
CN106506140A - AES encryption and decryption method and device - Google Patents


Info

Publication number
CN106506140A
Authority
CN
China
Prior art keywords
decryption
data
encryption
round
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201510559903.8A
Other languages
Chinese (zh)
Inventor
盛雪飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sanechips Technology Co Ltd
Original Assignee
Shenzhen ZTE Microelectronics Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen ZTE Microelectronics Technology Co Ltd
Priority to CN201510559903.8A
Priority to PCT/CN2016/089940 (WO2017036251A1)
Publication of CN106506140A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the present invention discloses an Advanced Encryption Standard (AES) encryption and decryption method, comprising: obtaining a new key and adding the new key to the next group of data to be encrypted; AES-encrypting the group of data to which the new key has been added using the original key, and AES-encrypting each group of data that has not yet been AES-encrypted using the new key; AES-decrypting each group of data to be decrypted in turn using the original key until the new key is obtained; and AES-decrypting each group of data that has not yet been decrypted using the new key. An embodiment of the invention also discloses an AES encryption and decryption device.

Description

AES encryption and decryption method and device

Technical field

The present invention relates to Advanced Encryption Standard (AES) encryption and decryption technology, and in particular to an AES encryption and decryption method and device.

Background

As a symmetric-key encryption algorithm, AES has attracted increasing attention. However, AES encryption and decryption usually use a fixed key, which readily creates a risk to data security; at present there is no technical solution for changing the key during AES encryption and decryption.

Summary of the invention

To solve the above technical problem, embodiments of the present invention aim to provide an AES encryption and decryption method and device that can change the key without interrupting the encryption and decryption process, improving the security of data use.

The technical solution of the present invention is implemented as follows:

An embodiment of the present invention provides an AES encryption and decryption method, comprising:

obtaining a new key and adding the new key to the next group of data to be encrypted; AES-encrypting the group of data to which the new key has been added using the original key, and AES-encrypting each group of data that has not yet been AES-encrypted using the new key;

AES-decrypting each group of data to be decrypted in turn using the original key until the new key is obtained; and AES-decrypting each group of data that has not yet been decrypted using the new key.

In the above solution, each group of data to be encrypted comprises a plurality of data packets; adding the new key to the next group of data to be encrypted comprises: adding the new key to each data packet of the corresponding group of data to be encrypted;

each group of data to be decrypted comprises a plurality of data packets, and AES-decrypting each group of data to be decrypted in turn using the original key until the new key is obtained comprises: AES-decrypting each data packet of each group of data to be decrypted using the original key, and inspecting each data packet of each group to determine whether each inspected data packet contains the new key.

In the above solution, AES-decrypting each group of data to be decrypted in turn using the original key until the new key is obtained comprises: for each group of data to be decrypted, obtaining the new key when the number of detected packet headers containing the new key is greater than or equal to a set threshold.

In the above solution, each group of data to be encrypted comprises a plurality of data packets;

AES-encrypting each group of data to be encrypted comprises: performing Electronic Codebook (ECB) mode pipelined encryption or Counter (CTR) mode pipelined encryption on each data packet of each group of data to be encrypted;

performing ECB-mode pipelined encryption on each data packet comprises: for the data packet, performing the 1st through Nth rounds of encryption logic in sequence to obtain the AES encryption result of the data packet in ECB mode, N being greater than 1; wherein the hardware implementing the individual rounds of encryption logic exists simultaneously, and the hardware implementing each round is not reused;

performing CTR-mode pipelined encryption on each data packet comprises: before the data packet is obtained, obtaining a count value in advance and performing the 1st through Kth rounds of encryption logic on the count value in sequence to obtain a count encryption result, K being greater than 1; after the data packet is obtained, XORing the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode; wherein the hardware implementing the individual rounds of encryption logic exists simultaneously, and the hardware implementing each round is not reused.

In the above solution, each group of data to be decrypted comprises a plurality of data packets;

AES-decrypting each group of data to be decrypted comprises: performing ECB-mode pipelined decryption or CTR-mode pipelined decryption on each data packet of each group of data to be decrypted;

performing ECB-mode pipelined decryption on each data packet comprises: for the data packet, performing the 1st through Nth rounds of decryption logic in sequence to obtain the AES decryption result of the data packet in ECB mode, N being greater than 1; wherein the hardware implementing the individual rounds of decryption logic exists simultaneously, and the hardware implementing each round is not reused;

performing CTR-mode pipelined decryption on each data packet comprises: before the data packet is obtained, obtaining a count value in advance and performing the 1st through Kth rounds of decryption logic on the count value in sequence to obtain a count decryption result, K being greater than 1; after the data packet is obtained, XORing the data in the data packet with the count decryption result to obtain the AES decryption result of the data packet in CTR mode; wherein the hardware implementing the individual rounds of decryption logic exists simultaneously, and the hardware implementing each round is not reused.

In the above solution, the groups of data to be decrypted are decrypted in the same order in which the groups of data to be encrypted were encrypted.

An embodiment of the present invention further provides an AES encryption and decryption device comprising an encryption end and a decryption end, wherein:

the encryption end is configured to obtain a new key and add the new key to the next group of data to be encrypted; to AES-encrypt the group of data to which the new key has been added using the original key; and to AES-encrypt each group of data that has not yet been AES-encrypted using the new key;

the decryption end is configured to AES-decrypt each group of data to be decrypted in turn using the original key until the new key is obtained, and to AES-decrypt each group of data that has not yet been decrypted using the new key.

In the above solution, each group of data to be encrypted comprises a plurality of data packets;

the encryption end is specifically configured to add the new key to each data packet of the corresponding group of data to be encrypted;

each group of data to be decrypted comprises a plurality of data packets;

the decryption end is specifically configured to AES-decrypt each data packet of each group of data to be decrypted using the original key, and to inspect each data packet of each group to determine whether each inspected data packet contains the new key.

In the above solution, the decryption end is configured to obtain the new key when, for each group of data to be decrypted, the number of detected packet headers containing the new key is greater than or equal to a set threshold.

In the above solution, each group of data to be encrypted comprises a plurality of data packets;

the encryption end is specifically configured to perform ECB-mode pipelined encryption or CTR-mode pipelined encryption on each data packet of each group of data to be encrypted;

the encryption end is configured, for the data packet, to perform the 1st through Nth rounds of encryption logic in sequence to obtain the AES encryption result of the data packet in ECB mode, N being greater than 1; wherein the hardware implementing the individual rounds of encryption logic exists simultaneously, and the hardware implementing each round is not reused;

or, the encryption end is configured, before the data packet is obtained, to obtain a count value in advance and perform the 1st through Kth rounds of encryption logic on the count value in sequence to obtain a count encryption result, K being greater than 1; and, after the data packet is obtained, to XOR the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode; wherein the hardware implementing the individual rounds of encryption logic exists simultaneously, and the hardware implementing each round is not reused.

In the above solution, each group of data to be decrypted comprises a plurality of data packets;

the decryption end is specifically configured to perform ECB-mode pipelined decryption or CTR-mode pipelined decryption on each data packet of each group of data to be decrypted;

the decryption end is configured, for the data packet, to perform the 1st through Nth rounds of decryption logic in sequence to obtain the AES decryption result of the data packet in ECB mode, N being greater than 1; wherein the hardware implementing the individual rounds of decryption logic exists simultaneously, and the hardware implementing each round is not reused;

or, the decryption end is configured, before the data packet is obtained, to obtain a count value in advance and perform the 1st through Kth rounds of decryption logic on the count value in sequence to obtain a count decryption result, K being greater than 1; and, after the data packet is obtained, to XOR the data in the data packet with the count decryption result to obtain the AES decryption result of the data packet in CTR mode; wherein the hardware implementing the individual rounds of decryption logic exists simultaneously, and the hardware implementing each round is not reused.

The AES encryption and decryption method and device provided by the embodiments of the present invention obtain a new key and add the new key to the next group of data to be encrypted; AES-encrypt the group of data to which the new key has been added using the original key, and AES-encrypt each group of data that has not yet been AES-encrypted using the new key; AES-decrypt each group of data to be decrypted in turn using the original key until the new key is obtained; and AES-decrypt each group of data that has not yet been decrypted using the new key. In this way the key can be changed without interrupting the encryption and decryption process, improving the security of data use.

Brief description of the drawings

Fig. 1 is a flowchart of the first embodiment of the AES encryption and decryption method of the present invention;

Fig. 2 is a flow block diagram of the multi-round encryption logic in the first embodiment of the AES encryption and decryption method of the present invention;

Fig. 3 is a flow block diagram of the multi-round decryption logic in the first embodiment of the AES encryption and decryption method of the present invention;

Fig. 4 is a flowchart of the second embodiment of the AES encryption and decryption method of the present invention;

Fig. 5 is a schematic diagram of the structure of the AES encryption and decryption device of an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings.

Fig. 1 is a flowchart of the first embodiment of the AES encryption and decryption method of the present invention. As shown in Fig. 1, the method comprises:

Step 100: obtain a new key and add the new key to the next group of data to be encrypted; AES-encrypt the group of data to which the new key has been added using the original key, and AES-encrypt each group of data that has not yet been AES-encrypted using the new key.

In this step, AES encryption may be performed by the encryption end; the encryption end may perform AES encryption in hardware, in software, or in a combination of the two.

Here, obtaining the new key comprises generating the new key or receiving the new key from an external device.

In practice, the data to be encrypted comprises M groups of data, M being greater than 1; the order in which the groups are encrypted may be set in advance.

Further, each group of data to be encrypted comprises a plurality of data packets. In this case, adding the new key to the next group of data to be encrypted comprises adding the new key to each data packet of the corresponding group of data to be encrypted; here, the new key may be added to the header of each data packet of that group. In addition, the header of each data packet carries indication information indicating which data packet of the corresponding group of data to be encrypted it is.

In the embodiments of the present invention, AES encryption may be implemented in Electronic Codebook (ECB) mode or Counter (CTR) mode. In this step, AES-encrypting each group of data to be encrypted comprises performing ECB-mode pipelined encryption or CTR-mode pipelined encryption on each data packet of each group.

Specifically, performing ECB-mode pipelined encryption on each data packet comprises: for the data packet, performing in sequence a key XOR operation and the 1st through Nth rounds of encryption logic to obtain the AES encryption result of the data packet in ECB mode, N being greater than 1. The hardware implementing each round of encryption logic is distinct; that is, the hardware for all rounds exists simultaneously and the hardware for each round is not reused. In this way the multi-round encryption logic can be implemented as a pipeline, speeding up the computation in ECB-mode AES encryption.

Here, the i-th round of encryption logic comprises, executed in order, the S-box transformation (SubBytes), row shift transformation (ShiftRows), column mixing transformation (MixColumns) and round key addition (AddRoundKey) steps, for i from 1 to N-1; the N-th round of encryption logic comprises only, executed in order, the S-box transformation, row shift transformation and round key addition steps.

Here, when performing ECB-mode pipelined encryption on each data packet, the initial key must first be obtained and expanded into N+1 expanded keys. Performing the key XOR operation on each data packet comprises XORing the data of the data packet with the 1st of the N+1 expanded keys. Performing the i'-th round of encryption logic on each data packet uses the (i'+1)-th of the N+1 expanded keys, for i' from 1 to N.

Specifically, performing CTR-mode pipelined encryption on each data packet comprises: before the data packet is obtained, obtaining a count (COUNTER) value in advance and performing on it, in sequence, a key XOR operation and the 1st through Kth rounds of encryption logic to obtain a count encryption result, K being greater than 1; after the data packet is obtained, XORing the data in the data packet with the count encryption result to obtain the AES encryption result of the data packet in CTR mode. Here too, the hardware implementing each round of encryption logic is distinct; that is, the hardware for all rounds exists simultaneously and the hardware for each round is not reused. In this way the multi-round encryption logic can be implemented as a pipeline, speeding up the computation in CTR-mode AES encryption.

Here, the j-th round of encryption logic comprises, executed in order, the S-box transformation, row shift transformation, column mixing transformation and round key addition steps, for j from 1 to K-1; the K-th round of encryption logic comprises only, executed in order, the S-box transformation, row shift transformation and round key addition steps.

Here, if the count encryption result were not obtained before the data packet is obtained, then after the data packet is obtained the XOR of the count encryption result with the data in the data packet could only be performed once the count encryption result had been computed, so the data packet would have to be buffered. In the embodiments of the present invention, obtaining the count encryption result in advance therefore effectively saves buffer resources.

Here, when performing CTR-mode pipelined encryption on each data packet, the initial key must first be obtained and expanded into K+1 expanded keys. Performing the key XOR operation on the count value comprises XORing the count value with the 1st of the K+1 expanded keys. Performing the j'-th round of encryption logic on the count value uses the (j'+1)-th of the K+1 expanded keys, for j' from 1 to K.

Fig. 2 is a flow block diagram of the multi-round encryption logic in the first embodiment of the AES encryption and decryption method of the present invention. As shown in Fig. 2, Input denotes the input data of the data packet to be encrypted in ECB-mode AES encryption, or the count value to be encrypted in CTR-mode AES encryption; Input is 128 bits wide. Each round denotes one round of encryption logic: every round except the last comprises, executed in order, the S-box transformation, row shift transformation, column mixing transformation and round key addition steps; the last round comprises only the S-box transformation, row shift transformation and round key addition steps. Output denotes the final output data in ECB-mode AES encryption, or the count encryption result in CTR-mode AES encryption. The first key expansion module expands the initial key into a plurality of expanded keys; of the expanded keys it produces, one is used for the XOR operation on Input and the rest are used in the corresponding rounds of encryption logic.

Further, the initial key may be 128, 192 or 256 bits wide. When the initial key is 128 bits wide, the multi-round encryption logic has 10 rounds; when it is 192 bits wide, 12 rounds; and when it is 256 bits wide, 14 rounds.

Step 101: AES-decrypt each group of data to be decrypted in turn using the original key until the new key is obtained; AES-decrypt each group of data that has not yet been decrypted using the new key.

In this step, AES decryption may be performed by the decryption end; the decryption end may perform AES decryption in hardware, in software, or in a combination of the two.

Here, the groups of data to be decrypted are decrypted in the same order in which the groups of data to be encrypted were encrypted. That is, in step 100 the 1st through Mth groups of data to be encrypted are AES-encrypted in turn, yielding the corresponding 1st through Mth groups of data to be decrypted; in this step the 1st through Mth groups of data to be decrypted are AES-decrypted in turn.

It can be seen that, in this step, the new key is obtained by means of AES decryption.

Further, each group of data to be decrypted comprises a plurality of data packets. In this case, AES-decrypting each group of data to be decrypted in turn using the original key until the new key is obtained comprises: AES-decrypting each data packet of each group of data to be decrypted using the original key, and inspecting the header of each data packet of each group to determine whether the header of each inspected data packet contains the new key; if, for each group of data to be decrypted, the number of detected packet headers containing the new key is greater than or equal to the set threshold, the new key is obtained; otherwise, the new key is not obtained.
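
The following Python sketch is an added example, not code from the patent: it carries steps 100 and 101 through for AES-128 in CTR mode, covering the expansion of the initial key into N+1 expanded keys, the count encryption result computed before a packet arrives, the new key placed in every packet header of the next group under the original key, and the threshold test at the decryption end. The header layout (flag byte, packet index, 16-byte key), the counter-block layout, the 64-byte packet limit and the threshold value 3 are assumptions; the patent does not specify them.

```python
# Added sketch, not the patent's code; packet and counter layouts are assumed.
from collections import Counter

def xtime(a):  # multiply by x in GF(2^8), AES polynomial 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # GF(2^8) multiply by shift-and-add
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def _build_sbox():
    box = [0x63]  # 0 has no inverse
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if gmul(a, b) == 1)
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(5)]
        box.append(rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63)
    return box

SBOX = _build_sbox()

def expand_key(key):
    """128-bit initial key -> N+1 = 11 expanded keys (N = 10 rounds)."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def encrypt_block(rks, block):
    s = [a ^ b for a, b in zip(block, rks[0])]  # key XOR, expanded key 1
    for rnd in range(1, len(rks)):
        s = [SBOX[b] for b in s]  # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd < len(rks) - 1:  # MixColumns, skipped in the last round
            s = [xtime(s[c + r]) ^ xtime(s[c + (r + 1) % 4]) ^ s[c + (r + 1) % 4]
                 ^ s[c + (r + 2) % 4] ^ s[c + (r + 3) % 4]
                 for c in range(0, 16, 4) for r in range(4)]
        s = [a ^ b for a, b in zip(s, rks[rnd])]  # AddRoundKey
    return bytes(s)

def keystream(rks, group, index, nblocks=4):  # 4 blocks: assumed 64-byte limit
    # Count encryption result: depends only on the counter, not on the packet.
    ctrs = (group.to_bytes(8, "big") + index.to_bytes(4, "big")
            + b.to_bytes(4, "big") for b in range(nblocks))
    return b"".join(encrypt_block(rks, c) for c in ctrs)

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class Sender:
    def __init__(self, key):
        self.rks, self.pending, self.group = expand_key(key), None, 0

    def rekey(self, new_key):
        self.pending = new_key  # goes into every header of the next group

    def send_group(self, payloads):
        new_key, out = self.pending, []
        for i, p in enumerate(payloads):
            hdr = bytes([1 if new_key else 0, i]) + (new_key or bytes(16))
            out.append(xor(hdr + p, keystream(self.rks, self.group, i)))
        if new_key:  # groups after this one are encrypted under the new key
            self.rks, self.pending = expand_key(new_key), None
        self.group += 1
        return out

class Receiver:
    def __init__(self, key, threshold):
        self.rks, self.threshold, self.group = expand_key(key), threshold, 0

    def recv_group(self, packets):
        # Keystream first: in hardware it is ready before the packet arrives.
        pads = [keystream(self.rks, self.group, i) for i in range(len(packets))]
        plain = [xor(c, pad) for c, pad in zip(packets, pads)]
        votes = Counter(p[2:18] for i, p in enumerate(plain) if p[:2] == bytes([1, i]))
        for key, n in votes.most_common(1):
            if n >= self.threshold:  # enough headers carry the key: switch
                self.rks = expand_key(key)
        self.group += 1
        return [p[18:] for p in plain]

def demo():
    old, new = bytes(range(16)), bytes(range(16, 32))  # constructed keys
    tx, rx = Sender(old), Receiver(old, threshold=3)
    g0 = rx.recv_group(tx.send_group([b"g0-pkt%d" % i for i in range(4)]))
    tx.rekey(new)
    wire = tx.send_group([b"g1-pkt%d" % i for i in range(4)])
    wire[2] = bytes([wire[2][0] ^ 0xFF]) + wire[2][1:]  # damage one header
    g1 = rx.recv_group(wire)
    g2 = rx.recv_group(tx.send_group([b"g2-pkt%d" % i for i in range(4)]))
    return g0, g1, g2, rx.rks == expand_key(new)

if __name__ == "__main__":
    print(demo())
```

Because the new key travels under the original key, anyone who recovers the original key and has recorded the traffic obtains every later key as well. CTR mode without an authentication tag also lets a single flipped ciphertext bit change a header undetected, which is the damaged packet in `demo()`; the threshold only tolerates such damage, it does not detect tampering.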

本发明实施例中,可以在ECB模式或CTR模式下实现AES解密。本步骤中,对每组待解密数据进行AES解密包括:对每组待解密数据的各个数据包分别进行ECB模式流水解密或CTR模式流水解密。In the embodiment of the present invention, AES decryption can be implemented in ECB mode or CTR mode. In this step, performing AES decryption on each set of data to be decrypted includes: performing streamline decryption in ECB mode or streamline decryption in CTR mode on each data packet of each set of data to be decrypted.

Specifically, ECB-mode pipelined decryption of each data packet includes: performing, on the data packet, a key XOR operation followed by the 1st through N-th rounds of decryption logic operations, yielding the AES decryption result of the data packet in ECB mode, where N is greater than 1. The hardware implementing each round of decryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused. In this way, the multiple rounds of decryption logic operations can be pipelined, which speeds up the computation in ECB-mode AES decryption.

Here, the i-th round of decryption logic operations comprises, executed in order, the inverse row-shift transformation (InvShiftRows), the inverse S-box transformation (InvSubBytes), the round-key addition transformation (AddRoundKey) and the inverse column-mix transformation (InvMixColumns), for i from 1 to N-1; the N-th round of decryption logic operations comprises only the inverse row-shift transformation, the inverse S-box transformation and the round-key addition transformation, executed in order.

Here, for ECB-mode pipelined decryption of each data packet, an initial key must first be obtained and expanded into N+1 expanded keys. The key XOR operation on each data packet consists of XORing the data of the packet with the 1st of the N+1 expanded keys. The i'-th round of decryption logic operations on each data packet uses the (i'+1)-th of the N+1 expanded keys, for i' from 1 to N.

Note that the N+1 expanded keys used for ECB-mode pipelined decryption of each data packet are the same as the N+1 expanded keys used for ECB-mode pipelined encryption of each data packet, but they are used in the reverse of the order in which they are used for ECB-mode pipelined encryption.
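The round ordering and reversed key order described above, written out in software so that it can be checked against the FIPS-197 Appendix C test vectors. This is an added example, not code from the patent: the function names are assumptions, the rounds run sequentially rather than on per-round pipelined hardware, and it also covers the 192-bit and 256-bit key sizes (N = 12 and 14).

```python
def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    sbox = []
    for x in range(256):
        inv = 0
        if x:                      # multiplicative inverse is x^254
            inv = 1
            for _ in range(254):
                inv = gmul(inv, x)
        s = inv
        for k in range(1, 5):      # affine transform: XOR of four rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _s in enumerate(SBOX):
    INV_SBOX[_s] = _i
INV_MIX = [14, 11, 13, 9]          # first row of the InvMixColumns matrix

def expand_key(key):
    """Expand a 16/24/32-byte key into N+1 round keys, in encryption order."""
    nk = len(key) // 4
    nr = nk + 6                    # N = 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def inv_shift_rows(s):
    # State is column-major: byte index = row + 4 * column.
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def inv_mix_columns(s):
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            b = 0
            for k in range(4):
                b ^= gmul(col[k], INV_MIX[(k - r) % 4])
            out.append(b)
    return out

def decrypt_block(key, block, reverse_keys=True):
    """Decrypt one 16-byte block with the round structure in the text.

    reverse_keys=False keeps the encryption key order, to show that the
    reversal the text calls for is required.
    """
    keys = expand_key(key)
    if reverse_keys:
        keys = keys[::-1]
    n = len(keys) - 1
    state = [b ^ k for b, k in zip(block, keys[0])]      # key XOR, 1st key
    for i in range(1, n + 1):                            # rounds 1..N
        state = inv_shift_rows(state)
        state = [INV_SBOX[b] for b in state]
        state = [b ^ k for b, k in zip(state, keys[i])]  # (i+1)-th key
        if i < n:                                        # round N skips this
            state = inv_mix_columns(state)
    return bytes(state)
```
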

Specifically, CTR-mode pipelined decryption of each data packet includes: before the data packet is obtained, obtaining a count value in advance and performing on the count value a key XOR operation followed by the 1st through K-th rounds of decryption logic operations, yielding a count decryption result, where K is greater than 1; after the data packet is obtained, XORing the data in the packet with the count decryption result, yielding the AES decryption result of the packet in CTR mode. Here, the hardware implementing each round of decryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused. In this way, the multiple rounds of encryption logic operations can be pipelined, which speeds up the computation of CTR-mode AES decryption.

Here, the j-th round of decryption logic operations comprises, executed in order, the inverse row-shift transformation, the inverse S-box transformation, the round-key addition transformation and the inverse column-mix transformation, for j from 1 to K-1; the K-th round of decryption logic operations comprises only the inverse row-shift transformation, the inverse S-box transformation and the round-key addition transformation, executed in order.

Here, if the count decryption result were not obtained before the data packet to be decrypted is obtained, then after the packet is obtained the XOR of the count decryption result with the data in the packet could only be performed once the count decryption result was available, so the packet would have to be buffered. In embodiments of the present invention, therefore, obtaining the count decryption result in advance effectively saves buffer resources.

Here, for CTR-mode pipelined decryption of each data packet, an initial key must first be obtained and expanded into K+1 expanded keys. The key XOR operation on the count value consists of XORing the count value with the 1st of the K+1 expanded keys. The j'-th round of decryption logic operations on the count value uses the (j'+1)-th of the K+1 expanded keys, for j' from 1 to K.

Note that the K+1 expanded keys used for CTR-mode pipelined decryption of each data packet are the same as the K+1 expanded keys used for CTR-mode pipelined encryption of each data packet, but they are used in the reverse of the order in which they are used for CTR-mode pipelined encryption.

FIG. 3 is a flow block diagram of the multiple rounds of decryption logic operations in the first embodiment of the AES encryption and decryption method of the present invention. As shown in FIG. 3, In denotes the data of the data packet to be encrypted when performing ECB-mode AES encryption, or the count value to be encrypted when performing CTR-mode AES encryption; In is 128 bits wide. Round denotes each round of decryption logic operations: except for the last round, each round comprises, executed in order, the inverse row-shift transformation, the inverse S-box transformation, the round-key addition transformation and the inverse column-mix transformation; the last round comprises only the inverse row-shift transformation, the inverse S-box transformation and the round-key addition transformation. Out denotes the final encryption result when performing ECB-mode AES encryption, or the count encryption result when performing CTR-mode AES encryption. The second key expansion module expands the initial key into multiple expanded keys; of the expanded keys it produces, one is used for the XOR operation on In and the others are used for the corresponding rounds of decryption logic operations.

Further, the initial key may be 128 bits, 192 bits or 256 bits wide. When the initial key is 128 bits wide, the number of rounds of decryption logic operations is 10; when it is 192 bits wide, the number of rounds is 12; when it is 256 bits wide, the number of rounds is 14.

In the first embodiment of the AES encryption and decryption method of the present invention, the addition of the new key is placed within the AES encryption process, so that the key can be changed without interrupting the data stream.

Second embodiment

To better illustrate the purpose of the present invention, a further example is given on the basis of the first embodiment of the present invention.

FIG. 4 is a flowchart of the second embodiment of the AES encryption and decryption method of the present invention. As shown in FIG. 4, the method comprises:

Step 400: The control unit sends the encryption end a key-change notification carrying the new key.

Step 401: After receiving the key-change notification, the encryption end adds the new key to the header of each data packet of the next group of data to be encrypted; after adding the new key, it encrypts each data packet of the next group of data to be encrypted using the new key, and sends the control unit a message that the encryption end's key has been changed.

Step 402: The decryption end decrypts the m-th group of data to be decrypted using the original key and inspects the header of each data packet of the m-th group, obtaining the number of packet headers in the m-th group that contain the new key; the initial value of m is 1.

Step 403: When m is less than M, go to step 404, where M is the number of groups of data to be decrypted; when m equals M, end the procedure.

Step 404: When the number of packet headers containing the new key in the m-th group of data to be decrypted is greater than zero, perform step 405; otherwise, when that number is zero, increment m by 1 and return to step 402.

Step 405: Determine whether the number of packet headers containing the new key in the m-th group of data to be decrypted is greater than or equal to the set threshold Y; if it is, go to step 406; otherwise, go to step 407.

Step 406: The decryption end uses the new key to AES-decrypt groups m+1 through M in sequence and sends the control unit a message that the key has been changed; the procedure ends.

As can be seen, after step 406 the control unit knows that both the encryption end and the decryption end have carried out the key change.

Step 407: The decryption end sends the control unit a key-change failure message. After receiving the key-change failure message, the control unit, for the group of data to be encrypted to which the new key was added, adds the new key again to the header of each data packet and replaces the original data packets with the packets to which the new key has been re-added; each data packet of the next group of data to be encrypted is encrypted using the new key, a message that the encryption end's key has been changed is sent to the control unit, and the procedure returns to step 402.
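The decryption-end flow of steps 402 to 407, simulated end to end as an added example that is not code from the patent. Assumptions: the header layout (a 4-byte `NKEY` tag followed by a 16-byte key), the function names, taking the most common candidate key when headers differ, and a SHA-256 counter keystream standing in for the AES core so that the block stays self-contained; the sample groups and the damaged headers are constructed.

```python
import hashlib
from collections import Counter

MARK = b"NKEY"                  # assumed tag for a header that carries a key
HDR_LEN = len(MARK) + 16        # assumed header size: tag + 128-bit key

def xor_cipher(key, group_no, pkt_no, data):
    """Stand-in for the AES core: XOR with a SHA-256 counter keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + bytes([group_no, pkt_no, block])).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def send(old_key, new_key, groups, carrier, damaged=0):
    """Encryption end: group `carrier` carries new_key in every packet header
    and is still encrypted under old_key; later groups use new_key.
    `damaged` headers of the carrier group are corrupted in transit."""
    stream = []
    for m, payloads in enumerate(groups, 1):
        key = old_key if m <= carrier else new_key
        hdr = MARK + new_key if m == carrier else bytes(HDR_LEN)
        enc = [bytearray(xor_cipher(key, m, p, hdr + data))
               for p, data in enumerate(payloads)]
        if m == carrier:
            for pkt in enc[:damaged]:
                pkt[0] ^= 0xFF              # constructed transit error
        stream.append([bytes(pkt) for pkt in enc])
    return stream

def receive(old_key, stream, threshold):
    """Decryption end. Returns (status, group_number, decrypted payloads)."""
    key, switched, at, plain = old_key, False, 0, []
    for m, group in enumerate(stream, 1):
        # Step 402: decrypt group m with the key currently in use.
        pkts = [xor_cipher(key, m, p, ct) for p, ct in enumerate(group)]
        plain.append([pkt[HDR_LEN:] for pkt in pkts])
        if switched or m == len(stream):    # step 403: last group, nothing left
            continue
        found = [pkt[len(MARK):HDR_LEN] for pkt in pkts
                 if pkt[:len(MARK)] == MARK]
        if not found:                       # step 404: no header carries a key
            continue
        if len(found) < threshold:          # step 405 -> step 407: report failure
            return "failed", m, plain
        # Step 406: switch keys for groups m+1..M.
        key, switched, at = Counter(found).most_common(1)[0][0], True, m
    return ("switched", at, plain) if switched else ("unchanged", 0, plain)
```

When every header of the carrier group is damaged, step 404 sees a count of zero and the decryption end keeps the original key while the encryption end has already moved on, so the later groups decrypt to garbage without a failure message being raised.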

Third embodiment

Corresponding to the method of the embodiments of the present invention, an embodiment of the present invention further provides an AES encryption and decryption device.

FIG. 5 is a schematic structural diagram of the AES encryption and decryption device of an embodiment of the present invention. As shown in FIG. 5, the device comprises an encryption end 500 and a decryption end 501, wherein:

The encryption end 500 is configured to obtain a new key and add the new key to the next group of data to be encrypted; to AES-encrypt, using the original key, the group of data to be encrypted to which the new key has been added; and to AES-encrypt, using the new key, the groups of data to be encrypted that have not yet been AES-encrypted.

The decryption end 501 is configured to AES-decrypt the groups of data to be decrypted in sequence using the original key until the new key is obtained, and to AES-decrypt, using the new key, the groups of data to be decrypted that have not yet been decrypted.

Specifically, each group of data to be encrypted comprises multiple data packets, and each group of data to be decrypted comprises multiple data packets.

The encryption end 500 is specifically configured to add the new key to each data packet of the corresponding group of data to be encrypted.

The decryption end 501 is specifically configured to AES-decrypt each data packet of each group of data to be decrypted using the original key, and to inspect each data packet of each group of data to be decrypted to determine whether each inspected packet contains the new key.

The decryption end 501 is configured to obtain the new key when, for each group of data to be decrypted, the number of packet headers found to contain the new key is greater than or equal to a set threshold.

Further, the encryption end 500 is specifically configured to perform ECB-mode pipelined encryption or CTR-mode pipelined encryption on each data packet of each group of data to be encrypted.

The encryption end 500 is configured to perform, on the data packet, the 1st through N-th rounds of encryption logic operations in sequence, yielding the AES encryption result of the data packet in ECB mode, where N is greater than 1. The hardware implementing each round of encryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused.

Alternatively, the encryption end 500 is configured to obtain a count value in advance, before the data packet is obtained, and to perform the 1st through K-th rounds of encryption logic operations on the count value in sequence, yielding a count encryption result, where K is greater than 1; and, after the data packet is obtained, to XOR the data in the packet with the count encryption result, yielding the AES encryption result of the packet in CTR mode. The hardware implementing each round of encryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused.

The decryption end 501 is specifically configured to perform ECB-mode pipelined decryption or CTR-mode pipelined decryption on each data packet of each group of data to be decrypted.

The decryption end 501 is configured to perform, on the data packet, the 1st through N-th rounds of decryption logic operations in sequence, yielding the AES decryption result of the data packet in ECB mode, where N is greater than 1. The hardware implementing each round of decryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused.

Alternatively, the decryption end 501 is configured to obtain a count value in advance, before the data packet is obtained, and to perform the 1st through K-th rounds of decryption logic operations on the count value in sequence, yielding a count decryption result, where K is greater than 1; and, after the data packet is obtained, to XOR the data in the packet with the count decryption result, yielding the AES decryption result of the packet in CTR mode. The hardware implementing each round of decryption logic operations is distinct; that is, the hardware for all rounds exists simultaneously, and the hardware for any one round is not reused.

In practical applications, both the encryption end 500 and the decryption end 501 may be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), a field-programmable gate array (FPGA) or the like located in the terminal.

Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (11)

1. An Advanced Encryption Standard (AES) encryption and decryption method, the method comprising:
acquiring a new key, and adding the new key to the next group of data to be encrypted; performing AES encryption, using the original key, on the group of data to be encrypted to which the new key has been added, and performing AES encryption, using the new key, on each group of data to be encrypted that has not been AES-encrypted;
sequentially performing AES decryption on each group of data to be decrypted using the original key until the new key is obtained; and performing AES decryption, using the new key, on each group of data to be decrypted that has not been decrypted.
2. The method of claim 1, wherein each group of data to be encrypted comprises a plurality of data packets; the adding the new key to the next group of data to be encrypted includes: adding the new key to each data packet of the corresponding group of data to be encrypted;
each group of data to be decrypted comprises a plurality of data packets, and the sequentially performing AES decryption on each group of data to be decrypted using the original key until the new key is obtained includes: performing AES decryption on each data packet of each group of data to be decrypted using the original key, inspecting each data packet of each group of data to be decrypted, and determining whether each inspected data packet contains the new key.
3. The method according to claim 2, wherein the sequentially performing AES decryption on each group of data to be decrypted using the original key until the new key is obtained comprises: for each group of data to be decrypted, acquiring the new key when the number of detected packet headers of data packets containing the new key is greater than or equal to a set threshold.
4. The method of claim 1, wherein each group of data to be encrypted comprises a plurality of data packets;
the AES encryption of each group of data to be encrypted comprises: performing electronic codebook (ECB) mode pipelined encryption or counter (CTR) mode pipelined encryption on each data packet of each group of data to be encrypted;
performing ECB mode pipelined encryption on each data packet includes: sequentially performing the 1st round of encryption logic operations to the N-th round of encryption logic operations on the corresponding data packet to obtain the AES encryption result of the corresponding data packet in ECB mode, wherein N is greater than 1; the hardware implementing the respective rounds of encryption logic operations exists at the same time, and the hardware implementing each round of encryption logic operations is not reused;
performing CTR mode pipelined encryption on each data packet includes: before acquiring the corresponding data packet, acquiring a count value in advance, and sequentially performing the 1st round of encryption logic operations to the K-th round of encryption logic operations on the count value to obtain a count encryption result, wherein K is greater than 1; after the corresponding data packet is acquired, performing an XOR operation on the data in the corresponding data packet and the count encryption result to obtain the AES encryption result of the corresponding data packet in CTR mode; the hardware implementing the respective rounds of encryption logic operations exists at the same time, and the hardware implementing each round of encryption logic operations is not reused.
5. The method of claim 1, wherein each group of data to be decrypted comprises a plurality of data packets;
the AES decryption of each group of data to be decrypted comprises: performing ECB mode pipelined decryption or CTR mode pipelined decryption on each data packet of each group of data to be decrypted;
performing ECB mode pipelined decryption on each data packet includes: sequentially performing the 1st round of decryption logic operations to the N-th round of decryption logic operations on the corresponding data packet to obtain the AES decryption result of the corresponding data packet in ECB mode, wherein N is greater than 1; the hardware implementing the respective rounds of decryption logic operations exists at the same time, and the hardware implementing each round of decryption logic operations is not reused;
performing CTR mode pipelined decryption on each data packet includes: before acquiring the corresponding data packet, acquiring a count value in advance, and sequentially performing the 1st round of decryption logic operations to the K-th round of decryption logic operations on the count value to obtain a count decryption result, wherein K is greater than 1; after the corresponding data packet is acquired, performing an XOR operation on the data in the corresponding data packet and the count decryption result to obtain the AES decryption result of the corresponding data packet in CTR mode; the hardware implementing the respective rounds of decryption logic operations exists at the same time, and the hardware implementing each round of decryption logic operations is not reused.
6. The method according to any one of claims 1 to 5, wherein the decryption order of the groups of data to be decrypted is kept consistent with the encryption order of the groups of data to be encrypted.
7. An AES encryption and decryption device, characterized by comprising an encryption end and a decryption end; wherein,
the encryption end is configured to acquire a new key and add the new key to the next group of data to be encrypted; to perform AES encryption, using the original key, on the group of data to be encrypted to which the new key has been added, and to perform AES encryption, using the new key, on each group of data to be encrypted that has not been AES-encrypted;
the decryption end is configured to sequentially perform AES decryption on each group of data to be decrypted using the original key until the new key is obtained, and to perform AES decryption, using the new key, on each group of data to be decrypted that has not been decrypted.
8. The apparatus of claim 7, wherein each group of data to be encrypted comprises a plurality of data packets;
the encryption end is specifically configured to add the new key to each data packet of the corresponding group of data to be encrypted;
each group of data to be decrypted comprises a plurality of data packets;
the decryption end is specifically configured to perform AES decryption on each data packet of each group of data to be decrypted using the original key, inspect each data packet of each group of data to be decrypted, and determine whether each inspected data packet contains the new key.
9. The apparatus according to claim 8, wherein the decryption end is configured to acquire the new key when, for each group of data to be decrypted, the number of detected packet headers of data packets containing the new key is greater than or equal to a set threshold.
10. The apparatus of claim 7, wherein each group of data to be encrypted comprises a plurality of data packets;
the encryption end is specifically configured to perform ECB mode pipelined encryption or CTR mode pipelined encryption on each data packet of each group of data to be encrypted;
the encryption end is configured to perform the 1st round encryption logic operation through the Nth round encryption logic operation in sequence on the corresponding data packet to obtain the AES encryption result of the corresponding data packet in ECB mode, where N is greater than 1; the hardware implementing each round of encryption logic operation exists simultaneously, and the hardware implementing each round of encryption logic operation cannot be reused;
or, the encryption end is configured to acquire a count value in advance, before acquiring the corresponding data packet, and to perform the 1st round encryption logic operation through the Kth round encryption logic operation in sequence on the count value to obtain a count encryption result, where K is greater than 1; and, after the corresponding data packet is acquired, to XOR the data in the corresponding data packet with the count encryption result to obtain the AES encryption result of the corresponding data packet in CTR mode; the hardware implementing each round of encryption logic operation exists simultaneously, and the hardware implementing each round of encryption logic operation cannot be reused.
11. The apparatus of claim 7, wherein each group of data to be decrypted comprises a plurality of data packets;
the decryption end is specifically configured to perform ECB mode pipelined decryption or CTR mode pipelined decryption on each data packet of each group of data to be decrypted;
the decryption end is configured to perform the 1st round decryption logic operation through the Nth round decryption logic operation in sequence on the corresponding data packet to obtain the AES decryption result of the corresponding data packet in ECB mode, where N is greater than 1; the hardware implementing each round of decryption logic operation exists simultaneously, and the hardware implementing each round of decryption logic operation cannot be reused;
or, the decryption end is configured to acquire a count value in advance, before acquiring the corresponding data packet, and to perform the 1st round decryption logic operation through the Kth round decryption logic operation in sequence on the count value to obtain a count decryption result, where K is greater than 1; and, after the corresponding data packet is acquired, to XOR the data in the corresponding data packet with the count decryption result to obtain the AES decryption result of the corresponding data packet in CTR mode; the hardware implementing each round of decryption logic operation exists simultaneously, and the hardware implementing each round of decryption logic operation cannot be reused.
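The in-band key update of claims 7 to 9, combined with the CTR-mode pad precomputation of claim 10, can be sketched in software as follows. This is an added example, not code from the patent: the packet layout (a 1-byte flag, then the key, then the payload), the cleartext sequence number used as the count value, the per-value vote on the received key, and the HMAC-SHA256 pad standing in for the AES round pipeline are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

KEY_LEN, MAX_LEN = 16, 64          # assumed key size and maximum packet size
HAS_KEY, NO_KEY = b"\x01", b"\x00"  # hypothetical 1-byte header flag

def pad_for(key, counter):
    """Counter-mode pad, computable before the packet arrives.
    Stand-in PRF (HMAC-SHA256), NOT AES; hardware would run the AES rounds here."""
    blocks = (hmac.new(key, counter.to_bytes(8, "big") + bytes([i]), hashlib.sha256).digest()
              for i in range(MAX_LEN // 32))
    return b"".join(blocks)

def xor(data, pad):
    if len(data) > len(pad):
        raise ValueError("packet longer than precomputed pad")
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt_groups(groups, original_key, new_key, rollover_group):
    """Every packet of group `rollover_group` carries new_key, still under original_key."""
    key, seq, out = original_key, 0, []
    for g, payloads in enumerate(groups):
        enc = []
        for payload in payloads:
            header = HAS_KEY + new_key if g == rollover_group else NO_KEY
            enc.append((seq, xor(header + payload, pad_for(key, seq))))
            seq += 1                 # a counter value is never reused under one key
        out.append(enc)
        if g == rollover_group:
            key = new_key            # later groups use the new key
    return out

def decrypt_groups(enc_groups, original_key, threshold):
    """Returns (plaintext groups, key in use at the end)."""
    key, plain = original_key, []
    for group in enc_groups:
        votes, payloads = Counter(), []
        for seq, ct in group:
            pt = xor(ct, pad_for(key, seq))
            if pt[:1] == HAS_KEY:
                votes[pt[1:1 + KEY_LEN]] += 1
                payloads.append(pt[1 + KEY_LEN:])
            else:
                payloads.append(pt[1:])
        plain.append(payloads)
        # Switch only if enough packets of this group carried the same key.
        if votes and votes.most_common(1)[0][1] >= threshold:
            key = votes.most_common(1)[0][0]
    return plain, key
```

Because the new key travels encrypted under the original key, anyone who holds the original key and records the rollover group recovers every later key, so the scheme rotates keys without adding forward secrecy. CTR and ECB also provide no integrity, so the threshold tolerates corrupted packets but does not authenticate the key it accepts.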
CN201510559903.8A 2015-09-06 2015-09-06 A kind of AES encryption and decryption method and device Withdrawn CN106506140A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510559903.8A CN106506140A (en) 2015-09-06 2015-09-06 A kind of AES encryption and decryption method and device
PCT/CN2016/089940 WO2017036251A1 (en) 2015-09-06 2016-07-13 Advanced encryption standard encryption and decryption method, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510559903.8A CN106506140A (en) 2015-09-06 2015-09-06 A kind of AES encryption and decryption method and device

Publications (1)

Publication Number Publication Date
CN106506140A true CN106506140A (en) 2017-03-15

Family

ID=58186628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510559903.8A Withdrawn CN106506140A (en) 2015-09-06 2015-09-06 A kind of AES encryption and decryption method and device

Country Status (2)

Country Link
CN (1) CN106506140A (en)
WO (1) WO2017036251A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109299614A (en) * 2018-10-30 2019-02-01 天津津航计算技术研究所 A kind of system and method for realizing SM4 cryptographic algorithm using pipeline system
CN119854015A (en) * 2025-01-10 2025-04-18 北京汇元吉祥科技有限公司 End-to-end secure communication encryption method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818920A (en) * 2005-02-07 2006-08-16 微软公司 Systems and methods for managing multiple keys for file encryption and decryption
CN103166758A (en) * 2011-12-19 2013-06-19 中兴通讯股份有限公司 Key update method and system for GPON uplink AES encryption
US20140270153A1 (en) * 2013-03-13 2014-09-18 Futurewei Technologies, Inc. System and Method for Content Encryption in a Key/Value Store
WO2015023550A1 (en) * 2013-08-13 2015-02-19 Fiske Software, LLC. Nado cryptography using one-way functions
CN104579645A (en) * 2015-01-26 2015-04-29 中国科学院半导体研究所 Secret key updating method based on AES encryption system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8527750B2 (en) * 2010-12-29 2013-09-03 Adobe Systems Incorporated System and method for generating multiple protected content formats without redundant encryption of content
CN104038337A (en) * 2014-06-20 2014-09-10 上海动联信息技术股份有限公司 Data encryption method based on AES128
CN104639314A (en) * 2014-12-31 2015-05-20 深圳先进技术研究院 Device based on AES (advanced encryption standard) encryption/decryption algorithm and pipelining control method

Also Published As

Publication number Publication date
WO2017036251A1 (en) 2017-03-09

Similar Documents

Publication Publication Date Title
CN101753292B (en) Methods and devices for a chained encryption mode
US11546135B2 (en) Key sequence generation for cryptographic operations
Mandal Evaluation of performance of the Symmetric Key Algorithms: DES, 3DES, AES and Blowfish
CN104298937B (en) For the encrypted device and method of storage address
US8374351B2 (en) Encryption device, program, and method
Anwar et al. Comparative study of cryptography algorithms and its’ applications
US9565018B2 (en) Protecting cryptographic operations using conjugacy class functions
KR101095386B1 (en) Cryptographic System Using Discrete Chaotic Functions
WO2016088453A1 (en) Encryption apparatus, decryption apparatus, cryptography processing system, encryption method, decryption method, encryption program, and decryption program
Saicheur et al. An implementation of AES-128 and AES-512 on Apple mobile processor
JP2015156013A (en) Information processing device and method therefor
US9049004B2 (en) Low-power encryption apparatus and method
Wu et al. Resynchronization Attacks on WG and LEX
Alenezi et al. On the performance of AES algorithm variants
CN111740818A (en) A data processing method, device, equipment and storage medium
CN106506140A (en) A kind of AES encryption and decryption method and device
Khaleel et al. An overview of cryptosystems based on finite automata
Shinde et al. A review of various encryption techniques
Mohan et al. Revised aes and its modes of operation
Rajashekarappa et al. Study on cryptanalysis of the tiny encryption algorithm
Rahma et al. To modify the partial audio cryptography for Haar wavelet transform by using AES algorithm
Labbi et al. Symmetric encryption algorithm for RFID systems using a dynamic generation of key
US20180054307A1 (en) Encryption device
US9160523B2 (en) Apparatus and method to prevent side channel power attacks in advanced encryption standard
Khaleel et al. A Comparative Performance Analysis of Modified Dömösi's Cryptosystem and Data Encryption Standard

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (Application publication date: 20170315)