Summary of the invention
The present invention seeks to deficiency at existing data ciphering method, providing a kind of divides by data being carried out data element, and each data element is carried out coordinate assignment and employing algorithms of different and key carry out method of encrypting and device, use this device or method that data are encrypted, can guarantee the safety of data height on the one hand, also can effectively reduce the load and the cost of computing simultaneously.
Encryption method of the present invention:
A kind of method of the mixed type data encryption based on data element and coordinate algorithm is characterized in that, comprises the steps:
A). encrypt end and set up the cryptographic algorithm database, in the database different cryptographic algorithm have make its can be indexed/coordinate label or the ID sequence called;
B). be-encrypted data is divided into the plurality of data unit;
C). the cryptographic algorithm distribution module for each data cell distribute coordinate or/the ID sequence, and use this coordinate or/ID sequence corresponding algorithm encrypts this data cell;
D). add toward the data encrypted unit this cryptographic algorithm coordinate or/the ID sequence field forms new data element;
E). new data element is combined into encrypted data.
Wherein, the different cryptographic algorithm of the cryptographic algorithm database of the above the inside refer to that carrying out identical or different computings by the key with different length or content realizes the algorithm encrypted;
Described coordinate label or ID sequence are formed by the field combination more than two sections or two sections with several Bit;
Described enciphered data is divided into the plurality of data unit and refers to that enciphered data is divided into some data segments common fixed-length or that have the different length grade that have;
Described new data element refers to be added with in front, ciphered data unit in order to the coordinate label of representing this cryptographic algorithm or ID sequence information and the data cell that forms.
As the integrality optimization that this method is used, method of the present invention also has a decryption step, and decryption step comprises:
21). decrypting end is set up the decipherment algorithm database, arbitrary cryptographic algorithm of encrypting end the decipherment algorithm database have at least one with its corresponding decipherment algorithm with different coordinate labels or ID sequence;
22). the new data element of encrypted data is separated, and extract the coordinate or the ID sequence of cryptographic algorithm from new data element;
23) be decrypted by the coordinate of decipherment algorithm and cryptographic algorithm or the coordinate or the ID sequence of hinting obliquely at algorithm acquisition decipherment algorithm of ID sequence, and by pairing algorithm;
24) decrypted data cell is reassembled into data.
Further optimize, on the method told about also comprise:
Encrypt end subscriber input private key, this private key combines back defeated encrypting again with the enciphered data that has made up after treatment;
Decrypting end, the user imports private key, this private key with treat that the password field of data decryption partly compares checking, and carry out follow-up deciphering incident by the rear in checking;
Encrypted data are carried out network data transmission in the ICP/IP protocol of encrypting use standard between end and the decrypting end.
Be encryption device of the present invention below:
A kind of based on the mixed type data encryption of data element and coordinate algorithm and the device of deciphering, it is characterized in that: it comprises as lower module:
31). the data input module that is used to obtain data and data is divided into the plurality of data unit;
32). be used for the encrypt/decrypt overall process is carried out central controlled encrypt/decrypt control module;
33). be used for the encryption/decryption algorithm database of storage encryption or decipherment algorithm;
34). be used to each data cell to carry out the algorithm assigns module of algorithm coordinate or ID sequence allocation/conversion;
35). be used to call the encrypting-decrypting module that algorithm is encrypted or deciphered;
36). be used to each encrypted data cell interpolation coordinate or ID sequence information field to form the packing module of new data element;
37). be used for new data element is combined into the composite module of encrypted/data decryption;
Described encrypt/decrypt control module control data input module obtains data and divide/or be decomposed into data cell, and the algorithm assigns module is that data cell is distributed and encrypted or the coordinate or the ID sequence of decipherment algorithm correspondence then; Close control module control encrypting-decrypting module obtains this coordinate or ID sequence corresponding algorithm is carried out encrypt/decrypt to the data unit from the encryption/decryption algorithm database; Encrypting control module control packing module forms new data cell and by composite module encrypted or decrypted data unit is made up.
Technical scheme in sum has following essence progress and beneficial effect:
1. adopt data are carried out the data element division, and by each data element is encrypted by the method with different cryptographic algorithm and key, final data is safe;
2. what the Information Security of encryption methods such as present DES, RSA, 3DES, FEAL, IDEA largely relied on is the complexity of algorithm itself and the length of key, and encryption method safety guarantee of the present invention comes from the diversity of cryptographic algorithm and key in the cryptographic algorithm database and is difficult to foreseeability;
3. when encryption method of the present invention is encrypted data element, both can adopt commonly used encrypting as DES, RSA, 3DES scheduling algorithm, more can adopt self-defining multiple simple or complicated, the cryptographic algorithm that key is changeable.The mixing of multiple encryption algorithms is used, can guarantee the degree of safety of data on the one hand, merge the advantage of multiple encryption algorithms, on the other hand, also can save the workload of encryption, because when encrypting unnecessary to all data all carry out as DES, RSA, 3DES so complex calculations handle, for the partial data unit as long as adopt simple the encryption.
4. data are illegally cracked if want, the condition that need possess is must know user's private key, must know the division methods of data cell, the rule distribution method that must know the algorithm coordinate and conversion method, must know key that cryptographic algorithm all in the database and each algorithm adopt, need know the combined method of data cell in addition exactly, so with respect to existing various encryption methods, the probability that encryption method of the present invention is cracked is littler.
Embodiment
Embodiment one
Referring to figs. 1 to 7, the method for a kind of mixed type data encryption based on data element and coordinate algorithm of open the present invention.This method comprises the steps to realize:
1). obtaining by data input module needs ciphered data;
2). data are divided into plurality of data unit, i.e. data segment; Division methods comprises: A. is divided into the data segment with identical fixing length cell with data input stream, and (length of data segment can be determined without limits according to actual needs; Because the data division of the IP datagram of IPV4 is the longest to be 64KB, so can each data segment be set at 64KB with reference to it), and with the data of a length cell of remaining less than as an independent data segment; B. define some length scale (for example can be with 128KB, 64KB, 32KB, 12KB, 1KB, 512B, 256B be defined as 6~0 grades successively, the method of definition can be determined according to actual needs, do not have restriction in principle), data input stream is divided into the data segment with the rank length that defines, and with the data of the minimum rank length of remaining deficiency as an independent data segment; C. the length by specific algorithm (produce algorithm as random number and produce random number) specified data section as the length of this data segment, the algorithm of asking optimal value etc. by the size analysis of whole data being regulated data segment, length.Compare down, the realization program that data input stream is divided into the data segment with identical fixing length cell is the simplest, divide and the efficient of control also the highest, so be that example is further described with it.
With reference to shown in Figure 1, be-encrypted data enters from an end of data input module, and (1~N), data cell is exported in order then to be divided into the data cell of serial equal length successively by the data cell partitioning algorithm of data input module.
3). obtain data cell, the cryptographic algorithm distribution module for this data cell distribute coordinate or/the ID sequence.Coordinate or/the ID sequence is by the forming more than two periods or two periods with some bytes.Denotation coordination or/byte number of ID sequence can decide according to the cryptographic algorithm number in the cryptographic algorithm database.As suppose to use 16 byte representations, but then the corresponding algorithm number mostly is 65536 kinds most; Use 32 byte representations, but then the corresponding algorithm number can reach kind more than 4,200,000,000; Based on the fail safe and the efficient of encrypting, under the general case, use 16 bytes to meet demand for security fully.Coordinate or/the ID sequence constitutes can have several different methods according to algorithm in the expression difference of database internal coordinate, as adopting the two-dimensional representation method, promptly uses (X, Y) expression (seeing Fig. 3 and Fig. 4), wherein X coordinate, Y coordinate are used 9 bytes, 7 byte representations respectively, and then the X scope is 0~511, and the Y scope is 0~127; The cryptographic algorithm distribution module is that data cell is distributed in the algorithm coordinate in the definition coordinate range successively by the algorithm in it, described algorithm is included in and produces an integer in the coordinate range at random and produce equally distributed random integers as coordinate, in coordinate range as coordinate etc., is example to produce equally distributed random integers in coordinate range as coordinate, and its algorithm can be by following realization:
Suppose and will produce a rounded coordinate equably at random in [0,511], then computing formula is:
r
i=mod(5r
i-1,4n);
t
i=int(r
i/4);
Wherein, initial value is r
0〉=0 odd number, n=2
K,K=[log
2 511]+1 can obtain random integers.
Block:
Int?r;
{int?k,l,m,i,p;
k=511;l=2;
while(l<511)l=l+1;
m=4*l;k=r;i=1
while(i<=l)
{k=k+k+k+k+k;
k=k%m;l=k/4;
If(i<=b){p=1;i=i+1}
}
r=k;
return(p);
}
The method of the byte length of coordinate or ID sequence, division hop count and generation coordinate can be done self-defined or adjustment according to actual;
4). the coordinate that produces according to the cryptographic algorithm distribution module or/ID sequence inquiry cryptographic algorithm database and the algorithm that calls the inside carry out encryption to the data unit; The algorithm characteristic of cryptographic algorithm lane database storage is: can be any general or self-defining cryptographic algorithm, promptly can comprise: common crypto algorithms such as des encryption algorithm, RSA, 3DES, block encryption algorithm FEAL, IDEA algorithm; Can comprise that also the key figure place has any figure place in employing key carries out the algorithm of any simple or complex process to data, as use 6 keys successively the data unit to be carried out XOR and encrypt, use 3 keys that the data unit is carried out moving 2 processing or the like then with computing, key and encryption method can have various variations.Because data security of the present invention is not to depend on the complexity of certain algorithm wherein or the length of key, and focus on the diversity of cryptographic algorithm and be difficult to predictability, so in cryptographic algorithm, be added into the results of the encryption method of carrying out unconventional processing beyond often can playing to the safety of data by brief key, the live load that reduction that simultaneously also can be a large amount of is encrypted has also improved the efficient of encrypting when having guaranteed data security.
5). toward encrypted data cell add this be used for to the coordinate of its algorithm of encrypting or/the ID sequence field to be to form new data element; Shown in Fig. 2 and 3, for added coordinate or/ new data element structure behind the ID sequence information.Wherein the data cell of Fig. 2 represents that its length is the regular length of acquiescence, also can not carry out data cell in decrypting end and separates and decipher so need not add in data cell in order to the length mark field that indicates its length; The data unit length that Fig. 3 represents is that divide by length scale or variable, is necessary then that at first front end in data cell adds certain byte representing the length of this data cell, and then add coordinate or/the ID sequence information.And for example shown in Figure 3, expression be with its length scale of coded representation of 4 bytes or length, with 9 byte representation coordinate X-axis positions (first half of ID sequence), with 7 byte representation Y-axis positions (latter half of ID sequence).During actual enforcement, the byte number of expression length and coordinate can be set according to actual needs.
6). after all data cells were encrypted, new data element was reassembled into data; Structure after the new data element that is respectively Fig. 2 and 3 correspondences as shown in Figure 4 and Figure 5 makes up.During enforcement, for some big files, can at first be divided into the plurality of data piece, and then data block is divided into data cell encrypts, the combination so here can be earlier be carried out the part combination with data block and carry out entire combination again, is combined into whole data file after promptly at first the corresponding new data element of each data block being reassembled into new data block.
With reference to shown in Figure 6, the flow process that adopts the present invention to carry out data encryption is further elaborated:
As S101 among the figure, at first obtaining needs ciphered data;
As S102 among the figure, the data that obtain are divided into the plurality of data unit;
As S among the figure 103, obtain a data unit in order, and distribute coordinate/ID sequence for this data cell by the cryptographic algorithm distribution module;
As S104 among the figure, use this coordinate/ID sequence inquiry cryptographic algorithm database;
As S105 among the figure, judge whether the cryptographic algorithm database exists the cryptographic algorithm of this coordinate or ID correspondence,
If then enter; S106, otherwise forward S103 to, for this data cell is redistributed coordinate/ID sequence;
As S106 among the figure, from the cryptographic algorithm database, call the cryptographic algorithm of this coordinate or ID correspondence and carry out encryption;
As S107 among the figure, encrypted data cell stem adds this coordinate or id information field (adding coordinate or id information field after perhaps adding the length mark field earlier) forms new data cell;
As S108 among the figure, new data cell is stored in spatial cache;
As S109 among the figure, judge whether all encryptions of all data cells, if otherwise forward S103 to; Otherwise forward S110 to;
As S110 among the figure, new data cell is combined into the data of finishing;
As S111 among the figure, ciphered data is output.
For a kind of data ciphering method, encryption and decryption be two of equal importance and exist positive connection process, below to the pairing deciphering do description:
21). obtaining needs decrypted data;
22). need decrypted data to isolate data cell one by one this; Or knownly identify, so only need cut apart when separating by the data unit length before being combined by stem in its data cell because encrypted data unit length is an acquiescence;
23). from the data cell that splits, extract coordinate or ID sequence to its algorithm of encrypting;
24). the decipherment algorithm distribution module uses the algorithm in it to change formation new coordinate or ID sequence to coordinate or the ID sequence extracted; Wherein conversion method have multiple, comprise this coordinate or ID sequence each form carry out various mathematical operations (as open round behind 2 roots, with the random number addition after integer etc. in the intercepting coordinate range), displacement is moving, use that key is changed etc.Because encryption and decryption are two inverse process that have positive connection, so in selection algorithm, carry out correct deciphering to data element then must correctly select the decipherment algorithm corresponding with this cryptographic algorithm and be decrypted, should have one at disclosed coordinate or ID sequence transformation rule between the two so encrypt the algorithm coordinate of end and decrypting end, the decipherment algorithm distribution module then needs to carry out coordinate or the conversion of ID sequence and then be the correct decipherment algorithm of this data cell distribution according to this transformation rule.The method of conversion is consistent with coordinate or ID sequence transformation rule.
25). coordinate that distributes for this data cell according to the decipherment algorithm distribution module or ID sequence are called corresponding decipherment algorithm and are decrypted operation from the decipherment algorithm database, carry out the deciphering incident.Wherein, exist in decipherment algorithm database and the cryptographic algorithm database and must concern and be: in the cryptographic algorithm database arbitrary cryptographic algorithm the decipherment algorithm database have at least one with it corresponding decipherment algorithm, promptly this data cell must be separated by the algorithm of decipherment algorithm database.Each cryptographic algorithm (as des encryption algorithm, RSA, 3DES, self-defining cryptographic algorithm etc.), its corresponding decipherment algorithm is inequality, and the implementer for definien and developer, this area is known, because cryptographic algorithm is many more in the cryptographic algorithm database, the decipherment algorithm of decipherment algorithm database is just many more, so enumerate explanation no longer one by one.
26). after whole (or data block is whole) pairing all data cells of data are decrypted, make up, form overall data, data decryption is finished.
With reference to figure 7, data decryption flow process of the present invention is further elaborated:
Shown in S201 among the figure, at first obtaining needs decrypted data;
Shown in S202 among the figure, these data are carried out data cell separate;
Shown in S203 among the figure, obtain one of them data cell in order, and length mark field, coordinate or id field, data field are separated; And extraction coordinate or id field wherein;
Shown in S204 among the figure, transformation rule and algorithm that the deciphering distribution module is called in it are changed acquisition new coordinate or ID to this coordinate or ID;
Shown in S205 among the figure and 206, the decipherment algorithm that calls new coordinate or ID correspondence from the decipherment algorithm database is decrypted processing to this data cell;
Shown in S207 among the figure, judge whether that all data elements are all decrypted, if otherwise forward S203 to; Otherwise forward S208 to;
Shown in S208 among the figure, data decryption unit is reassembled into data;
Shown in S209 among the figure, data decryption finishes, data output.
Embodiment two
Present embodiment discloses another kind of technical scheme of the present invention: a kind of based on the mixed type data encryption of data element and coordinate algorithm and the device of deciphering:
As shown in Figure 8, this encryption device is made up of encryption control module 10, data input module 11, cryptographic algorithm distribution module 12, cryptographic algorithm database 13, encrypting module 14, cache module 15, composite module 16; Wherein, each module or composition directly are connected with encryption control module 10, and realize encrypting under the centralized control of acceptance encryption control module 10: in the time of work based on the hybrid algorithm of data cell and coordinate, under the control of encrypting control module 10, data input module 11 be responsible for obtaining need ciphered data go forward side by side line data dividing elements and storage, and in order with data cell input encryption control module 10; Cryptographic algorithm distribution module 12 is distributed cryptographic algorithm coordinate or ID sequence for data cell; Encrypting module 14 is responsible for calling from cryptographic algorithm database 13 cryptographic algorithm of this coordinate or ID sequence correspondence the data unit is encrypted; Cache module 15 is used for interim storage from encrypting the encrypted data unit of control module 10 outputs; Composite module 16 is responsible for ciphered data unit is reassembled into complete data and output.
As shown in Figure 9, this decryption device is made up of deciphering control module 20, data input module 21, separation and coordinate extraction module 22, decipherment algorithm distribution module 23, decipherment algorithm database 24, deciphering module 25, cache module 26, composite module 27; Wherein, each module or composition directly are connected with encryption control module 20, and realize deciphering under the centralized control of acceptance encryption control module 20: in the time of work based on the hybrid algorithm of data cell and coordinate, under the control of deciphering control module 20, data input module 21 is responsible for obtaining needs the decrypted data line data unit of going forward side by side to separate, then and in order with data cell input deciphering control module 20; Separate and interior coordinate or the id information of coordinate extraction module 22 extraction data cells; Decipherment algorithm distribution module 23 transforms formation new coordinate or ID sequence with this coordinate or ID sequence; The decipherment algorithm that deciphering module 25 is responsible for calling from decipherment algorithm database 24 new coordinate or ID sequence correspondence is decrypted the data unit; Cache module 26 is used for the data decryption unit of interim storage from 20 outputs of deciphering control module; Composite module 27 is responsible for decrypted data unit is reassembled into complete data and output.
But the method for realization encryption and decryption of the contrive equipment of present embodiment and implementing of flow process reference example one.
Embodiment three
With reference to Figure 10 and Figure 11, to encrypt or the further optimization of the device of data decryption for a kind of hybrid algorithm based on data cell and coordinate of the present invention, the difference that in contrast to example two is: this encryption or decryption device also have a private key for user input module; The private key for user input module is responsible for gathering the key of user's input, and this key combine the new enciphered data of formation with encrypted data after treatment.During deciphering, then below this private key for user being verified situation about passing through, carry out follow-up decryption oprerations earlier.
The device of present embodiment is encrypted or the data decryption method time, can reference example one be implemented on the one hand based on the hybrid algorithm of data cell and coordinate realizing, also needs part steps is done corresponding modify simultaneously.
Relatively with the inventive method of embodiment one, the disclosed device of present embodiment is realized data encryption and when deciphering, need do further optimization that promptly realization flow is as follows:
Encrypt (as shown in figure 12):
At first, as S112 among the figure, at first user's input is used for these data are decrypted the key of restriction, and this key length is answered numerical value up to specification;
As S113 among the figure, this key is handled, wherein the method for Chu Liing comprise carry out between various operation method such as the secret key bits with or the displacement of evaluation, secret key bits, carry out logical operation etc. with fixed numbers;
As S101 among the figure, obtaining needs ciphered data;
As S102 among the figure, the data that obtain are divided into the plurality of data unit;
As S103 among the figure, obtain a data unit in order, and distribute coordinate/ID sequence for this data cell by the cryptographic algorithm distribution module;
As S104 among the figure, use this coordinate/ID sequence inquiry cryptographic algorithm database;
As S105 among the figure, judge whether the cryptographic algorithm database exists the cryptographic algorithm of this coordinate or ID correspondence, if then enter; S106, otherwise forward S103 to, for this data cell is redistributed coordinate/ID sequence;
As S106 among the figure, from the cryptographic algorithm database, call the cryptographic algorithm of this coordinate or ID correspondence and carry out encryption;
As S107 among the figure, encrypted data cell stem adds this coordinate or id information field (adding coordinate or id information field after perhaps adding the length mark field earlier) forms new data cell;
As S108 among the figure, new data cell is stored in spatial cache;
As S109 among the figure, judge whether all encryptions of all data cells, if otherwise forward S103 to; Otherwise forward S110 to;
As S110 among the figure, new data cell is combined into the data of finishing;
As S114 among the figure, the encrypted data of processed key and combination reconfigure the data that form the band password field;
As S111 among the figure, ciphered data is output.
Deciphering (as shown in figure 13):
Shown in S210 among the figure, at first the user imports key;
Shown in S201 among the figure, obtaining needs decrypted data;
Shown in S211 among the figure, extract the cipher key field in the decrypted data;
Shown in S212 among the figure, key is handled and verified, if the verification passes execution in step S202 then; Otherwise forward S201 to, the prompting user re-enters password;
Shown in S202 among the figure, these data are carried out data cell separate;
Shown in S203 among the figure, obtain one of them data cell in order, and length mark field, coordinate or id field, data field are separated; And extraction coordinate or id field wherein;
Shown in S204 among the figure, transformation rule and algorithm that the deciphering distribution module is called in it are changed acquisition new coordinate or ID to this coordinate or ID;
Shown in S205 among the figure and 206, the decipherment algorithm that calls new coordinate or ID correspondence from the decipherment algorithm database is decrypted processing to this data cell;
Shown in S207 among the figure, judge whether that all data elements are all decrypted, if otherwise forward S203 to; Otherwise forward S208 to;
Shown in S208 among the figure, data decryption unit is reassembled into data;
Shown in S209 among the figure, data decryption finishes, data output.
Embodiment four
Present embodiment discloses a kind of method of carrying out the secure data exchange on the internet, its feature with transfer of data before adopt earlier embodiment one to three described method or device to encrypt, by being transferred to the other side based on ICP/IP protocol, the recipient carries out decryption method of the present invention in application layer then.Encryption and decryption process reference example one to three is described, no longer repeats.