig. 1. The pad A, B has the same sequence of random numbers written thereon as a communication key. The codebook A, B was distributed (mechanically transportable) in some way to both communicating parties in advance, assuming that both communicating parties are respectively designated as Alice and Bob. The most important advantage of the one-time pad is that even if an attacker obtains a real secret key by brute force cracking and other methods, the attacker cannot judge whether the decoded plaintext is correct or not, so that the one-time pad can theoretically ensure that the ciphertext cannot be decoded by the attacker.
In practical applications, the one-time pad has the following problems:
one is the problem of key randomness, which requires the generation of a large number of random numbers as keys in a one-time pad system. Each key can only be used once, depending on the conditions of cryptographic security, so the random number used as a key cannot be a pseudo-random number generated by a computer program, but must be a truly random sequence without repetition. Most of the Hardware methods currently used to generate true Random Number sequences, the Hardware Random Number Generator (HRNG) is usually based on microscopic physical phenomena, such as thermal noise and photoelectric effect. However, these random number generation devices based on physical phenomena are generally complex and difficult to implement.
Secondly, the problem of secret key disclosure can be specifically divided into two aspects:
(1) distribution and storage of codebooks: the one-time cipher books need to be distributed to two communication parties in a secure mode, the safety of the cipher books needs to be guaranteed in the communication process, and secret key leakage cannot occur. In addition, the cipher key length on the cipher book is larger than or equal to the plaintext length, so that the cipher book and the plaintext are transmitted and stored with considerable difficulty. Therefore, if a method capable of ensuring the data security of the cipher text exists, the plaintext can be directly transmitted by the method without encryption.
(2) The key is difficult to destroy completely: in the actual use process, storage devices such as a U disk, a mobile hard disk, a DVD-R and the like can be used for storing the key, and the key data needs to be destroyed in time after a section of key is used each time. However, at present, when a lot of storage devices delete data, the data at the corresponding position is not directly erased, but a tag to be erased is marked on the part of data to prohibit a user from accessing the data; and when the user writes new data into the corresponding storage position, the original data is overwritten by the new data. Therefore, if a general storage medium is used as the pad storage key, a risk of data recovery is encountered. Namely, an attacker can use a data recovery technology of a logical layer or a physical layer to recover the used key on the codebook, so that the key is leaked.
Thirdly, the authentication problem can be divided into two specific aspects:
(1) authentication of the message: conventional one-time pad communications do not provide message authentication functionality, i.e., Bob cannot identify whether a received message is from Alice and whether the message content has been tampered with. As shown in fig. 2, assuming that Alice encrypts a plaintext including "three-point-in-the-morning meeting" in tomorrow, the transmitted ciphertext C is intercepted by Eve, if Eve knows a part of plaintext information in Alice's transmission message in advance, it can reversely derive a key k at a corresponding position through the plaintext and ciphertext, and then encrypt a self-modified plaintext (e.g., "five-point-in-the-tomorrow meeting") by using the key, and transmit a new ciphertext C' to Bob, thereby cheating Bob.
(2) Authentication of the codebook: another problem faced by one-time pad communications during practical use is authentication of the pad. An attacker may "pack" the codebooks of both parties at the same time, i.e., Eve replaces the codebooks a, B of Alice and Bob with the one forged by Eve, and then eavesdrops on the communication between Alice and Bob. At this point, if Alice and Bob do not authenticate the codebook, communication continues using the false codebook provided by Eve, which can decrypt smoothly based on the known key.
In view of the above problems, a new processing method for one-time pad communication needs to be proposed.
Disclosure of Invention
The invention provides a leakage-proof one-time pad communication method and a leakage-proof one-time pad communication device, which are used for solving the defects that a secret key is easy to leak in the transmission process and a cipher book is easy to be falsified or forged in the prior art.
In a first aspect, the present invention provides a method of leak-proof one-time pad communication, comprising:
a sender generates a ciphertext from a one-time secret key read from a codebook in an active reading mode and a plaintext to be sent through a preset encryption algorithm;
after the cipher text and the position range of the cipher book corresponding to the one-time key are packaged, transmitting the cipher text and the position range of the cipher book to a receiver through a public channel;
the receiver reads a decryption key from the codebook in a passive reading mode according to the position range of the codebook;
and carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
Further, the sender reads the one-time key from the codebook in an active reading mode and generates a ciphertext from a plaintext to be sent through a preset encryption algorithm, and the method also comprises the following steps:
bidirectional identity authentication is carried out between the user and the password book;
and after the authentication is passed, the user normally uses the password book. Further, the sender generates a ciphertext from the one-time key read from the codebook in an active reading manner and the plaintext to be sent by using a preset encryption algorithm, and then the method further includes:
and the sender erases and destroys the key data corresponding to the position range of the password book through an erasing circuit, wherein the position range of the password book is an address range which can not be repeatedly used.
Further, the receiving party performs decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext, and then the method further includes:
and the receiver erases and destroys the key data corresponding to the position range of the codebook through an erasing circuit, wherein the position range of the codebook is an address range which can not be repeatedly used.
Further, the bidirectional identity authentication specifically includes:
a user starts an authentication process through preset input information;
the password book verifies the preset input information input by the user, if the preset input information is consistent with the input information during the user registration, the user authentication is judged to be successful, an authentication request is sent to a trusted authentication server, and if not, error reporting information is sent to the user, and the authentication is terminated;
the trusted authentication server sends data to be signed to the codebook;
the password book prompts triggering authentication to the user, after receiving the confirmation information of the user, the password book signs the data to be signed by using a private key, and the signed data is returned to the authentication server;
the trusted authentication server verifies the signed data returned by the codebook by using a public key, if the verification is passed, a confirmation message is sent to the user, otherwise, codebook authentication failure information is sent to the user;
if the authentication failure times of the user on the password book exceed a first preset threshold value, the user puts the password book into a blacklist and does not send an authentication request to the password book any more;
if the authentication failure times of the user by the password book exceed a second preset threshold, the password book starts a self-destruction program to automatically erase internal data, so that the data in the password book is prevented from being further attacked;
and if the user does not use the password book after exceeding the preset time interval, automatically triggering an authentication process.
Further, the active reading mode is specifically;
when both communication parties adopt a full duplex mode, a first sender reads a key to be used from the beginning position of the cipher book from small to large according to a position serial number as an encryption key, and a second sender reads the key to be used from the end position of the cipher book from large to small according to the position serial number as the encryption key;
correspondingly, the passive reading mode is specifically;
when both communication parties adopt a full duplex mode, the first receiving party and the second receiving party read the key to be used on the cipher book as a decryption key according to the key position range sent by the other party.
Further, the active reading mode and the passive reading mode further include:
when the unused area on the codebook of any one of the two communication parties is smaller than a first threshold value, immediately sending a first warning message to the other party, wherein the length of the message sent by the two communication parties is not more than half of the first threshold value;
when the unused area on the codebook of any one of the two communication parties is smaller than a second threshold value, immediately sending a second warning message to the other party, and terminating the use of the codebook and erasing the residual data;
wherein the second threshold is less than the first threshold.
In a second aspect, the present invention also provides a leak-resistant one-time-pad communication device, comprising:
the first encryption module is used for enabling a sender to generate a ciphertext from the one-time secret key read from the codebook in an active reading mode and the plaintext to be sent through a preset encryption algorithm;
the second encryption module is used for packaging the cipher text and the position range of the cipher book corresponding to the one-time key and then transmitting the cipher text and the position range of the cipher book to a receiver through a public channel;
the first decryption module is used for reading a decryption key from the codebook in a passive reading mode by a receiver according to the position range of the codebook;
and the second decryption module is used for carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
In a third aspect, the present invention further provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the leak-proof one-time-pad communication method as described in any of the above when executing the program.
In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the leak-proof one-time-pad communication method as described in any of the above.
According to the leakage-proof one-time pad communication method and device, the one-time read-write secret key is used for encryption and decryption, so that the problems that the secret key is leaked and the secret key is difficult to thoroughly destroy in the actual use process of the one-time pad are solved; by introducing two ways of reading the key actively and passively, each section of the key is ensured to be used for only one message once, and the problem that the one-time key is reused is solved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a block diagram of a one-time pad system provided by the prior art;
fig. 2 is a problem of authentication of a one-time pad provided by the prior art;
FIG. 3 is a flow chart of a method of leak-proof one-time pad communication according to the present invention;
FIG. 4 is a block diagram of a leak resistant one time pad system provided by the present invention;
FIG. 5 is a schematic diagram of a two-way authentication system between a user and a codebook provided by the present invention;
FIG. 6 is a flow chart of two-way authentication provided by the present invention;
FIG. 7 is a flow chart of a triggering mechanism of the authentication process provided by the present invention;
FIG. 8 is a schematic diagram of the active and passive key reading modes provided by the present invention;
FIG. 9 is a schematic diagram of a leak resistant one time pad communication device provided by the present invention;
fig. 10 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In view of the deficiencies of the prior art, the present invention provides a leak-proof one-time pad communication method, as shown in fig. 3, comprising:
s1, the sender generates a ciphertext from the one-time key read from the codebook in an active reading mode and the plaintext to be sent through a preset encryption algorithm;
s2, after the cipher text and the cipher book position range corresponding to the one-time key are packaged, transmitting the cipher text and the cipher book position range to a receiver through a public channel;
s3, the receiving party reads the decryption key from the cipher book in a passive reading mode according to the position range of the cipher book;
and S4, carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
Specifically, the invention solves the problems of key leakage, difficult complete destruction of keys and the like in a one-time pad communication system by designing a set of electronic device, as shown in fig. 4, the device consists of a writing module and a matched anti-leakage one-time pad module, and the anti-leakage one-time pad can work in three modes of writing, encrypting and decrypting.
First is the write mode: in the system, two communication parties respectively hold a codebook, and the two codebooks store the same random number sequence as a communication key. The cipher book is designed into a portable hardware electronic device, such as a small mobile hard disk with a USB interface. The device comprises a write-once circuit, a mass storage, a read-once circuit, an erase circuit and the like. Here, the sender is not set to Alice and holds the codebook a; the receiver is Bob and holds a codebook B.
The second is an encryption mode: when a sender Alice sends a message each time, the position range of the codebook used this time needs to be determined according to the length of the plaintext to be sent and the available area of the codebook a. For example: the Alice uses the 0 th to 1000 th bits of the codebook A before, and the length of the plaintext to be sent is 100 bits, so that the Alice can select the 1001 st to 1100 th random sequence on the codebook A as the secret key of the communication. After reading the key of the communication through the one-time reading circuit, the sender Alice uses the key and the plaintext to perform encryption operation (such as XOR operation) to obtain a ciphertext, and then destroys and erases the key data in the corresponding position range through the erasing circuit. And the sender Alice packs and sends the ciphertext and the position range of the cipher book used this time, and transmits the ciphertext and the position range of the cipher book to the receiver Bob through an open channel.
Finally, the decryption mode is used, and the format of the message received by the receiver Bob is < position range; and B, reading data in the corresponding position range on the codebook B by Bob, using the data as a secret key, performing decryption operation (such as XOR operation) by using the secret key and the ciphertext to obtain a plaintext, and then destroying and erasing the secret key data in the corresponding position range by using an erasing circuit.
The invention solves the problem of key leakage of the one-time cipher book fundamentally by using the one-time read-write circuit, the key data can only be written and read in one time, the key can be completely erased after being used, and the used key can not be recovered by the existing data recovery technology; for the condition that a key is leaked in the using process, if an attacker steals the codebook and reads the key data in the codebook, the stolen key data cannot be read again when a legal user uses the codebook again; in addition, the user can find that the usable position range of the code book changes, so that the code book can be found to be stolen.
For example, when Alice has used 0-1000 bits of the codebook A, Eve steals the codebook and reads out 1001-2000 bit of key data, then Alice can only read the key data after 2000 bits in the codebook in the next communication, and does not use the key stolen by Eve.
Based on the above embodiment, the method step S1 is preceded by:
bidirectional identity authentication is carried out between the user and the password book; and after the authentication is passed, the user normally uses the password book.
Specifically, the above embodiment uses a write-once circuit and an erase circuit to ensure that data in the codebook can only be read once, thereby solving the problem of data leakage of the codebook, and the embodiment of the present invention designs a set of bidirectional authentication mechanism for the authentication problem, so as to implement bidirectional identity authentication between a user and the codebook, specifically including two aspects:
(1) the codebook authenticates the user: the password book is bound with the user, only the user himself has the right to use the password book, and before the password book is used each time, the user identity needs to be verified;
(2) user authentication codebook: before the user uses the cipher book each time, the authenticity of the cipher book needs to be verified, and the cipher book is prevented from being forged and exchanged.
Based on any embodiment, the method further includes, after step S1:
and the sender erases and destroys the key data corresponding to the position range of the password book through an erasing circuit, wherein the position range of the password book is an address range which can not be repeatedly used.
Wherein, the method further comprises, after step S4:
and the receiver erases and destroys the key data corresponding to the position range of the codebook through an erasing circuit, wherein the position range of the codebook is an address range which can not be repeatedly used.
Specifically, the invention uses the one-time read-write circuit, thus fundamentally solving the problem of key leakage of the one-time cipher book, after encryption and decryption, the key is respectively and completely erased physically, and after the key is erased, the corresponding position range is not reusable, so that the existing data recovery technology can not recover the used key.
Based on any of the above embodiments, the bidirectional identity authentication specifically includes:
a user starts an authentication process through preset input information;
the password book verifies the preset input information, if the preset input information is consistent with the input information during the user registration, the user authentication is judged to be successful, an authentication request is sent to an authentication server, and if not, error reporting information is sent to the user, and the authentication is terminated;
the authentication server sends data to be signed to the codebook;
the password book prompts triggering authentication to the user, after receiving the confirmation information of the user, the password book signs the data to be signed by using a private key, and the signed data is returned to the authentication server;
and the authentication server verifies the signed data returned by the codebook by using a public key, if the signed data passes the verification, a confirmation message is sent to the user, and otherwise, a codebook authentication failure message is sent to the user.
If the authentication failure times of the user on the password book exceed a first preset threshold value, the user puts the password book into a blacklist and does not send an authentication request to the password book any more;
and if the authentication failure times of the user by the password book exceed a second preset threshold, starting a self-destruction program by the password book, and automatically erasing the internal data to prevent the data in the password book from being further attacked.
And if the user does not use the password book after exceeding the preset time interval, automatically triggering an authentication process.
Specifically, the two-way authentication scheme proposed by the present invention is shown in fig. 5, in which a codebook is responsible for performing authentication on a user; the user's authentication of the pad is carried out by means of a secure and trusted authentication server.
The user needs to register before first using the codebook. The user can register by using preset input information, such as a traditional user name-password mode, and can also input personal information such as fingerprints, voice, iris and facial features, and the personal information is stored in a local safe area of the password book and is stored separately from a random number sequence used as a secret key, so that the safety of personal data of the user is ensured. After the successful registration, the cipher book generates a pair of asymmetric keys for the user, wherein the private key is stored in the local cipher book, and the public key is sent to the remote authentication server.
Before the user uses the codebook, the user needs to perform two-way authentication, which is shown in fig. 6, and the specific process of two-way authentication is as follows:
(1) the user inputs a user name and a password, or starts an authentication process through fingerprints, voice and other modes;
(2) the password book verifies the input information of the user, if the input information is consistent with the information input during the registration of the user, the user is informed of the successful authentication, and an authentication request is sent to an authentication server; otherwise, sending error information to the user and terminating the authentication process;
(3) the authentication server sends a piece of data (Challenge message) to be signed to the cipher book;
(4) the cipher book prompts a user to trigger authentication, after receiving user confirmation, the cipher book signs the Challenge message by using a private key, and returns signed data to the authentication server;
(5) the authentication server uses the public key to verify the response sent by the cipher book, if the response passes the verification, the authentication server sends confirmation information to the user to inform the user that the cipher book passes the verification; otherwise, sending authentication error information to the user.
If an error occurs in either direction of the two-way identity authentication, the re-authentication can be requested while sending the error information. When multiple times of authentication are wrong, the following measures can be taken:
the first is the authentication of the user to the cipher book: if the cipher book fails to be authenticated for many times, the user equipment can list the cipher book in a blacklist and does not send an authentication request to the cipher book any more;
secondly, the user is authenticated by the cipher book: if the user fails to authenticate for many times, the password book can start a self-destruction program to automatically erase all internal data, so that the password book is prevented from further attack.
It can be understood that when the sender needs to use the codebook each time, the sender needs to perform bidirectional authentication first to verify the authenticity of the codebook; if the user does not use the codebook for a long time, the mutual authentication is triggered periodically, so that if the codebook is exchanged, the early discovery can be ensured. The trigger mechanism of the authentication process is shown in fig. 7, and in practical application, the authentication time interval T can be properly selected according to practical requirements0。
Aiming at the problem that the codebook can be forged and exchanged, the invention designs a user-codebook bidirectional authentication mechanism, realizes bidirectional identity authentication between a user and the codebook, and realizes the authentication of the user identity through a fingerprint mode, a password mode and the like; the authentication of the cipher book is realized by introducing an authentication server and using an asymmetric key signature; if the cipher book is forged or exchanged, the authentication server can directly send error information to the user to remind the user that the identity of the cipher book is abnormal.
Based on any of the above embodiments, the active reading mode is specifically;
when both communication parties adopt a full duplex mode, a first sender reads a key to be used from the beginning position of the cipher book from small to large according to a position serial number as an encryption key, and a second sender reads the key to be used from the end position of the cipher book from large to small according to the position serial number as the encryption key;
correspondingly, the passive reading mode is specifically;
when both communication parties adopt a full duplex mode, the first receiving party and the second receiving party read the key to be used on the cipher book as a decryption key according to the key position range sent by the other party.
The active reading mode and the passive reading mode further comprise:
when the unused area on the codebook of any one of the two communication parties is smaller than a first threshold value, immediately sending a first warning message to the other party, wherein the length of the message sent by the two communication parties is not more than half of the first threshold value;
when the unused area on the codebook of any one of the two communication parties is smaller than a second threshold value, immediately sending a second warning message to the other party, and terminating the use of the codebook and erasing the residual data;
wherein the second threshold is less than the first threshold.
In particular, when using a one-time pad, each piece of key read from the pad can only be used once for the same message. If both parties read the codebook from front to back in the same order, one possible scenario is: alice reads the key in the range of [ x0, x1] in the codebook A, encrypts a message Ma and sends the message Ma to Bob; before receiving the message Ma, Bob reads the key in the range of [ x0, x2] in the codebook B, encrypts the message Mb, and sends the encrypted message Mb to Alice. In this case, the key in the range of [ x0, min (x1, x2) ] on the codebook is used twice, encrypting different messages separately, violating the principle of "one-time pad".
Therefore, in order to avoid the above-mentioned situation of key reuse and support full duplex communication, it is necessary to design a rule for reading the key, so that the two parties of communication read the key data in different orders. As shown in fig. 8, the user reads the key in the following two modes:
(1) active reading:
both communication parties are well defined in advance, when a message needs to be sent to the opposite party, one party (Alice) reads the cipher book from the position 0 of the cipher book as an encryption key according to the sequence of the position serial numbers from small to large; the other party (Bob) reads the cipher book from the tail end of the cipher book according to the sequence of the position serial numbers from big to small as an encryption key;
(2) passive reading:
when receiving the message of the other party and needing to decrypt, the key is read according to the position range sent by the other party for decryption.
Here, to ensure the security of the codebook when the available storage range is about to be exhausted, the present invention also proposes the following interaction scheme:
when the length of an unused area on the codebook of any one of the two communication parties is smaller than a certain threshold value L1, a WARNING message is immediately sent to the other party to remind the other party that the usable range of the codebook is about to be used up; thereafter, the message length sent by both communication parties each time cannot exceed 0.5 × L1;
when the length of the unused area of the cipher book of any one of the two communication parties is smaller than another threshold value L2(L2< L1), the use of the cipher book is terminated and the rest data is erased, and meanwhile, a WARNING message is sent to the other party to remind the other party that the cipher book is invalidated.
The following describes the leakage-proof otp communication apparatus provided by the present invention, and the leakage-proof otp communication apparatus described below and the leakage-proof otp communication method described above can be referred to correspondingly.
Fig. 9 is a schematic structural diagram of a leak-proof otp communication apparatus according to the present invention, as shown in fig. 9, including: a first encryption module 91, a second encryption module 92, a first decryption module 93, and a second decryption module 94; wherein:
the first encryption module 91 is used for the sender to generate a ciphertext from the one-time key read from the codebook in an active reading mode and the plaintext to be sent through a preset encryption algorithm; the second encryption module 92 is configured to package the ciphertext and the codebook position range corresponding to the one-time key, and transmit the ciphertext and the codebook position range to a receiver through a public channel; the first decryption module 93 is configured to, by the receiving party, read a decryption key from the codebook in a passive reading manner according to the position range of the codebook; the second decryption module 94 is configured to perform decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
The invention adopts the key which is read and written once to encrypt and decrypt, thus solving the problem of key leakage in the practical use process of the one-time password book.
Fig. 10 illustrates a physical structure diagram of an electronic device, and as shown in fig. 10, the electronic device may include: a processor (processor)1010, a communication interface (communication interface)1020, a memory (memory)1030, and a communication bus 1040, wherein the processor 1010, the communication interface 1020, and the memory 1030 communicate with each other via the communication bus 1040. The processor 1010 may invoke logic instructions in the memory 1030 to perform a method of leak-proof one-time-pad communication, the method comprising: a sender generates a ciphertext from a one-time secret key read from a codebook in an active reading mode and a plaintext to be sent through a preset encryption algorithm; after the cipher text and the position range of the cipher book corresponding to the one-time key are packaged, transmitting the cipher text and the position range of the cipher book to a receiver through a public channel; the receiver reads a decryption key from the codebook in a passive reading mode according to the position range of the codebook; and carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
Furthermore, the logic instructions in the memory 1030 can be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method of leak-proof one-time-pad communication provided by the above methods, the method comprising: a sender generates a ciphertext from a one-time secret key read from a codebook in an active reading mode and a plaintext to be sent through a preset encryption algorithm; after the cipher text and the position range of the cipher book corresponding to the one-time key are packaged, transmitting the cipher text and the position range of the cipher book to a receiver through a public channel; the receiver reads a decryption key from the codebook in a passive reading mode according to the position range of the codebook; and carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program that when executed by a processor is implemented to perform the method for leak-proof one-time-pad communication provided above, the method comprising: a sender generates a ciphertext from a one-time secret key read from a codebook in an active reading mode and a plaintext to be sent through a preset encryption algorithm; after the cipher text and the position range of the cipher book corresponding to the one-time key are packaged, transmitting the cipher text and the position range of the cipher book to a receiver through a public channel; the receiver reads a decryption key from the codebook in a passive reading mode according to the position range of the codebook; and carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
The above-described apparatus embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, and may be deployed in a single node, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A method of leak-proof one-time pad communication, comprising:
a sender generates a ciphertext from a one-time secret key read from a codebook in an active reading mode and a plaintext to be sent through a preset encryption algorithm;
after the cipher text and the position range of the cipher book corresponding to the one-time key are packaged, transmitting the cipher text and the position range of the cipher book to a receiver through a public channel;
the receiver reads a decryption key from the codebook in a passive reading mode according to the position range of the codebook;
and carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
2. The leak-proof otp communication method according to claim 1, wherein the sender generates ciphertext from the otp read from the codebook in an active reading manner and the plaintext to be sent through a predetermined encryption algorithm, and the method further comprises:
bidirectional identity authentication is carried out between the user and the password book; and after the authentication is passed, the user normally uses the password book.
3. The leak-proof otp communication method according to claim 1 or 2, wherein the sender generates ciphertext from the otp read from the codebook in an active reading manner and the plaintext to be sent through a predetermined encryption algorithm, and then further comprises:
and the sender erases and destroys the key data corresponding to the position range of the password book through an erasing circuit, wherein the position range of the password book is an address range which can not be repeatedly used.
4. The leak-proof otp communication method according to claim 1, wherein the decrypting the decryption key and the ciphertext with a predetermined decryption algorithm to obtain a received plaintext, further comprising:
and the receiver erases and destroys the key data corresponding to the position range of the codebook through an erasing circuit, wherein the position range of the codebook is an address range which can not be repeatedly used.
5. The leak-resistant one-time pad communication method according to claim 2, wherein the bidirectional authentication specifically comprises:
the user starts an authentication process by inputting a preset user name and password or by scanning fingerprints, voiceprints and the like;
the password book verifies the preset input information input by the user, if the preset input information is consistent with the input information during the user registration, the user authentication is judged to be successful, an authentication request is sent to a trusted authentication server, and if not, error reporting information is sent to the user, and the authentication is terminated;
the trusted authentication server sends data to be signed to the codebook;
the password book prompts triggering authentication to the user, after receiving the confirmation information of the user, the password book signs the data to be signed by using a private key, and the signed data is returned to the authentication server;
the trusted authentication server verifies the signed data returned by the codebook by using a public key, if the verification is passed, a confirmation message is sent to the user, otherwise, codebook authentication failure information is sent to the user;
if the authentication failure times of the user on the password book exceed a first preset threshold value, the user puts the password book into a blacklist and does not send an authentication request to the password book any more;
if the authentication failure times of the user by the password book exceed a second preset threshold, the password book starts a self-destruction program to automatically erase internal data, so that the data in the password book is prevented from being further attacked;
and if the user does not use the password book after exceeding the preset time interval, automatically triggering an authentication process.
6. The leak-resistant one-time pad communication method as recited in claim 1, wherein the active reading mode is specifically;
when both communication parties adopt a full duplex mode, a first sender reads a key to be used from the beginning position of the cipher book from small to large according to a position serial number as an encryption key, and a second sender reads the key to be used from the end position of the cipher book from large to small according to the position serial number as the encryption key;
correspondingly, the passive reading mode is specifically;
when both communication parties adopt a full duplex mode, the first receiving party and the second receiving party read the key to be used on the cipher book as a decryption key according to the key position range sent by the other party.
7. The leak resistant one-time pad communication method as recited in claim 6, wherein the active read mode and the passive read mode further comprise:
when the unused area on the codebook of any one of the two communication parties is smaller than a first threshold value, immediately sending a first warning message to the other party, wherein the length of the message sent by the two communication parties is not more than half of the first threshold value;
when the unused area on the codebook of any one of the two communication parties is smaller than a second threshold value, immediately sending a second warning message to the other party, and terminating the use of the codebook and erasing the residual data;
wherein the second threshold is less than the first threshold.
8. Leak-proof one-time pad communication device, comprising:
the first encryption module is used for enabling a sender to generate a ciphertext from the one-time secret key read from the codebook in an active reading mode and the plaintext to be sent through a preset encryption algorithm;
the second encryption module is used for packaging the cipher text and the position range of the cipher book corresponding to the one-time key and then transmitting the cipher text and the position range of the cipher book to a receiver through a public channel;
the first decryption module is used for reading a decryption key from the codebook in a passive reading mode by a receiver according to the position range of the codebook;
and the second decryption module is used for carrying out decryption operation on the decryption key and the ciphertext through a preset decryption algorithm to obtain a received plaintext.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor realizes the steps of the leak-proof one-time-pad communication method according to any one of claims 1 to 7 when executing the computer program.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, performs the steps of the leak-proof one-time-pad communication method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011410475.XA CN112615824B (en) | 2020-12-03 | 2020-12-03 | Leak-proof one-time pad communication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011410475.XA CN112615824B (en) | 2020-12-03 | 2020-12-03 | Leak-proof one-time pad communication method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112615824A true CN112615824A (en) | 2021-04-06 |
| CN112615824B CN112615824B (en) | 2021-12-24 |
Family
ID=75228917
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011410475.XA Active CN112615824B (en) | 2020-12-03 | 2020-12-03 | Leak-proof one-time pad communication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112615824B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113630386A (en) * | 2021-07-15 | 2021-11-09 | 金杉 | Encryption and decryption method, device and communication system thereof |
| CN113872970A (en) * | 2021-09-28 | 2021-12-31 | 北京天融信网络安全技术有限公司 | Data access method, device and storage medium |
| CN114786176A (en) * | 2022-06-21 | 2022-07-22 | 广东卓维网络有限公司 | Wireless communication encryption method, decryption method, computer device and storage medium |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030026429A1 (en) * | 2000-03-29 | 2003-02-06 | Vadium Technology, Inc. | One-time-pad encryption with key ID and offset for starting point |
| CN1601490A (en) * | 2003-09-26 | 2005-03-30 | 刘任 | Information security authentication and method for its encrypting device |
| US20140337615A1 (en) * | 2013-05-07 | 2014-11-13 | Terrance A. Tomkow | One-time pad communications network |
| US20150244520A1 (en) * | 2014-02-21 | 2015-08-27 | Safe Frontier Llc | One-time-pad data encryption with media server |
| US20150271147A1 (en) * | 2014-03-19 | 2015-09-24 | Kabushiki Kaisha Toshiba | Communication system, communication apparatus, communication method, and computer program product |
| US20170033925A1 (en) * | 2014-04-11 | 2017-02-02 | Oscar Tango Papa Llc | Methods and apparatus for implementing a communications system secured using one-time pads |
| US20190116026A1 (en) * | 2016-09-09 | 2019-04-18 | Hewlett-Packard Development Company, L.P. | Printer encryption |
| CN110022326A (en) * | 2019-04-19 | 2019-07-16 | 上海法诺光电技术有限公司 | A kind of Internet of Things cipher authentication method using cipher table synchronization |
| CN111488618A (en) * | 2020-04-13 | 2020-08-04 | 深圳信息职业技术学院 | One-time pad encryption method, device and storage medium based on blockchain |
| CN111670559A (en) * | 2017-12-05 | 2020-09-15 | 卫士网络技术公司 | Secure content routing using one-time pads |
-
2020
- 2020-12-03 CN CN202011410475.XA patent/CN112615824B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030026429A1 (en) * | 2000-03-29 | 2003-02-06 | Vadium Technology, Inc. | One-time-pad encryption with key ID and offset for starting point |
| CN1601490A (en) * | 2003-09-26 | 2005-03-30 | 刘任 | Information security authentication and method for its encrypting device |
| US20140337615A1 (en) * | 2013-05-07 | 2014-11-13 | Terrance A. Tomkow | One-time pad communications network |
| US20150244520A1 (en) * | 2014-02-21 | 2015-08-27 | Safe Frontier Llc | One-time-pad data encryption with media server |
| US20150271147A1 (en) * | 2014-03-19 | 2015-09-24 | Kabushiki Kaisha Toshiba | Communication system, communication apparatus, communication method, and computer program product |
| US20170033925A1 (en) * | 2014-04-11 | 2017-02-02 | Oscar Tango Papa Llc | Methods and apparatus for implementing a communications system secured using one-time pads |
| US20190116026A1 (en) * | 2016-09-09 | 2019-04-18 | Hewlett-Packard Development Company, L.P. | Printer encryption |
| CN111670559A (en) * | 2017-12-05 | 2020-09-15 | 卫士网络技术公司 | Secure content routing using one-time pads |
| CN110022326A (en) * | 2019-04-19 | 2019-07-16 | 上海法诺光电技术有限公司 | A kind of Internet of Things cipher authentication method using cipher table synchronization |
| CN111488618A (en) * | 2020-04-13 | 2020-08-04 | 深圳信息职业技术学院 | One-time pad encryption method, device and storage medium based on blockchain |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113630386A (en) * | 2021-07-15 | 2021-11-09 | 金杉 | Encryption and decryption method, device and communication system thereof |
| CN113872970A (en) * | 2021-09-28 | 2021-12-31 | 北京天融信网络安全技术有限公司 | Data access method, device and storage medium |
| CN114786176A (en) * | 2022-06-21 | 2022-07-22 | 广东卓维网络有限公司 | Wireless communication encryption method, decryption method, computer device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112615824B (en) | 2021-12-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112000975B (en) | Key management system | |
| CN107735793B (en) | Binding trusted input sessions to trusted output sessions | |
| CN112615824B (en) | Leak-proof one-time pad communication method and device | |
| US8688996B2 (en) | Multipad encryption | |
| JP2007013433A (en) | Method and information processing system for transmitting / receiving encrypted data | |
| CN101800738A (en) | Realization system and method for safely visiting and storing intranet data by mobile equipment | |
| CN109063523B (en) | Radio frequency identification security authentication method and system | |
| KR20220025155A (en) | Data protection and recovery systems and methods | |
| CN115150180A (en) | Storage device management method, storage device, management device, and storage medium | |
| CN107124277A (en) | A kind of hard copy control system based on national commercial cipher algorithm | |
| CN108768636A (en) | A method of restoring private key using multi-party collaboration | |
| CN109446831B (en) | Key generation and verification method and system based on hardware device | |
| US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
| CN106257859A (en) | A kind of password using method | |
| CN110113153B (en) | NFC secret key updating method, terminal and system | |
| CN107343276A (en) | A kind of guard method of the SIM card lock data of terminal and system | |
| Blaze | Key escrow from a safe distance: looking back at the clipper chip | |
| CN105049433B (en) | Markization card number information transmits verification method and system | |
| CN109344632A (en) | A kind of OPENSTACK volumes of encryption method based on hardware encryption card | |
| CN115603898A (en) | Verification code generation method, verification code generation device, terminal and storage medium | |
| JP4140617B2 (en) | Authentication system using authentication recording medium and method of creating authentication recording medium | |
| CN117118613B (en) | Whole vehicle instrument data security protection method, equipment and readable storage medium | |
| CN115119150B (en) | Short message encryption and decryption method, device, equipment and storage medium | |
| CN114329510B (en) | A digital authorization method, device, terminal equipment and storage medium | |
| JP4289552B2 (en) | How to prevent leakage of confidential data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |