Search

CN-122027300-A - Communication data encryption and decryption method and system based on key rotation

CN122027300ACN 122027300 ACN122027300 ACN 122027300ACN-122027300-A

Abstract

The application provides a communication data encryption and decryption method and system based on key rotation, wherein the communication data encryption method comprises the steps of obtaining original data to be encrypted, determining a corresponding current shared key from a preset key version set according to the current time, generating a corresponding encryption key through a preset key algorithm according to the current shared key and a data packet timestamp, generating the data packet timestamp based on the current time, encrypting the original data through the preset encryption algorithm according to the encryption key to obtain corresponding encryption data, and constructing an encrypted communication data packet by combining the encryption data, the data packet timestamp, a key version number of the current shared key and a dynamic password, wherein the dynamic password is obtained through calculation through a preset one-time password algorithm according to the current shared key and the current time, so that the safety of data communication is improved.

Inventors

  • HUANG WENKAI
  • GUO ZHICONG
  • TANG YAO
  • LUO QI
  • HAO FANGZHOU
  • WANG SHAOHUA
  • LUO JIAJIAN
  • WU JIANGWEI
  • GUO RUNKAI
  • LI SHIBO
  • LI XUECHAO
  • LIN YUANMIN

Assignees

  • 广东电网有限责任公司广州供电局

Dates

Publication Date
20260512
Application Date
20260225

Claims (10)

  1. 1. A method for encrypting communication data based on key rotation, comprising: Acquiring original data to be encrypted; Determining a corresponding current shared key from a preset key version set according to the current moment, wherein the key version set comprises a plurality of shared keys corresponding to a plurality of different life time periods; Generating a corresponding encryption key through a preset key algorithm according to the current shared key and a data packet time stamp, wherein the data packet time stamp is generated based on the current time; Encrypting the original data through a preset encryption algorithm according to the encryption key to obtain corresponding encrypted data; And constructing and obtaining an encrypted communication data packet by combining the encrypted data, the data packet timestamp, the key version number of the current shared key and a dynamic password, wherein the dynamic password is obtained by calculating through a preset one-time password algorithm according to the current shared key and the current moment.
  2. 2. The method for encrypting communication data based on key rotation according to claim 1, wherein said generating a corresponding encryption key by a preset key algorithm according to the current shared key and a data packet time stamp comprises: according to the current shared secret key and the current moment, calculating and obtaining the dynamic password through the one-time password algorithm; Splicing the dynamic password with the data packet time stamp to generate key supplementary data; and generating the encryption key through the key algorithm according to the key supplementary data and the current shared key.
  3. 3. The method for encrypting communication data based on key rotation according to claim 1, wherein said encrypting the original data by a preset encryption algorithm according to the encryption key to obtain corresponding encrypted data comprises: Generating a disposable random number according to a preset random number generation algorithm; splicing the data packet timestamp and the key version number to generate additional authentication data; And encrypting the original data through the encryption algorithm according to the encryption key, the one-time random number and the additional authentication data to obtain the encrypted data.
  4. 4. The method for encrypting communication data based on key rotation according to claim 1, wherein said obtaining said dynamic password by a preset one-time password algorithm according to said current shared key and said current time comprises: calculating to obtain a current time step variable according to the current time, a preset time window and a preset time reference; According to the current time step variable and the current shared key, a corresponding hash code is obtained through calculation of a preset hash function; and intercepting a data segment with preset byte number from the hash code through a dynamic cut-off function in the one-time password algorithm to obtain the dynamic password.
  5. 5. The method for encrypting communication data based on key rotation according to claim 1, wherein said method for encrypting communication data further comprises periodically updating said set of key versions, comprising: determining a plurality of expired shared keys from the key version set according to the current updating time; determining the expiration time length of each expired shared key according to the current updating time and the effective time period corresponding to each expired shared key; Deleting a plurality of first expired shared keys with the expiration time length being greater than or equal to a preset threshold value from the key version set; And stopping the encryption function of each second expired shared key for a plurality of second expired shared keys with the expiration time length smaller than the preset threshold value.
  6. 6. A method for decrypting communication data based on key rotation, wherein the method for decrypting communication data generated by the method for encrypting communication data based on key rotation as claimed in any one of claims 1 to 5, comprises: Acquiring a communication data packet; Carrying out data analysis on the communication data packet to obtain corresponding encrypted data, a data packet time stamp, a key version number and a dynamic password; Determining a corresponding current shared key from a preset key version set according to the key version number; performing password verification on the dynamic password through a preset one-time password algorithm according to the data packet timestamp and the current shared secret key; if the password verification is passed, generating a corresponding encryption key through a preset key algorithm according to the current shared key and the data packet time stamp; and reversely decrypting the encrypted data according to the encryption key and an encryption algorithm for generating the encrypted data to obtain corresponding original data.
  7. 7. The method for decrypting communication data based on key rotation as claimed in claim 6, wherein the performing the password verification on the dynamic password by a preset one-time password algorithm according to the data packet timestamp and the current shared key comprises: Determining the generation time of the communication data packet according to the data packet time stamp; Calculating to obtain a basic time step variable according to the generation moment, a preset time window and a preset time reference; calculating to obtain a plurality of candidate time step variables according to the basic time step variable and a preset fault-tolerant time range; Generating each corresponding candidate dynamic password through the one-time password algorithm and the current shared key according to each candidate time step variable; And comparing and checking each candidate dynamic password with the dynamic password, and if any candidate dynamic password is consistent with the dynamic password, determining that the password passes the check.
  8. 8. The communication data encryption system based on the key rotation is characterized by comprising an acquisition module, a key rotation module, a key generation module, an encryption module and a data packet construction module; the acquisition module is used for acquiring the original data to be encrypted; The key rotation module is used for determining a corresponding current shared key from a preset key version set according to the current moment, wherein the key version set comprises a plurality of shared keys corresponding to a plurality of different effective time periods; The key generation module is used for generating a corresponding encryption key through a preset key algorithm according to the current shared key and a data packet time stamp, and the data packet time stamp is generated based on the current time; The encryption module is used for encrypting the original data through a preset encryption algorithm according to the encryption key to obtain corresponding encrypted data; the data packet construction module is used for combining the encrypted data, the data packet timestamp, the key version number of the current shared key and a dynamic password to construct an encrypted communication data packet, and the dynamic password is obtained by calculation through a preset one-time password algorithm according to the current shared key and the current moment.
  9. 9. A communication data decryption system based on key rotation, which is used for decrypting a communication data packet generated by a communication data encryption system based on key rotation as claimed in claim 8, and is characterized by comprising a data packet acquisition module, a data analysis module, a key determination module, a verification module, a key generation module and a decryption module; the data packet acquisition module is used for acquiring a communication data packet; the data analysis module is used for carrying out data analysis on the communication data packet to obtain corresponding encrypted data, a data packet time stamp, a key version number and a dynamic password; The key determining module is used for determining a corresponding current shared key from a preset key version set according to the key version number; the verification module is used for carrying out password verification on the dynamic password through a preset one-time password algorithm according to the data packet time stamp and the current shared secret key; the key generation module is used for generating a corresponding encryption key through a preset key algorithm according to the current shared key and the data packet time stamp if the password verification is passed; The decryption module is used for carrying out reverse decryption on the encrypted data according to the encryption key and an encryption algorithm for generating the encrypted data to obtain corresponding original data.
  10. 10. The system for decrypting communication data based on key rotation as recited in claim 9, wherein the verification module performs the password verification on the dynamic password by a preset one-time password algorithm according to the data packet timestamp and the current shared key, and includes: Determining the generation time of the communication data packet according to the data packet time stamp; Calculating to obtain a basic time step variable according to the generation moment, a preset time window and a preset time reference; calculating to obtain a plurality of candidate time step variables according to the basic time step variable and a preset fault-tolerant time range; Generating each corresponding candidate dynamic password through the one-time password algorithm and the current shared key according to each candidate time step variable; And comparing and checking each candidate dynamic password with the dynamic password, and if any candidate dynamic password is consistent with the dynamic password, determining that the password passes the check.

Description

Communication data encryption and decryption method and system based on key rotation Technical Field The present application relates to the field of encryption communication technologies, and in particular, to a method and a system for encrypting and decrypting communication data based on key rotation. Background The large-scale deployment of the internet of things equipment and intelligent terminals makes communication security between the equipment a core concern. In this context, time-based One-Time Password (TOTP) has become One of the mainstream communication encryption and authentication technologies due to its simplicity, high efficiency and tolerance to clock bias. The core flow of the TOTP algorithm generally conforms to standards such as RFC 6238, and the basic principle is that two communication parties (such as a terminal and a server) share a secret key in advance and take a unified time source as a reference. When authentication or encryption is needed, both sides calculate the same time step counter based on the current time stamp, and operate the counter and the shared key through a hash message authentication code (e.g. HMAC-SHA 1) algorithm to generate a one-time dynamic password which is valid only in a short time window. The mechanism can effectively defend replay attack and brute force cracking attempt without real-time online interaction, and is particularly suitable for the scenes of embedded Internet of things terminals with limited resources and low power consumption, such as intelligent locks, intelligent grounding devices and the like. However, existing TOTP implementations have significant limitations in terms of long-term security and key management. The most central technical problem is that it generally relies on a static, long-term, constant shared key. Once the secret key is revealed, an attacker can easily forge a legal dynamic password in an effective time window by combining a public time synchronization mechanism, so that the security of the whole communication and authentication system is completely lost. In addition, the static key mode lacks automatic key rotation and life cycle management capabilities, and cannot adapt to security threat evolution in long-term deployment of the internet of things equipment. Therefore, how to design a set of enhancement mechanism supporting automatic key rotation, version management and life cycle control on the basis of keeping the advantages of light weight and high efficiency of TOTP has become an urgent technical requirement for improving the communication reliability and long-term security of the terminal of the Internet of things. Disclosure of Invention Aiming at the technical problems, the application provides a communication data encryption and decryption method and system based on key rotation, which improves the safety of data communication. In a first aspect, an embodiment of the present application provides a method for encrypting communication data based on key rotation, including: Acquiring original data to be encrypted; Determining a corresponding current shared key from a preset key version set according to the current moment, wherein the key version set comprises a plurality of shared keys corresponding to a plurality of different life time periods; Generating a corresponding encryption key through a preset key algorithm according to the current shared key and a data packet time stamp, wherein the data packet time stamp is generated based on the current time; Encrypting the original data through a preset encryption algorithm according to the encryption key to obtain corresponding encrypted data; And constructing and obtaining an encrypted communication data packet by combining the encrypted data, the data packet timestamp, the key version number of the current shared key and a dynamic password, wherein the dynamic password is obtained by calculating through a preset one-time password algorithm according to the current shared key and the current moment. The embodiment of the application provides a communication data encryption method based on key rotation, which obviously improves the safety and dynamic adaptability of communication data by introducing a key version set and a time stamp mechanism. Traditional communication encryption methods generally rely on static keys, and once the keys are revealed, the security of the whole communication system is seriously threatened. In the embodiment, the current shared key is dynamically determined according to different life-effect time periods through the preset key version set, so that automatic rotation of the key based on time is realized. The encryption key is further generated by combining the determined current shared key with the data packet timestamp and used for encrypting the original data, so that the mechanism not only effectively avoids the security risk caused by long-term invariance of the key, but also can flexibly switch to a new shared key when the key is