1248276

IX. Description of the Invention:

[Technical Field]

The present invention relates to an encryption/decryption method, and more particularly to an encryption/decryption method that uses a SHA function.

[Prior Art]

Encryption algorithms are widely used in communication systems to protect data security and privacy. Traditionally, many validated symmetric and asymmetric algorithms achieve confidentiality and reliability. However, if an encryption algorithm is to be applied at the physical layer during data transmission, for example as an encryption module embedded in the communication system, the performance of the encryption module must not become a bottleneck for data transmission.

Most validated asymmetric algorithms require a large amount of computation and time, so they are not suitable for high-speed data transmission systems.

High-speed encryption module hardware usually uses symmetric algorithms. Most symmetric algorithms use a short, fixed-length key and can encrypt only one small data block at a time. For example, AES (FIPS PUB 197) encrypts one 128-bit data block at a time and uses a key length of 128, 192, or 256 bits. However, the security of AES is limited by its maximum key length of 256 bits.

[Summary of the Invention]

It is therefore an object of the present invention to provide an encryption/decryption method that provides high security, reliable verification, and low demands.

Another object of the present invention is to provide an encryption/decryption method that can encrypt longer data blocks.

Yet another object of the present invention is to provide an encryption/decryption method that produces a message digest for verifying the message during both encryption and decryption.

Still another object of the present invention is to provide an encryption/decryption method that can use keys of various lengths without changing the algorithm.

A further object of the present invention is to provide an encryption/decryption method whose performance is sufficient to match Gigabit Ethernet, encrypting or decrypting at the same rate at which messages are delivered.

According to the above objects, a method of encrypting a message is proposed, in which the message comprises a plurality of message segments. In accordance with a preferred embodiment of the invention, the method includes the following steps. First, a key is input to a SHA function to generate a first hash value. Next, a first message segment is encrypted using a portion of the first hash value to generate a first cipher segment. Next, the first message segment and the first hash value are input to the SHA function to generate a second hash value.

Next, a second message segment is encrypted using a portion of the second hash value to generate a second cipher segment. Next, the second message segment and the second hash value are input to the SHA function to generate a third hash value. Then the next message segment is repeatedly encrypted to generate the next cipher segment, and that message segment is input to the SHA function to generate the next hash value, until the last message segment has been encrypted and the last hash value has been generated.

When the cipher segments need to be decrypted, the key is used to decrypt them and restore the message. The last hash value is used to verify the decrypted message, which is kept secret during transmission.
The SHA function is, for example, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512.

According to the objects of the present invention, a method of decrypting a cipher is also proposed, the message comprising a plurality of cipher segments. In accordance with a preferred embodiment of the invention, the method includes the following steps. First, a key is input to a SHA function to generate a first hash value. Next, a first cipher segment is decrypted using a portion of the first hash value to generate a first message segment.

Next, the first message segment and the first hash value are input to the SHA function to generate a second hash value. Next, a second cipher segment is decrypted using a portion of the second hash value to generate a second message segment. Next, the first message segment and the second hash value are input to the SHA function to generate a third hash value.

Then the next cipher segment is repeatedly decrypted to generate the next message segment, and that message segment is input to the SHA function to generate the next hash value, until the last cipher segment has been decrypted and the last hash value has been generated. The last hash value is used to verify the decrypted message, which is kept secret during transmission. The SHA function is, for example, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512.

When the method is used in a communication system that has a sender and a receiver, the method further includes the following steps. First, an identification number is transmitted from the sender to the receiver so that the receiver can identify the sender. Next, the message is encrypted at the sender to generate a plurality of cipher segments and a first last hash value. Next, the cipher segments and the last hash value are transmitted to the receiver.
Next, the cipher segments are decrypted at the receiver to restore the message and to generate a second last hash value. Finally, the first last hash value generated by the sender and the second last hash value generated by the receiver are compared to determine whether the message was decrypted correctly.

The present invention has at least the following advantages. Compared with AES, the encryption/decryption method of the present invention can encrypt longer data blocks (160, 256, 384 or 512 bits), whereas AES can only encrypt 128-bit data blocks. The method produces a message digest for verifying the message during both encryption and decryption. The method can use keys of various lengths without changing the algorithm. The performance of the method is sufficient to match Gigabit Ethernet, encrypting or decrypting at the same rate at which messages are delivered.

It should be noted that the embodiments of the present invention are examples only, and the invention is not limited to the embodiments presented. The scope of the invention is determined by the claims.

[Embodiments]

Fig. 1 is an example flow chart of the encryption/decryption method of the present invention. Referring to Fig. 1, the method encrypts a message, where the message comprises a plurality of message segments. In Fig. 1 the method is denoted SEA (secure encryption algorithm). SEA is a symmetric encryption algorithm.
Its computation is based on the Secure Hash Standard (FIPS PUB 180-2), a one-way hash function algorithm. SEA can encrypt longer data blocks (160, 256, 384, or 512 bits), whereas AES can only process 128-bit data blocks. SEA can use keys of various lengths without any modification to the algorithm. In addition, SEA can produce a message digest (signature, digest) along with the cipher.

SEA processes data one segment at a time. During encryption, for example, a message is first divided into a plurality of message segments of equal length. During decryption, a cipher is divided into cipher segments of equal length. In one embodiment, the length of the message equals the length of the cipher, and the length of a message segment equals the length of a cipher segment. The length of the message or of the cipher is an integer multiple of the segment length.

The length of a segment does not exceed the length of the hash value produced by the SHA function. For example, when SHA-1 is used as the SEA algorithm, the maximum length of a message segment is 160 bits; with SHA-256 the maximum is 256 bits; with SHA-384 the maximum is 384 bits; with SHA-512 the maximum is 512 bits.

Let M denote a message and C a cipher, and let a message segment and a cipher segment be denoted Mx and Cx respectively, where x is an integer that identifies the segment. For example, M0 is the first message segment and M1 is the second message segment. A message with n+1 message segments can thus be written M = {Mn, ..., M2, M1, M0}, where M is formed by concatenating the message segments M0 through Mn. The corresponding cipher can be written C = {Cn, ..., C2, C1, C0}.

SEA is a simple and efficient algorithm that uses only three functions during encryption/decryption.
1. E(Mx, Sx): the SEA encryption function. It takes Mx and Sx as input and outputs a cipher segment (i.e., Cx = E(Mx, Sx)).
   • Mx: a message segment.
   • Sx: a hash value, or cipher seed, corresponding to a message segment.
2. D(Cx, Sx): the SEA decryption function. It takes Cx and Sx as input and outputs a message segment (i.e., Mx = D(Cx, Sx)).
   • Cx: a cipher segment.
   • Sx: a hash value, or cipher seed, corresponding to a message segment; this hash value is used to decrypt a cipher segment.
3. SHA(MB, H): a SHA function, for example SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512. Its two inputs are MB and H. Every hash value (SEA cipher seed) is generated by this SHA function (i.e., Sx = SHA(MB, H)).
   • MB: a message block. With SHA-1 or SHA-256 the length of MB is 512 bits; with SHA-384 or SHA-512 the length of MB is 1024 bits.
   • H: an initial hash value. With SHA-1 the length of H is 160 bits; with SHA-256 it is 256 bits; with SHA-384 it is 384 bits; with SHA-512 it is 512 bits.

E(Mx, Sx) and D(Cx, Sx) can be implemented in two ways. As shown below, both are suitable SEA encryption and decryption operations. The symbol ^ denotes XOR, the exclusive-or operation.

1. Cx = E(Mx, Sx) = Mx ^ Sx
   Mx = D(Cx, Sx) = Cx ^ Sx
2. Cx = E(Mx, Sx) = Mx + Sx
   Mx = D(Cx, Sx) = Cx - Sx

Referring to Fig. 1, in one embodiment SEA first generates a first hash value (cipher seed), called S0 (step 100).

S0 = SHA({T, K}, Hi), where:

• Hi is the initial hash value of SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512, as specified in FIPS PUB 180-2.
• {T, K} is a message block formed by concatenating T and K. With SHA-1 or SHA-256 the length of {T, K} does not exceed 512 bits; with SHA-384 or SHA-512 the length of {T, K} does not exceed 1024 bits.
  It should be noted that, although the unused part of the SHS message block can be padded with a constant before the computation, using the full available length of the message block provides better security.
• K is the primary key for the encryption and decryption process.
• T is a time code, for example a number representing universal time at the moment SEA is used.

Next (step 102), during encryption, E(M0, S0) takes the first hash value (cipher seed) S0 as input and outputs C0 (step 103). During decryption, D(C0, S0) likewise takes the first hash value (cipher seed) S0 as input and outputs M0 (step 103). Meanwhile, the second hash value (the next hash value) S1 is generated by S1 = SHA({M0, K0}, S0) (step 101). The encryption/decryption process (steps 102 and 103) and the generation of the next hash value (cipher seed) (step 101) are repeated to encrypt the remaining message segments (steps 104-112). The last message segment produces the last hash value (steps 110 and 113), and this last hash value is the digest (signature or digest) of the message.

In one embodiment, a new variable is introduced: the padding variable Kx (denoted K0, K1, K2 and Kn in steps 101, 104, 107 and 110 respectively). The basic purpose of Kx is to fill the unused part of the SHS message block (MB). In SHA({Mx, Kx}, Sx), {Mx, Kx} is a message block (MB) formed by concatenating Mx and Kx. The length of an MB is 512 bits (SHA-1 and SHA-256) or 1024 bits (SHA-512 and SHA-384). The total length of {Mx, Kx} must fill the message block length required by the SHA function. Kx can be an arbitrary constant (for example a key) that is known to both the sender and the receiver. Kx can also be a value generated by an algorithm, where the value is known to both the sender and the receiver. Kx can also be a combination of a constant and a value generated by an algorithm.
For example, Kx can be a combination of a segment key (a constant SKx) and a value f(Sx, K) computed from Sx and K (the primary key).
Thus:

Kx = {SKx, f(Sx, K)}
SHA({Mx, Kx}, Sx) = SHA({Mx, {SKx, f(Sx, K)}}, Sx)

SEA allows the length of a message segment to be shorter than the hash value produced by the SHA function. When Mx and Cx are shorter than Sx, Sx cannot be used directly in E(Mx, Sx) or D(Cx, Sx). The solution is to replace Sx with an Sx' whose length equals the segment length, so that Cx = E(Mx, Sx') and Mx = D(Cx, Sx').

In one embodiment, Sx' can be a subset of the bits of Sx, selected from Sx, that is, Sx' = f(Sx).
In other words, Sx' is a part of the hash value Sx. For example, if SEA is implemented with SHA-1, the hash value Sx has 160 bits; if the segment length is only 128 bits, then Mx, Cx and Sx' are all 128 bits long, and Sx' = f(Sx). For example, the first 128 bits of Sx (bit 1 to bit 128) can simply be taken as Sx'.

In one embodiment, the value of T is a time code. T can be of any length as long as it is shorter than the SHS message block. However, 128 bits are quite sufficient to represent a time code, so a 128-bit T is a suitable choice for SEA. The unused part of the SHS message block is then 384 bits (for SHA-1 or SHA-256) or 896 bits (for SHA-384 or SHA-512). This unused part can be filled with the primary key K, whose security is sufficient to withstand strong attacks.

A longer K can also be used in SEA with a slight modification. Suppose T is fixed at 128 bits and the length of K is on the order of megabytes; then {T, K} is many times the length of an SHS message block. S0 is then the message digest of {T, K} rather than the digest of a single message block (step 100), and SHA(MB, H) must be applied many times, not just once, to compute S0. After S0 has been obtained from {T, K}, SEA continues with encryption/decryption (steps 101-113).

The time code T improves the security of SEA. Even if the same message is delivered at different times, SEA produces a different cipher for each delivery. T need not be universal time, but universal time is a preferred choice because it is continuous and never repeats. In this embodiment, if two identical messages are delivered at exactly the same time T, the ciphers are identical.

In one embodiment, the value of T is provided by the receiver rather than by the sender.
K is a key known to both the receiver and the sender, and it is kept secret. The value of T is transmitted in the clear. Another way to interpret this is that the T value is a quiz or challenge code that the sender receives from the receiver, and the sender must encode its reply with the T value.

In another embodiment, a high-level communication protocol is defined to take full advantage of SEA. The protocol is shown in Fig. 2, a schematic diagram of a communication system that uses the encryption/decryption method of the present invention together with a high-level protocol. Referring to Fig. 2, in the first step the sender 200 transmits an identification number to the receiver 205, for example a VIN (vehicle identification number) 201. The VIN lets the receiver 205 identify the sender 200 and notifies the receiver 205 to prepare to receive the message from the sender 200. For example, the receiver 205 prepares the primary key (K) that corresponds to this sender 200.

In the second step, the receiver 205 transmits a time code T 202 to the sender 200. The sender 200 uses the T 202 received from the receiver 205 to encrypt a message and to generate a digest (the last hash value). In the third step, the sender 200 transmits the cipher together with the digest, {S, C} 203, to the receiver 205 (for example, {S, C} is equivalent to {S, Cn, ..., C2, C1, C0}).

The receiver 205 receives {S, C} and begins decrypting C, starting with C0, one segment at a time. The decryption uses the T value that was transmitted to the sender 200 and the primary key.
After all cipher segments have been decrypted in sequence and the message has been restored, the receiver 205 also uses M to generate a message digest (the last hash value). The message digest (last hash value) generated by the receiver 205 in step 113 (shown in Fig. 1) is compared with the message digest generated by the sender 200 to verify that the decrypted message is correct. If the two digests are identical, the decrypted message contains no errors.

Next comes an optional step: an acknowledge code 204 is sent from the receiver 205 to the sender 200 so that the sender 200 knows whether the message was accepted or rejected.

The SEA functions can be implemented, for example, by a digital circuit, which can be called a Secure Encryption Accelerator (SEX). In one embodiment, SEX uses a SHA-256 accelerator (SHAX-256) or a SHA-512 accelerator (SHAX-512) to implement the SHA(MB, H) function. SHAX-256 can complete SHA(MB, H) within 65 clocks, and SHAX-512 can complete SHA(MB, H) within 81 clocks.

Referring to Fig. 1, the length of T (step 100) is 128 bits. The length of K (step 100) is 384 bits with SHAX-256 and 896 bits with SHAX-512. Hi (step 100) is 256 bits with SHAX-256 and 512 bits with SHAX-512. The length of a segment (Mx or Cx) is 256 bits with SHAX-256 and 512 bits with SHAX-512. The length of Sx is 256 bits with SHAX-256 and 512 bits with SHAX-512. The length of Mx is exactly half of the message block, where the message block is 512 bits or 1024 bits (for SHA-256 and SHA-512 respectively). The length of Kx therefore equals the length of Mx. Finally, SEX uses the value of Sx as Kx, so that in SEX, SHA({Mx, Kx}, Sx) (steps 101, 104, 107 and 110) becomes SHA({Mx, Sx}, Sx).
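
The following is an added example, not code from the patent: a software model of the SHAX-256 parameter set just described (128-bit T, 384-bit K, 256-bit segments, Kx = Sx) with the XOR form of E and D, plus the receiver's digest comparison. The function names, the byte order of the concatenations {T, K} and {Mx, Sx}, and the sample key, time codes and message are assumptions made for illustration.

```python
import hmac
import struct
from math import isqrt

MASK = 0xFFFFFFFF

def _icbrt(n):
    """Exact floor of the cube root of n, by binary search."""
    lo, hi = 0, 1 << 40
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180-2 SHA-256 constants, derived exactly from the first 64 primes.
_PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, isqrt(p) + 1))]
RC = [_icbrt(p << 96) & MASK for p in _PRIMES]                             # round constants
HI = struct.pack(">8I", *(isqrt(p << 64) & MASK for p in _PRIMES[:8]))     # Hi

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha_block(mb, h):
    """SHA(MB, H): one SHA-256 compression of the 512-bit block mb from hash value h."""
    w = list(struct.unpack(">16I", mb))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    hv = struct.unpack(">8I", h)
    a, b, c, d, e, f, g, k = hv
    for i in range(64):
        s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        t1 = (k + s1 + ((e & f) ^ (~e & g)) + RC[i] + w[i]) & MASK
        s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        t2 = (s0 + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, k = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return struct.pack(">8I", *((x + y) & MASK for x, y in zip(hv, (a, b, c, d, e, f, g, k))))

SEG = 32  # 256-bit segments, as in the SHAX-256 embodiment

def _sea(data, key, t, decrypt):
    if len(t) != 16 or len(key) != 48 or len(data) % SEG:
        raise ValueError("need 128-bit T, 384-bit K and whole 256-bit segments")
    s = sha_block(t + key, HI)                    # S0 = SHA({T, K}, Hi); T first is an assumption
    out = bytearray()
    for i in range(0, len(data), SEG):
        seg = bytes(x ^ y for x, y in zip(data[i:i + SEG], s))  # E and D: XOR with Sx
        m = seg if decrypt else data[i:i + SEG]   # the hash chain is always fed the plaintext Mx
        out += seg
        s = sha_block(m + s, s)                   # S(x+1) = SHA({Mx, Sx}, Sx), i.e. Kx = Sx
    return bytes(out), s                          # s is now the last hash value (the digest)

def sea_encrypt(message, key, t):
    """Sender side: returns (cipher C, digest S)."""
    return _sea(message, key, t, decrypt=False)

def sea_receive(cipher, digest, key, t):
    """Receiver side: decrypt, recompute the last hash value, compare with the sender's."""
    message, last = _sea(cipher, key, t, decrypt=True)
    return message if hmac.compare_digest(last, digest) else None

def demo():
    key = bytes(range(48))                        # constructed 384-bit primary key K
    t1, t2 = bytes(16), b"\x01" + bytes(15)       # two constructed 128-bit time codes
    msg = b"segment-0".ljust(SEG, b".") + b"segment-1".ljust(SEG, b".")
    c1, d1 = sea_encrypt(msg, key, t1)
    tampered = bytes([c1[0] ^ 1]) + c1[1:]        # one bit changed in transit
    return {
        "roundtrip": sea_receive(c1, d1, key, t1) == msg,
        "tamper_rejected": sea_receive(tampered, d1, key, t1) is None,
        "same_T_same_cipher": sea_encrypt(msg, key, t1)[0] == c1,
        "new_T_new_cipher": sea_encrypt(msg, key, t2)[0] != c1,
    }

if __name__ == "__main__":
    print(demo())
```

The `same_T_same_cipher` entry reproduces the caveat stated in the text: two identical messages encrypted under the same T yield the same cipher, which is why T has to be a value that does not repeat.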
SEX together with SHAX provides a reliable implementation of SEA.

In this embodiment, SEX can complete the computation of one Sx within 65 clocks (using SHAX-256) or within 81 clocks (using SHAX-512). The encryption or decryption process (steps 102, 105, 108 and 111) can run in parallel with the hash value generation (steps 101, 104, 107 and 110), so it costs no additional clocks.

Assuming each hash value generation takes 3 more clocks on average, generating one Sx takes 68 clocks (using SHAX-256) or 84 clocks (using SHAX-512).

In this embodiment, SEX can easily process one segment in fewer than 100 clocks. In other words, every 100 clocks one SEX can encrypt/decrypt one 512-bit segment (using SHAX-512) or one 256-bit segment (using SHAX-256).

If SEX runs at a 400 MHz clock, the average amount of data that can be encrypted/decrypted per second is about 2 gigabits (using SHAX-512) or 1 gigabit (using SHAX-256). This performance is sufficient to match Gigabit Ethernet, encrypting or decrypting at the same rate at which messages are delivered.

The present invention has at least the following advantages. Compared with AES, the encryption/decryption method of the present invention can encrypt longer data blocks (160, 256, 384 or 512 bits), whereas AES can only encrypt 128-bit data blocks. The method produces a message digest for verifying the message during both encryption and decryption. The method can use keys of various lengths without changing the algorithm. The performance of the method is sufficient to match Gigabit Ethernet, encrypting or decrypting at the same rate at which messages are delivered.

Although the present invention has been disclosed above by way of a preferred embodiment, the embodiment is not intended to limit the invention. Anyone skilled in the art may make various changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is therefore defined by the appended claims.

[Brief Description of the Drawings]

To make the above and other objects, features, advantages and embodiments of the present invention easier to understand, the accompanying drawings are described as follows:

Fig. 1 is an example flow chart of the encryption/decryption method of the present invention; and

Fig. 2 is a schematic diagram of a communication system that uses the encryption/decryption method of the present invention and a high-level communication protocol.

[Description of Main Reference Numerals]

200: sender
201: VIN code
202: time code T
203: {S, C}
204: acknowledge code
205: receiver