CN110011786B - High-safety IP secret communication method - Google Patents

Info

Publication number
CN110011786B
Authority
CN
China
Prior art keywords
packet
encryption
randomized
module
decryption
Prior art date
Legal status
Active
Application number
CN201910211626.XA
Other languages
Chinese (zh)
Other versions
CN110011786A
Inventor
李大双
徐兵杰
何远杭
樊矾
Current Assignee
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Application filed by CETC 30 Research Institute
Priority to CN201910211626.XA
Publication of CN110011786A
Application granted
Publication of CN110011786B
Legal status: Active

Classifications

    • H04L 63/0428: Network architectures or network communication protocols for network security (H04L 63/00), for providing a confidential data exchange among entities communicating through data packet networks (H04L 63/04), wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/1441: Network architectures or network communication protocols for network security (H04L 63/00), for detecting or protecting against malicious traffic (H04L 63/14); countermeasures against malicious traffic
    • H04L 9/0618: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L 9/00); encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators (H04L 9/06); block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
    • H04L 9/0852: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L 9/00); key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (H04L 9/08); key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties for subsequent use (H04L 9/0816); quantum cryptography
    (All four fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a high-security IP secret communication method comprising an IP encryption processing device and an IP decryption processing device. The IP encryption processing device includes a full-IP-packet block encryption module, a true randomization splitting module, two XOR operation modules and two block encryption and tunnel encapsulation modules; the IP decryption processing device includes two tunnel decapsulation and block decryption modules, two XOR operation modules, a de-randomization combining module and a full-IP-packet block decryption module. The invention combines three encryption protection mechanisms, full-IP-packet block encryption, true randomization splitting and IP-tunnel block encryption, so that an adversary who monitors the communication data can hardly recover the IP plaintext by analysis. The method can build a high-security confidential IP network over the public Internet at low investment cost, is designed to resist the attack threat of existing cryptanalytic methods, and is designed to resist cryptanalysis by quantum computers.

Description

High-safety IP secret communication method
Technical Field
The invention relates to a high-safety IP secret communication method.
Background
Quantum computers are being actively developed in the leading industrial countries, and the era of quantum computing is no longer far away. Because qubits exhibit both superposition and entanglement, the computing capacity of a quantum computer grows exponentially with the number of qubits, so quantum computing poses a major threat to secret communication whose security rests on cryptographic algorithms. The rapid development of artificial intelligence based on neural-network learning likewise offers cryptanalysis a new route to exponential acceleration. Neural-network computing models running on quantum chips will pose a serious security challenge to existing secure communication systems.
In the existing public Internet, network devices invariably contain security holes; an adversary can implant monitoring trojans through network attacks and thereby capture the communication data exchanged between IP subnets. Even when IP subnets are connected directly over a dedicated optical cable, the optical signals carried in the fibre are easy to tap, and the IP packet data can be recovered by decoding the signal.
In the new high-security IP secret communication method, the IP encryption device processes each plaintext IP packet to be transmitted as follows. It first encrypts the whole packet, IP header included, with a block cipher, so that the data format of the entire plaintext packet is masked. It then splits the resulting ciphertext block byte by byte, using a quantum true random number, into two randomized split blocks of the same length as the original packet; XORs each split block byte by byte with a random masking block that was preset or negotiated through a key distribution protocol; encrypts each of the two randomized XOR blocks with the block cipher; and re-encapsulates them as two new IP ciphertext packets that are sent out over the Internet access link of the IP encryption device. Because the true randomization split both "destroys" the integrity of the ciphertext (neither packet carries the complete encrypted image of the plaintext) and removes every recognizable feature from the input of the block cipher, the existing cryptanalytic attack methods have nothing to work on. And because the output of the de-randomization combiner is itself block-encrypted data without plaintext characteristics, an adversary who exhaustively tries every combination of the pair of block keys, even on a quantum computer, cannot tell which combination is correct; the system is therefore not broken even when that exhaustive search finishes. The new IP secret communication method can thus greatly improve the security of existing secret communication systems and effectively resist cryptanalysis by quantum computers with strong computing power and by neural-network computation.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a novel high-security secret communication method that jointly applies three protection mechanisms: full-IP-packet block encryption, true randomization splitting, and block encryption of the tunnel payload. First, the whole plaintext IP packet to be transmitted, including its IP header, is block-encrypted to form a full-IP block-encrypted data block. Second, that block is randomly split into two randomized split blocks on the basis of a quantum true random number, and each split block is XORed with a true random mask. Third, the two resulting blocks are block-encrypted under two independently negotiated keys, forming two block-encrypted data blocks that serve as the payloads carried by the IP encryption tunnels. Finally, the two block-encrypted data blocks are each encapsulated in a standard IPSec packet and transmitted across the public Internet to the destination IP cipher device.
With this method, an adversary who captures the IP ciphertext packets exchanged between the IP encryptors cannot recover the plaintext by cryptanalysis. Even if the system uses public cryptographic algorithms, the adversary is forced into an exhaustive search over three key spaces: because the combined output of the two block-decryption paths is itself random data, exhausting the two tunnel key spaces does not yield the plaintext IP packet, and the adversary must then perform a serial block-decryption search over the third key space, so the total work exceeds the upper limit of the key space of any single block cipher. The method therefore resists the decryption attacks that an adversary can mount with strong computing power, whether by network monitoring or by quantum computation, and allows a high-security secret communication network to be built on the public Internet.
The technical solution adopted by the invention is as follows. A high-security IP secret communication method comprises an IP encryption processing device and an IP decryption processing device. The IP encryption processing device comprises a full-IP-packet block encryption module, a quantum random number generator, a true randomization splitting module, two XOR operation modules and two block encryption and tunnel encapsulation modules. The IP decryption processing device comprises two tunnel decapsulation and block decryption modules, two XOR operation modules, a de-randomization combining module and a full-IP-packet block decryption module; each tunnel decapsulation and block decryption module is connected to one XOR operation module, both XOR operation modules are connected to the de-randomization combining module, and the de-randomization combining module is connected to the full-IP-packet block decryption module.
Compared with the prior art, the invention has the following positive effects:
In the existing public Internet, network devices invariably contain security holes; an adversary can implant monitoring trojans through network attacks and thereby capture the confidential communication data exchanged between IP subnets.
The novel high-security IP secret communication method of the invention adopts three protection mechanisms, full-IP-packet block encryption, randomized splitting and block encryption of the tunnel payload, so that an adversary who monitors the communication data can hardly recover the IP plaintext by analysis.
The method can build a high-security secret communication IP network on the public Internet at low investment cost, resists the attack threat of existing cryptanalytic methods, very effectively resists cryptanalysis by quantum computers with strong computing capacity, and is suitable both for party and government secret communication with extremely high security requirements and for commercial secret communication with high security requirements.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a novel high-security IP secure communication method;
FIG. 2 is a schematic diagram illustrating a true randomization partitioning and combining recovery principle of a data block;
FIG. 3 is a schematic diagram of the IP encryption packet encapsulation structure.
Detailed Description
(I) Technical architecture of the novel IP secret communication method
The core idea of the novel high-security IP secret communication method is built around true randomized split transmission of the IP packet content, with three encryption mechanisms providing transmission protection. For each plaintext IP packet, the IP encryptors apply three transmission protection mechanisms in turn: full-IP-packet block encryption, true randomization splitting with randomized XOR, and block encryption of the resulting data blocks.
The invention does not cover the specific implementation of dynamic key negotiation between IP encryptors or of IPSec packet encapsulation between IP encryptors.
1. Implementation architecture design of novel high-security IP secret communication method
In the new high-security IP secret communication method, the secure communication architecture is shown in FIG. 1. The IP encryption processing function consists of 7 modules: a full-IP-packet block encryption module, a quantum random number generator module, a true random splitting module, two XOR operation modules and two block encryption and tunnel encapsulation modules. The IP decryption processing function consists of 6 modules: two tunnel decapsulation and block decryption modules, two XOR operation modules, a de-randomization combining module and a full-IP-packet block decryption module.
The block encryption keys k1, k2 and k3 are assumed to be 256 or 512 bits long, and the randomized XOR keys k4 and k5 are 1500 bytes long (one packet of Ethernet MTU size). All keys are quantum true random data, either preset or negotiated through a dynamic key distribution protocol; they are generated independently of one another, so none can be derived or inferred from another.
2. Combination of randomized segmentation and block encryption to improve resistance to cryptanalysis cracking
The core idea of the novel high-security IP secret communication method is to randomize and split the input to the block cipher for each IP packet, so that the IP ciphertext packets carried on the link do not contain the complete encrypted image of the IP plaintext: the integrity of the ciphertext information is broken, which defeats the various cryptanalytic methods. The randomized splitting and recovery of a packet data block is shown in FIG. 2. The randomization splitting mechanism operates byte by byte on the IP packet content to be transmitted across the public Internet, using a quantum true random number generated dynamically in real time with the same length as the packet content: randomized split block 1 is formed by an AND with the random number, and randomized split block 2 by an AND with the bitwise inverse of the random number. This yields two data blocks whose content is completely randomized. Each is encrypted with the block cipher and encapsulated into a new IP packet, and the ID sequence numbers of the two encrypted IP packets are generated in increasing order with a difference of 1. Because the input to the block cipher has undergone true randomized splitting and randomized XOR, the encrypted input no longer has any feature usable for cryptanalysis, so all existing cryptanalytic methods based on plaintext-ciphertext comparative analysis or on neural-network deep-learning feature analysis are resisted.
The true random XOR operation makes the numbers of '0' bits and '1' bits in the block cipher input roughly equal, eliminating the uneven distribution of '0' and '1' bits that the random split alone may produce (an AND with a random mask clears, on average, half of the set bits).
3. The security mechanism of the hidden plaintext format forces the adversary to perform exhaustive operations in the triple key space
In existing secure communication systems that use a public block cipher with a 256-bit key, an adversary who searches the whole key space performs at least 1 and at most 2^256 trial decryptions, 2^255 on average. Existing secure communication systems therefore carry a certain security risk.
In the novel high-security secret communication method, the encapsulation structure of the IP encryption packet is shown in FIG. 3. Before the true randomized split, the whole IP packet (IP header included) is already protected by block encryption, so when the adversary tries exhaustive decryption over the two coupled IP block-encrypted packets, no plaintext feature appears in any output; the adversary is forced to the upper limit of traversing the whole key space, and even after completing that search still cannot decode the plaintext IP packet. If one block decryption takes 1 ns, the adversary needs at least 2^256 ≈ 1.16 × 10^77 operations for a 256-bit key space, which is on the order of 10^60 years. Furthermore, even with a public algorithm, to break the whole system the adversary must first perform a block decryption for every key combination (k1, k2) and then an exhaustive search for the full-IP block decryption; the storage needed for such a combined search is not engineering-realizable either. Finally, even after one exhaustive pass over the block cipher, because the combined output of the "decryption" results for every key pair is "random" data, the cryptanalysis of the full-IP block-encrypted data block must still be carried out serially.
Even when the inputs to the IP encryption processing device are identical, the block-encrypted tunnel payloads change dynamically because of the true random split; so even if an adversary successfully decodes one IP ciphertext packet carried by a tunnel, the payload of the next one is different and the analysis must start again. When the cryptographic algorithm is not public, since the input to encryption is randomized data produced by true randomized splitting and randomized XOR, an adversary can neither apply any plaintext-ciphertext-pair analysis nor use exhaustive search for cryptanalysis.
(II) working process
1. IP encryption processing workflow
When the IP encryption processing device needs to encrypt a plaintext IP packet, it takes the following steps:
Step 1: Based on the block encryption key k3, block-encrypt the whole plaintext IP packet to form a full-IP block-encrypted data block.
Step 2: Based on a true random data block generated by the quantum random number generator with the same length as the full-IP block-encrypted data block, perform a true random split of that block (AND with the random block, and AND with its bitwise inverse) to form two randomized split blocks.
Step 3: XOR the randomized split blocks byte by byte with the 1500-byte random data keys k4 and k5 respectively, preset or negotiated through the key distribution protocol, to form two randomized XOR blocks.
Step 4: Based on the block encryption keys k1 and k2 respectively, block-encrypt the two randomized XOR blocks and re-encapsulate each with a standard IP header to form two new standard IP ciphertext packets. The sequence-number field of the packet encrypted under k1 is set to an increasing odd value and that of the packet encrypted under k2 to an increasing even value, the two differing by 1. The new standard IP ciphertext packets are then sent into the public Internet and forwarded by routers to the destination IP cipher device.
The IP cipher encryption device has then completed the encryption flow for the plaintext IP packet.
2. IP decryption processing workflow
When the local IP decryption processing device receives IP ciphertext packets, it takes the following steps:
Step 1: Strip the IP header of the tunnel encapsulation.
Step 2: For the IP ciphertext packet with the odd sequence number, block-decrypt its payload with key k1; for the packet with the even sequence number, block-decrypt its payload with key k2. This yields two randomized XOR blocks.
Step 3: XOR-decrypt the payload from the odd-numbered packet with key k4 and the payload from the even-numbered packet with key k5, yielding the two randomized split blocks.
Step 4: Once both the odd- and even-numbered randomized split blocks of a pair have arrived, OR them byte by byte to recover the full-IP block-encrypted data block.
Whether the OR combination may be performed is decided from the sequence-number values in the received IP ciphertext packet headers, as follows. A packet whose odd/even partner has not yet arrived is decrypted and XORed to obtain its randomized split block, which is cached in a queue; the combination is executed once the pair is aligned. If the randomized split blocks of a later pair, a few sequence numbers further along, are both present and satisfy the OR-combination condition, the split blocks of the incomplete pairs still queued in front of it are discarded.
Step 5: Based on key k3, block-decrypt the full-IP block-encrypted data block obtained by the combination to recover the plaintext IP packet.
The IP decryption processing device has then completed the decryption flow for the IP ciphertext packets.
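The encryption steps 1-4 and decryption steps 1-5 above, carried through end to end as a worked example. This is added example code, not code from the patent or from CETC 30 Research Institute, and it makes the following assumptions of its own: the page names no block cipher, so an HMAC-SHA256 keystream keyed per packet stands in for it (standard library only; a deployment would use a real block cipher such as AES or SM4); the quantum random number generator is replaced by os.urandom; sequence numbers are plain integers rather than a 16-bit IP Identification field, so the packet counter is recovered as (seq - 1) // 2; tunnel and IPSec encapsulation are not modelled. The page describes no integrity protection and none is added here.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

PAD_LEN = 1500  # k4 / k5 are 1500-byte random pads on the page (one Ethernet MTU)


@dataclass(frozen=True)
class Keys:
    k1: bytes  # block key for the odd-numbered tunnel packet
    k2: bytes  # block key for the even-numbered tunnel packet
    k3: bytes  # block key for the whole plaintext IP packet (header included)
    k4: bytes  # 1500-byte XOR pad for split block 1
    k5: bytes  # 1500-byte XOR pad for split block 2

    @classmethod
    def generate(cls, rng=os.urandom):
        return cls(rng(32), rng(32), rng(32), rng(PAD_LEN), rng(PAD_LEN))


def cipher(key: bytes, packet_ctr: int, data: bytes) -> bytes:
    """Stand-in for the page's unnamed block cipher (assumption of this example):
    HMAC-SHA256 keystream in counter mode. The same call encrypts and decrypts;
    the packet counter keeps the keystream from repeating across packets."""
    stream = b"".join(
        hmac.new(key, struct.pack(">QQ", packet_ctr, i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(d ^ s for d, s in zip(data, stream))


def random_split(block: bytes, mask: bytes):
    """FIG. 2: split block 1 = block AND mask, split block 2 = block AND (NOT mask)."""
    if len(mask) != len(block):
        raise ValueError("mask must be as long as the block")
    part1 = bytes(b & m for b, m in zip(block, mask))
    part2 = bytes(b & (m ^ 0xFF) for b, m in zip(block, mask))
    return part1, part2


def combine(part1: bytes, part2: bytes) -> bytes:
    """Inverse of random_split: byte-wise OR (the two parts never share a set bit)."""
    return bytes(a | b for a, b in zip(part1, part2))


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """Byte-wise XOR with the 1500-byte pad; refuses packets longer than the pad."""
    if len(data) > len(pad):
        raise ValueError("packet longer than the 1500-byte XOR pad")
    return bytes(d ^ p for d, p in zip(data, pad))


def encrypt_packet(keys: Keys, ctr: int, ip_packet: bytes, rng=os.urandom):
    """Encryption steps 1-4. Returns the two tunnel payloads with their sequence
    numbers: odd (2*ctr+1) for the k1 path, even (2*ctr+2) for the k2 path."""
    full = cipher(keys.k3, ctr, ip_packet)                       # step 1: whole packet
    s1, s2 = random_split(full, rng(len(full)))                  # step 2: random split
    x1, x2 = xor_pad(s1, keys.k4), xor_pad(s2, keys.k5)          # step 3: XOR masking
    c1, c2 = cipher(keys.k1, ctr, x1), cipher(keys.k2, ctr, x2)  # step 4: tunnel keys
    return (2 * ctr + 1, c1), (2 * ctr + 2, c2)


def decrypt_pair(keys: Keys, odd_msg, even_msg) -> bytes:
    """Decryption steps 2-5 for one aligned odd/even pair (step 1, header
    stripping, is outside this example)."""
    (seq_odd, c1), (seq_even, c2) = odd_msg, even_msg
    if seq_odd % 2 != 1 or seq_even != seq_odd + 1:
        raise ValueError("not an aligned odd/even pair")
    ctr = (seq_odd - 1) // 2
    x1, x2 = cipher(keys.k1, ctr, c1), cipher(keys.k2, ctr, c2)  # step 2
    s1, s2 = xor_pad(x1, keys.k4), xor_pad(x2, keys.k5)          # step 3
    full = combine(s1, s2)                                        # step 4
    return cipher(keys.k3, ctr, full)                             # step 5


def roundtrip_ok(keys: Keys, ip_packet: bytes, ctr: int = 0) -> bool:
    odd, even = encrypt_packet(keys, ctr, ip_packet)
    return decrypt_pair(keys, odd, even) == ip_packet


if __name__ == "__main__":
    keys = Keys.generate()
    # Constructed sample: a minimal IPv4 header followed by a short payload.
    pkt = bytes.fromhex("4500001c000140004011000ac0a80001c0a80002") + b"hello, tunnel"
    a, b = encrypt_packet(keys, 0, pkt)
    a2, b2 = encrypt_packet(keys, 0, pkt)   # same input, same counter, fresh mask
    print("roundtrip:", decrypt_pair(keys, a, b) == pkt)
    print("same input, different tunnel payloads:", a[1] != a2[1] and b[1] != b2[1])
```

Encrypting the same packet twice under the same keys and counter gives different tunnel payloads purely because of the fresh split mask, which is the behaviour the text above attributes to the true random split.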

Claims (7)

1.一种高安全的IP保密通信方法,其特征在于:包括IP加密处理装置和IP解密处理装置,其中所述IP加密处理装置包括全IP报文分组加密模块、真随机化分割模块、量子随机数发生器、两个异或运算模块以及两个分组加密和隧道封装模块,所述全IP报文分组加密模块连接真随机化分割模块,所述真随机化分割模块连接量子随机数发生器,所述真随机化分割模块分别连接两个异或运算模块,所述异或运算模块各自连接一个分组加密和隧道封装模块;所述IP解密处理装置包括两个隧道解封和分组解密模块、两个异或运算模块、去真随机化合路模块以及全IP报文分组解密模块,所述隧道解封和分组解密模块各自与一个异或运算模块连接,所述两个异或运算模块均与去真随机化合路模块连接,所述去真随机化合路模块与全IP报文分组解密模块连接;其中:1. a high-security IP secrecy communication method is characterized in that: comprise IP encryption processing device and IP decryption processing device, wherein said IP encryption processing device comprises full IP packet encryption module, true randomization segmentation module, quantum A random number generator, two XOR operation modules, and two block encryption and tunnel encapsulation modules, the full IP packet encryption module is connected to a true randomization segmentation module, and the true randomization segmentation module is connected to a quantum random number generator , the true randomization segmentation module is respectively connected with two XOR operation modules, and the XOR operation modules are respectively connected with a packet encryption and tunnel encapsulation module; the IP decryption processing device includes two tunnel decapsulation and packet decryption modules, Two XOR operation modules, a de-realization randomization combination module and a full IP packet decryption module, the tunnel decapsulation and packet decryption modules are respectively connected with an XOR operation module, and the two XOR operation modules are both connected with the XOR operation module. 
The de-randomization combining module is connected, and the de-randomizing combining module is connected with the full IP packet decryption module; wherein: 所述IP加密处理装置对一个明文IP报文执行IP加密时,采取以下处理步骤:When the IP encryption processing device performs IP encryption on a plaintext IP message, the following processing steps are taken: 第一步、基于分组加密密钥k3,对整个明文IP报文执行分组加密运算,形成全IP报文分组加密数据块;The first step is to perform a block encryption operation on the entire plaintext IP message based on the block encryption key k3 to form a block encrypted data block of the full IP message; 第二步、基于量子随机数发生器产生的与全IP报文分组加密数据块长度相同的真随机数据块,对全IP报文分组加密数据块分别进行“与”或“非+与”的真随机化分割,形成两个随机化分割数据块;In the second step, based on the true random data block generated by the quantum random number generator, which has the same length as the block encrypted data block of the full IP packet, perform an "AND" or "non+AND" on the encrypted data block of the full IP packet. True randomized segmentation, forming two randomized segmentation data blocks; 第三步、分别基于预置的或密钥分发协议协商的1500字节长的随机数据密钥k4和k5,对随机化分割数据块实施逐字节的异或加密运算,形成两个随机化异或数据块;The third step is to perform a byte-by-byte XOR encryption operation on the randomized divided data blocks based on the 1500-byte long random data keys k4 and k5 that are preset or negotiated by the key distribution protocol, forming two randomized data blocks. 
XOR data blocks;
Step 4: based on the block encryption keys k1 and k2 respectively, perform a block encryption operation on the two randomized XOR data blocks and re-encapsulate each with a standard IP protocol header, forming two new standard IP ciphertext packets; the sequence-number field of the IP ciphertext packet encrypted with k1 is set to an increasing odd sequence number, the sequence-number field of the IP ciphertext packet encrypted with k2 is set to an increasing even sequence number, and the difference between the sequence numbers of these two new IP packets is 1; the new standard IP ciphertext packets are then sent into the public Internet and forwarded through routing relays to the destination IP cipher machine.

2. The high-security IP secure communication method according to claim 1, characterized in that the full-IP-packet block encryption module applies a block encryption algorithm to the entire plaintext IP packet to be transmitted, encrypting and masking the data format of the whole plaintext IP packet, to form a single block-encrypted data block covering the entire IP packet.

3. The high-security IP secure communication method according to claim 2, characterized in that the true randomization splitting module uses a quantum true random number, generated dynamically in real time by a quantum random number generator and of the same length as the full-IP-packet block-encrypted data block, to perform a byte-by-byte randomized splitting operation that splits the full-IP-packet block-encrypted data block into two randomized split data blocks; one randomized split data block is obtained by a byte-by-byte logical AND of the quantum true random data block with the full-IP-packet block-encrypted data block, and the other randomized split data block is obtained by inverting the quantum true random data block byte by byte and then performing a byte-by-byte logical AND with the full-IP-packet block-encrypted data block.

4. The high-security IP secure communication method according to claim 3, characterized in that the two XOR operation modules, each based on one of two independently negotiated, different, 1500-byte random data keys, perform a byte-by-byte logical XOR operation on the randomized split data blocks to form the randomized XOR data blocks.

5. The high-security IP secure communication method according to claim 4, characterized in that the two block encryption modules, each based on one of two independently negotiated different keys, block-encrypt the two randomized XOR data blocks with a block encryption algorithm to form two block-encrypted data blocks, which are respectively re-encapsulated as new IP packets transmitted over two IP encryption tunnels.

6. The high-security IP secure communication method according to claim 1, characterized in that the IP decryption processing device, upon receiving an IP ciphertext packet, takes the following steps:
Step 1: strip off the IP header of the tunnel transport encapsulation;
Step 2: for an IP ciphertext packet with an odd sequence number, perform a block decryption operation on its payload based on key k1; for an IP ciphertext packet with an even sequence number, perform a block decryption operation on its payload based on key k2; this yields the two randomized XOR data blocks;
Step 3: for an IP ciphertext packet with an odd sequence number, perform an XOR decryption operation on its payload based on key k4; for an IP ciphertext packet with an even sequence number, perform an XOR decryption operation on its payload based on key k5; this yields the two randomized split data blocks;
Step 4: once both randomized split data blocks of an odd/even sequence-number pair have arrived, perform a byte-by-byte logical OR combining operation on them to recover the full-IP-packet block-encrypted data block;
Step 5: based on key k3, perform a block decryption operation on the full-IP-packet block-encrypted data block obtained by the combining operation, recovering the plaintext IP packet.

7. The high-security IP secure communication method according to claim 6, characterized in that the method for determining whether the OR combining operation can be performed is as follows: first, the randomized split data block obtained by decrypting and then XOR-decrypting the payload of an IP ciphertext packet whose associated odd/even partner has not yet arrived is buffered and queued, and the OR combining operation is performed only after both have arrived; if the true randomized split data blocks decrypted from a later odd/even-associated pair of IP ciphertext packets, several sequence-number intervals further on, have both arrived and satisfy the condition for the OR combining operation, then the incomplete true randomized split data blocks still queued ahead of them in the buffer are discarded.
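The following is an added worked example, not code from the patent or from the applicant: it models the sender pipeline of claims 1 to 5 (whole-packet block encryption, true-random AND / NOT-AND split, per-tunnel 1500-byte XOR keys, per-tunnel block encryption, odd/even sequence numbers) and the receiver of claims 6 and 7, including the pairing buffer that discards an incomplete older pair once a later pair completes. The key names k1 to k5 are the patent's; the function and class names, the SHA-256 counter-mode keystream standing in for the unnamed block encryption algorithm, and `secrets.token_bytes` standing in for the quantum random number generator are assumptions of this example, as are the sample packets, which are constructed.

```python
"""Added example (not the patent's code): a runnable model of the dual-tunnel
scheme in claims 1-7. Assumptions: the stand-in cipher, the OS RNG in place of
a quantum RNG, and all function/class names are this example's own."""
import hashlib
import secrets

KEY_LEN = 1500  # length of the XOR data keys named in claim 4


def block_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified block encryption algorithm: a SHA-256
    counter-mode keystream XORed onto the data. It is symmetric, so the same
    call decrypts. Assumption: a real block cipher replaces this in practice."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Claim 4: byte-by-byte XOR with an independently negotiated 1500-byte key."""
    if len(data) > len(key):
        raise ValueError("data longer than the 1500-byte XOR key")
    return bytes(d ^ k for d, k in zip(data, key))


def random_split(block: bytes, mask: bytes):
    """Claim 3: split C into (C AND R, C AND NOT R) with a true-random mask R.
    OR-ing the two halves restores C byte for byte."""
    half_a = bytes(c & r for c, r in zip(block, mask))
    half_b = bytes(c & (r ^ 0xFF) for c, r in zip(block, mask))
    return half_a, half_b


def or_combine(half_a: bytes, half_b: bytes) -> bytes:
    """Claim 6 step 4: byte-by-byte logical OR recombination."""
    return bytes(a | b for a, b in zip(half_a, half_b))


class Sender:
    """IP encryption side; keys = (k1, k2, k3, k4, k5) as named in the claims."""

    def __init__(self, keys, rng=secrets.token_bytes):
        self.k1, self.k2, self.k3, self.k4, self.k5 = keys
        self.rng = rng          # stand-in for the quantum random number generator
        self.next_odd = 1       # k1 tunnel carries odd, k2 tunnel even sequence numbers

    def protect(self, plaintext_packet: bytes):
        full = block_cipher(self.k3, b"full", plaintext_packet)      # whole-packet encryption
        half_a, half_b = random_split(full, self.rng(len(full)))     # true-random split
        x_a = xor_with_key(half_a, self.k4)                          # per-tunnel XOR keys
        x_b = xor_with_key(half_b, self.k5)
        odd, even = self.next_odd, self.next_odd + 1                 # differ by exactly 1
        self.next_odd += 2
        return [(odd, block_cipher(self.k1, b"t1", x_a)),            # tunnel 1 packet
                (even, block_cipher(self.k2, b"t2", x_b))]           # tunnel 2 packet


class Receiver:
    """IP decryption side with the claim 7 pairing buffer."""

    def __init__(self, keys):
        self.k1, self.k2, self.k3, self.k4, self.k5 = keys
        self.pending = {}   # pair id -> {parity: randomized split block}, insertion ordered
        self.discarded = 0  # incomplete pairs dropped under claim 7

    def receive(self, seq: int, payload: bytes):
        if seq % 2:                                                  # odd: k1 then k4
            split = xor_with_key(block_cipher(self.k1, b"t1", payload), self.k4)
        else:                                                        # even: k2 then k5
            split = xor_with_key(block_cipher(self.k2, b"t2", payload), self.k5)
        pair = (seq + 1) // 2                                        # (1,2)->1, (3,4)->2, ...
        self.pending.setdefault(pair, {})[seq % 2] = split
        if len(self.pending[pair]) < 2:
            return None                                              # wait for the partner
        for stale in [p for p in self.pending if p < pair]:          # claim 7: a later pair
            del self.pending[stale]                                  # completing evicts older
            self.discarded += 1                                      # incomplete pairs
        halves = self.pending.pop(pair)
        return block_cipher(self.k3, b"full", or_combine(halves[1], halves[0]))


def run_scenario():
    """Constructed traffic: in-order delivery, reordered delivery, and a lost half."""
    keys = (secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(32),
            secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
    tx, rx = Sender(keys), Receiver(keys)
    packets = [b"constructed IP packet %d " % i + bytes(range(60)) for i in range(4)]
    pairs = [tx.protect(p) for p in packets]
    out = {"plain": packets}
    out["in_order"] = [rx.receive(*frag) for frag in pairs[0]][1]
    out["reordered"] = [rx.receive(*frag) for frag in reversed(pairs[1])][1]
    out["half_only"] = rx.receive(*pairs[2][0])      # odd half of packet 2; even half lost
    out["later_pair"] = [rx.receive(*frag) for frag in pairs[3]][1]
    out["discarded"], out["pending"] = rx.discarded, len(rx.pending)
    return out


if __name__ == "__main__":
    r = run_scenario()
    print("discarded pairs:", r["discarded"], "still pending:", r["pending"])
```

Two points the model makes visible. First, the AND / NOT-AND split is only lossless because every bit of C lands in exactly one half; a set bit in either half reveals that the corresponding bit of the block-encrypted packet is set, so the split on its own is not a secret-sharing step, which is why the claims layer the XOR keys and a second block encryption on each tunnel. Second, the receiver's eviction rule means a lost or delayed tunnel packet costs the whole pair, so in a deployment the sequence-number gap at which pairs are abandoned, and any retransmission, has to be tuned against the reordering the two paths actually exhibit.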
CN201910211626.XA 2019-03-20 2019-03-20 High-safety IP secret communication method Active CN110011786B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910211626.XA CN110011786B (en) 2019-03-20 2019-03-20 High-safety IP secret communication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910211626.XA CN110011786B (en) 2019-03-20 2019-03-20 High-safety IP secret communication method

Publications (2)

Publication Number Publication Date
CN110011786A CN110011786A (en) 2019-07-12
CN110011786B true CN110011786B (en) 2022-03-18

Family

ID=67167420

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910211626.XA Active CN110011786B (en) 2019-03-20 2019-03-20 High-safety IP secret communication method

Country Status (1)

Country Link
CN (1) CN110011786B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111031075B (en) * 2020-03-03 2020-06-23 网御安全技术(深圳)有限公司 Network service security access method, terminal, system and readable storage medium
CN112787815B (en) * 2021-02-05 2021-11-30 中南大学 Continuous variable quantum key communication method and system based on attack perception and defense
CN114285565A (en) * 2021-12-29 2022-04-05 观源(上海)科技有限公司 Scheduling system of password resource pool
CN114666049B (en) * 2022-03-25 2024-02-20 中金金融认证中心有限公司 Method for encrypting plaintext data and related products

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957533A (en) * 2011-08-25 2013-03-06 安徽量子通信技术有限公司 Code modulation device of quantum key distribution system
CN104486307A (en) * 2014-12-03 2015-04-01 中国电子科技集团公司第三十研究所 Decentralized key management method based on homomorphic encryption
CN104917610A (en) * 2015-06-15 2015-09-16 上海交通大学 Communication relay server safety system and method based on quantum true random number
CN106612176A (en) * 2016-12-16 2017-05-03 中国电子科技集团公司第三十研究所 Negotiation system and negotiation method based on quantum truly random number negotiation secret key

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102609640B (en) * 2004-10-25 2015-07-15 安全第一公司 Secure data parser method and system
US10476854B2 (en) * 2017-04-20 2019-11-12 Bank Of America Corporation Quantum key distribution logon widget

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on security enhancement methods for power information systems based on quantum security; 彭飞, 田增垚, 张晓华, 安天瑜, 孟庆东, 陈志奎; Journal of Chongqing University (重庆大学学报); 20210409; full text *

Also Published As

Publication number Publication date
CN110011786A (en) 2019-07-12

Similar Documents

Publication Publication Date Title
CN110011786B (en) High-safety IP secret communication method
CN110071943B (en) A Composite High Security IP Secrecy Communication Method with True Random Key Change
CN112235112B (en) Zero-semantic and one-time pad-based IP encryption method, system and storage medium
US8687800B2 (en) Encryption method for message authentication
CN110798311B (en) IP encryption method for realizing one-time pad based on quantum true random number matrix
CN109639650B (en) A Secure Communication Method Based on Longitudinal Random Segmentation of Packets and Path Separation Transmission
KR20030078453A (en) Method and apparatus for encrypting and decrypting data in wireless lan
CN1938980A (en) Method and apparatus for cryptographically processing data
JPH0969830A (en) Cryptographic communication system
Rege et al. Bluetooth communication using hybrid encryption algorithm based on AES and RSA
CN107666491A (en) The data transmission method of air-ground integrated network based on symmetric cryptography
CN114124416B (en) System and method for quickly exchanging data between networks
CN112073115A (en) Lora-based low-orbit satellite Internet of things registration security verification method, Internet of things terminal, network server and user server
CN110022204B (en) Method for enhancing security of file secret communication based on content true randomization segmentation
Al-Shargabi et al. An improved DNA based encryption algorithm for internet of things devices
CN114844713A (en) A video stream encryption method and related equipment based on national secret algorithm
CN104158788A (en) Method of end-to-end data transmission
CN110213257B (en) High Security IP Confidential Communication Method Based on True Random Stream XOR Encryption
CN105791296A (en) A method for fast scrambling and descrambling of network messages
CN104954136A (en) Network security encryption device under cloud computing environment
CN111526100A (en) Cross-network traffic identification method and device based on dynamic identification and path hiding
Tripathi et al. The hybrid cryptography for enhancing the data security in fog computing
CN110891072A (en) Data block transmission and recovery method
Hartl et al. Subverting counter mode encryption for hidden communication in high-security infrastructures
Abdelaziz et al. Securing the space data link communication protocol of Earth observation satellites

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant